In 2018, the European Union (EU) enacted the General Data Protection Regulation (GDPR) to ensure the ‘consistent and homogenous’ implementation of rules protecting the fundamental right to data privacy across the EU. Often self-described as one of the world’s toughest data privacy laws, the GDPR particularly advances the ability of a ‘data subject’ to file a complaint and seek redressal if data protection infringement occurs. As commentators note, ‘access to data protection remedies [for data subjects] constitutes a core element of GDPR enforcement.’
Four years of implementation down the line, however, a question emerges: is the GDPR actually improving citizens’ access to grievance redressal in the case of data infringements?
This is the question explored by a new empirical study titled ‘The Right to Lodge A Data Protection Complaint: Ok, But Then What?’. Authored by members of the Data Protection Law Scholars Network, and supported and commissioned by Access Now, the June 2022 report largely studies the complaint processing mechanisms listed on 12 Data Protection Authority (DPA) websites. In doing so, it evaluates whether these bodies are fulfilling their legal obligations to transparently and rigorously act on such complaints, and protect a data subject’s Fundamental Right to Data Protection.
What it reveals: ‘data subjects across the EU do not have an equal right to lodge a complaint.’ This is because of the GDPR’s inconsistent application by Member States’ DPAs, which can at times limit citizens’ knowledge of how grievance mechanisms work, hindering them from fully realising their right to privacy. Additionally, resource-strapped DPAs are known to prioritise certain types of complaints over others, in order to minimise their involvement and simplify the complaint redressal process. The report notes that it is unclear whether such fast-tracking has nudged data subjects ‘into giving up on the full extent of their rights as granted by the GDPR.’
The bottom line: the ‘fragmentation of [GDPR] practices [by DPAs] triggers questions as to whether they are compatible with the consistent application of the GDPR throughout the EU.’ To improve the fulfilment of the Fundamental Right to Privacy, the report’s recommendations suggest implementing the GDPR using a relatively standardised, transparent approach.
Why it matters: Formulating robust privacy laws is important—but ensuring they are implemented consistently, and that citizens understand and utilise them is more important. The shortcomings listed in the report highlight the realities of enforcement, and the kind of outreach it takes to ensure that citizens’ rights are protected. Such insight may be useful for India—which appears to be flirting with its own notion of a Data Protection Authority in upcoming data protection laws. The report’s focus on strengthening the institutions and processes under the GDPR to suit citizen interests alone may be of particular note, especially given the criticism invited by proposed Indian data protection authorities.
But First, When and How Can EU Data Subjects File Data Infringement Complaints Under GDPR?
What kind of complaints can be filed?: Somewhat surprisingly, the otherwise comprehensive GDPR does not precisely define what a ‘complaint’ is. However, the European Data Protection Board (EDPB)—an independent body set up to ensure the GDPR’s consistent application across the EU—suggests that a complaint may concern any potential infringement of the GDPR in the processing of the data subject’s personal data. What’s not included in its understanding of a complaint: general ‘enquiries’ on the data subject’s rights under the GDPR, or ‘tips’ from individuals who suspect a third party of violating the GDPR.
How can ‘data subjects’ protect their privacy in the case of infringements?: As per the GDPR, they can either file complaints in Court, or at their relevant Data Protection Authority (DPA). In both cases, they can either exercise their rights by appearing for themselves, or by asking a non-profit organisation to appear on their behalf.
What are Data Protection Authorities?: DPAs are independent, ‘supervisory authorities’, whose main function is to ensure that the GDPR is consistently applied across the Union. Data subjects can lodge a complaint with the DPA of the EU Member State they reside in, the DPA of the State their work is located in, or with the DPA of the State where the alleged infringement has occurred. Many DPAs are both understaffed and under-resourced, making it difficult for them to deal with an increasing number of complaints, especially as a result of the pandemic.
How are complaints processed?: DPAs are legally obligated to facilitate the submission of complaints by data subjects. Submissions must be facilitated through electronic forms, ‘without excluding other means of communication.’ After this, they have a ‘general obligation’ to ‘handle’ the complaints—which means they have to discern whether an individual complaint is admissible (or a potential infringement) and ensure ‘due diligence’ with the GDPR while doing so. Critically, the GDPR does not specify the criteria for admissibility. However, the EDPB notes that complaints may be rejected if unrelated to data protection, if ‘unfounded or excessive’, or if filed incorrectly as per the Member State DPA’s regulations. The report notes that across DPAs in the EU, there appears to be little uniform clarity on what ‘handling a complaint’ precisely means—leading different authorities to take different approaches. Some DPAs have also ‘expanded the possibilities for DPAs to reject complaints on grounds not foreseen under the GDPR.’
What are the outcomes of complaints?: DPAs are obligated under the GDPR to inform a data subject of the outcome of their investigation within a ‘reasonable period’. According to the EDPB, potential outcomes could be the DPA establishing an infringement, settling the complaint amicably between the contesting parties, or informing the data controller of its data protection responsibilities under the GDPR. Any legally binding decision should be clearly reasoned in writing by the DPA—this is because it may ‘give rise to a judicial review.’ Critically, the GDPR does not specify a timeline within which complaint handling must be completed—some DPAs simply follow their own national laws, with processing taking between one month and a year.
Can DPA Decisions Be Challenged?: Yes. In fact, data subjects in the EU have the right to judicially challenge ‘inactive’ DPAs that do not handle their complaints correctly. Additionally, they have the right to ‘effective judicial remedy’ against legally binding DPA decisions that concern them.
So, What Did the Study Find?
DPAs should improve complaint facilitation techniques: Aside from their legal obligation to do so, improving these mechanisms will help DPAs process submissions better. It will improve legal literacy for data subjects too—leading to less uncertainty over how to file a complaint. Developing a universal standard for filing complaints that centres user interests, based on best practices shared by DPAs, may help address this. Failing to do so may violate a subject’s right to file a complaint with a ‘supervisory authority’ under the GDPR.
- Is information on lodging complaints easily available?: Most DPA websites examined by the researchers had an accessible electronic complaints filing mechanism. The survey also found that it was generally easy to access the right form when submitting a complaint. The Dutch DPA website also offers forms for users to submit ‘tips’ instead of actual complaints. The Belgian DPA further suggests other government agencies that may be more appropriate to redress the complaint at hand.
- However, in some cases, clunky website navigation makes finding the complaints form difficult—which presupposes that the data subject already knows what they’re looking for and how to find it.
- Is there a universal standard to file a complaint?: Some DPAs have online submission forms, while others offer the option of filling in a form manually and then sending it to the DPA. Some DPAs, however, use their respective ‘national public portals’ for filing complaints—these generic forms are often not tailored to the needs of GDPR complaints.
- What are the requirements for supporting evidence?: Depending on the DPA and the kind of complaint, different types of supporting evidence may be requested. These requirements are not always presented as necessary—but are instead ‘implied’ in the instructions of a complaint form. Some of these evidence requirements ‘do not directly derive from the GDPR … which might be in tension with the DPAs’ obligation to facilitate the submission of complaints.’
- Do DPAs proactively support data subject queries?: The researchers noted that most DPA websites do not offer tailored support channels to help data subjects as they submit complaints. Subjects have to search for the DPA’s generic contact details for help.
Improve information provided to complainants: Complainants should not just be aided when it comes to filing a complaint—they should know what comes next, once the complaint is filed, and what they can demand of DPAs. Awareness of their rights to data privacy and grievance redressal under the GDPR incentivises citizens to make use of the GDPR. DPAs should improve the quality and quantity of information provided to data subjects in this regard—especially in the case of ‘fast-tracked’ complaints, whose outcomes may be unclear to the public.
- What are the next steps?: Most DPAs surveyed failed to inform users of their right to legally challenge a DPA. Some do not specify a timeline for redressal of the complaint. The potential outcomes of the DPA’s decision remain unclear too.
- Do proofs of submission differ?: In order to legally challenge a DPA, complainants require proof that a complaint was indeed submitted. However, DPAs often fail to provide proof/receipt of submission, instead instructing users to download a copy of their complaint if they desire.
Remove hindrances to cross-border data processing rights: Doing so will empower data subjects across the EU to uniformly exercise their right to file a complaint with a DPA outside of their State of residence.
- Possibility of cross-border data processing?: Sometimes, a complaint may result in cross-border processing (referred to as ‘one-stop-shop’), with another DPA eventually charged with investigating the complaint. The researchers noted that most DPA websites do not inform data subjects of this possibility.
- Cross-border complaints are difficult to file: While data subjects can file a complaint in a Member State different from the one they ordinarily reside in, this can be difficult to do. In Poland, for example, the report states that complaints can only be lodged on its public portal, which is hosted only in Polish. To open an account, you need a Polish social security number. Identity can be verified through a ‘paid qualified certificate’, or through a ‘free trusted profile’, which can only be established by signing into Polish e-banking services. A non-resident may find it impossible to lodge a complaint in this case—such practices are not derived from the GDPR and are dependent on a Member State’s own choices while implementing the law. On the other hand, some DPAs have low identification thresholds while filing a complaint, and offer submission portals in multiple languages for non-residents.
Improve awareness of Non-Profit Involvement: Non-profits can effectively advise data subjects on submitting complaints. Developing a public register of such entities that may represent data subjects in such cases may be the call of the hour.
- Is the possibility of NGO representation currently highlighted?: Barring some exceptions, data subjects are generally not made aware that non-profits and other individuals can file complaints on their behalf.
All relevant bodies should come together to strengthen the Right to Data Protection: Devising a mechanism that measures DPA compliance with the GDPR is critical. The EDPB should improve its efforts to ensure the consistent implementation of the GDPR across the EU.
- As seen already, complaints are handled differently depending on the DPA—which may transgress the GDPR’s aim of a consistently applied data regulation across the bloc.
- The EDPB and the individual DPAs are responsible for ensuring that the GDPR’s implementation is not fragmented. Efforts have been made by the EDPB to better document these shortcomings in implementation—however, these texts also suffer from a lack of transparency and public consultation.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.