Concerns Over GDPR Procedural Regulation Trilogue Negotiations: Joint Letter to EU Institutions




This joint letter has been written and co-signed by over 30 civil society organisations concerned by the trilogue negotiations over the General Data Protection Regulation (GDPR) procedural regulation.

Now or Never: Strengthen GDPR Procedural Rules to Hold Big Tech Accountable Once and for All

Dear Trilogue Negotiators,

We, the undersigned civil society organisations – based also on direct experience as complainants in cross-border GDPR cases – write to express our concern regarding the development of the proposed GDPR Procedural Regulation, which we believe represents a missed opportunity to address longstanding enforcement challenges effectively.

As Big Tech companies revise their content policies to flout EU principles on platform accountability and openly challenge the EU legal framework, strengthening enforcement mechanisms that uphold protective legislation designed to safeguard people’s fundamental rights and freedoms is more critical than ever. For years, these companies have systematically undermined data protection, privacy and other fundamental rights. All these rights are core to the EU’s foundational values of equality, non-discrimination, human dignity, freedom and democracy enshrined in the EU Treaties and the Charter.

Yet, especially large actors with vast financial resources have been able to delay procedures for years, obstruct cases and ultimately weaken the real-life impact of the GDPR. While headline-grabbing fines create the impression of enforcement, many of these penalties remain unpaid, further undermining the GDPR’s credibility. This persistent lack of consequences allows companies to evade accountability, enabling reality to drift even further from the rules and principles of the GDPR while exacerbating harm.

This is not a new issue, but its persistence and escalation demand urgent accountability. Despite the robust framework provided by the GDPR, enforcement has fallen far short, blocking the GDPR from becoming a success in practice and enabling corporations to operate with practical impunity. The GDPR Procedural Regulation offers a rare and critical opportunity to address these limitations and ensure meaningful accountability and real ways for people to claim their rights. At the same time, it can make a significant contribution to the EU’s new priority of becoming ‘simpler and faster’.

We are concerned that the ongoing negotiations are missing a crucial opportunity to establish a robust and stable enforcement procedure. There is a risk of producing a compromised text that not only fails to deliver the necessary reforms but may also introduce new vulnerabilities for abuse, further weakening people’s ability to exercise their GDPR rights. Without a well-designed procedure, individuals will lack the practical means to enforce the rights that the law is meant to guarantee. A rights-focused enforcement of the GDPR is essential for safeguarding human rights across diverse areas – including employment, education, welfare, and migration – and is critical to realizing the EU’s vision of a rights-respecting digital future.

The Regulation is far more than a procedural update; the GDPR is the backbone of the EU’s digital rulebook, serving as a cornerstone of its digital policy, and beyond. The law is designed to streamline, harmonise, and accelerate GDPR enforcement in cross-border cases, addressing long-standing delays and inconsistencies. At the root of these issues are uncertainties in certain GDPR provisions, systemic inaction by some Data Protection Authorities (DPAs) and the exploitation of these weaknesses by tech companies. These failures have eroded public trust in the GDPR’s enforcement mechanisms and allowed individuals’ rights to be undermined on a massive scale.

We have long advocated for stronger, rights-centered enforcement of the GDPR and welcomed many elements of the Council’s General Approach and the European Parliament’s Report. However, the early stages of trilogue negotiations have surfaced deeply troubling compromises that seem to make the procedure more complex. This could further undermine accountability, disempower individuals and collectives, and leave unresolved issues or even risk codifying existing problems. The process so far seems not to have received the attention and scrutiny it deserves. This is not only a missed opportunity to strengthen the protection of people’s rights but also risks inviting countless new disputes before DPAs, national courts, and the CJEU if the text lacks sufficient robustness, potentially undermining the EU’s reputation. We urge you to:

  1. Prioritise this legislative initiative as an essential part of the backbone of EU digital law enforcement. The GDPR Procedural Regulation is critical to strengthening the currently flawed effectiveness of the EU’s data protection framework and fostering a fair digital ecosystem.
  2. Revisit problematic provisions and preliminary trilogue agreements. Current draft texts, particularly Articles 5, 19 and 21, seem to include loopholes that would risk perpetuating inefficiencies and abuses, notably regarding the asymmetry between individual complainants and powerful companies. These must be addressed to create a robust framework.
  3. Keep in mind the law’s objectives: ensuring procedures that are shorter, efficient, and rights-respecting. However, be also wary of provisions that may appear beneficial in theory by streamlining processes but risk becoming unworkable in practice, ultimately creating bureaucratic deadlock and further eroding individuals’ rights, such as Articles 11 to 16 and the proposed Article 6bis.
  4. Allow sufficient time for negotiations and consult with experts. Rushing this process, as we have seen thus far, risks compromising the Regulation’s integrity and effectiveness, particularly in safeguarding rights. In procedural law, every detail matters and must properly interact with each other. The implications of each provision must be carefully evaluated. Legal clarity and consistency are essential for a successful outcome.
  5. Strengthen safeguards for data subjects in cross-border cases. The Regulation must guarantee consistent, timely, and rights-respecting enforcement across the EU/EEA, restoring trust in GDPR mechanisms and ensuring full respect of the Charter of Fundamental Rights. This includes securing a symmetrical right to be heard and equal access to case files for both parties.

The GDPR Procedural Regulation represents a critical opportunity to correct course and establish a framework that holds companies accountable while safeguarding individuals’ fundamental rights. This is an opportunity to address criticisms of the GDPR’s effectiveness, which Big Tech companies are exploiting to perpetuate data infringements that cause significant harm across societies.

We call on you, as negotiators, to seize this moment to craft a regulation that prioritises individual rights over corporate convenience. Failure to do so would not only weaken the GDPR but undermine the EU’s entire digital acquis and embolden further violations. Strengthening this Regulation will send a powerful message: the EU remains resolute in its commitment to upholding fundamental rights, and the rule of law in the digital age.

The digital age stands at a critical crossroads, as does the EU’s regulatory legacy. We call on you to meet this shared responsibility with the urgency and determination it demands. The digital rights community stands ready to support this process with our technical expertise and experience, and we will be closely monitoring the decisions made in the coming months. The future of data protection—and the many fundamental rights it underpins—hangs in the balance.

Yours sincerely,

 

Signatories, in alphabetical order.

  1. Access Now
  2. Asociația pentru Tehnologie și Internet (ApTI)
  3. Aspiration
  4. Bits of Freedom
  5. Defend Democracy
  6. Deutsche Vereinigung für Datenschutz e.V. (DVD)
  7. Digital Rights Ireland
  8. Digitalcourage
  9. Državljan D / Citizen D
  10. Ekō
  11. Electronic Frontier Norway (EFN)
  12. Electronic Privacy Information Center (EPIC)
  13. European Center for Not-For-Profit (ECNL)
  14. European Digital Rights (EDRi)
  15. European Disability Forum (EDF)
  16. European Network Against Racism (ENAR)
  17. European Sex Workers’ Rights Alliance (ESWA)
  18. Homo Digitalis
  19. Irish Council for Civil Liberties (ICCL)
  20. IT-Pol
  21. Liberties (Civil Liberties Union for Europe)
  22. Lie Detectors
  23. New School of the Anthropocene
  24. noyb
  25. Panoptykon Foundation
  26. Politiscope
  27. Privacy International
  28. SHARE Foundation
  29. Statewatch
  30. Superrr Lab
  31. Vrijschrift.org
  32. Xnet, Institute for Democratic Digitalisation