Dear Trilogue Negotiators,
We, the undersigned civil society organisations — drawing from direct experience as complainants in cross-border General Data Protection Regulation (GDPR) cases — write to express our concern regarding the development of the proposed GDPR Procedural Regulation, which we believe represents a missed opportunity to address long-standing enforcement challenges effectively.
As Big Tech companies revise their content policies to flout EU principles on platform accountability and openly challenge the EU legal framework, strengthening enforcement mechanisms that uphold protective legislation designed to safeguard peoples’ fundamental rights and freedoms is more critical than ever. For years, these companies have systematically undermined data protection, privacy, and other fundamental rights. All these rights are core to the EU’s foundational values of equality, non-discrimination, human dignity, freedom, and democracy enshrined in the EU Treaties and the Charter.
Yet, especially large actors with vast financial resources have been able to delay procedures for years, obstruct cases and ultimately weaken the real-life impact of the GDPR. While headline-grabbing fines create the impression of enforcement, many of these penalties remain unpaid, further undermining the GDPR’s credibility. This persistent lack of consequences allows companies to evade accountability, enabling reality to drift even further from the rules and principles of the GDPR while exacerbating harm.
This is not a new issue, but its persistence and escalation demand urgent accountability. Despite the robust framework provided by the GDPR, enforcement has fallen far short, blocking the GDPR from becoming a success in practice and enabling corporations to operate with practical impunity. The GDPR Procedural Regulation offers a rare and critical opportunity to address these limitations and ensure meaningful accountability and real ways for people to claim their rights. At the same time, it can make a significant contribution to the EU’s new priority of becoming ‘simpler and faster.’
We are concerned that the ongoing negotiations are missing a crucial opportunity to establish a robust and stable enforcement procedure. There is a risk of producing a compromised text that not only fails to deliver the necessary reforms but may also introduce new vulnerabilities for abuse, further weakening people’s ability to exercise their GDPR rights. Without a well-designed procedure, individuals will lack the practical means to enforce the rights that the law is meant to guarantee. A rights-focused enforcement of the GDPR is essential for safeguarding human rights across diverse areas — including employment, education, welfare, and migration — and is critical to realising the EU’s vision of a rights-respecting digital future.
The Regulation is far more than a procedural update; the GDPR is the backbone of the EU’s digital rulebook, serving as a cornerstone of its digital policy and beyond. The law is designed to streamline, harmonise, and accelerate GDPR enforcement in cross-border cases, addressing long-standing delays and inconsistencies. At the root of these issues are uncertainties in certain GDPR provisions, systemic inaction by some Data Protection Authorities (DPAs) and the exploitation of these weaknesses by tech companies. These failures have eroded public trust in the GDPR’s enforcement mechanisms and allowed individuals’ rights to be undermined on a massive scale.
We have long advocated for stronger, rights-centred enforcement of the GDPR and welcomed many elements of the Council’s General Approach and the European Parliament’s report. However, the early stages of trilogue negotiations have surfaced deeply troubling compromises that seem to make the procedure more complex. This could further undermine accountability, disempower individuals and collectives, and leave unresolved issues or even risk codifying existing problems. The process so far seems not to have received the attention and scrutiny it deserves. This is not only a missed opportunity to strengthen the protection of people’s rights but also risks inviting countless new disputes before DPAs, national courts, and the Court of Justice of the European Union if the text lacks sufficient robustness, potentially undermining the EU’s reputation.
We urge you to:
- Prioritise this legislative initiative as an essential part of the backbone of EU digital law enforcement. The GDPR Procedural Regulation is critical to strengthening the currently flawed effectiveness of the EU’s data protection framework and fostering a fair digital ecosystem.
- Revisit problematic provisions and preliminary trilogue agreements. Current draft texts, particularly Articles 5, 19 and 21, seem to include loopholes that would risk perpetuating inefficiencies and abuses, notably regarding the asymmetry between individual complainants and powerful companies. These must be addressed to create a robust framework.
- Keep in mind the law’s objectives: ensuring procedures that are shorter, efficient, and rights-respecting. However, be also wary of provisions that may appear beneficial in theory by streamlining processes but risk becoming unworkable in practice, ultimately creating bureaucratic deadlock and further eroding individuals’ rights, such as Articles 11 to 16 and the proposed Article 6bis.
- Allow sufficient time for negotiations and consult with experts. Rushing this process, as we have seen thus far, risks compromising the Regulation’s integrity and effectiveness, particularly in safeguarding rights. In procedural law, every detail matters and must properly interact with each other. The implications of each provision must be carefully evaluated. Legal clarity and consistency are essential for a successful outcome.
- Strengthen safeguards for data subjects in cross-border cases. The Regulation must guarantee consistent, timely, and rights-respecting enforcement across the EU/EEA, restoring trust in GDPR mechanisms and ensuring full respect of the Charter of Fundamental Rights. This includes securing symmetrical right to be heard and equal access to case files for both parties.
The GDPR Procedural Regulation represents a critical opportunity to correct course and establish a framework that holds companies accountable while safeguarding individuals’ fundamental rights. This is an opportunity to address criticisms of the GDPR’s effectiveness, which Big Tech companies are exploiting to perpetuate data infringements that cause significant harm across societies.
We call on you, as negotiators, to seize this moment to craft a regulation that prioritises individual rights over corporate convenience. Failure to do so would not only weaken the GDPR but undermine the EU’s entire digital acquis and embolden further violations. Strengthening this Regulation will send a powerful message: the EU remains resolute in its commitment to upholding fundamental rights, and the rule of law in the digital age.
The digital age stands at a critical crossroads, as does the EU’s regulatory legacy. We call on you to meet this shared responsibility with the urgency and determination it demands. The digital rights community stands ready to support this process with our technical expertise and experience, and we will be closely monitoring the decisions made in the coming months. The future of data protection — and the many fundamental rights it underpins — hangs in the balance.
Signatories
- Access Now
- Asociația pentru Tehnologie și Internet (ApTI)
- Aspiration
- Bits of Freedom
- Defend Democracy
- Deutsche Vereinigung für Datenschutz e.V. (DVD)
- Digital Rights Ireland
- Digitalcourage
- Državljan D / Citizen D
- Ekō
- Electronic Frontier Norway (EFN)
- Electronic Privacy Information Center (EPIC)
- European Center for Not-For-Profit (ECNL)
- European Digital Rights (EDRi)
- European Disability Forum (EDF)
- European Network Against Racism (ENAR)
- European Sex Workers’ Rights Alliance (ESWA)
- Homo Digitalis
- Irish Council for Civil Liberties (ICCL)
- IT-Pol
- Liberties (Civil Liberties Union for Europe)
- Lie Detectors
- New School of the Anthropocene
- noyb
- Panoptykon Foundation
- Politiscope
- Privacy International
- SHARE Foundation
- Statewatch
- Superrr Lab
- Vrijschrift.org
- Xnet, Institute for Democratic Digitalisation