Digital Marketing and Advertising Association Calls for a Harmonised Cross-border Complaints Process
Brussels, 17th January, 2023 - IAB Europe, representing a diverse membership of digital marketing, digital advertising, and media companies, has communicated its strong concerns to Members of the European Parliament (MEPs) regarding the draft report on the GDPR procedural regulation by the Civil Liberties, Justice and Home Affairs (LIBE) Committee.
The draft report, if implemented in its current form, falls short of the initial ambitions to harmonise procedural rules, which could hinder a consistent and fair GDPR cross-border complaints process for all organisations. In the letter sent today, IAB Europe encourages Members of the European Parliament to consider six key recommendations to address these concerns. These include keeping the administrative nature of cross-border complaints; respecting the GDPR governance model; enabling early resolution; respecting the confidentiality of business information; harmonising the defendant's right to be heard; and including flexible time limits for the defendant's views.
In the letter to MEPs, IAB Europe underscores the importance of addressing these concerns to harmonise and streamline GDPR procedural rules in cross-border cases, ensuring a fair, predictable, and efficient resolution process. The full letter can be seen below and accessed here.
Dear Member of the European Parliament,
IAB Europe, representing a diverse membership of digital marketing, digital advertising and media companies, would like to express their strong concerns to the draft report on the GDPR procedural regulation by the Civil Liberties, Justice and Home Affairs (LIBE) Committee. If implemented as it is, the draft report will fall short of the initial ambitions to harmonise procedural rules, and ensure that the GDPR complaints process is consistent, predictable and fair for all organisations and results in simple, fast and efficient resolution for consumers.
As the LIBE Committee is looking to agree on a common position on the GDPR procedural regulation, IAB Europe encourages MEPs to consider the recommendations below.
The new rights of ‘equality of arms’ and ‘to be heard’ for complainants, introduced by the draft report, increase the risk of turning what has been an administrative procedure into an adversarial one instead. While the draft report proposes to align some of the procedural protections to “all parties”, it also reinforces the rights of the complainants while at the same time hollowing out some of the procedural protections proposed in the initial draft to the investigated parties. The combination of all these proposals makes the draft report imbalanced leading to a flagrant absence of the rights of defence for any investigated party.
This approach will slow down the process to the detriment of all parties and will fall short of the initial ambition of the legislation to make the cross-border complaints process more consistent, swift and efficient. This will also undermine the independence of Lead Supervisory Authorities (LSA) as enshrined in the GDPR.
The draft report provides the EDPB with new powers to weigh in on disputes regarding procedural issues and to carry out factual investigations under the dispute resolution procedure. It also allows the EDPB to adopt binding decisions under the urgency procedure, which would be applicable to all member states. These proposals are in direct conflict with the role and authority of the LSA under articles 56 and 60 of the GDPR and this cannot be supplanted. We urge the co-legislators to reject these proposals which could further undermine the GDPR’s cornerstone one-stop-shop mechanism by redistributing decision-making and administrative competence from the LSA to the EDPB.
The European Commission’s proposal sets out clear opportunities for the defendant to express their views during the administrative procedure. However, the LIBE draft report, which would give a right to be heard to parties ‘before any measure is taken that would adversely affect’ the parties, is unclear. The text also allows supervisory authorities to limit this right to be heard under their national procedural law. Potential restrictions on the right to be heard at national level and vague concepts, such as “adversely affect”, will create legal uncertainty and increase the risk of diverging interpretation and application across member states. IAB Europe urges the colegislators to respect the defendant’s right to be heard as a fundamental right to defence during clearly defined stages in the process, to ensure a fair, predictable and harmonised procedure. Furthermore, the proposed deletion of Article 24 would remove a key requirement for parties to be heard before the European Data Protection Board (EDPB).
The draft report requires the supervisory authorities to set “reasonable” time limits for providing views, which should not exceed four weeks. While the introduction of “reasonable” time limits is very welcome, we advise against a strict deadline, which will not be flexible enough to accommodate complex cases. Time limits should be proportionate depending on the complexity of each case. This is key to ensure that defendants have enough time to share their views, especially when the case is complex.
The draft report deletes all measures from the Commission proposal to protect defendants’ confidential information. In particular, the text grants complainants full access to all documents about the case except ‘internal deliberations’. It also removes the provision that would prevent complainants from using the preliminary findings for purposes other than the concrete investigation.
These proposals would increase the risk of media leaks, which could influence the decisions from supervisory authorities, and therefore undermine their independence and the overall integrity of the administrative procedure. We urge the co-legislators to respect current practices regarding defendants’ confidentiality and ensure, as far as possible, the effectiveness of sanction mechanisms across Europe in case of confidentiality breaches.
The draft report increases transparency and opportunities for organisations to receive complaints at an early stage in the process and directly resolve them. This is very welcome. However, the report proposes stricter conditions for the parties to settle unresolved cases via the amicable resolution process. In cases where the organisation and the complainant agree, the text would require the supervisory authority to launch its own investigation under broad and vague conditions and with no clear threshold for initiating the investigation. This proposal introduces uncertainty and unpredictability and could result in arbitrary decisions. We urge the co-legislators to remove these barriers to the use of amicable settlements in non-contentious cases that do not pose systemic threats to EU citizens’ fundamental rights. This approach would ensure that LSAs focus their resources on the most pressing and egregious cases.
Thank you for considering these concerns and taking the arguments mentioned above into account, in order to harmonise and streamline GDPR procedural rules in cross-border cases.