Systemic issues with EU data protection guidance
The EDPB isn't the EU's "privacy legislature" but it must play an important role in ensuring consistency and the faithful execution of the law
Chances are that when you google something GDPR, ePrivacy or data protection related, ICO guidance will be among the first few search results. While it isn't bad per se, I don't want it to be the first/main reference when a layperson is trying to comply with the GDPR/ePrivacy. The ICO has business-friendly (that is to say contra legem) takes on data protection law — or at best they just don't address some contentious points — and may soon fall under a different legal regime if the Data (Use and Access) Bill comes to pass.
In its place we could have the national DPAs fill that vacuum, but their guidance mostly shows up in country-specific search results, except for the DPC's, and for obvious reasons I'd rather not have them writing the primary guidance either. The obvious solution is that the EDPB needs to step up. Odds are that over two dozen DPAs doing the same thing separately will produce a worse result than all of them pooling resources into a single product (which also saves resources). Issuing guidance and ensuring consistency is one of the primary purposes of the EDPB after all.
But I think they should be doing a better job with the promotion of its guidelines and making sure that they are authoritative when it comes to interpreting the GDPR, not just read by privacy professionals and nerds (but I repeat myself).
For this to be the case, national DPAs should not duplicate its guidance but merely refer to it. They should only publish complementary guidance where it's necessary to adapt to national law and circumstances. Alternatively, each national DPA could produce consolidated guidelines that directly (copy-paste) incorporate EDPB guidelines. In any case, I think the coherence of national guidance with EDPB guidance should be a legal requirement.[1] In other words, EDPB guidance should be binding on the DPAs (in the sense that they must not duplicate it, or at least must not depart from the EDPB's direction). While EDPB guidance is presently non-binding in nature, Article 64 opinions can at least be enforced by the EDPB because the DPAs must trigger the dispute resolution mechanism in Article 65 — which does lead to a binding decision — if they do not intend to follow it in an individual case.
Whenever there's a debate, the EDPB should settle it; otherwise the GDPR objective of consistency is just words on paper and makes everything very unpredictable for controllers and data subjects. The EDPB and DPAs should act as one vis-à-vis everyone else, not as a loose coalition of (sometimes bureaucratically warring) tribes moving in different directions.
There's also a concerning rise — in my opinion at least — in the use of Article 64(2) requests for EDPB opinions by DPAs to force the EDPB to take a position (in a matter of weeks!). While opinions have their place, I think the two most recent opinions should have been guidelines to begin with. If the guidelines are supposed to come after an opinion, then that is just wasteful duplication.
Another downside of the opinions is that they (currently) don't foresee any consultation with interested stakeholders before their adoption, despite some recent ones essentially being guidelines. Therefore, where the EDPB considers that a requested opinion should really be turned into guidelines, it should ask the DPAs to withdraw the request and, whenever that doesn't happen, organize (short) consultations on the opinion and/or start simultaneous work on guidelines (that are then more or less copy-pasted into the opinion).
The EDPB should adopt a policy, an inter-institutional agreement or a memorandum of understanding with the DPAs that on new and general matters — as opposed to how to apply existing law and guidelines to specific circumstances and individual cases — guidelines should be prioritized and asked for first instead of opinions. If a DPA asks for guidelines, the EDPB should start working on them in short order, lest the DPA request an opinion. Perhaps national DPAs could even (unofficially) initiate work on (new) guidelines within the EDPB on their own and slowly get others on board until there's a majority for their adoption.
Privacy professionals are often burned out from the work, so following developments should be made easier for them, not harder. This duplication between national and EDPB guidance, opinions and guidelines, and A29WP guidance (both GDPR- and DPD-related) is really unnecessary. It's better to do something once and do it well: comprehensively consult stakeholders, come to a legal position and get to the final result quickly instead of wasting everyone's time and generating unnecessary discussion with unnecessary steps and back-and-forth.
To be more authoritative and have more of an impact, EDPB guidance itself must also be improved. While I think the EDPB usually sticks pretty close to the law, they do occasionally deviate from it by inventing obligations or exceptions that maybe aren't there or by just watering down the law (like in the recent consent-or-pay opinion). They have a reputation of being inexorable after consultations, often changing very little. While I am not suggesting the EDPB should issue guidance that is not in accordance with the law, when it comes to the more ridiculous, maximalist, extremely burdensome, unintentional or otherwise undesirable provisions or legal interpretations, I do think they could indicate a more lax enforcement policy for those provisions in that guidance, essentially saying the DPAs aren't all that serious about them. Still, it must be clear that if forced to handle a case, a DPA will have to decide on it in accordance with applicable law, but may choose smaller or insignificant sanctions for such violations where its discretion permits.
The EDPB and especially smaller DPAs like issuing their guidance (and forms) as PDF or Word documents. This isn't great for SEO and quick navigability — I don't want to download a separate document unless I expressly asked for it. While I understand that these are the tools that lots of DPA employees are used to and that allow them to collaborate, I think they should consider offering a web version of guidance as an alternative. They could even write the documentation in Markdown and then use something like Obsidian Publish or similar (wiki) tools that allow you to link to different (parts of) documents and display how the current page relates to other concepts. I understand that this might be somewhat harder to collaborate on presently, but improved tooling is on the way, and it is just something to consider for the future. This would also ideally help avoid a lot of the issues and errors that are par for the course with proprietary formats. If you've read EDPB guidelines in the past, you know what I'm talking about.
EDPB guidance also exists in a weird duality with previous A29WP guidance on the GDPR, where some A29WP documents have been superseded by those of the EDPB while others haven't been (yet). The A29WP of course also issued guidance on the Data Protection Directive (DPD), which is maintained in a (horribly outdated and half-broken) archive by DG JUST. While the DPD hasn't been relevant for years, those old documents are still referenced by the EDPB and hold, at the very least, historical value. Therefore I think they should be incorporated — as old and no longer up-to-date documents (with a warning label saying so) — into the current EDPB database.[2]
But as far as the GDPR is concerned, I think it would make sense to group the various versions of guidance related to it under a single banner (e.g. guidelines on GDPR consent), irrespective of whether they were issued by the EDPB or the A29WP.[3] As an aside, this is probably just my OCD or computer science brain talking (and I know versioning schemes differ), but I'm slightly annoyed that draft guidelines (adopted for public consultation) get assigned version 1.0 and the adopted guidelines version 2.0. They're supposed to be the same guidelines in the end (version 1.0, not 2.0), so, in software development terms, the draft guidelines are supposed to be a 'beta' release channel,[4] not a new version in and of itself. Obviously renumbering these versions would make previous references ambiguous or broken, so to avoid that, it would be best to replace the current guidance identifiers (e.g. 02/2024[5]) as well — with just a short sequential or random number that is common to all the EDPB versions and independent from the year (which also makes sense if revisions are adopted in the years that follow).
Easy access to past versions of guidelines on the same topic and legislation (even if issued by the A29WP) would also be nice. To an extent this already exists with links to versions adopted for public consultation, but I can't, for example, find version 2.0 of the guidelines on the right of access because it was replaced with version 2.1, which included some corrections (which is how x.1 versioning should work in my opinion). The EDPB website also warns you (using a red or green dot indicator) whether the version you're looking at is final or not. It would also be nice if there was an easy (perhaps GitHub-style) way to compare the differences between versions so you don't have to drop them in a compare-PDFs tool every time. This all builds towards an EDPB Lex official journal of sorts for soft law and could even be emulated (perhaps using common libraries and frameworks) by other (EU) agencies and institutions.
Building this sort of infrastructure is important in the long run as the guidelines will inevitably have to be changed more substantially (beyond 2.x versions) to respond to changing circumstances and developments in technology, case law and legislation, as was the case with the adoption of the Digital Services Act[6] and the European Electronic Communications Code, which expanded the scope of the ePrivacy Directive.
I sometimes also get the sense that there's a tendency to patch up old guidelines with new ones that have a somewhat different scope while not updating the old ones and ensuring consistency between the two. The guidelines on consent aren't even entirely internally consistent with respect to consent-or-pay, and the EDPB's legal position on the matter became even less coherent with the consent-or-pay opinion (and soon guidelines!). The EDPB would ideally amend multiple guidance documents at once to update them or resolve inconsistencies with other documents (if there are any), similar to an omnibus law that amends several laws at once.
While citing case law and doing light legal analysis within guidelines can be helpful and gives them more weight, I think in trickier cases[7] that require more extensive argumentation and research (such as studies on expected consent rates, user expectations, economic impacts and so on), it would be useful to separate the legal analysis and research from general guidelines that are supposed to be to-the-point and serve compliance. These legal opinions could thus make guidelines shorter and more to the point, while also making the lives of DPAs easier, as they could refer to a common pre-prepared document when figuring out how to resolve a certain case and justifying their decision.
I think ICO guidance is also particularly effective because it includes FAQs, 'at a glance' sections, self-serve tools and checklists which can quickly be put into practice. Here I think the EDPB is moving in the right direction, as it has produced nice compliance tools and a guide for SMEs, but at the moment I think the ICO has this better fleshed out. I think it's worth investing in this, as it means that DPAs spend fewer resources on helplines advising controllers on how to comply and helping data subjects understand their rights.
Some DPAs also produce advice — of frankly very varying quality — at the request of a controller or data subject and then publish it on their website, which can be tremendously useful when applying data protection law to very specific circumstances. Perhaps there is space to avoid duplication here as well and share (machine-translated) opinions across borders in a common EDPB register, though this would likely require a modest degree of technical (and maybe even legal) homogenization. This would also encourage those opinions to be of a higher quality — they would be read by people across the EU/EEA after all — and they could be informed by the knowledge and experience of other DPAs.
While national DPAs may see all this as taking away some of their soft law power (which is sort of true), they should also consider that this frees up resources for enforcement. But I also get the feeling that many DPAs feel like their primary job is doing their other bureaucratic tasks required by the GDPR, writing guidance, advising companies and organizing educational events. Guidelines being an EU-level issue also has the side benefit of allowing the DPAs to hide behind the EDPB on controversial topics that may draw the ire of national political leaders. If the EDPB is issuing the guidance, a national DPA can argue that it is just implementing the law as directed by the EDPB. It can thus also act as a shield for independence. Well, at least for the DPAs that think they should be independent.
Soft law should not be underestimated, as it can be the second point of reference (after the law itself) — or sometimes even the first — not only for addressees and beneficiaries of data protection law but also for the DPAs and even courts. When the EDPB decides on its own interpretation, undoing that precedent isn't always easy. After all, who are you to say the body of expert regulators got it wrong?
If by any chance someone at the EDPB is reading this: I love your work otherwise; this is just an area where I think the institution could improve, though I understand that the EDPB is also resource-constrained. Admittedly, all this frankly also seems pretty far-fetched at this time, since the DPAs sometimes even have trouble coming to an agreement on guidance, with that agreement sometimes being only the lowest common denominator position among the DPAs.
For further reading on this topic (or EDPB accountability), I'd recommend the paper "The European Data Protection Board: a (non)consensual and (un)accountable role?" by Lisette Mustert and Cristiana Santos.
[1] While not quite binding, Article 4(4) of the BEREC Regulation and Article 10(2) of the European Electronic Communications Code at least require national regulatory authorities (NRAs) under that regime to take the EU-level position of BEREC — the EDPB of telecommunication regulators — into account and to explain any deviations from it.
This might also be sufficient, as otherwise EDPB 'soft' law would be considered binding hard law on the DPAs (especially if they had to follow it in decision-making) and they would have to be afforded judicial review in EU courts. But perhaps that could also be a good way to provide legal clarification of these issues without having to bring a concrete case. This could even edge towards abstract (in abstracto — as opposed to in concreto) judicial review of EDPB 'soft' law, similar to the abstract judicial review that member state constitutional courts perform and that is inaccessible to non-privileged applicants in EU courts for secondary (hard!) EU law under the Plaumann test.
[2] Old guidance on the Data Protection Directive could be hidden by default, as it relates to legislation that is no longer applicable. In any case, if the ePrivacy Regulation or some other ePrivacy Directive replacement gets adopted, the EDPB would need a way to maintain guidance relating to similarly repealed legislation while still grouping it together with the guidance for the new legislation (as long as it's about a similar topic, such as legitimate interests under the GDPR and DPD).
[3] It doesn't seem accurate to say that the EDPB is a legal successor to the A29WP, which was more of an advisory group (akin to the High-Level Group for the Digital Markets Act) without a legal personality, while the EDPB was explicitly given one by Article 68(1) GDPR. It is however clear from Recital 139 and Article 94 GDPR that the EDPB was intended to replace the A29WP. Nonetheless, the work of the A29WP is not the EDPB's own — it's not like one institution was just renamed — and is merely 'endorsed' by it. Regardless, people treat the two bodies in the same way and I think their work belongs in the same place (even if the EDPB wants to mark A29WP documents with an 'endorsed by the EDPB' tag).
[4] Alternatively, draft guidelines are analogous to a proposal for a regulation/directive (in EU-speak) or a draft law (a bill). I suppose a pre-draft general outline of the guidelines could be considered an 'alpha' channel, as with the recent consent-or-pay stakeholder event.
[5] The keen-eyed will also have noticed how the leading zero is sometimes omitted, but this is obviously pretty irrelevant and overly pedantic.
[6] For instance, Recital 68 DSA is a side-channel interpretation of the GDPR that clarifies that only consent is a valid legal basis for processing personal data in ad targeting. Article 26(3) DSA also prohibits profiling using Article 9 GDPR personal data on online platforms, though the scope of that prohibition isn't terribly large.
[7] Such as the interaction of data protection law and intermediary liability, the application of the GDPR to artificial intelligence, or when personal data can be considered a tradable commodity and what the impacts of that are.
I'm with you on consolidation and centralizing guidance, but I don't have much faith in the EDPB as a body when it comes to this effort. The last few guidance documents/opinions have been a hot mess of maximalism and 'IDK, you guys figure it out' regulatory punting. That said, I don't know if there's a better body for this task.
Maybe more/different people doing the work?