Proposal 21
Ensure the European Data Protection Board fight actively and independently against discrimination and digital rights violations.
Detailed explanation
Provide the European Data Protection Board and each national data protection authority with sufficient funding and human resources. Make them free of conflicts of interest so that they can independently investigate and sanction digital rights violations.
Ensure the European and national data monitoring authorities fight actively against discrimination.
There are two levels of supervisory authorities for the protection of personal data:
— the national data protection supervisory authorities (DPAs), whose role is defined by Article 4 of the GDPR
— the European Data Protection Board (EDPB), whose role is defined by Articles 68 to 76 of the GDPR.
However, the national and European bodies are not sufficiently independent of the States and companies, do not have sufficient resources of their own and their scope of control remains limited.
The GDPR is a regulation and according to Art. 288 TFEU it is binding in its entirety and directly applicable in all Member States.
Art. 68 (point 3) of the GDPR defines the composition of the EDPB: all heads of a supervisory authority in each Member State and the European Data Protection Supervisor (or their respective representatives).
Chapter VI (Art. 51 to 59) refers to the national supervisory authorities. Articles 51 to 54 define the qualifications and eligibility requirements for appointment to these national authorities, but do not directly regulate the composition and selection of their members.
We therefore request that in the GDPR, the requirements for the composition of DPAs be formalized to ensure their independence from both the collecting structures and the States.
Furthermore, to guarantee this independence and effective investigative capacities, it is necessary to establish in the GDPR a minimum rate of funding of these authorities by each State (expressed in relation to the population of the country).
Another possibility would be a direct allocation of the EU's investments to guarantee the protection of personal data of all European citizens, which could be the subject of a specific plan to be integrated into the EU budget, on the proposal of the EU Commission. Article 312 of the TFEU, which defines the maximum annual amounts in the Multiannual Financial Framework (MFF), could be mobilized.
The desire to generalise 5G, and more generally digital technologies, particularly in relations with public authorities, could lead to an increase in discrimination.
Current data protection is insufficient in an Internet of Bodies and Things scenario in which all devices are collecting our data 24/7, to be processed as Big Data by artificial intelligence which has been proven to reproduce and aggravate discrimination.
Unlike individual consent, discrimination must be dealt with by an independent authority responsible for the a priori protection of data subjects.
The GDPR clearly mentions cases of discrimination as falling within the competence of supervisory authorities (points 75 and 85 of the GDPR), with reference to the CFR (in particular Articles 8, 20, 21, 33, 34, 35, 36, 38, 42).
However, these authorities have made little use of this competence, and to date do not provide any regular assessment of such discrimination, neither at national nor at European level.
We call for these laws to be implemented.
(Updated in October 2022: The Austrian organization None of Your Business (“NOYB”) filed 101 complaints on Google Analytics and Facebook Connect integrations in webpages of EU controllers. In several cases they are successful - The Italian, French and Austrian DPA has banned the use of Google Analytics.)