EDPB binding directions too broad or disregarded
Article(s) involved (national, EU, or other): Article 65.
Problem
When implementing the EDPB decision, SAs ‘must’ follow the binding directions of the EDPB. These binding directions, however, are often broadly formulated, leaving a lot of leeway to the SAs to deal with it as they wish. E.g., a higher fine, does not per se lead to a fine that is truly high enough.
The EDPB is, furthermore, not keeping an eye on the implementation of its decisions. All the SAs should do, is informing the Board about its final decision. If not followed, there is no tool in the GDPR that allows the EDPB to act (only possibilities are Commission infringement procedure, or CJEU).
Ideal Solution
EDPB should formulate its decisions in a way that leaves less discretion to the national SAs. EDPB should be able to step in when its decisions are not followed. Inspiration can be found within the SRB’s regulation: if SRB’s decision is not correctly implemented by the national authorities, the SRB can take over and directly address its decision towards the institution under resolution, see SRMR, Articles 18(9), 29(1), 28(1), 29(2).
Proposed Solution
Concepts 8 and 11 should limit this problem.