The European Commission proposed on 4 July new rules to support the effectiveness and efficiency of enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. The GDPR Procedural Regulation aims to streamline cooperation between data protection authorities (DPAs), by harmonising some aspects of their administrative procedures in cross-border cases.
Does this proposal change data protection rules?
No. As we have seen, the GDPR works. The Commission’s Procedural Regulation does not affect any substantial elements of the GDPR, such as the rights of data subjects, the obligations of data controllers and processors, or the lawful grounds for processing personal data as set by the GDPR.
In its 2020 report on the application of the GDPR, the Commission found that procedural differences applied by DPAs hinder the smooth and effective functioning of the GDPR’s cooperation and dispute resolution mechanisms in cross-border cases (i.e. when there are complainants located in more than one Member State).
The Commission identified that a more harmonised approach on issues such as complaint admissibility, the exercise of due process rights, and the involvement of complainants in the procedure would improve efficiency and results for citizens, businesses and data protection authorities alike. These elements were also identified as important by the European Parliament and the European Data Protection Board (EDPB).
Does the proposal change the ‘one-stop-shop’ system?
No. The regulation fully maintains and supports this system, where individuals and organisations can deal with their local/lead DPA. Individuals reap the benefits of the ‘one-stop-shop’ system every day, by relying on their local DPA to protect their rights, no matter where the organisation processing their data is based. Businesses also benefit from the right to deal with a single Data Protection Authority.
The proposal complements the GDPR by specifying detailed procedural rules for the cross-border enforcement system – the Regulation will operate within the framework established by the GDPR. It does not alter the procedural steps provided by the GDPR, nor the roles of the actors in the cross-border enforcement procedure: complainants, the lead DPA, DPAs concerned, or the EDPB.
How do DPAs cooperate on cross-border cases?
The GDPR is enforced by independent national DPAs, as well as national courts. In cases that involve cross-border processing of personal data (processing that takes place or substantially affects data subjects in more than one Member State) the GDPR’s ‘one-stop-shop’ enforcement system applies. In such cases, the DPA where the entity under investigation is established conducts the investigation in cooperation with other relevant DPAs.
Under the GDPR, DPAs cooperate in order to reach consensus on the application of the GDPR. Where DPAs are unable to reach consensus in a cross-border case, the GDPR provides for dispute resolution by the European Data Protection Board (EDPB).
How will DPAs cooperate under this proposal?
The proposal introduces additional steps in the cooperation between DPAs to facilitate early consensus-building and to reduce disagreements later in the process which would require the use of the dispute resolution mechanism.
Early in an investigation, the lead DPA must send a ‘summary of key issues’ to their counterparts concerned in the EU. This summary identifies the main elements subject to investigation and the lead DPA’s views on the case. This will ensure that the DPAs concerned have all the necessary information to provide their views on the case at an early stage.
Should a DPA disagree with the lead DPA’s assessment, this authority can request a joint operation or mutual assistance mechanism, as provided by the GDPR. Should the DPAs still disagree on the scope of a complaint-based case, the proposal empowers the European Data Protection Board (EDPB) to adopt an urgent binding resolution to resolve such disagreement early in the process.
What does the proposal mean for complainants?
Currently, DPAs have fragmented approaches to the notion of a complaint. The proposal harmonises the elements which must be provided by complainants in cross-border cases. The DPA that receives a complaint should be responsible for determining its admissibility.
The proposal also ensures that complainants will have the same procedural rights in cross-border cases regardless of where the complaint is lodged or which DPA leads the investigation, such as the right to be heard before a decision fully or partially rejecting a complaint is adopted.
The regulation recognises the usefulness of amicable settlements by DPAs, which provide speedy resolution.
Where a DPA follows up on a complaint, complainants will be able to make their views known on the allegations against the controller or processor, and, where necessary, to access documents in the administrative file. The proposal harmonises the right of the complainant to be heard prior to the full or partial rejection of a complaint. It ensures that whenever a complaint is rejected, complainants should be able to challenge the decision in court.
What does it mean for controllers and processors under investigation?
Under the new rules, parties under investigation will have the right to be heard at key stages in the procedure, including during dispute resolution by the EDPB. The proposal also clarifies the content of the administrative file and the parties’ rights of access to the file.
The lead DPA should communicate their ‘preliminary findings’ to such parties, namely the allegations and the supporting evidence. Under the dispute resolution mechanism, the EDPB should allow the parties to exercise their right to be heard before adopting its decision.
The proposal also lays down detailed rules regarding the treatment of confidential information.
Data protection in the EU (europa.eu)
EU data protection rules empower citizens (europa.eu)
5th anniversary of the General Data Protection Regulation (europa.eu)
Source: European Commission