The European Commission (EC) presented an initiative to adopt rules complementing the ones enshrined in the General Data Protection Regulation (GDPR). According to plans of the EC, a supplementary regulation with additional procedural rules for cross-border cases shall be adopted. A corresponding proposal for a regulation has already been published.
We explain the planned changes and indicate whether companies can expect relief.
Background of the initiative
The EC regularly evaluates legislative acts of the European Union (EU). In doing so, the EC examines, in particular, whether such legal acts are still up to date, what effect they have in practice and whether any adjustments are necessary.
In accordance with Art. 97 GDPR, the first evaluation of the GDPR was completed in May 2020 (the next evaluation is planned for 2024).
The first evaluation confirmed that the GDPR remains fit for the digital age and that it has strengthened data subject rights. Furthermore, the report indicated that while data protection authorities are using their extended corrective powers – i.e., their powers to respond to GDPR violations through measures such as warnings or reprimands, or by imposing an administrative fine – there is still room for improvement regarding the cooperation among European data protection authorities.
The EC shied away from opening Pandora’s box and addressing this problem directly in the GDPR, but is willing to do so in a separate regulation (the so-called GDPR Procedural Regulation).
The fact that the cooperation of the European data protection authorities is not always optimal has also become apparent in several proceedings, above all in the proceedings against Meta Platforms Ireland (Facebook). In these proceedings, the competent supervisory authority, the Irish Data Protection Commission, delayed its decision and even intended to entirely refrain from imposing a fine. Backlash from other European supervisory authorities and a binding decision of the European Data Protection Board were necessary to conclude the proceedings against Meta with the highest fine under the GDPR thus far.
What rules does the draft regulation provide for?
The proposal for the GDPR Procedural Regulation aims to improve cross-border cooperation among supervisory authorities. The substantive provisions of the GDPR – such as those relating to data subject rights or the obligation to maintain a record of processing activities – remain intact.
In other words, should the new GDPR Procedural Regulation be adopted, businesses and data subjects will only notice it if they are involved in cross-border proceedings before a supervisory authority or wish to initiate such proceedings. Cross-border proceedings are proceedings that concern processing operations with a link to more than one EU Member State.
The proposed GDPR Procedural Regulation contains a number of procedural rules for such proceedings, which are characterised by the need for cooperation between the lead supervisory authority and the other supervisory authorities concerned.
For example, with the GDPR Procedural Regulation, a complaint form setting out the minimum content requirements for a complaint shall be established. The proposal clarifies that no additional information may be required for the admissibility of a complaint.
According to the proposal for the GDPR Procedural Regulation, the lead supervisory authority should regularly update the other supervisory authorities concerned about the investigation and provide them with all relevant information relating to it. The subsequent cooperation between the authorities is regulated in detail as well. The aim is to reach an agreement between the authorities as quickly as possible, thereby speeding up cross-border proceedings.
Furthermore, the proposed regulation provides for the right of the complainant to be heard if his or her complaint is to be rejected in whole or in part. The opposing party is to be given the right to be heard at important stages of the proceedings. In addition, the GDPR Procedural Regulation governs the parties’ access to the administrative file and the treatment of confidential information.
Lastly, the possibility shall be introduced to settle proceedings through an amicable settlement. In such a case, the dispute is settled through an agreement between the parties. According to the proposal, if the complainant does not object to the amicable settlement proposed by the supervisory authority within one month, it shall take effect, while the complaint shall be considered withdrawn.
The EC recognised the problem of the often very slow enforcement of the GDPR and wants to address it. It remains to be seen whether the GDPR Procedural Regulation will have the desired effect in practice. Given that the draft regulation only concerns cross-border cases, nothing will change in the – often equally lengthy – domestic procedures.
At this stage, it is still not clear whether and in what form the proposal will be adopted by the EU legislature. As the current term of the European Parliament ends in 2024, there is only a short window for the legislative proceedings. As usual, we will keep you informed of any developments.