(Even) Stronger enforcement of the GDPR?

1. General

On 4 July 2023, the European Commission proposed a new Regulation laying down additional procedural rules relating to the enforcement of the GDPR.[1] These new rules will support the effectiveness and efficiency of enforcement and set up concrete procedural rules for the authorities when applying the GDPR in cross-border-cases.

1.1 Background

Since the GDPR entered into force, more than 2,000 "one-stop-shop" cases[2] have been filed with the data protection authorities ("DPAs"). Seven hundred and eleven final decisions have been issued and fines of hundreds of millions of euros have been imposed on data controllers.

When conducting proceedings to enforce the GDPR, DPAs as well as national courts apply national procedural law. In cross-border-cases, i.e. if the data processing is conducted in various Member States or data subjects from different Member States are affected, the "one-stop-shop" mechanism applies. This means that the DPA of the Member State where the data controller is established acts as lead supervisory authority and is obliged to apply the cooperation mechanism between the lead supervisory authority and the other supervisory authorities concerned.[3] The lead supervisory authority therefore is entitled to request information and assistance from the other authorities concerned, while all authorities are strongly encouraged to reach consensus on the (respective national) application of the GDPR. Where DPAs are unable to agree on the application, the GDPR provides for a dispute resolution mechanism by the European Data Protection Board ("EDPB").

In its 2020 Report[4], the Commission was already able to ascertain that a smooth and effective application of the GDPR was difficult due to procedural differences in the Member States. In 2022, the EDPB issued guidelines on the application of the cooperation mechanism[5] and sent a public letter to the Commission containing a list of proposals regarding procedural aspects that could benefit from further harmonisation at the EU level. The proposals are aimed to streamline and strengthen cooperation and help to deliver a quicker remedy for data subjects.[6] This list contained, among other things: the status and rights of the parties to the administrative procedures; procedural deadlines; requirements for admissibility or dismissal of complaints; investigative powers of supervisory authorities; and the practical implementation of the cooperation procedure.

1.2 Commission's proposal

The new proposal of the Commission takes the input of various stakeholders into account and provides detailed procedural rules to ensure the smooth application of the cooperation and consistency mechanism established by the GDPR. It also aims to support the timely completion of investigations and the delivery of swift remedies for individuals, harmonising rules in the following areas:

• Rights of complainants:Standardising the requirements for a cross-border complaint to be admissible, thus removing the current obstacles created by DPAs following different national rules. It establishes uniform rights for complainants to be heard in cases where their complaints are rejected in whole or partially. In cases where a complaint is investigated, the proposal sets out rules to ensure that complainants are properly involved.
• Rights of parties under investigation (controllers and processors):Giving the parties under investigation the right to be heard at key stages of the procedure, including during dispute resolution by the EDPB, and clarifying the content of the administrative file and the parties' rights of access to the file. The proposal also lays down detailed rules regarding the treatment of confidential information.
• Streamlining cooperation and dispute resolution: Enabling DPAs to issue their views early on in investigations by sending a "summary of key issues" to the other DPAs concerned and making use of all cooperation tools provided by the GDPR, such as joint investigations and mutual assistance. These provisions will enhance DPAs' influence over cross-border cases, facilitate early consensus-building in the investigation, and reduce later disagreements. The proposal specifies detailed rules to facilitate the swift completion of the GDPR's dispute resolution mechanism and, where appropriate, provides common deadlines for cross-border cooperation and dispute resolution.

According to the Commission, the proposed rules will help individuals to clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process, help businesses to clarify their due process rights when a DPA investigates a potential breach of the GDPR, and help DPAs to smoothen cooperation and enhance the efficiency of enforcement. However, the proposal does not aim to affect any substantial elements of the GDPR, such as the rights of data subjects, the obligations of data controllers and processors, or the lawful grounds for processing personal data as set by the GDPR.

The proposal still must be adopted by the European Parliament and the Council of the European Union and thus in the EU's ordinary legislative procedure. In any case, it is to be appreciated that effective implementation measures and a more precise definition of the rights and obligations of all parties to a cross-border procedure, such as a multinational data breach, are provided for.

[1] European Commission, 4 July 2023, Proposal for a regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679; COM(2023) 348 final, 2023/0202 (COD).

[2] "Cross-border cases" or cases which affect individuals located in more than one Member State.

[3] Cf Art 60 et seq GDPR.

[4] European Commission, 24 June 2020, COM(2020) 264 final; Pursuant to Art 97 GDPR, by 25 May 2020 and every four years thereafter, the Commission will publish a report on the evaluation and review of the GDPR.

[5] EDPB, Guidelines 02/2022 on the application of Article 60 GDPR.

[6] EDPB, 10 October 2022, OUT2022 -0069.