On 4 July 2023, the European Commission unveiled a new legislative proposal aimed at enhancing the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. The proposed GDPR Procedural Regulation is designed to bolster cooperation between data protection authorities (“DPAs”) by standardizing certain administrative procedures for cross-border cases. Importantly, this proposal does not entail changes to the core data protection rules themselves. The GDPR’s fundamental elements remain unaffected and intact as established by the GDPR.
The need for this procedural regulation stems from the 2020 report on the application of the GDPR, where the European Commission identified differences in procedural approaches among DPAs that hindered the efficient functioning of cooperation and dispute resolution mechanisms in cross-border cases. The proposed changes aim to address these discrepancies and improve efficiency, benefiting citizens, businesses, and data protection authorities alike.
Notably, the 'one-stop-shop' mechanism, which allows individuals and organizations to engage with their local/lead DPA for data protection matters, remains unchanged and fully supported by the regulation. This system enables individuals to rely on their local DPAs to protect their rights, regardless of the location of the processing organization. Similarly, businesses continue to benefit from the streamlined process of dealing with a single Data Protection Authority.
The GDPR Procedural Regulation complements the existing GDPR framework by specifying detailed procedural rules for cross-border enforcement. It does not alter the procedural steps outlined in the GDPR or the roles of the various actors involved in cross-border enforcement, including complainants, the lead DPA, concerned DPAs, and the European Data Protection Board (“EDPB”).
The proposed changes emphasize the use of a standardized form for lodging complaints. This approach aims to create a consistent and structured process for complainants across the European Union. The completeness of the form would undergo evaluation by the relevant DPA. Key factors such as the gravity of the alleged breach and its systemic or repetitive nature would be taken into account during the assessment.
In terms of DPAs' cooperation in cross-border cases, the proposed regulation introduces additional steps to facilitate early consensus-building and reduce potential disagreements that may necessitate dispute resolution. A noteworthy addition is the potential for amicable solutions in resolving complaints. This suggests that parties involved might be able to find mutually agreeable resolutions, thereby expediting the complaint-handling process. However, complainants would retain the right to object if they disagree with the proposed resolution.
For entities under investigation (controllers and processors), the proposal introduces clearer rights to be heard at key stages of the procedure, including during EDPB-led dispute resolution. Additionally, complainants may request access to non-confidential documents utilized by authorities during their assessment. This provision enhances transparency and empowers complainants with a deeper understanding of the investigation.
Efficient cooperation among data protection authorities is central to the proposal's objectives. The leading privacy authority responsible for a particular case will collaborate closely with other relevant authorities. For scenarios where disputes persist even after the initial decision and objections, a structured dispute resolution mechanism comes into play. The parties involved are allotted a specific timeframe within which they can present their responses to the arguments.
In summary, the European Commission's comprehensive proposal represents a concerted effort to optimize complaint handling and dispute resolution within the GDPR framework for cross-border cases. By introducing standardized procedures, enhancing complainant rights, and promoting collaborative cooperation, the proposal aims to streamline processes and deliver more efficient outcomes that benefit citizens, businesses, and data protection authorities alike.