Europe Daily Bulletin No. 13215
SECTORAL POLICIES / Digital

GDPR, European Commission wants to facilitate cooperation between data protection authorities

On Tuesday 4 July, the European Commission presented a proposal for a Regulation aimed at harmonising certain administrative procedures relating to the application of the General Data Protection Regulation. Objective: to facilitate cooperation between national data protection authorities (DPAs) in cross-border cases. 

“We want to ensure quicker decisions, also in complex cases [and] at the same time, decisions need to be robust and well-resourced to stand the scrutiny of the Court [of Justice of the EU] and the rights of the parties involved need to be respected”, summarised Commissioner for Justice Didier Reynders.

Facilitating consensus

To reduce disagreements between DPAs at an early stage in the investigation of a cross-border case, the new rules will require the “lead” authority, which guides the investigation, to provide a “summary of key points” to the other DPAs involved. 

It should contain the main points covered by the investigation and the opinion of the “lead” authority. The other authorities concerned will then have time to communicate their own position. “This will reduce the likelihood of disagreements later in the procedure, which would require the use of dispute resolution” and therefore speed up the whole procedure, concluded Mr Reynders.

In this sense, while currently some challenges only emerge after the publication of a draft resolution, “consensus on key issues between DPAs, such as the scope of the investigation in a complaint-based case, will have to be reached earlier in the procedure”, he added. If necessary, the European Data Protection Board (EDPB) can resolve the disagreement by adopting an “urgent binding decision”. 

Complainants’ rights

In addition, the proposed Regulation aims to harmonise the requirements for the admissibility of a cross-border complaint. “In practice, this means that we will no longer have situations where a complaint is sent back because the ‘lead’ authority assesses complaints differently than the authority which received the complaint”, the Commissioner summarised. 

In addition, the Commission believes that the rules will ensure that complainants are “duly” involved in the process and have the same rights, regardless of where the complaint is made or which DPA is the “lead” DPA.

In concrete terms, they will be able to be heard before a complaint is rejected and to challenge this rejection in Court. “When a DPA follows up a complaint, complainants will also have the opportunity to express their opinion on the allegations made against data controllers and processors”, added Mr Reynders.

Rights of parties under investigation

At the same time, the Commission’s proposal confers and clarifies the rights of parties under investigation, i.e. data controllers or processors.

Specifically, they will be able to be heard at “key stages of the procedure”, in particular before the EDPB adopts a decision in a dispute settlement.

The proposal also clarifies the content of the administrative file and the right of the parties under investigation to access it. The “lead” authority will also have to communicate its preliminary conclusions to them, notably the allegations against them and the corresponding evidence. 

According to the Commission, as these entities risk potentially severe penalties, they must “benefit from guarantees similar to those provided for in criminal proceedings”.

No “reopening” of the GDPR

Finally, the Commissioner stressed that the proposed Regulation responds to the concerns of DPAs and the conclusions of the Commission’s 2020 report on the GDPR (see EUROPE 12513/10). It is not a question of reopening the general Regulation or calling into question the principle of the “one-stop-shop”, he insisted.

While the Commission will publish a new assessment of the GDPR in May 2024, “it will be the occasion to discuss all the different aspects of the GDPR”, such as a possible strengthening of the EDPB secretariat and the “one-stop shop” principle, Mr Reynders added.

Mixed reactions

Despite the Commission’s arguments, the new rules have struggled to convince. 

CCIA Europe, which represents the interests of the technology industry, felt that despite “minor improvements”, the proposal did not address “the most pressing procedural shortcomings” in the general Regulation. In addition to insufficient reinforcement of the “one-stop shop” principle, it deplores the fact that companies are given too little time to respond to allegations made against them, and that they are unable to appeal against EDPB decisions.

On the contrary, noyb, the association run by data protection advocate Max Schrems, believes that we are shifting from “a procedure about the rights of users to a procedure about the rights of companies”, given that the latter will be able to be heard “throughout the procedure and [will get] access to the case files”.

Finally, while the European office of the Association of Privacy Professionals admitted that a “resolution of procedural divergences could make cross-border application of the GDPR more coordinated, harmonised, transparent and predictable”, it called for caution. “One area to watch will be Member States’ reactions as they may have to concede significant changes to their national systems, which could in turn have ripple effects in other areas of law beyond data protection”, explained Isabelle Roccia, Director General.

On the same day, the Court of Justice of the EU also handed down a judgment on Meta, holding that competition authorities may assess compliance with the GDPR when investigating an abuse of a dominant position (see other news).

The draft Regulation: https://aeur.eu/f/7wc (Original version in French by Hélène Seynaeve)
