What’s this all about?
The European Commission has issued a “Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679” (“the EU proposal”) – Regulation 2016//679 is of course EU GPPR. This article looks at this EU proposal in brief.
What’s the background?
EU GDPR is enforced by EU country independent national Data Protection Authorities (“DPAs”) along with EU country national courts. In matters where data processing occurs, or substantially affects, so-called “data subjects” (“individuals”) in more than one EU country, the EU GDPR so-called “One-Stop-Shop” enforcement system applies. Under this enforcement system, in a given case, the DPA where the entity under investigation is based leads the investigation in co-operation with other so-called “concerned” DPAs. Under this co-operation, DPAs try to reach agreement in these cross-border cases, but, where they are unable to agree, a dispute resolution process comes into play under the auspices of the European Data Protection Board (“EDPB”).
Why is the EU proposing these procedural rules?
Further progress is needed to make the handling of cross-border cases more efficient and harmonised across the EU. The main aim of the EU proposal therefore seems to be to streamline cooperation between DPAs when enforcing EU GDPR in cross-border cases and reduce disagreements and facilitate consensus among DPAs. The EU proposal therefore sets up concrete procedural rules for DPAs when applying EU GDPR in cases which affect individuals located in more than one EU country. Further, according to the European Commission:
“For individuals, the new rules will clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process. For businesses, the new rules will clarify their due process rights when a DPA investigates a potential breach of the GDPR. The rules will therefore bring swifter resolution of cases, meaning quicker remedies for individuals and more legal certainty for businesses.”
What are the key aspects of the proposal?
Key aspects of the EU proposal can be divided into three areas and summarised as follows:
- Streamlining Cooperation and Dispute Resolution – DPAs will be able to provide their views early on in investigations, and make use of all the tools of cooperation provided by EU GDPR, such as joint investigations and mutual assistance. These provisions are to enhance DPAs’ influence over cross-border cases, facilitate early consensus-building in the investigation, and reduce later disagreements. The EU proposal specifies detailed rules to facilitate the swift completion of the EU GDPR dispute resolution mechanism, and provides common deadlines for cross-border cooperation and dispute resolution;
- Complainants’ Rights – the requirements for a cross-border complaint to be admissible are being harmonised. Common rights for complainants to be heard in cases where their complaints are fully or partially rejected are also set out. In cases where a complaint is investigated, the EU proposal specifies rules for the involvement of the complainant. A complaint may also be resolved by amicable settlement between the complainant and the parties under investigation. A cross-border complaints form will need to be used – no additional information will be required in order for the complaint to be admissible; and,
- Parties Under Investigation Rights – parties under investigation are provided with the right to be heard at key stages in the procedure, including during the EU GDPR dispute resolution mechanism process. The content of the administrative file and the parties’ rights of access to the file have been clarified – the right of access to the administrative file will not however extend to correspondence and exchange of views between the lead DPA and the “concerned” DPAs.
For the sake of clarity, the EU proposal does not affect any of the existing substantive parts (obligations, rights, sanctions etc.) of EU GDPR.
The EU proposal will now make its way through the EU legislative pipeline. At a very rough estimate it might be two years before it finally becomes fully legally adopted; note that the European Parliament elections will take place in June 2024.
What are the takeaways?
The existing way in which cross-border EU GDPR cases have been handled have met with criticism – the proof of the proposed reforms will be in the pudding. Because organisations may become involved in a cross-border matter they should follow the development of the EU proposal and ensure that they have a full understanding of the new rules when they are finally in force.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The EU proposal can be found here can be found here: https://commission.europa.eu/publications/proposal-regulation-laying-down-additional-procedural-rules-relating-enforcement-gdpr_en.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 347 2365|