Reforms to GDPR Procedural Rules

Empowering Data Protection: European Commission proposes comprehensive reforms to GDPR enforcement

In a significant move aimed at strengthening data protection measures, the European Commission has proposed a comprehensive proposal for a new regulation laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (Proposal). This initiative follows the European Data Protection Board’s (EDPB) recommendations, and responds to their call for legal harmonisation to address obstacles in cross-border cooperation. Sorainen senior associate Jūlija Terjuhana was invited to serve as advisor to rapporteur Katrina Zarina, who led the work on the European Economic and Social Committee’s opinion on this proposal. In late November, the opinion received a vote from the Section for the Single Market, Production and Consumption (INT).

In April 2022, the EDPB adopted a statement, signalling its enduring commitment to close cross-border cooperation. While the EDPB has taken important steps to promote cooperation and swift enforcement, certain obstacles in the EU member states require legal harmonisation. To this end, the EDPB identified a list of procedural aspects that could benefit from further harmonisation. In response, the European Commission proposed the GDPR Procedural Regulation, which addresses significant challenges faced in the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. By consolidating procedures, harmonising admissibility requirements, and reinforcing cooperation mechanisms, the regulation aims to foster efficient cooperation between national Supervisory Authorities (SAs) while ensuring the protection of data subjects’ rights.

Submission and handling of complaints

To simplify the complaint process, a standardised form for cross-border complaints has been proposed, ensuring consistent communication for individuals across different member states. This change aims to enhance accessibility and clarity for those filing complaints under Article 77 of the GDPR.

Cooperation between SAs in cross-border cases

Furthermore, the proposed framework introduces measures aimed at enhancing collaboration between SAs. The Proposal suggests the mandatory sharing of relevant information between SAs to promote a comprehensive understanding of cases among the involved SAs. Additionally, the lead SA will be responsible for providing a summary of key issues to concerned SAs, encouraging early collaboration and consensus-building.

Moreover, the Proposal outlines a structured process for resolving disagreements among SAs and handling complaints. In cases of disagreements, SAs will be obligated to participate in organised discussions. Furthermore, the proposed transparency standards mandate detailed reasons for the rejection of complaints be provided to complainants, and they are afforded the opportunity to respond. Complainants will also have access to non-confidential preliminary findings, allowing them to contribute their insights.

Ensuring fair participation and access to information

Notably, the Proposal underscores the importance of fairness in the investigative process. Complaints will undergo thorough and standardised evaluation, guided by clear protocols for SA to ensure uniform handling. The parties under investigation will be provided with chances to express their viewpoints. Additionally, the Proposal provides access to information, enabling parties under investigation to access the relevant administrative file after receiving preliminary findings.

Specifically, according to proposed Article 14, when the lead supervisory authority intends to submit a draft decision regarding potential infringement of the GDPR to other supervisory authorities concerned, it must present the preliminary findings to the parties under investigation, and parties are to be given an opportunity to respond in writing within the set time limit. The lead supervisory authority must consider these responses before making a decision.

Similarly, in accordance with Article 15, in case of complaints, the supervisory authority with which the complaint was filed must share a non-confidential version of the preliminary findings with the complainant. The complainant then must be granted the right to submit in writing observations on the preliminary findings within the set time limit.

Additionally, in accordance with the proposed Article 17, the parties will be granted the right to be heard in relation to the revised draft decision. If the supervisory authority considers that the revised draft related concerns aspects on which parties should have the opportunity to express their views, it will allow parties to make their views known on such new aspects within the set time limit.

Safeguarding confidentiality and efficient dispute resolution

In its approach to navigating the balance between transparency and data protection, the regulation offers explicit rules for recognising and preserving the business secrets or other confidential information of any person.

Additionally, the proposed framework provides a systematic process for resolving disputes in cases when the lead supervisory authority does not recognise relevant and reasoned objections or is of the opinion that the objections are not relevant or reasoned. In these cases, the matter is referred to a structured resolution mechanism.

Joint opinion of the EDPB and the EDPS regarding the proposed regulation

Submission and handling of complaints

In a jointly expressed opinion, the EDPB and the European Data Protection Supervisor (EDPS) urge the European Commission to go further and provide for exhaustive harmonisation of admissibility requirements, which would pre-empt conflicting national admissibility requirements. Notably, the EDPB and the EDPS argue that certain requirements – namely proof of identity, signature and telephone number – impose unnecessary barriers for complainants and should be removed from the complaint form. The EDPB and EDPS also add that it is possible that local and cross-border complaints could be subject to different information requirements in order for their complaint to be deemed admissible, depending on whether the case at hand concerns cross-border processing or not.

Cooperation between SAs in cross-border cases

The EDPB and EDPS recognise that these changes hold the potential to unlock more efficient cooperation, but emphasise that these requirements will apply to all cases (including non-complex ones) and that it is thus important not to overburden SAs by allowing leading SA to follow a proportionate approach, and also suggests clarifying the content of the “summary of key issues”.

Ensuring fair participation and access to information

The EDPB and EDPS have expressed the view that the “preliminary findings” addressed to the parties under investigation, as well as the “preliminary view” to reject the complaint should be shared with SAs concerned before they are submitted to the parties under investigation and the complainant.

Next steps

The Proposal must be approved by the European Parliament and the Council. It will enter into force on the twentieth day following its publication in The Official Journal of the European Union.