Commission Proposes Procedural Rules for GDPR Enforcement in Cross-Border Cases
The General Data Protection Regulation (GDPR) enforcement process will become more efficient for data protection authorities (DPAs) through the implementation of new rules proposed by the Commission on 4 July 2023. The proposal lays forth specific procedural guidelines for authorities in situations involving persons who have a foothold in multiple Member States. The rules also seek to increase their participation and provide clarity in the complaint submission process. Businesses' due process rights will now be clearer when a data protection authority looks into a possible GDPR violation. The new Regulation harmonises the following areas:
- Rights of complaints: By harmonising the conditions according to which a cross-border complaint can be admitted, the proposal overcomes existing barriers involving DPAs, which currently have to follow different national procedural rules;
- Rights of parties under investigation: The proposed regulation introduces the possibility for the parties under investigation to be heard at key moments in the procedure, such as during dispute resolution, by the European Data Protection Board (EDPB). It also regulates access to the administrative file's contents as well as the parties' access rights to the file.
- Streamlining cooperation and dispute resolution: Early on in investigations, DPAs shall be able to voice their opinions. The proposal offers standardised deadlines for cross-border cooperation and dispute resolution as well as specific guidelines for speeding up implementation of the GDPR's dispute resolution system.
The overall goal is to support the timely completion of investigations and the delivery of swift remedies for individuals. This proposal marks the Commission's response to the feedback received after its call for evidence from a wide variety of stakeholders, including civil society and industry associations. It addresses the input from a wide range of stakeholders: the EDPB; representatives from civil society, businesses, academia; legal practicioners; and Member States. The incorporation of this input was also reiterated by Didier Reynders, Commissioner for Justice:
“[…] Today, we have come forward with this proposal to show that we can do better to have quicker and more efficient handling of cases. We have listened to the voices of the European Data Protection Board, Data Protection Authorities, civil society, and the industry. Our proposal addresses their calls and builds on our own findings to better protect Europeans’ right to privacy, provide legal certainty to businesses, and streamline cooperation between data protection authorities on the ground”.