PURPOSE: to lay down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR).
PROPOSED ACT: Regulation of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: in its report following two years of the application of the GDPR, the Commission noted that further progress was needed to make the handling of cross-border cases more efficient and harmonised across the EU. The report noted important differences in national administrative procedures and interpretations of concepts in the GDPR cooperation mechanism.
Procedural differences applied by data protection authorities (DPAs) hinder the smooth and effective functioning of the GDPR's cooperation and dispute resolution mechanisms in cross-border cases. These differences also have important consequences for the rights of the parties under investigation and complainants (as data subjects).
In its resolution on the Commission's 2020 report on the GDPR, the European Parliament highlighted the need to clarify the position of complainants in the case of cross-border complaints.
The proposal aims to tackle problems in the following areas:
- Complaints: DPAs have varying interpretations of the requirements for the form of a complaint, the involvement of complainants in the procedure, and the rejection of complaints. The differences mean that the treatment of complaints and the involvement of complainants vary depending on where the complaint is lodged, or which DPA is the lead DPA for a given case. As a result, they delay the conclusion of the investigation and the delivery of a remedy for the data subject in cross-border cases. In its resolution on the Commission's 2020 report on the GDPR, the European Parliament highlighted the need to clarify the position of complainants in the case of cross-border complaints.
- Procedural rights of parties under investigation: the procedural rights of parties under investigation, such as the extent of the right to be heard and the right of access to the file, vary substantially across the Member States. The extent to which parties are heard, the timing of the hearing, and the documents that are provided to parties to enable them to exercise their right to be heard are elements on which Member States take varying approaches.
- Cooperation and dispute resolution: experience in the enforcement of the GDPR in cross-border cases shows that there is insufficient cooperation between DPAs prior to the submission of a draft decision by the lead DPA. Lack of sufficient cooperation and consensus-building on key issues in the investigation at this early stage has resulted in the submission of numerous cases to dispute resolution.
The proposal aims to address these issues by specifying procedural rules for certain stages of the investigation process in cross-border cases, thereby supporting the smooth functioning of the GDPR cooperation and dispute resolution mechanisms.
CONTENT: the proposed regulation aims to address the disparity in procedural approaches followed by DPAs, by harmonising certain aspects of the administrative procedure applied by DPAs when implementing the GDPR. It establishes procedural rules for the handling of complaints and the conduct of investigations, both complaint-based and ex officio, carried out by supervisory authorities in the cross-border application of the GDPR. Its main elements are as follows:
Form of complaints and position of complainants
The proposal:
- provides a form specifying the information required for all complaints under Article 77 GDPR concerning cross-border processing and specifies procedural rules for the involvement of complainants in the procedure, including their right to make their views known;
- specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles of the lead DPA and the DPA with which the complaint was lodged in such cases. It recognises the importance and the legality of amicable settlement of complaint-based cases.
Targeted harmonisation of procedural rights in cross-border cases
The proposal provides the parties under investigation with the right to be heard at key stages in the procedure, including during dispute resolution by the Board, and clarifies the content of the administrative file and the parties' rights of access to the file. The proposal thereby strengthens the parties' rights of defence and ensures consistent observance of these rights regardless of which DPA is leading the investigation.
Cooperation and dispute resolution
The proposal:
- equips DPAs with the tools necessary to achieve consensus by giving added substance to the requirement for DPAs to cooperate and to share relevant information;
- establishes a framework for all DPAs to meaningfully impact a cross-border case by providing their views early in the investigation procedure and making use of all tools provided by the GDPR;
- entrusts the European Data Protection Board with the role of resolving disagreement by adopting an urgent binding decision in the event of disagreement between DPAs on the key issue of the scope of the investigation in complaint-based cases;
- lays down detailed requirements for the form and structure of relevant and reasoned objections raised by DPAs concerned, thereby facilitating the effective participation of all DPAs and the targeted and swift resolution of the case;
- facilitates the swift completion of the dispute resolution procedure for the parties under investigation and data subjects by laying down procedural deadlines for the dispute resolution procedure, specifies the information to be provided by the lead DPA when submitting the matter to dispute resolution, and clarifies the role of all actors involved in dispute resolution.