On 4 July 2023, the EU Commission proposed a new Regulation for procedural rules to standardize and streamline cooperation between in EU Member State Data Protection Authorities (DPAs) when enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases (GDPR Procedural Regulation). The GDPR adopts a decentralized enforcement model. National EU Member State DPAs are competent to enforce the GDPR on their respective territories. However, in cases with cross-border elements, the GDPR requires all concerned DPAs to cooperate in accordance with the GDPR’s “one-stop-shop’ through cooperation and consistency mechanisms. Although these mechanisms establish key principles of cooperation and provide the basis for consistent application of the GDPR throughout the EU, the EU Commission determined more legislative action was needed to increase efficiency and harmonization of cross-border GDPR enforcement action.
Various EU institutions, officials and national DPAs have repeatedly emphasized the importance of GDPR enforcement, which they consider to be “a cornerstone of the EU digital single market and a vital piece of legislating ensuring a human-centric approach to technology”. It is also recognized that often GDPR enforcement cases are characterized by cross-border elements. Indeed, data is the lifeblood of the digital economy and key emerging technologies such as AI, and is not restricted by territorial or jurisdictional boundaries. The GDPR recently celebrated its 5th anniversary – and more cross-border enforcement and cooperation is predicted for the next 5 years. The proposal may signal a move towards a more centralized GDPR enforcement model with the European Data Protection Board (EDPB) and EU Commission playing a more prominent role.
Key takeaways of this proposed GDPR Procedural Regulation are set out below:
- Why is a new GDPR Procedural Regulation being created? The GDPR is enforced at an EU Member State national level, and so each Member State applies its own procedural and administrative rules to any GDPR enforcement procedure. This leads to procedural divergence and ultimately hinders the effective and consistent cooperation between DPAs and the application of the GDPR throughout the EU. For instance, parties’ right to be heard, access to file and other due process rights can vary from one EU Member State to another – as would, for instance, the way an individual could file a complaint with their local DPA. One of the reasons why the EU originally opted for a decentralized enforcement model was to guarantee the ‘principle of proximity’ for individuals – granting them the opportunity to reach out to their local DPA, in their local language. The GDPR Procedural Regulation does not aim to take away from this principle, but to harmonize certain procedures to benefit individuals and businesses alike.
- Who would this apply to? The new GDPR Procedural Regulation would apply to the EU Member States that are responsible for making sure that their DPAs comply and align their local enforcement procedures with the procedural rules set out in the Regulation. The proposed GDPR Procedural Regulation would not impose any regulatory obligations on (i) individuals or (ii) controllers or processors subject to the GDPR.
- When would this apply? The Regulation would only apply in enforcement cases involving cross-border processing, meaning that the processing (i) takes place in the context of the activities of the establishment of an EU controller or processor in more than one EU Member State; or (ii) substantially affects or is likely to substantially affect individuals in more than one EU Member State (e.g. where the processing may cause damage, loss or distress to individuals).
- What are the key requirements? The proposed GDPR Procedural Regulation lays down procedural rules for (i) the handling of complaints filed by individuals in relation to their processing of personal data; and (ii) the conduct of investigations (either complaint-based or ex officio i.e. on the DPA’s own initiative) by DPAs in the cross-border enforcement of the GDPR. Among other things, the GDPR Procedural Regulation would provide (i) the information to be included in a valid individual complaint; (ii) the key circumstances to be taken into account when investigating a complaint; (iii) procedural rights for the individual who filed the complaint; (iv) amicable settlement procedural rules following a complaint and rules around translations of the complaint; (v) procedural rules around cooperation between the lead DPA and other concerned DPAs and information-sharing obligations; and (iv) procedural rules for controllers and processors involved in a DPA investigation – including the right to access the file, the right to be heard and file written submissions in response to a DPA’s preliminary findings, and rules around confidentiality for documents obtained by a DPA in the context of a GDPR investigation.
- What are the proposed sanctions? The GDPR Procedural Regulation would not impose any obligations onto private actors and, as such, would not provide for any sanction mechanism.
- How does this relate to the GDPR and other EU laws? The new GDPR Procedural Regulation is different in scope and is not intended to impact the GDPR or other EU laws. The GDPR imposes substantial requirements on controllers and processors processing personal data. The GDPR Procedural Regulation would impose certain pan-EU administrative and procedural requirements for GDPR enforcement. The GDPR Procedural Regulation is not meant to impact the “one-stop-shop” (where one lead DPA takes lead for enforcement to further consistency) or other cooperation and consistency mechanisms that exist under the GDPR.
- What does this mean in practice for businesses operating in the EU? As set out above, the GDPR Procedural Regulation would not impose any regulatory obligations on businesses who are under investigation by an EU DPA for alleged GDPR infringements. It would only grant those businesses (and individuals) more rights when they are involved in an enforcement action or investigation. From that perspective, the proposal is a welcomed development for businesses and individuals alike who will benefit from a more efficient enforcement model and legal certainty.
- Would this apply in the UK? No. The GDPR Procedural Regulation is an EU regulation and, since Brexit, EU law no longer directly applies in the UK. At this time, there do not appear to be any plans to enact a similar type of legislation in the UK. Further, the UK GDPR, unlike the EU GDPR, is not enforced across multiple jurisdictions with different national administrative and procedural law regimes—so there is less need for harmonization.
What Will Happen Next
This new GDPR Procedural Regulation does not come in isolation. Recently, there has been an uptick in GDPR regulatory enforcement as well as private litigation in the EU, including respecting key concepts and principles that have been clarified and interpreted by the EU’s highest court (the EU Court of Justice or “CJEU”). This enhances the need for consistency in cross-border enforcement. The GDPR Procedural Regulation has just been proposed by the EU Commission and will now move to being considered in the relevant European Parliament committees. It will be interesting to see how the text progresses throughout the legislative review process.