On July 4, 2023, the European Commission (EC) published its proposal for a regulation laying down additional procedural rules for the enforcement of the EU General Data Protection Regulation (GDPR) (proposal). The proposal focuses on procedural issues relating to handling complaints and conducting investigations in cross-border cases.[1] The proposal adds to the procedural rules laid down in the GDPR and addresses certain practical issues and gaps. In particular, the proposal harmonizes at the EU level the rules on complaint admissibility, strengthens due process rights for complainants and defendants, and streamlines cooperation between supervisory authorities (SAs, i.e., national data protection authorities or DPAs). If it is eventually enacted, the proposal would be of considerable importance in facilitating the enforcement of the GDPR in cross-border cases.
Background
The GDPR provides that, in complaints involving cross-border matters, an SA will take the lead in carrying out the investigation, in cooperation with other concerned SAs. The SA that takes the lead will, in principle, be the SA of the organization’s main establishment in the EU. This is known as the GDPR’s “one-stop-shop” mechanism. If the SAs cannot reach consensus on the enforcement decision, the GDPR provides for a dispute resolution mechanism through the European Data Protection Board (EDPB), which brings together the SAs of all EU countries.
Since the GDPR came into force in 2018, SAs have handled over 2,000 such cross-border cases. In several high-profile cases, SAs failed to achieve consensus, and dispute resolution through the EDPB was far from smooth. A key issue is that SAs apply national procedural rules when enforcing the GDPR, creating a patchwork of conflicting procedures that hinder cooperation. Impediments to enforcement arising from national procedural rules may also adversely affect due process rights. The EDPB identified these concerns in a “wish list” for better GDPR enforcement, which it published on October 12, 2022. The proposal addresses input from the EDPB and feedback provided by other stakeholders during the EC’s public consultation, which was closed on March 24, 2023.
Key Takeaways
We list below the key elements of the proposal:
Next Steps
The proposal imposes new procedural rules to address shortcomings and gaps in cross-border GDPR enforcement cases. In particular, the EC aims to facilitate cooperation between SAs and clarify due process rights for complainants and companies under investigation. The proposal could substantially increase the number of complaints brought under the GDPR and make them easier to enforce in different EU Member States, and thus would have considerable importance for companies. The legislative process to formally adopt the new law is likely to take a few years, and may prove politically contentious, so approval is not assured. We are closely monitoring this initiative and will continue to update you on significant developments.
Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Laura De Boel, Yann Padova, Maneesha Mithal, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.
Joanna Juzak contributed to the preparation of this Wilson Sonsini Alert.
[1] These are cases where the data processing takes place in, or substantially affects (or is likely to substantially affect) individuals in, more than one EU country.