On July 4, 2023, the European Commission published its proposal for a regulation laying down additional procedural rules relating to the enforcement of the GDPR.  The aim of the proposed Regulation is to clarify and harmonize the procedural rules that apply when EU supervisory authorities investigate complaint-based and ex officio cross-border cases (i.e., cases where the relevant processing conducted by a controller or processor spans multiple Member States, so that one authority acts as the “lead” authority and the others as “concerned” authorities).  If adopted, the Regulation will sit alongside the GDPR, complementing the existing cooperation and consistency mechanisms set out in Chapter VII.

The GDPR establishes a “one-stop-shop” mechanism for enforcement of cross-border cases.  Under this mechanism, a “lead” supervisory authority conducts the investigation and cooperates with other “concerned” supervisory authorities to reach consensus on a final decision.  In the five years since the GDPR started to apply, supervisory authorities have raised various concerns with this mechanism.

Among other measures, the proposed Regulation:

  • Specifies the procedural rights of parties under investigation.  The proposed Regulation would grant any party under investigation the right to review and respond to the lead supervisory authority’s preliminary findings, draft decisions, and any statement of reasons for an EDPB binding decision under the GDPR Article 65 dispute resolution procedure.  Under the proposed Regulation, any such party would also have access to all documents in the administrative file, excluding correspondence and “exchange of views” between supervisory authorities, once the lead authority notifies the party of its preliminary findings.  Importantly, the proposed Regulation provides that a party under investigation must indicate if any of the information it submits is confidential, and provide a separate non-confidential version of the submission.  This version would be made available to the complainant.
  • Details the rights and obligations of complainants.  The Annex to the proposed Regulation comprises a template form, which specifies the information that must be included in a complaint, and precludes Member States from requiring additional information.  The proposed Regulation also grants complainants the right to be heard at various stages of the investigative process, including if the lead supervisory authority or European Data Protection Board intends to reject their complaint in full or in part.  
  • Clarifies the roles of the various supervisory authorities.  The proposed Regulation clarifies the roles of the different supervisory authorities involved in a proceeding.  For example, it specifies when the supervisory authority that originally received a complaint remains responsible for certain matters (e.g., communicating with the complainant).  The proposed Regulation also sets out the specific stages of the investigation at which the lead supervisory authority must update the concerned supervisory authorities, with the aim of ensuring early and ongoing cooperation between authorities and avoiding, where possible, triggering the dispute resolution procedure in Article 65 GDPR.  For example, once the lead supervisory authority has reached a preliminary view in an investigation, it must provide the other authorities with a “summary of key issues” that sets out the relevant facts, the scope of the investigation, any “complex legal and technical assessments”, and potential corrective measures; the other supervisory authorities then have four weeks to comment.
  • Details the procedure for dispute resolution.  The proposed Regulation sets out more detail on the GDPR’s existing dispute resolution procedures.  It specifies the documents that the lead supervisory authority must provide when it submits a draft decision to the cooperation procedure and / or requests a decision from the Board (including an “urgent” decision or opinion under Article 66 GDPR), and specifies timelines.  It also requires the Chair of the EDPB to prepare a “statement of reasons” for any binding decision the Board makes.  The parties under investigation and / or the complainant will have one week to give their views on this statement of reasons, or two weeks where the Board has extended its own deadline for adopting a binding decision from one month to two months in complex cases.

The Commission first announced its intention to harmonize these procedural aspects of the GDPR in its Work Programme for 2023, following its 2020 implementation report on the GDPR (see our previous blog post).  In October 2022, the EDPB published its own “wishlist” of procedural matters to be harmonized at the EU level.

*             *             *

This proposed Regulation is at the start of the European legislative process.  The European Parliament and Council of the EU will each now develop their own positions on the proposed Regulation, before engaging in negotiations across the three institutions to finalize the text.  The Covington team will continue to monitor developments on these proposals, and we are happy to assist clients if they have queries.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Kristof Van Quathem


Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on adopted laws, regulations and guidelines, to representing clients in non-contentious and contentious matters before data protection authorities.

Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.