On July 4, 2023, the European Commission published its proposal for a regulation laying down additional procedural rules relating to the enforcement of the GDPR. The aim of the proposed Regulation is to clarify and harmonize the procedural rules that apply when EU supervisory authorities investigate complaint-based and ex officio cross-border cases (i.e., where the relevant processing conducted by a controller or processor spans multiple Member States, resulting in a “lead” authority and additional “concerned” authorities). If adopted, the Regulation will sit alongside the GDPR, complementing the existing cooperation and consistency mechanisms set forth in Chapter VII.
The GDPR establishes a “one-stop-shop” mechanism for enforcement of cross-border cases. Under this mechanism, a “lead” supervisory authority conducts the investigation and cooperates with other “concerned” supervisory authorities to reach consensus on a final decision. In the five years since the GDPR started to apply, supervisory authorities have raised various concerns with this mechanism.
Among other measures, the proposed Regulation:
- Specifies the procedural rights of parties under investigation. The proposed Regulation would grant any party under investigation the right to review and respond to the lead supervisory authority’s preliminary findings, draft decisions, and any statement of reasons for an EDPB binding decision under the GDPR Article 65 dispute resolution procedure. Under the proposed Regulation, any such party would also have access to all documents in the administrative file, excluding correspondence and “exchange of views” between supervisory authorities, once the lead authority notifies the party of its preliminary findings. Importantly, the proposed Regulation provides that a party under investigation must indicate if any of the information it submits is confidential, and provide a separate non-confidential version of the submission. This version would be made available to the complainant.
- Details the rights and obligations of complainants. The Annex to the proposed Regulation comprises a template form, which specifies the information that must be included in a complaint, and precludes Member States from requiring additional information. The proposed Regulation also grants complainants the right to be heard at various stages of the investigative process, including if the lead supervisory authority or European Data Protection Board intends to reject their complaint in full or in part.
- Clarifies the roles of various supervisory authorities. The proposed Regulation clarifies the roles of the different lead supervisory authorities involved in any proceeding. For example, the proposed Regulation specifies when a supervisory authority that originally received a complaint is responsible for certain matters (e.g., communicating with the complainant). The proposed Regulation also sets out the specific stages of the investigation at which the lead supervisory authority must update the concerned supervisory authorities, with the aim of ensuring early and ongoing cooperation between authorities and avoiding, where possible, triggering the dispute resolution procedure in Article 65 GDPR. For example, once a lead supervisory authority has reached a preliminary view in an investigation, it must provide the other authorities a “summary of key issues” that sets out the relevant facts, the scope of the investigation, any “complex legal and technical assessments”, and potential corrective measures, which other supervisory authorities have four weeks to comment upon.
- Details the procedure for dispute resolution. The proposed Regulation sets out more detail on the GDPR’s existing dispute resolution procedures. It specifies the documents that the lead supervisory authority must provide when it submits a draft decision to the cooperation procedure and / or requests a decision from the Board (including an “urgent” decision or opinion under Article 66 GDPR) and specifies timelines. It also requires the Chair of the EDPB to prepare a “statement of reasons” for any binding decision the Board makes, on which the parties under investigation and / or complainant will have one week (or two weeks where the Board has extended its own deadline for adopting a binding decision from one month to two months in complex cases) to give their views.
The Commission first announced its intention to harmonize these procedural aspects of the GDPR in its Work program for 2023, in reaction to its 2020 implementation report on the GDPR (see our previous blog post). In October 2022, the EDPB published its own “wishlist” of procedural matters to be harmonized at the EU level.
* * *
This proposed Regulation is at the start of the European legislative process. The European Parliament and Council of the EU will each now develop their own positions on the proposed Regulation, before engaging in negotiations across the three institutions to finalize the text. The Covington team will continue to monitor developments on these proposals, and we are happy to assist clients if they have queries.