European Commission adopts new rules on enforcement of the GDPR in cross-border cases

July 6, 2023

SCL readers will be aware that the GDPR is enforced by independent national data protection authorities (DPAs) as well as national courts. If cases affect data subjects in more than one member state, the GDPR’s “one-stop-shop” enforcement system applies. This means that the DPA where the entity under investigation is based conducts the investigation in cooperation with other DPAs. DPAs aim to agree a common approach in cross-border cases, but if they cannot, the European Data Protection Board gets involved. Examples have included a couple of recent cases conducted by the Irish Data Protection Commission.

When enforcing the GDPR, DPAs apply national procedural rules. This can hinder the smooth and effective functioning of the GDPR’s cooperation and dispute resolution mechanisms. In October 2022, the EDPB sent the Commission a “wish-list” with suggestions to streamline and improve some procedural aspects to strengthen cooperation and help to deliver a quicker remedy for data subjects.

Therefore, the European Commission has proposed a new law aimed at streamlining cooperation between DPAs when enforcing the GDPR in cross-border cases. It will provide for specific procedural rules for the authorities when applying the GDPR in cases which affect individuals located in more than one member state. For example, it will introduce an obligation for the lead DPA to send a “summary of key issues” to their counterparts, identifying the main elements of the investigation and its views on the case, and therefore, allowing them to provide their views early on. It aims to contribute to reduce disagreements and facilitate consensus among authorities.

For individuals, the new rules will clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process. For businesses, the new rules will clarify their due process rights when a DPA investigates a potential breach of the GDPR. They aim for swifter resolution of cases, meaning quicker remedies for individuals and more legal certainty for businesses. For data protection authorities, the new rules will smoothen cooperation and enhance efficiency of enforcement.

Harmonising procedural rules in cross-border cases

The draft Regulation will harmonise rules in the following areas:

  • Rights of complainants: The proposal harmonises the requirements for a cross-border complaint to be admissible, removing the current obstacles brought by DPAs following different rules. It establishes common rights for complainants to be heard in cases where their complaints are fully or partially rejected. In cases where a complaint is investigated, the proposal specifies rules for them to be properly involved.
  • Rights of parties under investigation (controllers and processors): The proposal provides the parties under investigation with the right to be heard at key stages in the procedure, including during dispute resolution by the EDPB, and clarifies the content of the administrative file and the parties’ rights of access to the file.
  • Streamlining cooperation and dispute resolution: Under the proposal, DPAs will be able to provide their views early on in investigations, and make use of all the tools of cooperation provided by the GDPR, such as joint investigations and mutual assistance. These provisions aim to enhance DPAs’ influence over cross-border cases, facilitate early consensus-building in the investigation, and reduce later disagreements. The proposal specifies detailed rules to facilitate the swift completion of the GDPR’s dispute resolution mechanism, and provides common deadlines for cross-border cooperation and dispute resolution.