On July 4, 2023, the European Commission (EC) published its proposal for a regulation laying down additional procedural rules for the enforcement of the EU General Data Protection Regulation (GDPR) (proposal). The proposal focuses on procedural issues relating to handling complaints and conducting investigations in cross-border cases.[1] The proposal adds to the procedural rules laid down in the GDPR and addresses certain practical issues and gaps. In particular, the proposal harmonizes at an EU-level the rules on complaint admissibility, strengthens due process rights for complainants and defendants, and streamlines cooperation between supervisory authorities (SAs, i.e., national data protection authorities or DPAs). If it is eventually enacted, the proposal would be of considerable importance in facilitating the enforcement of the GDPR in cross-border cases.
Background
The GDPR provides that, in complaints involving cross-border matters, an SA will take the lead in carrying out the investigation, in cooperation with other concerned SAs. The SA that takes the lead will, in principle, be the SA of the organization’s main establishment in the EU. This is known as the GDPR’s “one-stop-shop” mechanism. If the SAs cannot reach consensus on the enforcement decision, the GDPR provides for a dispute resolution mechanism through the European Data Protection Board (EDPB), which brings together the SAs of all EU countries.
Since the GDPR came into force in 2018, SAs have handled over 2,000 such cross-border cases. In several high-profile cases, SAs failed to achieve consensus, and dispute resolution through the EDPB was far from smooth. A key issue is that SAs apply national procedural rules when enforcing the GDPR, creating a patchwork of conflicting procedures that hinder cooperation. Impediments to enforcement arising from national procedural rules may also adversely affect due process rights. The EDPB identified these concerns in a “wish list” for better GDPR enforcement, which it published on October 12, 2022. The proposal addresses input from the EDPB and feedback provided by other stakeholders during the EC’s public consultation, which was closed on March 24, 2023.
Key Takeaways
We list below the key elements of the proposal:
- No changes to GDPR requirements. The proposal does not impact the substantive requirements of the GDPR (e.g., notice, legal basis, individuals’ rights). Thus, it does not require companies to change their GDPR compliance programs, though it would increase legal risks arising from enforcement of complaints.
- No changes to the one-stop-shop mechanism. The proposal adds details to, but does not revise, the GDPR’s enforcement mechanisms. In particular, the proposal maintains the one-stop-shop system.
- Standardizing complaint admissibility. The proposal harmonizes rules on assessing the admissibility of a complaint relating to a cross-border GDPR violation. It also introduces a standardized complaint form. The SA that received the complaint will have one month to determine the completeness of the information provided by the complainant. That SA will then transmit the complaint to the lead SA.
- Reinforcing the complainant’s status and rights. A complainant will have the right to be heard before the SA decides to fully or partially reject a complaint. A complainant will also be able to challenge the SA’s decision to reject the complaint in court. Since SAs may want to avoid court proceedings, this new right could lead to an increase in complaints. In particular, this new right could incentivize representative organizations (such as NGOs) to file more complaints, triggering more SA enforcement actions. This might generate higher litigation risks for companies.
- Harmonizing the rights of defendants. Defendants will have standardized due process rights, such as access to the administrative file, the ability to submit a written reply to the SA’s preliminary findings, and the right to be heard prior to adoption of the binding decision by the EDPB.
- Harmonizing rules on confidentiality. The proposal lays down harmonized rules on the treatment of confidential information provided by the defendant company. When submitting information that it considers to be confidential in the course of its defense, the defendant shall clearly identify and substantiate the reasons for its claim that such information is confidential. The defendant shall provide a separate nonconfidential version of the submission. If the defendant fails to substantiate its claim, the SA may assume that the documents do not contain business secrets or other confidential information.
- Aiming at early consensus building between SAs. SAs will need to cooperate at an early stage of a cross-border proceeding. In particular, the lead SA will need to provide concerned SAs with a summary of its investigation, including relevant facts and the lead SA’s views on the case. Concerned SAs will be able to express disagreement with the scope of the lead SA’s investigation. If consensus cannot be reached, the lead SA may request that the EDPB take a binding decision on the scope of the investigation.
Next Steps
The proposal imposes new procedural rules to address shortcomings and gaps in cross-border GDPR enforcement cases. In particular, the EC aims to facilitate cooperation between SAs and clarify due process rights for complainants and companies under investigation. The proposal could substantially increase the number of complaints brought under the GDPR and make them easier to enforce in different EU Member States, and thus would have considerable importance for companies. The legislative process to formally adopt the new law is likely to take a few years, and may prove politically contentious, so approval is not assured. We are closely monitoring this initiative and will continue to update you on significant developments.
Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Laura De Boel, Yann Padova, Maneesha Mithal, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.
Joanna Juzak contributed to the preparation of this Wilson Sonsini Alert.
[1] These are cases where the data processing takes place or substantially affects (or is likely to substantially affect) individuals in more than one EU country.