The European Commission has made changes aato the GDPR proposed to improve cooperation between data protection authorities, dealing with cross-border cases, strengthen.
What exactly are the changes involved and what does the Commission intend to achieve by them?
The new version of the GDPR will establish concrete procedural rules for authorities in cases involving individuals located in more than one member state.
For example, the lead data protection authority is required to send a “summary of the main issues” to their affected counterparts, stating the main elements of the investigation and its views on the case.
That way they can express their opinions early. The proposal will help reduce disagreements and facilitate consensus building between authorities from the early stages of the process.
New rules for individuals and businesses under GDPR
There will also be some changes for individuals. For example, the new rules will clarify what documents must be delivered when individuals want to file a complaint and ensure that they are properly involved in the process. For companies, the new rules will clarify their due process rights when a data protection authority investigates a possible GDPR violation.
New rules to promote faster remedies and legal certainty under GDPR
So the new rules clearly aim to make resolving complaints faster, which means that there faster remedies will be for individuals and greater legal certainty for businesses. For data protection authorities, the new rules will facilitate cooperation and, hopefully, the improve the efficiency of enforcement.
The pursuit ofr harmonization of procedural rules in cross-border cases
The new regulation contains detailed rules to support the smooth operation of the cooperation and consistency mechanism established by the GDPR. Rules are harmonized in the following areas:
Rights of those filing a complaint
The proposal harmonizes the requirements that a cross-border complaint must meet to be admissible and removes the current obstacles created by data protection authorities following different rules. It establishes common rights for those who file complaints to be heard in cases where their complaints are rejected in whole or in part. In cases where a complaint is being investigated, the proposal includes rules for their involvement.
Rights of the parties under investigation
(the controllers and processors)
The proposal will grant parties under investigation the right to be heard at key stages of the proceedings, such as during dispute resolution by the European Data Protection Board (EDPB). It also clarifies the contents of the administrative file and the parties’ access rights to the file.
Streamlining collaboration and dispute resolution
Under the proposal, data protection authorities will be able to express their views at an early stage of investigations and make use of all the cooperation tools provided for in the GDPR, such as joint investigations and mutual assistance. These provisions will increase the influence of data protection authorities in cross-border cases, facilitate early consensus building in investigations, and reduce subsequent disagreements.
The harmonization of these procedural aspects will support the timely completion of investigations and the provision of prompt remedies for individuals.
Why are these changes good?
The GDPR applies a “one stop shop” principle, selecting the lead data protection authority based on the EU country in which the entity under investigation is located.
Since most U.S. technology giants are headquartered in Ireland, some of the most high-profile cross-border cases have led to tensions between the Irish Data Protection Commission (DPC) and other national data protection authorities.
New proposals for GDPR rules
The European Commission’s new proposals are intended to harmonize procedural rules, to promote cooperation between data protection authorities promote, improve the consistency of decision-making and support vigorous enforcement. It should also reduce tensions between the different adiminish utorities
Whereodid the Commission made these changes?
Since the GDPR went into effect, more than 2,000 “one-stop-shop” cases have been created in the EDPB’s case registry and 711 final decisions have been issued. In some cases, fines of hundreds of millions of euros have been imposed. The next report on GDPR implementation is expected in 2024.
In October 2022, the EDPB sent the Commission a “wish list” of suggestions for streamlining and improving some procedural aspects to enhance cooperation and help provide faster remedies to affected parties.
Today’s proposal seeks input from a wide range of stakeholders, including the EDPB, representatives of civil society, business, academia and practitioners, as well as member states. From February to March 2023, the Commission issued a call for evidence, receiving feedback from a wide range of stakeholders, including civil society and industry associations and representative trade associations.
It is on the basis of all this feedback that the current changes came about.