New GDPR proposals address cross-border complaints
The European Commission has proposed a new law to streamline cooperation between data protection authorities when enforcing the General Data Protection Regulation (GDPR) in cross-border cases.
The new regulation will set up concrete procedural rules for the authorities when applying the GDPR in cases which affect individuals located in more than one member state. For example, it will introduce an obligation for the lead data protection authority (DPA) to send a ‘summary of key issues’ to their counterparts concerned, identifying the main elements of the investigation and its views on the case, and therefore allowing them to provide their views early on. The proposal will contribute to reduce disagreements and facilitate consensus among authorities since the initial stages of the process.
For individuals, the new rules will clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process. For businesses, the new rules will clarify their due process rights when a DPA investigates a potential breach of the GDPR. The rules will therefore bring swifter resolution of cases, meaning quicker remedies for individuals and more legal certainty for businesses. For data protection authorities, the new rules will smoothen cooperation and enhance efficiency of enforcement.
Harmonising procedural rules in cross-border cases
The new regulation provides detailed rules to support the smooth functioning of the cooperation and consistency mechanism established by the GDPR, harmonising rules in the following areas:
- Rights of complainants: The proposal harmonises the requirements for a cross-border complaint to be admissible, removing the current obstacles brought by DPAs following different rules. It establishes common rights for complainants to be heard in cases where their complaints are fully or partially rejected. In cases where a complaint is investigated, the proposal specifies rules for them to be properly involved.
- Rights of parties under investigation (controllers and processors): The proposal provides the parties under investigation with the right to be heard at key stages in the procedure, including during dispute resolution by the European Data Protection Board (EDPB), and clarifies the content of the administrative file and the parties’ rights of access to the file.
- Streamlining cooperation and dispute resolution: Under the proposal, DPAs will be able to provide their views early on in investigations, and make use of all the tools of cooperation provided by the GDPR, such as joint investigations and mutual assistance. These provisions will enhance DPAs’ influence over cross-border cases, facilitate early consensus-building in the investigation, and reduce later disagreements. The proposal specifies detailed rules to facilitate the swift completion of the GDPR’s dispute resolution mechanism, and provides common deadlines for cross-border cooperation and dispute resolution. The harmonisation of these procedural aspects will support the timely completion of investigations and the delivery of a swift remedies for individuals.
One of the measures introduced in GDPR was a ‘one-stop-shop’ enforcement system where the lead regulator was appointed on the basis of where the infringing entity was based. In Ireland this put the Data Protection Commission in charge of complex investigations into multinationals such as Facebook and Google. Under the GDPR, DPAs cooperate in an endeavour to reach consensus on the application of the GDPR in cross-border cases. Where DPAs are unable to reach consensus, the GDPR provides for dispute resolution by the European Data Protection Board (EDPB).
When enforcing the GDPR, DPAs apply national procedural rules. In its 2020 report on the application of the GDPR, the Commission noted that procedural differences applied by DPAs hinder the smooth and effective functioning of the GDPR’s cooperation and dispute resolution mechanisms. In October 2022, the EDPB sent the Commission a ‘wish-list’, containing suggestions to streamline and improve some procedural aspects to strengthen cooperation and help to deliver a quicker remedy for data subjects.
The proposal addresses the input from a wide range of stakeholders, including the EDPB, representatives from civil society, businesses, academia, and legal practitioners, as well as member states. From February to March 2023, the Commission published a call for evidence, receiving feedback from a wide variety of stakeholders, including civil society and industry associations. The Commission also held bilateral meetings on the proposal on request, with civil society representatives, national authorities and industry representative organisations.
Pressure on DPC
The new measures could be seen as a rebuke for the Irish Data Protection Commission, which has received fervent criticis over the slow progress of its investigations and a perceived bias in favour of Big Tech. This was evidenced in a recent case where the DPC issued a draft decision saying Facebook’s terms and conditions insultated it from sanction under contract law. It was subsequently overruled by the European Data Protection Board. The authority later imposed a record fine of €1.2 billion against Facebook parent company Meta platforms. For the DPC to be at odds with Europe is not a new development. A recent report from the Irish Council for Civil Liberties found that since 2018 67% of decisions made by the regulator were successfully overturned at European level. France was the only other country to be met with resistance at 2%.
In 2022 CNIL, the French regulator, imposed a fine on Google of €150 million and €60 million to Facebook. At the same time the Italian regulator banned Google Analytics as its method of using tracking cookies was found not to be compliant with GDPR.
A further development has been the decision by the Court of Justice of the European Union to allow consumer organisations to pursue actions on behalf of individuals.
In 2022 the State’s budget for the data protection commission was increased to €19.1 million from €16.9 million.