The European Commission has proposed new rules to ensure the effectiveness of enforcement in cross-border GDPR cases. The new regulation seeks to streamline and harmonise various aspects of the administrative mechanisms necessary in cross-border cases.
Cross-border GDPR enforcement has undoubtedly not worked as the EU Commission, the data protection authorities of Member States and the European Data Protection Board would have hoped. The organisations which are the subject of these enforcement processes value clarity and consistency, and all eyes will be on the new Regulation to see whether it can deliver.
Background to the proposal
In cross-border GDPR cases at present, the lead data protection authority ("DPA") (the authority where the main establishment of the controller or processor is located) conducts the investigation. The lead authority is expected to engage with other concerned DPAs to try to reach consensus in "a spirit of sincere and effective cooperation." If a consensus cannot be reached, 'relevant and reasoned objections' by the other concerned DPAs form part of a referral to the European Data Protection Board ("EDPB") for a binding decision as part of the dispute resolution procedure. So far, so good.
However, as early as 2020, the European Commission noted that differences in procedures and interpretations of DPAs in each Member State meant that further progress was required to make the handling of cross-border cases more efficient and harmonised. Additional work on these issues, including a 'Call for Evidence' in February 2023, has resulted in the proposed regulation.
The explanatory memorandum to the Regulation sets out problematic areas in respect of cross-border enforcement:
- Complaints systems across the various DPAs vary, resulting in differing treatment of complainants.
- The procedural rights of parties under investigation also vary across Member States, which is not necessarily compatible with Article 60 GDPR, which "rests on the presumption that the parties under investigation have exercised their due process rights before the draft decision is tabled by the lead DPA."
- There is also "insufficient cooperation between DPAs prior to the submission of a draft decision by the lead DPA," hindering efficient conclusions in the dispute resolution procedure.
- The GDPR does not provide deadlines for various stages of the dispute resolution procedure.
More specifically, recent decisions involving big tech and the Data Protection Commission ("DPC") in Ireland have also prompted discussion around the issue of cross-border enforcement. The EDPB and many DPAs have been critical of the positions taken by the DPC and of the pace at which its investigations are conducted. For its part, the DPC is critical of the positions taken by the EDPB and the other DPAs and of the pace at which binding decisions are reached.
In this regard, arising out of a recent EDPB decision regarding Facebook and Instagram, the DPC indicated it would be launching proceedings in the Court of Justice of the European Union (CJEU) to annul a direction from the EDPB to conduct a fresh investigation of Facebook and Instagram’s data processing operations. Those proceedings have been launched before the CJEU and the DPC's two key pleas are as follows:
- The EDPB exceeded its competence under Article 65(1)(a) of the GDPR in purporting to instruct the DPC to carry out a new investigation.
- The EDPB infringed Article 4(24) and Article 65(1)(a) GDPR by incorrectly interpreting those provisions as conferring a competence on the EDPB to instruct the DPC to carry out a new investigation.
What are the proposed changes?
The proposal does not amend the GDPR in a substantive manner; instead it aims to increase the effectiveness of the dispute resolution mechanism in cross-border cases under the GDPR. Further, the Regulation does not alter the 'one-stop-shop', but supports it by providing detailed rules for the cross-border enforcement system. Neither the existing steps provided for by the GDPR nor the roles of those involved are subject to any changes.
In an effort to resolve the problems set out above, the Commission proposes the following changes:
- Specifying the information and rules required for all cross-border complaints. A mandated form for cross-border complaints simplifies "the complaint procedure for data subjects and removes the fragmented approaches to the concept of a complaint." The form is designed to establish early disclosure of copies of "the documents attesting the relationship with the data controller (e.g. invoices, contracts); copy of any marketing messages or e-mails; pictures, photographs or screenshots; expert reports; witness reports; inspection reports."
- Those parties under cross-border investigation will be given the opportunity to be heard at key stages. Once the preliminary findings are communicated, the lead DPA will grant the entity subject to the complaint access to the administrative file, although that access "shall not extend to correspondence and exchange of views between the lead supervisory authority and supervisory authorities concerned." This aims to ensure the consistent observance of rights of defence.
- Added substance is given to the requirement for the DPAs to cooperate and share relevant information as set out in Article 60. The regulation establishes a framework allowing DPAs to provide views early on in cross-border investigations and facilitating consensus-building.
Once the lead DPA has formed a preliminary view, it will be required to draft a summary of key issues setting out the facts and the scope of the investigation, any complex legal or technological assessment relevant to the preliminary orientation of its assessment, and the identification of potential corrective measures.
In response to that summary, the other DPAs have 4 weeks to respond if they wish to do so. Cases where there is no response are identified as 'non-contentious', and the preliminary findings must be communicated within 9 months of the end of the 4 weeks.
If a response is provided, it is expected to set out any legal arguments succinctly and sufficiently clearly, along with any supporting documents. Disagreement between the DPAs relating to the scope of the investigation in complaint-based cases will be referred to the EDPB to resolve the deadlock with an urgent binding decision. This is consistent with the aim of reducing the need for the dispute resolution mechanism.
In the event that the dispute resolution mechanism is required, the regulation sets out the documents to be provided by the lead DPA, with the EDPB required to identify any relevant and reasoned objections within 4 weeks.
What will the impact of these changes be?
The concerns around cross-border enforcement are not new and in fact were raised by the UK and Ireland in 2015 during the drafting of the GDPR. It has taken a few years of protracted cross-border cases for changes to be brought forward. It would seem to be a step in the right direction, but it remains to be seen how effective the new Regulation will be and whether there are any unintended consequences.
From a Spanish perspective, the proposed regulation may have a positive effect, if we evaluate the latest activity report published by the Spanish Data Protection Agency. Its most recent report, analysing all 2022 cases, indicates that the Spanish Data Protection Agency received more cross-border cases from other European authorities than in the previous year (+12%). An increase was also documented in the number of proceedings in which the Spanish DPA has participated (+17%), the final step of a complex process of consensus and resolution that can last several years. Furthermore, the General (Sub)Direction for Data Inspection also participated in several European working groups, to unify criteria and to cooperate on various matters.
To put things in perspective, in 2022 the Spanish Agency participated as lead authority in a total of 15 cross-border cases, and as interested authority in 201 cases. Lastly, it is worth noting that the Spanish Agency participated in a total of 132 draft decisions in 2022. These draft decisions, although issued by another DPA, involved subsequent work of negotiation and consensus among all the participating authorities, a process requiring a great deal of resources and effort.
Since the new Regulation proposes increased cross-border cooperation, and in light of those recent statistics, the new rules proposed by the European Commission may be considered a positive initiative from the perspective of the Spanish Data Protection Agency.