The European Commission seeks to combat longstanding issues under the General Data Protection Regulation (GDPR) regarding cross-border cases with new proposed rules.
The GDPR Procedural Regulation, announced Tuesday, would not alter the GDPR but serve as a compliment to the landmark data privacy legislation, helping to establish clearer guidelines around the law’s “one-stop shop” mechanism. Under the one-stop shop, cross-border cases against companies are led by the relevant data protection authority (DPA) in the region in which the business is headquartered.
The mechanism has led to criticism and disagreement between EU DPAs, most notably regarding Ireland’s policing of Big Tech giants including Meta, Google, and Twitter.
“The proposal complements the GDPR by specifying detailed procedural rules for the cross-border enforcement system,” said the European Commission in a Q&A document. “The regulation will operate within the framework established by the GDPR.”
No changes would be made regarding roles in cross-border enforcement procedures under the regulation. Rather, the proposal would add additional steps in such cases in an effort to “facilitate early consensus-building and to reduce disagreements later in the process,” the European Commission said.
“Early in an investigation, the lead DPA must send a ‘summary of key issues’ to their counterparts concerned in the EU,” explained the commission. “This summary identifies the main elements subject to investigation and the lead DPA’s views on the case. This will ensure that the DPAs concerned have all the necessary information to provide their views on the case at an early stage.
“Should a DPA disagree with the lead DPA’s assessment, this authority can request a joint operation or mutual assistance mechanism, as provided by the GDPR. Should the DPAs still disagree on the scope of a complaint-based case, the proposal empowers the European Data Protection Board (EDPB) to adopt an urgent binding resolution to resolve such disagreement early in the process.”
The proposal would also clarify complainants’ rights in cross-border cases and the rights of companies under investigation to hear and respond to a DPA’s preliminary findings against them.
During an event in May marking five years since the GDPR entered force, EU officials first teased the proposal, saying it came in response to an EDPB “wish list” about how cooperation among DPAs and enforcement could be improved.
“It is clear that enforcement of GDPR works, but the procedures in cross-border cases can be still improved,” said European Commissioner for Justice Didier Reynders in the commission’s release. “[W]e have come forward with this proposal to show that we can do better to have quicker and more efficient handling of cases.”