Proposed new EU regulation that provides additional procedural rules for enforcing GDPR
On July 4, 2023, the European Commission proposed a regulation that provides for new procedural rules for enforcing the GDPR. The General Data Protection Regulation, known as the GDPR, went into effect on May 25, 2018. The commission's proposed legislation does not intend to change the rights or obligations of personal data controllers or data processors. It aims to clarify cooperation between data protection authorities. The GDPR, in its wording, talks about "cooperation" between data protection authorities but lacks precision, so the proposed regulation is intended to remedy this phenomenon.
The main thrust of the proposal is to strengthen:
• The right to be heard – The proposal aims to ensure that parties have the right to be heard "at key stages of the proceedings" and have access to the file, thus ensuring the protection of the right to good administration under Article 42 of the Charter. If the supervisory authority considers that the revised draft decision from Article 60 of the GDPR, contains elements on which the parties to the proceedings should be given an opportunity to comment, the supervisory authority shall provide the parties subject to the investigation with an opportunity to comment on the topic of new elements before submitting the revised draft decision.
• Cooperation with data protection authorities – It is mainly intended to clarify the cooperation of authorities under Article 60 of the GDPR and thus increase the option of the instruments of the DPAs to reach a consensus, reduce the likelihood of disagreements and enable the Council to make an urgent binding decision. The new regulation's emphasis on open dialogues between supervisory authorities and enables the supervisory authorities concerned to significantly influence the course of the investigation by sharing their experiences and views with the lead supervisory authority.
• Complaint procedures – The proposed regulation wants to introduce a standardized form for all complaints related to cross-border data processing, specifying how complainants can participate and have the right to express their views.
• Objections and dispute resolution – The proposed new regulation includes requirements for objections raised by data protection authorities, as well as specifying procedures and time limits for dispute resolution.
It is to be seen whether the target of “timely completion of investigations” and “swift remedies for individuals” can be achieved through this new regulation. As seen with the latest Meta case by the Irish Data Protection Commission, the procedural rules were slowing down the case by a lot as the other supervisory authorities concerned must wait with their feedback on the initial proposal for a decision.