Upcoming GDPR Proposal: Procedural Rules Must Be Unified

GDPR

Because of the disparities in national administrative procedures and national law implementation, the GDPR went into effect with the goal of harmonizing data privacy regulations across the EEA. Due to the lack of a need for EU Member States to implement the Regulation, it has a directly applicable effect that does not create total uniformity because there are more than 30 provisions where Member States have the freedom to adapt to their national laws, resulting in different national adaptations of GDPR as well as practical issues.

According to the European Commission’s published initiative titled “Further specifying procedural rules relating to the enforcement of the General Data Protection Regulation” below;

This project will improve national data protection agencies’ collaboration when enforcing the General Data Protection Regulation (GDPR) in cross-border incidents. It will do so by harmonizing several components of the administrative procedure used by national data protection agencies in cross-border cases. This will help the GDPR collaboration and dispute resolution processes run smoothly.

With many big internet companies’ European headquarters in Ireland, the Irish DPC has the authority to handle the majority of GDPR violations on the continent, and the Commission’s goal is to reverse that. These initiative guidelines are planned to clarify and supplement the existing GDPR Articles 60 and 65 provisions on cooperation and dispute settlement.

According to the EDPB’s Statement on Enforcement Cooperation dated April 28, 2022, the Board members agreed that the cases listed below can be handled by a restricted number of DPAs for efficiency reasons.

  • Cases of strategic importance where a number of quantitative and qualitative criteria are met (for example, cases affecting a large number of data subjects in the EEA, cases dealing with a structural or recurring problem in several member states, cases dealing with the intersection of data protection with other legal fields…)

An action plan will be prepared at the EDPB level under the leadership of the Lead Supervisory Authority to ensure that the work is completed in the most efficient and timely manner possible.

DPAs will place a special emphasis on the early and consistent disclosure of all relevant information in order to achieve speedy informal consensus building.

DPAs in groups may elect to collaborate on investigation and enforcement actions, and DPAs in these groupings may share work. An EDPB task force can be formed as needed.

The EDPB will make it easier to use all of the GDPR’s tools, including Article 62 joint investigations. Members of the EDPB decided to conduct joint investigations.

In a letter written to the European Commission on October 10, 2022, the EDPB found that the efficiency of the cooperation mechanism can be better standardized between Data Protection Authorities. The EDPB’s adopted statement of April 2022 demonstrated the lasting commitment to tight cross-border collaboration.

These procedural components are to be harmonized in order to maximize the efficiency of the collaboration mechanism.

These elements are listed below:

  • Identification of the procedure’s parties; the position and rights of the complainant

In some Member States, complainants are considered parties to the procedure and/or are granted special rights, but this is not the case in others.

To unify that procedure, any disparities in complaint treatment based on national procedural legislation should be avoided when the Lead Supervisory Authority is in charge.

  • The procedure’s parties’ rights

Because the procedural rights of parties differ within the EU, uniform implementation of the GDPR may be met by identifying the procedural rights of parties. This element, in particular, may be useful in terms of dispute resolution in line with Article 65(1)(a) GDPR.

  • Access to the file by the parties and confidentially

The right of the parties to view the documentation of the proceedings has different implications in different member states, making the cooperation mechanism under Article 60 GDPR challenging because it is unclear which papers would be considered part of the file. It is recommended that documents including formalized opinions, comments, and positions comprising relevant and reasoned objections from Supervisory Authorities be clarified, which may include highlighted proprietary information such as corporate secrets.

  • The ability to be heard

The right is guaranteed in Article 41 of the EU Charter and is mirrored in Article 60 of the GDPR through collaboration with the Lead Supervisory Authority and other relevant supervisory agencies. To be unified, parties must have consistent norms regarding the extent, modality, and timing of their right to be heard. In current practice, States differ not only in terms of whether the complainant is entitled to study and respond to a draft decision (and, when this option is provided for, this may or may not contain the planned punishments and corrective measures), but also in terms of timing.

  • Deadlines for procedures

The question of whether the complainant is a “party” to the procedure is not united, and such changes may be made in order to avoid unequal treatment of complainants depending on the Member State. The representation indicated in Article 80 (2) GDPR should be regarded similarly to individual complainants.

Many procedures, both at the national and cross-border levels, do not have a timeframe, which might cause unnecessary delays in case resolution.

  • Information from the relevant supervisory bodies, as well as Board decisions, will be made public.

Currently, Member States have different rules, which causes transparency concerns because some Member States allow for the publication of judgments while others only publish decisions that cannot be challenged.

The comment time for this initiative ended on March 24, 2023, and the Commission’s adoption is scheduled for the second quarter of 2023. It is intended that by introducing improved collaboration, the complexity, and delay caused by procedural rules of national laws throughout the EU will be removed, and legal certainty, as well as the credibility of enforcement, will be brought.

Picture of Dposphere

Dposphere

Recent Post