The European Commission has proposed changes to the GDPR intended to improve cooperation between Data Protection Authorities (DPAs) working on enforcement in cross-border cases.
The rules are the outcome of an October 2022 “wish list” sent to the Commission by the European Data Protection Board (EDPB), which operates a dispute resolution process when DPAs can’t agree on a way forward.
That happened most famously earlier this year, when the Irish DPA disagreed with other national authorities about a case against Meta which ultimately led to a record €1.2bn ($1.3bn) fine.
The GDPR has a “one stop shop” rule whereby the lead DPA is selected according to the EU country in which the entity under investigation is based.
However, with most US tech giants headquartered in Ireland, some of the highest-profile cross-border cases have created tension between the Irish Data Protection Commission (DPC) and other national DPAs.
Since the GDPR came into force, over 2000 one-stop-shop cases have been created in the EDPB's case register.
The European Commission’s new proposals are designed to harmonize procedural rules to improve cooperation between DPAs and consistency of decision making. They will:
- Establish common rights for complainants to be heard in cases where their complaints are fully or partially rejected
- Provide parties under investigation with the right to be heard at key stages in the procedure, including during EDPB dispute resolution
- Enable DPAs to provide their views early on in investigations, conduct joint investigations and provide “mutual assistance,” thus enhancing their influence over cross-border cases, building consensus early in investigations and reducing later disagreements
“While the independent authorities are doing a tremendous work, it’s time to ensure we can operate faster and in a more decisive way. Especially in serious cases in which one violation may have many victims across the EU,” argued Commission vice president for values and transparency, Věra Jourová.
“Our proposal lays down rules to guarantee smooth cooperation among data protection authorities, supporting more vigorous enforcement, to the benefit of the people and businesses alike.”
Sonia Cissé, TMT/IP partner at Linklaters, argued that businesses should be reassured the GDPR remains flexible.
“This new GDPR enforcement draft law brings once again data subjects at the center, giving them the opportunity to be more involved in the process of their complaints,” she added.
“This is clearly in line with the principles set out in the latest drafts and regulations: giving back control to individuals over their data and means to defend themselves against the excess observed in the digital sector.”