The European Commission has proposed new rules to help supervisory authorities enforce the data protection regulation in cross-border cases.
In its five-year history, the GDPR (General Data Protection Regulation) has drastically altered the way organisations process and use personal data, but enforcing these rules hasn’t been easy.
One of the biggest challenges has been investigations that span multiple countries, with several supervisory authorities involved in the case.
Lawmakers have battled to address these problems throughout the GDPR’s tenure, and they hope that the introduction of the GDPR Procedural Regulation will be a much-needed fix.
“The GDPR is well enforced but we can do better,” Justice Commissioner Didier Reynders said in a statement addressing the proposal. “We’ve seen many fines, but sometimes it’s complex and long,” he added, referencing the €4 billion in fines that have been levied under its rules.
How it will work
The new rules concern the way the GDPR is enforced by DPAs (data protection authorities), which are the domestic bodies that are responsible for managing data protection rules in their territory, as well as national courts.
Ordinarily, a single DPA would be responsible for investigating a complaint or data breach, and then issuing an appropriate response. This could mean a warning, enforcement action or a fine.
However, in cases where the organisation in question processes personal data across multiple territories, the regulatory process is more complex.
Consider, for instance, that the GDPR leaves each national authority some leeway in how it interprets and enforces compliance. Certain rules are applied differently from one member state to another (such as the age below which a child needs parental consent to use online services, which member states may set anywhere between 13 and 16), and the GDPR lays down no common rules for how DPAs should conduct their investigations.
Although this approach promotes flexibility, it also creates inconsistency – something the GDPR, as a single regulation applying across the EU, was meant to avoid.
In cross-border cases the GDPR already tries to remove these inconsistencies through the one-stop-shop mechanism: a lead DPA, the authority in the member state where the organisation under investigation has its main establishment, runs the investigation and cooperates with the other concerned DPAs during the probe.
However, this approach has proven to be flawed in practice, which is why the European Commission’s proposal introduces new procedures.
Its rules are intended to build consensus among the authorities as early in the investigation as possible, which should reduce disagreements later on and the need to fall back on the GDPR’s dispute resolution mechanism.
Under the new rules, the lead DPA must send a “summary of key issues” to other interested authorities. This report identifies the main elements that are being investigated and the lead DPA’s opinion on the case.
Should another concerned DPA disagree with the lead authority’s assessment, it can turn to the joint operations or mutual assistance mechanisms already provided for in the GDPR.
If the authorities disagree on the scope of a complaint-based case, the proposal gives the EDPB (European Data Protection Board) the power to adopt an urgent binding resolution to resolve the issue.
Meanwhile, the party or parties under investigation have the right to be heard at key stages in the procedure – including during dispute resolution by the EDPB.
The new rules also clarify the content of the administrative file and the parties’ rights of access to that information.
Why this is important
The GDPR Procedural Regulation won’t affect the substantive requirements of GDPR compliance, such as the rights of data subjects, the obligations of data controllers and processors, or the lawful bases for processing personal data.
However, it will have a significant impact on the way the GDPR is enforced – which has been one of the biggest obstacles preventing its success.
In its 2020 report on the application of the GDPR, the European Commission found that differences in the national procedures DPAs apply in cross-border cases were slowing investigations down.
This has also been seen in practice, with Ireland’s DPC (Data Protection Commission) in particular facing criticism for its approach to GDPR enforcement.
Ireland is the European home of tech giants such as Meta and Google, and as a result its DPC has received a disproportionate share of cross-border complaints. The DPC’s handling of those complaints has been scrutinised, and in several cases the EDPB has used its binding decision powers to require a different outcome from the one the DPC had proposed.
With new rules promoting closer cooperation between supervisory authorities, the hope is that cross-border investigations will be completed more quickly and that the authorities will more often agree on the appropriate sanctions.