On 20 February 2023, the European Commission announced ongoing preparations for a legislative initiative that will 'streamline cooperation between national data protection authorities' (DPAs) when enforcing the GDPR in cross-border cases, including through harmonising 'some aspects of the administrative procedure the national DPAs apply in cross-border cases', to 'support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms.'
On 24 February 2023, the Commission indeed launched a four-week public consultation on this legislative initiative, with a view to presenting a proposal for a Regulation by Q2 2023. In addition to feedback from stakeholders, the Commission will seek advice from the European Data Protection Board (EDPB), the GDPR Multi-stakeholder Expert Group, and the Member States’ GDPR Expert Group.
Is the Commission reopening the GDPR?
By 25 May 2024, the Commission is due to undertake the GDPR’s first (major) review. The previous stock-taking exercise, which took place in 2020, only two years after the GDPR entered into application, found that it would be 'premature' to consider any amendments to the framework, especially given the success of the GDPR 'as a key reference point at international level and acted as a catalyst for many countries around the world to consider introducing modern privacy rules'. When it came to enforcement, the report noted that 'it is still early to fully assess the functioning of the new cooperation and consistency mechanisms' and thus the recommendations made to ensure that the governance system would 'deliver its full potential' were non-legislative. The European Data Protection Board (EDPB), EU Member States and European Parliament all came to the same conclusion that any amendments would be 'premature' but felt that improvements could be made regarding enforcement (and particularly cooperation), with the European Parliament expressing 'great concern over the functioning of the mechanism, particularly regarding the role of the Irish and Luxembourg DPAs'.
The European Parliament’s concerns have become increasingly mainstream, with the European Data Protection Supervisor (EDPS) organising a conference in June 2022 on the 'Future of Data Protection: Effective Enforcement in the Digital World'. In his keynote speech, EDPS Wojciech Wiewiórowski said, 'I believe we are still not seeing sufficient enforcement, in particular against Big Tech […] In a way, instead of achieving level playing field, we observe how big companies, thanks to their resources, can benefit from the lack of strong enforcement and further expand their advantage over small competitors.' In his speech, Wiewiórowski emphasised that 'the EDPS is not proposing to reopen the discussions on the substance of the GDPR and is not (and will never be) endorsing any attempts to weaken its principles' but that, when it came to improving the enforcement of the framework, 'we are now ready to talk legislation'.
The timing of this initiative, which comes as the EU’s legislative cycle is slowing down and gearing up for elections in May 2024, is particularly relevant. If proposed before the summer, there would be significant pressure on the EU Member States and European Parliament to conclude the proposal by the end of 2023/beginning of 2024. This would leave limited scope for either institution to raise more fundamental questions regarding the functioning of the one-stop-shop (OSS) mechanism or to reopen discussions on the GDPR. In fact, by heading off and closing the discussion on enforcement now, the hope may be that the debate is not reopened following the May 2024 review.
What can we expect?
The EDPS’ speech, together with the EDPB’s statement on enforcement cooperation (and related letter), anticipated several policy options on which the Commission is now consulting:
- specifying procedural deadlines for cooperation between data protection supervisory authorities on cross-border cases (under Articles 60 and 65 GDPR);
- providing tools to data protection supervisory authorities to promote cooperation early in the investigation process;
- clarifying the position of complainants in the procedural steps, including the possibility for complainants to make their views known;
- streamlining the way the parties under investigation are heard during the procedure; and
- clarifying how information is to be shared between the investigating data protection supervisory authority and the concerned supervisory authorities at the various stages of the procedure, including in the steps leading to a binding opinion by the EDPB.
Relatedly, in response to an investigation by the EU Ombudsman regarding concerns that it collects insufficient information about Ireland's implementation of the GDPR, the Commission has committed to:
- Request all national supervisory data protection authorities to share with the Commission, on a bi-monthly and strictly confidential basis, an overview of large-scale cross-border investigations under the GDPR with information on the following pre-determined fields: case no., controller or processor involved, investigation type (ex officio or complaint-based), summary of investigation scope (including which provisions of the GDPR are at issue), DPAs concerned, key procedural steps taken and dates, and investigatory or any other measures taken and dates.
- In its second report on the application of the GDPR, provide an account of its practice of receiving this information from the national DPAs, indicating the specific kinds of data received.
What does this mean for business?
The Commission hopes its proposals will lead to cross-border investigations being resolved more quickly for both data subjects and the parties under investigation. They may also result in greater harmonisation and therefore more certainty and efficiency for businesses involved in such investigations.
The Commission’s intervention is likely to be welcomed by privacy advocates who have argued the GDPR needs more rigorous enforcement. All businesses should be aware that a more efficient and streamlined process for cross-border investigations is likely to allow DPAs to use their limited resources more efficiently, and therefore undertake more extensive enforcement activities.
Businesses should keep abreast of the progress of the proposed changes, and how they may evolve following feedback.