
Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology


GDPR enforcement - new rules for cross-border investigations

The amount of fines imposed under the EU General Data Protection Regulation (GDPR) reached a new high in 2023. A recently leaked proposal for a regulation laying down additional procedural rules relating to the enforcement of the GDPR could further turn up the heat. This regulation aims to speed up enforcement, largely by streamlining the procedure and facilitating cooperation between supervisory authorities in case of cross-border regulatory investigations.

The GDPR is enforced by independent national supervisory authorities in each of the 30 EEA jurisdictions. For cross-border processing, meaning processing that takes place in, or substantially affects individuals in, more than one EEA country, the GDPR provides for a one-stop-shop mechanism. This means that the supervisory authority where the company under investigation is based conducts the investigation and cooperates with the supervisory authorities in other affected jurisdictions. In its 2020 report on the application of the GDPR, the European Commission (EC) found that national differences hinder smooth and efficient cooperation and impede the swift resolution of cross-border investigations. In response, the EC submitted a draft regulation last year, which has now been signed off by the representatives from the EU Member States and which will next be negotiated by the Council of the EU and the European Parliament.

In its latest version, the proposed regulation provides specific procedural rules to speed up the handling of cross-border complaints and to streamline cooperation between national supervisory authorities. The proposed regulation harmonises the requirements for the admissibility of cross-border complaints and clarifies the procedural steps and deadlines of an investigation. In addition, increased cooperation between the supervisory authorities should help to reach consensus early on in cross-border investigations. The latter notably includes an improved exchange of information between the supervisory authorities involved: 

  • In this regard, the supervisory authority leading the investigation will be required to regularly update the other supervisory authorities concerned about the investigation and provide them with all relevant information as soon as it becomes available. The relevant information to be provided will depend on the specificity of each case and shall be proportionate.
  • Relevant information to be exchanged between supervisory authorities in the course of the investigation shall include, amongst others, (i) information on the opening of an investigation of an alleged infringement of the GDPR, (ii) information on the use of investigative powers, such as data protection audits, and related documents resulting from the exercise of these powers, (iii) a summary of the key issues of the investigation, and (iv) any other information deemed useful and relevant for the purpose of the investigation.
  • The rules contained in the draft will only apply to the exchange of information between supervisory authorities and only in the case of investigations under the GDPR. The draft does not aim to enhance cooperation with other authorities, nor does it relate to the enforcement of other regulations.

The proposed regulation also harmonises rules in other areas, such as the rights of complainants and the rights of the parties under investigation:

  • Parties under investigation, for example, shall have the right to be heard before any measure affecting them adversely is taken. For complainants, the proposed regulation establishes the common right to be heard before the supervisory authority dismisses or rejects the complaint. To this end, complainants must be informed of the reasons for the intended dismissal or rejection. In cases where the complaint is being investigated, the draft provides rules to involve the complainant, including the obligation of the lead supervisory authority to communicate its preliminary findings to the complainant. 
  • In its latest version, the proposed regulation grants the right to access the administrative file not only to the parties under investigation, but also to complainants. Since the administrative file includes all documents obtained or produced by the supervisory authorities involved during the procedure, such a right to access may lead to the disclosure of sensitive company data. To prevent trade secrets and other confidential information from being disclosed, the draft requires parties under investigation to clearly identify confidential information, give reasons for the confidentiality claimed and provide a separate non-confidential version of the document in question. It remains to be seen whether this right to access will be maintained in the regulation or whether further measures to protect the confidentiality of ongoing investigations will be introduced.

The proposed regulation was received with some skepticism, in particular because the greater influence of concerned supervisory authorities may undermine the one-stop-shop mechanism and thus be contrary to provisions in the GDPR. The upcoming negotiations between the European Parliament and the Council of the EU are not expected to take place before fall. 
