On 4 July 2023, the European Commission proposed new rules to enhance the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. The suggested GDPR Procedural Regulation aims to streamline cooperation between data protection authorities (DPAs) by harmonising administrative procedures. The proposed regulation introduces robust procedural rules for DPAs when applying the GDPR to cases involving individuals in multiple Member States.

The key provisions of the proposal include:

• Cooperation between DPAs:  The lead DPA will be obligated to share a summary of key issues with relevant counterparts, facilitating early consensus and reducing disagreements among authorities.
• Rights of complainants:  The proposal synchronises the requirements for cross-border complaints, such as ensuring that all complainants are heard even if their complaints are partially or fully rejected. It also specifies rules for complainant involvement in cases under investigation.
• Rights of parties under investigation:  Controllers and processors under investigation will have the right to be heard at key stages, including during dispute resolution by the European Data Protection Board (EDPB). The proposal clarifies the content of the administrative file and their rights of access to it.
• Streamlining cooperation and dispute resolution: DPAs will have the ability to provide their views early in investigations and utilise the cooperation tools provided by the GDPR. The proposal also establishes detailed rules for the swift completion of dispute resolution, including common deadlines for cross-border cooperation.

The harmonisation of these procedural aspects aims to expedite investigations, deliver timely remedies for individuals, and provide legal certainty for businesses, while fully maintaining the current “one-stop-shop” system, where individuals and organisations can deal with their local, single DPA.

The proposal is based on input from various stakeholders, including the EDPB, civil society, businesses, academia, legal practitioners, and Member States. The European Commission conducted a call for evidence and held bilateral meetings with stakeholders to gather feedback on the proposal. Stakeholders are asked to provide input to the Commission on the formal adoption of the Procedural Regulation by 4 September this year.

Q&As on the stronger enforcement of the GDPR in cross-border cases issued by the European Commission to provide further clarification, can be found here.

European Commission’s press release can be found here.

The GDPR can be found here and the GDPR Procedural Regulation can be accessed here.