Even the General Data Protection Regulation (GDPR)’s most devoted supporters concede one problem with the law: enforcement.
The GDPR’s “one-stop-shop” process, designed to systematize coordination among data protection authorities (DPAs) in cross-border complaints, has led to a bottleneck of data protection complaints and some in-fighting among regulators.
The proposed GDPR Procedural Regulation is the Commission’s attempt to fix cross-border GDPR enforcement. Here are four cross-border enforcement problems identified by the Commission and four proposed solutions to fix them.
Problem 1: DPAs have different rules for complaints
The GDPR was designed to make data protection law more uniform across the EU. However, DPAs have set up different complaint procedures, leading to inconsistencies for data subjects across the member states.
- A complaint accepted by one DPA might be rejected by another, perhaps because the complainant has not provided enough information.
- Some DPAs do not involve complainants in the complaints process, while others treat all parties equally.
- Some DPAs reject complaints on an informal basis, while others adopt a formal decision in every case (whether or not a complaint is fully investigated).
Proposed solution: Standardized complaints procedure
The Commission’s proposal would create a new procedure for cross-border complaints, including a standard form that must be used when submitting a cross-border complaint.
As long as the complainant provides all the information requested in the form, the complaint will be investigated.
The proposal also sets out new requirements for DPAs when investigating GDPR complaints.
Problem 2: Inconsistent rights among parties to a complaint
The Commission suggests that different member states provide different rights for parties to complaints under the GDPR. For example:
- The right of each party to be heard.
- The timing of the hearing.
- The right to access documents.
This is a particular problem for cross-border complaints, as the DPA cooperation process assumes that all parties have been heard before a draft decision is considered by the EDPB.
Proposed solution: Harmonized procedural rights
The Commission’s proposal suggests standardizing the involvement of parties to a complaint, including during the EDPB dispute resolution process.
The proposal would also standardize the contents of a complaint file and set out who has access to the file.
Problem 3: DPAs are not cooperating
The Commission suggests that DPAs are not endeavoring to resolve disputes before moving to the GDPR’s dispute resolution process. Essentially, the Commission seems to think that DPAs are moving to adopt “binding decisions” too early.
The dispute resolution process should be used in exceptional cases—once all DPAs have had the opportunity to submit “relevant information” and have attempted to arrive at a consensus.
Proposed solution: Streamlined cooperation process
The proposal sets out a new cooperation and consistency process that ultimately aims to reduce the number of binding decisions. The reforms include:
- A stronger requirement for DPAs to cooperate.
- Clearer rules around submitting “relevant information” in cross-border cases.
- A new procedure for the EDPB to adopt an urgent decision while an investigation is underway.
Problem 4: The dispute resolution process is inefficient
Although the Commission clearly aims to reduce the reliance on the GDPR’s dispute resolution procedure, the proposal also notes that some problems arise when the dispute resolution procedure is underway, including:
- The process is slow (the Commission does not say this but implies it).
- DPAs have inconsistent ways of contributing to the process.
- DPAs from smaller member states can be under-represented.
Proposed solution: Reformed dispute resolution procedure
The proposal aims to tighten up the dispute resolution procedure, including by providing:
- New detailed requirements around the form and structure of “relevant and reasoned objections”.
- Deadlines by which parts of the dispute resolution procedure should be completed.
- Clearer roles for various parties in the procedure (the lead DPA, concerned DPAs, and the EDPB).