EU Commission Adopts New Rules for GDPR Enforcement: the Beginning of a Centralized Enforcement Model?

On 4 July 2023, the EU Commission proposed a new Regulation for procedural rules to standardize and streamline cooperation between EU Member State Data Protection Authorities (DPAs) when enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases (GDPR Procedural Regulation). The GDPR adopts a decentralized enforcement model. National EU Member State DPAs are competent to enforce the GDPR on their respective territories. However, in cases with cross-border elements, the GDPR requires all concerned DPAs to cooperate in accordance with the GDPR’s “one-stop-shop” through cooperation and consistency mechanisms. Although these mechanisms establish key principles of cooperation and provide the basis for consistent application of the GDPR throughout the EU, the EU Commission determined more legislative action was needed to increase efficiency and harmonization of cross-border GDPR enforcement action.

Various EU institutions, officials and national DPAs have repeatedly emphasized the importance of GDPR enforcement, which they consider to be “a cornerstone of the EU digital single market and a vital piece of legislation ensuring a human-centric approach to technology”. It is also recognized that GDPR enforcement cases are often characterized by cross-border elements. Indeed, data is the lifeblood of the digital economy and of key emerging technologies such as AI, and it is not restricted by territorial or jurisdictional boundaries. The GDPR recently celebrated its 5th anniversary – and more cross-border enforcement and cooperation is predicted for the next 5 years. The proposal may signal a move towards a more centralized GDPR enforcement model, with the European Data Protection Board (EDPB) and the EU Commission playing a more prominent role.

Key takeaways of this proposed GDPR Procedural Regulation are set out below:

  1. Why is a new GDPR Procedural Regulation being created? The GDPR is enforced at an EU Member State national level, and so each Member State applies its own procedural and administrative rules to any GDPR enforcement procedure. This leads to procedural divergence and ultimately hinders the effective and consistent cooperation between DPAs and the application of the GDPR throughout the EU. For instance, parties’ right to be heard, access to file and other due process rights can vary from one EU Member State to another – as would, for instance, the way an individual could file a complaint with their local DPA. One of the reasons why the EU originally opted for a decentralized enforcement model was to guarantee the ‘principle of proximity’ for individuals – granting them the opportunity to reach out to their local DPA, in their local language. The GDPR Procedural Regulation does not aim to take away from this principle, but to harmonize certain procedures to benefit individuals and businesses alike.
  2. Who would this apply to? The new GDPR Procedural Regulation would apply to the EU Member States that are responsible for making sure that their DPAs comply and align their local enforcement procedures with the procedural rules set out in the Regulation. The proposed GDPR Procedural Regulation would not impose any regulatory obligations on (i) individuals or (ii) controllers or processors subject to the GDPR.
  3. When would this apply? The Regulation would only apply in enforcement cases involving cross-border processing, meaning that the processing (i) takes place in the context of the activities of the establishment of an EU controller or processor in more than one EU Member State; or (ii) substantially affects or is likely to substantially affect individuals in more than one EU Member State (e.g. where the processing may cause damage, loss or distress to individuals).
  4. What are the key requirements? The proposed GDPR Procedural Regulation lays down procedural rules for (i) the handling of complaints filed by individuals in relation to the processing of their personal data; and (ii) the conduct of investigations (either complaint-based or ex officio, i.e. on the DPA’s own initiative) by DPAs in the cross-border enforcement of the GDPR. Among other things, the GDPR Procedural Regulation would provide (i) the information to be included in a valid individual complaint; (ii) the key circumstances to be taken into account when investigating a complaint; (iii) procedural rights for the individual who filed the complaint; (iv) amicable settlement procedural rules following a complaint and rules around translations of the complaint; (v) procedural rules around cooperation between the lead DPA and other concerned DPAs and information-sharing obligations; and (vi) procedural rules for controllers and processors involved in a DPA investigation – including the right to access the file, the right to be heard and to file written submissions in response to a DPA’s preliminary findings, and rules around confidentiality for documents obtained by a DPA in the context of a GDPR investigation.
  5. What are the proposed sanctions? The GDPR Procedural Regulation would not impose any obligations on private actors and, as such, would not provide for any sanction mechanism.
  6. How does this relate to the GDPR and other EU laws? The new GDPR Procedural Regulation is different in scope and is not intended to impact the GDPR or other EU laws. The GDPR imposes substantive requirements on controllers and processors processing personal data. The GDPR Procedural Regulation would impose certain pan-EU administrative and procedural requirements for GDPR enforcement. The GDPR Procedural Regulation is not meant to impact the “one-stop-shop” (where one lead DPA takes the lead on enforcement to further consistency) or the other cooperation and consistency mechanisms that exist under the GDPR.
  7. What does this mean in practice for businesses operating in the EU? As set out above, the GDPR Procedural Regulation would not impose any regulatory obligations on businesses that are under investigation by an EU DPA for alleged GDPR infringements. It would only grant those businesses (and individuals) more rights when they are involved in an enforcement action or investigation. From that perspective, the proposal is a welcome development for businesses and individuals alike, who will benefit from a more efficient enforcement model and greater legal certainty.
  8. Would this apply in the UK? No. The GDPR Procedural Regulation is an EU regulation and, since Brexit, EU law no longer directly applies in the UK. At this time, there do not appear to be any plans to enact a similar type of legislation in the UK. Further, the UK GDPR, unlike the EU GDPR, is not enforced across multiple jurisdictions with different national administrative and procedural law regimes—so there is less need for harmonization.

What Will Happen Next

This new GDPR Procedural Regulation does not come in isolation. Recently, there has been an uptick in GDPR regulatory enforcement as well as private litigation in the EU, including in respect of key concepts and principles that have been clarified and interpreted by the EU’s highest court (the EU Court of Justice or “CJEU”). This enhances the need for consistency in cross-border enforcement. The GDPR Procedural Regulation has just been proposed by the EU Commission and will now move to consideration in the relevant European Parliament committees. It will be interesting to see how the text progresses throughout the legislative review process.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.