EU Governments Sign-off Proposed Reforms to GDPR Procedural Rules and Council Reaches Common Member States’ Position

On 24 May 2024, the Council of the European Union (the “Council”) released new details of a proposed reform of the General Data Protection Regulation’s (“GDPR”) procedural rules, which representatives of EU national governments approved on 29 May 2024. On 13 June 2024, the Council issued a press release detailing its agreed common Member States’ position that maintains the general thrust of the original proposed reforms, but which seeks to: (i) introduce clearer timelines; (ii) improve efficiency of cooperation; and (iii) provide an early resolution mechanism.

The proposed reforms, first tabled in July 2023, are designed to streamline and improve the efficiency and harmonisation of GDPR enforcement actions. In particular, the reforms specify procedural rules for certain stages of the investigation process in cross-border data protection cases and should enable the smooth functioning of the cooperation mechanisms between supervisory authorities (“DPAs”) for GDPR enforcement. Currently, the GDPR is enforced at a national level – each Member State applies its own procedural and administrative rules to any GDPR enforcement action. This has resulted in some procedural divergence since the GDPR was first introduced in 2018 and therefore presents an obstacle to cooperation between DPAs and the consistent application of the GDPR across EU countries. Some current differences between Member States’ respective procedures include the parties’ right to be heard, the access to file, and other due process rights. The original decentralised enforcement model under the GDPR – also known as the ‘one-stop shop’ mechanism – was designed to guarantee the ‘principle of proximity’ – the ability for individuals to reach out to their local DPA in their local language; these new reforms are not designed to detract from this principle, but rather to harmonise certain procedures to benefit individuals and businesses.

The proposed reforms specifically set out procedural rules for: (i) the handling of complaints filed by individuals in relation to their processing of personal data; and (ii) the conduct of investigations by DPAs in cross-border GDPR enforcement. The proposed reforms further provide: (i) the information to be included in a valid individual complaint; (ii) the key circumstances to be taken into account during an investigation of a complaint; (iii) procedural rights for the individual who filed the complaint; (iv) procedural rules allowing for early resolution (including an amicable settlement) following a complaint and rules around translations of the complaint; (v) procedural rules around cooperation between the lead DPA and other concerned DPAs and information-sharing obligations; (vi) high priority being given to cases pertaining to the rights of a child as a data subject; and (vii) procedural rules for controllers and processors involved in a DPA investigation – including the right to access the file, the right to be heard and filing written submissions in response to a DPA’s preliminary findings, and rules around confidentiality for documents obtained by a DPA in the context of a GDPR investigation.

Please also see this previous Sidley blog post from August 2023 which looked in detail at the proposed reforms when they were first proposed.

Concerns have been raised by industry about the potential for regulators to intervene in the enforcement processes of other jurisdictions – indeed, there is a provision in the proposed reforms which appears to give other regulators an ability to overrule the lead supervisory authority regarding whether a case requires close cooperation between watchdogs, which some view as problematic.

Following the adoption by the Council of the general approach on 13 June 2024, the next legislative stage will involve negotiations with the European Parliament. However, these are expected to occur in the Autumn or even later given the recent European elections.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.