On 4 July 2023, the European Commission published its proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (the "GDPR") (the "Proposal").
The Proposal aims to improve cooperation among EU Member States in cross-border GDPR complaints and investigations. The European Commission recognises the divergences across Member States in their approaches to GDPR complaints. By clarifying the roles of all actors involved and setting out precise procedural rules for each stage of the complaints and investigation process, the Proposal strives to enable the swift conclusion of such cases.
The Proposal's explanatory memorandum explains that the Proposal aims to deal with the different interpretations of Data Protection Authorities ("DPAs") on complaints, procedural rights of parties under investigation, and cooperation and dispute resolution by:
- Providing a new form specifying information needed for all complaints under Article 77 GDPR concerning cross-border processing.
- Harmonising procedural rights in cross-border cases including introducing time limits.
- Giving DPAs tools to achieve consensus and setting up a framework for DPAs to provide comments early in the investigation.
- Laying down procedural deadlines for the dispute resolution procedure, and clarifying which information the lead DPA must provide when submitting the matter to dispute resolution.
The Proposal sets out new procedural requirements and time limits for complaint handling, which are intended to streamline the handling of cross-border GDPR complaints and investigations across Member States.
Complainants should expect to see their cases responded to and handled more quickly, and controllers can take comfort from the fact that complaints should be dealt with (one way or the other) much more quickly.
Rather than being an erosion of the one-stop-shop regime that some commentators predicted, the Proposal seems to be focused on practical issues and matters of procedure, to address the sheer volume of complaints being handled by regulators across the EU.
Handling of Complaints under the Proposal
Chapter II (Article 3) of the Proposal sets out prescribed rules which must be followed when submitting and handling complaints:
- The complainant must use a prescribed form (set out in the Annex) for all complaints based on the GDPR relating to cross-border processing.
- This form must be lodged with the supervisory authority ("SA"), which must acknowledge receipt within one week.
- The SA with which the complaint was lodged determines whether the complaint relates to cross-border processing and whether the form provides complete information.
- The SA then transmits the complaint to the lead SA ("LSA").
- If the complainant wishes to claim confidentiality, they must also submit a non-confidential version of the complaint.
The SA must take into account 'all relevant circumstances' when considering whether a complaint requires investigation. This includes: (a) the expediency of delivering an effective and timely remedy; (b) gravity of the alleged breach; and (c) systemic or repetitive nature of the alleged breach.
The Proposal establishes a more formal framework for amicable settlement between complainants and investigated parties: where the SA considers an amicable settlement has been found, it must communicate the proposed settlement to the complainant, who then has one month within which to object before the complaint is deemed to have been withdrawn (Article 5).
The Proposal also tasks the SA with which the complaint was lodged with translating the complaint into the language of the LSA, and translating the documents provided by the LSA into the language of the complainant (Article 6).
Cooperation in Cross-Border Cases
Cooperation between supervisory authorities
Chapter III of the Proposal deals with cooperation between SAs in cross-border cases. Section 1 provides that:
- The LSA must frequently provide the other concerned supervisory authorities ("CSAs") with updates on the investigation, providing them with all 'relevant information' once it is available (including certain documents, such as the summary of key issues, the preliminary findings, and the response of the investigated parties to, and views of the complainant on, the preliminary findings) (Article 8).
- The LSA must send a summary of key issues to the CSAs, once it has formed a preliminary view in an investigation.
- The CSAs may provide comments within four weeks of receipt (where no comments are provided, the case is considered to be non-contentious).
- Where a CSA disagrees with the LSA's assessment on the scope of the complaint investigation, or the LSA's preliminary orientation regarding complex legal or technological assessments, it must make a request to the LSA under Article 61 (mutual assistance) or 62 (joint operations) of the GDPR within two months.
- Where there is no agreement between the LSA and one or more CSA in a complaint-based investigation (the timeframe for agreement is not specified but may be the two-month period), the LSA must request an urgent binding decision of the European Data Protection Board ("EDPB") pursuant to Article 66(3) GDPR.
Full or Partial Rejection of Complaints
The LSA must provide the SA with which the complaint was lodged with the reasons for its preliminary view that the complaint should be fully, or partially, rejected, so that the SA has the information required to decide to reject the complaint. The SA with which the complaint was lodged must inform the complainant of the reasons for the rejection within three weeks, and set a time-limit within which the complainant can make their views known in writing. If the complainant does so and the preliminary view that the complaint should be rejected does not change, the SA with which the complaint was lodged prepares the draft decision under Article 60(3) of the GDPR, to be submitted to other CSAs by the LSA (Article 11).
Decisions Addressed to Controllers and Processors
Chapter III (Section 3) harmonises the investigated parties' right to be heard. It provides that the LSA must submit its preliminary findings to the parties under investigation, setting out the facts and entire legal assessment raised against them. The preliminary findings must indicate corrective measures which the LSA intends to use. The LSA must give the parties a set time limit within which to provide their views in writing (after which time the LSA does not have to take account of their views). Investigated parties may set out all facts and legal arguments relevant to their defence in their written reply. They must attach any relevant documents as proof of the facts (Article 14). Article 17 provides for a 'right to be heard' – where the LSA considers that the revised draft decision raises elements which the investigated parties should be able to express their views on, it must provide them with the possibility to do so, subject to a time limit.
Objections Raised by CSAs
Chapter III (Section 4) sets out the requirements for the form and structure of relevant and reasoned objections raised by CSAs. For instance, the length must not exceed three pages, the CSA's disagreement must be stated at the beginning, and legal arguments must be set out and grouped by reference to the operative part of the draft decision to which they relate.
Final Provisions of the Proposal
The Proposal goes on to provide:
- Rules relating to the content of and access to the administrative file (to enable investigated parties to exercise their right to be heard), and treatment of confidential information.
- That, if the LSA does not follow the relevant and reasoned objections of the CSAs, or is of the view that they are not relevant or reasoned, it must submit the matter to the dispute resolution mechanism set out in Article 65 GDPR. It sets out the documents which the LSA must provide to the EDPB (within four weeks of receipt of which the EDPB must identify relevant and reasoned objections) (Article 22).
- That, before adopting a binding decision under Article 65(1)(a) GDPR, the EDPB must provide the investigated parties with a statement of reasons explaining its reasoning. Articles 25 and 26 set out rules for the submission of matters to dispute resolution under Article 65(1)(b) and (c) GDPR.
- The procedural rules for the urgency procedure in Article 66 GDPR, where a request for an urgent opinion of the EDPB is made.
If you would like to discuss the Proposal, or any other related data protection and data privacy matter concerning your business, please do not hesitate to contact any member of our Technology and Innovation Group.