The proposed regulation would merely lay down some (mostly) procedural rules for an improved cross-border enforcement of the GDPR by Data Protection Authorities (DPAs). This has been a deliberate choice with a view to tackling the most pressing needs whilst only minimally interfering with national procedural rules. While Member States may like the idea of leaving purely national proceedings unfettered, their DPAs would have to grapple with diverging standards.
But even within its limited scope the proposal still fails to meet some of the needs, hopes and expectations stirred by the utterly unsatisfactory practice of GDPR enforcement. As will be shown, it contains a mixed bag of goodies (and baddies) while disappointing key expectations formulated by the different players. As such, the proposal may well look like a promising, though misguided, political bargain, meant to get something adopted. Yet chances are slim that it will be, since the 2024 legislative cut-off date looms over it, with further consideration depending on the conditions set out in Rule 240 of the EP’s rules of procedure.
So, despite last-minute efforts at speedy (pre-)legislation following years of inertia, a first reproach must be that this proposal comes too late. A second reprimand would note that the text bears too little content capable of facilitating cross-border enforcement. Finally, the proposal appears to favor industry and DPA interests over complainant concerns, which would further stifle private GDPR enforcement.
What's the matter with GDPR enforcement?
As recently summarised by Lynskey and Hoffmann/Mustert, the GDPR’s transnational enforcement is broken in many ways, with the absence of a common procedural framework being one part of the diagnosis, besides conceptual divergences, the blatant under-funding of DPAs and ensuing selection and avoidance strategies. In practice, divergences have become apparent as to if, what and how complaints are effectively handled, the duration of and participation in proceedings, as well as the provision of information on the progress of an investigation. A 2022 study also found that, in the absence of clear rules and criteria on the admissibility of a complaint, some Member States have expanded the possibilities for DPAs to reject complaints on grounds not foreseen under the GDPR.
With regard to 5 aspects (parties, complaints, deadlines, investigative powers and the cooperation procedure), the EDPB formulated a total of 25 suggestions. The Commission went to work and, earlier this year, invited comments from interested parties.
Its call for evidence stated that the idea was to improve cooperation between DPAs by a targeted harmonisation of key procedural aspects for cross-border cases. This comprised tools to promote cooperation early in the investigation process, the position of complainants in the procedural steps, the way the parties under investigation are heard during the procedure, as well as information sharing between the authorities.
The Commission received a wealth of suggestions, ranging from ideas that would have upended the whole architecture of decentralized GDPR enforcement to a whole draft law on GDPR enforcement procedure.
What's in the proposal?
Preceded by 38 lavish recitals, some of which contain elements not mirrored in the relevant articles, the proposal’s 31 provisions are spread over 7 chapters and also address 5 aspects which, however, only partly overlap with those identified by the EDPB. They concern complaints, cooperation, confidentiality, dispute resolution and urgency. A striking difference resides in the absence of the ‘party’ category, given the Commission’s choice not to grant complainants that status. From the complainants’ point of view, the proposal’s most important practical feature is the complaint form set out in the annex, designed to overcome the uncertainty resulting from the very diverse national understandings of what qualifies as a complaint. Namely, no information other than that required by the form will have to be provided in order to make a valid cross-border complaint.
To present the contents of the proposed regulation in more detail, one would first note that, alongside object and scope, Chapter I sets out very few definitions. Their list is poised to be substantially extended in the legislative procedure, starting with who qualifies as a complainant. What constitutes a complaint follows from Article 3 in conjunction with the annex, but would merit a definition nevertheless.
Chapter II provides rules on the submission and handling of complaints and sets out factors for DPAs to take into account when considering the extent to which it is appropriate to investigate a complaint.
Chapter III concerns the cooperation between DPAs in cross-border cases. Its provisions are meant to facilitate timely agreement among them so as to reduce the need for dispute resolution. Under the proposal, the lead DPA is to involve concerned authorities in the early stages of the process to discuss the substance of the case, including its legal scope. In particular, once the lead DPA has formed a preliminary view on the investigation, it shall send a ‘summary of key issues’ identifying the main findings of fact and the lead DPA’s views on the case to DPAs concerned. Where there is no agreement at this stage regarding the scope of the investigation in complaint-based cases or the legal or technological assessment undertaken by the lead DPA, Article 10 requires a disagreeing DPA to make a request to the lead DPA under Article 61 (mutual assistance) or 62 (joint operations) of the GDPR. Where DPAs cannot agree on the scope of the investigation in complaint-based cases, Article 10 provides that the lead DPA shall request an urgent binding decision of the EDPB pursuant to Article 66(3) GDPR.
In response to a crucial weakness of current cooperation, Article 18 of the Proposal lays down detailed requirements for the form and structure of reasoned and relevant objections (RROs). These must be confined to factual elements included in the draft decision, and they must not change the scope of the investigation. All legal arguments must be grouped and refer to the relevant operative part of the lead DPA’s draft decision.
Section 3 of Chapter III concerns the right to be heard of parties under investigation. It provides that the lead DPA shall share with them its preliminary findings, setting out the objections raised, the relevant facts, supporting evidence, legal analysis, and, where applicable, proposed corrective measures. Complainants will be given the possibility to submit in writing observations on the preliminary findings and the parties under investigation shall have the opportunity to provide their views where the lead DPA intends to submit a revised draft decision. Finally, section 4 of Chapter III lays down detailed requirements for the form and structure of RROs raised by DPAs concerned. These must be confined to factual elements included in the draft decision, and they must not change the scope of the investigation. All legal arguments must be grouped and refer to the relevant operative part of the draft decision. The proposed regulation also imposes strict limits with respect to the volume of such RROs.
Chapter IV establishes rules regarding the scope of, and access to the file, as well as on the treatment of confidential information. It does not however venture to further specify the practical modalities of granting such access. Chapter V contains procedural rules for the dispute resolution procedure set out in Article 65 GDPR, namely on the information to be provided to the EDPB, deadlines and party rights. While arranging for investigated parties and complainants to make observations within very tight deadlines, Article 24 also provides that the EDPB’s equally tight deadline of one month is extended accordingly. Procedural rules for the urgency procedure in Article 66 GDPR can be found in Chapter VI, while Chapter VII concerns deadlines, transitional provisions, and the entry into force of the regulation.
What the players say
The proposal has stirred mixed emotions, the strongest criticism coming from data protection activists. NOYB has it in a first, albeit quite general, statement. A comparison of the proposal with NOYB’s suggestions for detailed procedural rules governing GDPR enforcement indeed highlights the shortcomings of the proposal. As also flagged by the consumer organization BEUC, a major issue is the lack of an autonomous right for complainants to be heard and informed from early on in an investigation. Indeed, the proposal provides a right to be heard only upon partial or full rejection.
Voices from the industry suggest that many of their queries have been taken on board, even though the Computer and Communication Industry Association, in particular, is still quite critical. While its opposition to tight deadlines is understandable, albeit in defiance of the proposal’s aim to speed up procedures, the idea to establish a right to appeal binding EDPB decisions could not possibly have found its way into the Commission proposal. It would topple the very architecture of GDPR enforcement.
What do we make of the proposal?
It takes a lot of goodwill to laud the proposal beyond the recognition that the Commission has come up with anything at all. Still, in order to provide the reader with a first appreciation allowing them to engage in a meaningful discussion of the matter, it is possible to present the proposal as the mirror image of the good, the bad and the ugly.
The good: It’s above all the complaint form. This will help in launching – and examining – cross-border complaints, both currently depending on quite diverse national conceptions. The Regulation also confirms that admissibility must not be reexamined by the lead DPA. Yet there are still some open questions like whether this also applies to standing requirements for representative organizations or limitation periods. Moreover, as follows from recital (4), national approaches to how the complaint form is submitted may continue to differ.
Second, the obligations on early information and observation sharing among DPAs obviously have the potential to smooth transnational enforcement. It remains to be seen how they are met without structural changes and better funding.
Fairly good is also the attempt to address confidentiality and the right to be heard by common provisions at EU level, rather than setting out conflict of law rules resulting in the application of domestic provisions. Both issues will nevertheless prove contentious during the legislative procedure. It remains to be seen whether the EP will insist on improving complainants’ rights to be heard and informed. A right of participation before the EDPB would be a game-changer. Under the Proposal, prior to adopting its Binding Decision, the EDPB shall provide the parties under investigation (the complainant in the case of full or partial rejection of a complaint) with a statement explaining the reasoning it intends to adopt. The party under investigation / the complainant has one week to comment, which in complex matters may be extended to two weeks. No oral hearing is foreseen.
Member States may find it hard to accept that an EU regulation sets out autonomous procedural rights rather than leaving this matter to national rules merely framed by EU law. Confidentiality in particular is a hot topic in European administrative procedures. Under the GDPR, the issue has recently come to the fore with Irish law allowing the disclosure of information concerning ongoing procedures to be penalised. The Commission proposal takes a strict approach by excluding investigation documents from access requests under laws on public access to official documents before the proceedings are over.
The bad: It is hard to see how the proposed regulation can substantially improve transnational GDPR enforcement, the success of which still depends on the authorities’ means and will to investigate and cooperate. In this connection, the proposal’s added value is limited, in particular since some of its key provisions merely rephrase those of the GDPR.
A provision in point is Article 4 (Investigation of complaints), which seeks to streamline the understanding of ‘the extent appropriate to which a complaint should be investigated’, as set out under Article 57(1)(f) GDPR. Article 4 does not add a lot by requiring that ‘(w)hile assessing the extent appropriate to which a complaint should be investigated in each case the supervisory authority shall take into account all relevant circumstances, including all of the following:
(a) the expediency of delivering an effective and timely remedy to the complainant;
(b) the gravity of the alleged infringement;
(c) the systemic or repetitive nature of the alleged infringement.’
One may derive a contrario that isolated and seemingly small-scale infringements can be shelved. Beyond the express wording of Article 5, the relevant recital (6) moreover suggests that this is equally so where the complainant has sought a judicial remedy under Article 79 GDPR.
Finally, one would have expected to see more and clearer deadlines in the proposed regulation. Curiously, some missing deadlines can be found in the recitals, namely (14), stating that where none of the DPAs concerned raise comments on the key issues summarized by the lead DPA, it should communicate the preliminary findings provided for in Article 14 within nine months.
While the proposal subjects the acknowledgment of a complaint, the decision on its admissibility, the transfer to the lead DPA, comments and requests by DPAs concerned, as well as submissions by investigated parties and complainants to deadlines, there are still no time limits for the work done by the lead DPA. This concerns in particular the ‘summary of key issues’ under Article 9(3), the ‘preliminary view as to full or partial rejection’, the draft, revised draft and final decisions.
Here, the EDPB and data protection activists had asked for a stricter framework. As this was fervently opposed by industry associations, the Commission refrained, citing the varying complexity of investigations and the discretion of DPAs to investigate infringements of the GDPR. This stance is quite unfortunate. It would have been much better to set out deadlines with the possibility to be extended where appropriate.
The ugly: Data protection activists are right to flag the imbalance between parties with regard to the procedural rights granted by the proposal. While this imbalance largely stems from the fact that a party under investigation must be heard so as to respect, among other guarantees, Article 41 of the EU Charter of Fundamental Rights, one wonders why complainants are not put in a position to pursue their complaints as effectively as possible.
A crucial question in this regard has been whether complainants should enjoy party status.
Some argued that providing complainants with the status of a party would introduce adversarial elements into an essentially administrative process and thus impact the equilibrium of investigation procedures. This could result in a violation of the equality of arms and the right of defence principle at authority level. Therefore, complainants should not be included as a party into the proceedings. The EDPB flagged the divergence of national rules and practices, while activists recalled that the GDPR is indeed about preserving the rights of data subjects, who should thus be treated as parties with, in particular, a right to be heard. As follows from recital (25), the Commission disagreed.
Granted, it is legally sound to consider that a right to be heard only arises where the complainant would be adversely affected by a decision, which will be the case where the authorities intend to reject her complaint. But then again, once the investigation has led to a preliminary view that the complaint should be fully or partially rejected, the complainant’s views may come too late to change the outcome.
Taking up a suggestion by the EDPB, the proposed regulation also addresses amicable settlements. While there is nothing wrong in principle with the non-contentious settlement of legal issues and despite already existing practices as well as EDPB guidelines on the matter, Article 5 of the proposed regulation appears to thwart the rights-based nature of the GDPR in respect of complaint-based investigations. Where the DPA concludes that an amicable settlement may indeed be reached, chances are slim that the complainant’s objection will result in the authorities finally siding with their point of view. Rather, the possibility to find an amicable settlement should be a matter solely for the data subject and processor/controller concerned, not the DPA. From a legal drafting point of view, it is deplorable that the relevant recital (9) contains a precision not included in Article 5, namely that the complaint may still result in an ex officio case.
Finally, it is quite telling that the explanatory memorandum falsely identifies Article 47 of the EU Charter as being served by a better resolution of cross-border cases, for the decisions taken neither qualify as a judicial remedy for the purpose of that provision, nor are its objectives sufficiently reflected in the proposal.
What's missing?
With the proposal concerning procedural rules, one may have hoped for provisions on the collection of evidence, (the law applicable to) oral hearings, or rules regarding the language, notification and publication of decisions. Also, it could have been beneficial to ponder the default digitalization of proceedings, in particular as regards the cooperation between DPAs.
What's next?
The Proposal has now entered the ordinary legislative procedure with the European Parliament having sent it to the Civil Liberties, Justice and Home Affairs committee. While its opinion may have a fundamental impact on the proposal, it may complicate the negotiations. Meanwhile, the clock is ticking.