On Tuesday, European Commissioner for Justice Didier Reynders presented a legislative proposal aimed at facilitating cooperation among data protection authorities on cross-border EU General Data Protection Regulation investigations. The draft regulation builds on the inaugural GDPR evaluation report produced in 2020 and the European Data Protection Board's 2022 wish list for procedural harmonization of cross-border cases enforcement.
"We are not reopening the GDPR. We are not modifying the fundamentals of the one-stop-shop. We are merely establishing detailed rules to facilitate harmonious and effective cooperation among DPAs for cross-border cases," Reynders said regarding proposed harmonization.
The proposal is articulated around four main pillars and among other changes:
- Complaint: harmonizing the conditions of what constitutes a complaint.
- Rights of complainants: introducing a right to be heard.
- Rights of parties under investigation (controllers and processors); introducing a right to be heard and right of access to documentation with proper protections for trade secrets and sensitive business information.
- Streamlining cooperation and dispute resolution: creating conditions for earlier and formed exchange of information among DPAs as well as setting detailed rules such as deadlines.
Meeting the proposal's requirements will take some of degree change for all member states but it won't lead to a complete overhaul of their respective systems. There will be tricky aspects though. Let me flag three initial thoughts.
First, to truly ensure harmonization, the European Commission's intention is that member states meet the level set in the final regulation and refrain from going above (or obviously staying below) the threshold it sets, which may mean some dialing down for a couple of member states. Second, a corollary aspect will be navigating the willingness of member states to shake up procedural rules applicable to data protection cases if such changes also affect procedures relevant in other areas of the law. Thirdly, the proposal will require empowering the EDPB while not challenging the decentralized enforcement model built by the GDPR.
As European Parliament and the Council of the European Union now get to examine the proposal, Commissioner Reynders did not commit to finalizing the negotiations by the May 2024 elections given the busy legislative calendar ahead.
Reynders' statement dismissing a reopening of the GDPR was also met with relief by many. We knew that was the case, but like in long-term relationships, it is nice to hear it once in a while.
Elsewhere:
- During his press conference, Reynders also addressed data protection adequacy issues. With the U.K., he confirmed he is exchanging regularly with his British counterparts and the EU is taking a wait-and-see approach to U.K. General Data Protection Regulation reform's possible impact, if any, on adequacy. On the U.S. front, he also confirmed he hopes to conclude the adequacy approval process by the end of the month. The U.S. Department of Justice made a "positive evolution" this week on the designation of EU and European Economic Area countries as an area where the new U.S. system as designed under the Data Privacy Framework could be applied.
- In a decision this week about Meta, the Court of Justice of the European Union found that "a national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed." It also found that "the personalized advertising […] cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue in the absence of the data subject’s consent."
- Madrid will become the EU capital for the next six month as Spain takes over the rotating presidency of the Council of the European Union. It has visibly stepped up its involvement in many European policy files this year. The proposed Artificial Intelligence Act is one of the last outstanding pieces on the digital agenda before the elections and Spain has every intention to get the regulation across the finish line before the end of 2023.
Comments, suggestions, constructive criticism? iroccia@iapp.org