The European Parliament and the Polish Presidency of the Council of the European Union reached a provisional agreement 16 June on a long-awaited regulation aimed at improving cooperation between national-level data protection authorities when enforcing cross-border cases under the General Data Protection Regulation. The agreement also includes clarification of relevant procedures and rights as well as "fleshing out of earlier provisions" related to cooperation and dispute resolution procedures.
In emailed comments to the IAPP, Markéta Gregorová, Pirate Member of the European Parliament and rapporteur in Committee on Civil Liberties, Justice and Home Affairs, said, "I'm proud that we've successfully negotiated a long-overdue GDPR enforcement procedures regulation that finally ends the years-long limbo citizens have faced in cross-border cases."
She added, "For the first time, we're setting clear, enforceable deadlines, alongside strong rights for both complainants and companies, including access to case files and the right to be heard. This will make the system faster, fairer, and more transparent."
Poland's Deputy Prime Minister and Minister for Digital Affairs Krzysztof Gawkowski said, "We have taken a big step towards improving cooperation between national data protection bodies when they enforce citizens' rights under the GDPR. This objective is to speed up the process of handling cross-border GDPR complaints filed by citizens or organizations."
The provisional agreement still requires confirmation by the Council and Parliament, and the new rules will enter into force after final adoption. Notably, the law would create deadlines for procedures in order to speed up the investigatory and enforcement process.
"Once a lead supervisory authority has been established," a European Parliament press release states, "it must finish the investigation and submit a draft decision within 15 months, unless the complexity of the case requires and extension of a maximum 12 months."
Regarding the deadlines, Gregorová said, "I personally pushed through a key change: data protection authorities will now have to close straightforward cases within 12 months, and even the most complex ones within 15 months, with the possibility of limited extensions when strictly necessary."
At the time of publication of this article, the official text of the agreement was not yet released and likely will not be until after a final agreement is reached between the co-legislators.
However, in a related analysis piece for the IAPP, representatives from Hogan Lovells offer a more in-depth look at the GDPR's cooperation and consistency framework, the procedural history and key elements of the provisional agreement and various considerations for businesses. They point out that the provisional agreement "appears to incorporate elements" from the European Commission, Parliament and Council, but some controversial elements remain, including the shorter deadlines for lead supervisory authorities.
Privacy rights group NOYB's Max Schrems has been critical of the proposed regulation. In a post dated 20 May, NOYB said the rules would introduce "excessively long deadlines and overly complex procedures." NOYB said it is reviewing options for potentially bringing an annulment procedure "if the regulation passes in its current form." Schrems added, "The regulation is so structurally flawed, that the Court of Justice of the EU may have to annul it."
Wilson Sonsini Partner Yann Padova offered some background on the procedural history of the regulation, noting that the proposal "took into account several requests from the European Data Protection Board," which were originally published in October 2022. Parliament's LIBE committee published its draft report in November 2023 and proposed "substantial changes" to the original text. He said the trilogue process "took place based on substantial divergent views from the Parliament and Council."
In its analysis for the IAPP, the Hogan Lovells team points out that there has been "broad support for harmonizing cross-border enforcement procedures," though the devil is always in the details and "its full impact will depend on how it is implemented in practice." They add that cross-border enforcement has "sometimes been marked by delays" but warn it "is possible that streamlining procedures will lead to more enforcement of cross-border processing activities."
For Gregorová, the rapporteur for the regulation in the LIBE committee, the new rules "will make the system faster, fairer and more transparent. Our deal also ensures that people receive the same strong protections no matter where in Europe their case is handled. Big Tech will no longer be able to hide behind procedural delays, and citizens, NGOs, and businesses alike will finally benefit from greater legal certainty."
She added, "This is a major win for digital rights."
Jedidiah Bracy is the editorial director for the IAPP.
