Swift adoption of Regulation to streamline cross-border enforcement needed

Brussels, 21 September - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a Joint Opinion on the European Commission’s Proposal for a Regulation on additional procedural rules for the enforcement of the GDPR. This proposal aims to ensure the timely completion of investigations and the delivery of swift remedies for individuals in cross-border cases, by harmonising a number of procedural differences across the EU and streamlining the cross-border cooperation procedure. The proposal follows a wish list sent by the EDPB to the European Commission in October 2022.

EDPB Chair Anu Talus said: “We welcome the Commission’s swift response to our call for action and we are pleased to see that our wish list has now been transformed into a concrete legislative proposal, which will complement the GDPR. With this Joint Opinion, we aim to ensure that the new Regulation works for all parties involved. Given its high importance, we urge the co-legislators to swiftly adopt this new Regulation.”

EDPS Supervisor, Wojciech Wiewiórowski, said: “The Commission’s proposal is a welcome attempt to address some of the challenges identified by experts and practitioners related to the governance of the One-Stop-Shop mechanism. With our Joint Opinion, we hope to further improve the future legislation and, in particular, to foster timely resolution of cross-border cases, and to ensure that procedural rights of complainants are respected, keeping in mind constraints inherent in the GDPR enforcement model. Moreover, we call on the co-legislators to use this opportunity to address practical obstacles to efficient cooperation between national data protection authorities and the EDPS.”

The EDPB and EDPS welcome the Commission’s efforts to harmonise the information to be provided for a complaint to be considered admissible and they further call for an exhaustive harmonisation of admissibility requirements. They also positively note the clarifications concerning the right of access to an administrative file. In addition, the Commission’s proposal to boost consensus-finding early on in the cooperation procedure, is key to a more efficient and enhanced enforcement cooperation.

Amongst several other recommendations, the EDPB and EDPS consider that the consensus-finding proposals could be further improved by ensuring that concerned supervisory authorities (CSAs) are more involved in the different steps of the procedure, as this would avoid possible disputes at a later stage. In particular, the ‘preliminary findings’ addressed to the parties under investigation and the ‘preliminary view’ to reject the complaint should be shared with CSAs before they are submitted to the parties under investigation or to the complainant. Moreover, time limits, extendable in duly justified circumstances, should be defined for certain procedural steps to allow swift and efficient enforcement.

The EDPB and the EDPS stress that the Proposal should not unduly restrict CSAs' ability to raise relevant and reasoned objections on a draft decision, including on the scope of the investigation. They also urge the co-legislators not to change the current approach to the parties’ right to be heard in the dispute resolution procedure, which is triggered when data protection authorities (DPAs) fail to find a consensus on a case. The proposed change would require the Chair of the EDPB to provide the parties under investigation and the complainant with a ‘statement of reasonsʼ. This appears not to be in line with the architecture of the One-Stop-Shop system; it is also unnecessary in light of the current practice which allows the EDPB to duly take the views of the parties into account and reach a decision within the deadlines.

With regard to the urgency procedure under Art. 66(2) GDPR, the EDPB and the EDPS urge the co-legislators to specify that the final measures are adopted by the competent DPAs and, as appropriate, with a broader scope than the territory of the requesting DPA.

Finally, as underlined by the EDPS in his contribution on the Commission initiative, sent in April 2023 to the Commission, the existing practical obstacles to efficient cooperation between the national DPAs and the EDPS should be addressed. The EDPB and EDPS therefore recommend introducing a specific provision to this effect.

The EDPB and EDPS also adopted a joint contribution in response to the European Commission's public consultation on the template report for the description of consumer profiling techniques pursuant to Art. 15 of the Digital Markets Act (DMA). Under the DMA, designated gatekeepers will have to annually submit such reports to the European Commission. The draft template aims to specify what gatekeepers should include in the independently audited descriptions of their profiling techniques. These descriptions will be transmitted by the Commission to the EDPB and will inform enforcement actions by DPAs.

The EDPB and EDPS formulate several recommendations to clarify the scope of the information sought by the Commission which will be transmitted to the EDPB. They recommend that gatekeepers provide additional information concerning the categories of personal data processed and their sources, the lifecycle of the processing at stake, the legal basis relied on, the measures taken with regard to the rights of data subjects and a description of appropriate technical safeguards implemented by gatekeepers.