How the European Parliament Can Support Effective GDPR Enforcement

The European Commission’s proposal for a General Data Protection Regulation (GDPR) Procedural Regulation is a pivotal step towards streamlining the cross-border enforcement of the landmark regime. The global tech industry is broadly supportive of the proposal. The Commission proposal introduces new rules to improve the effectiveness and efficiency of the GDPR’s cross-border enforcement by enhancing cooperation between national data protection authorities, providing further legal certainty to parties involved, and harmonizing some aspects of the administrative procedure.

However, recent legislative developments have raised concerns. On February 14, the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) of the European Parliament adopted its draft report on this proposal. Some of the Committee’s proposed amendments have the potential to hinder GDPR cross-border enforcement. The current draft also overlooks critical issues raised by the tech industry, such as the weakening of the One Stop-Shop mechanism (OSS). Moreover, the draft restricts the rights of parties under investigation, reduces confidentiality protections, and limits the possibility of amicable settlements. These elements are crucial for a balanced approach to GDPR enforcement, and their absence could significantly impact effective enforcement of the regulation across the single market.

As the European Parliament Plenary prepares to discuss the LIBE Report, ITI encourages lawmakers to consider the following critical aspects:

1. The proposed GDPR Procedural Regulation should not weaken but rather reinforce the OSS and Leading Supervisory Authorities (LSA) independence. The GDPR’s OSS mechanism is a pivotal tool that allows organizations to handle cross-border privacy concerns with a single LSA in a consistent manner across the EU. The Commission's original intent was to bolster the OSS mechanism by introducing additional steps in the cooperation between supervisory authorities without altering existing GDPR procedural rules. On the contrary, the LIBE Report's amendments potentially weaken the LSA’s central role by shifting decision-making and administrative competence to concerned supervisory authorities (CSAs) and the European Data Protection Board (EDPB), thereby fostering fragmented, independent enforcement actions. For instance, some of the amendments empower CSAs to independently exercise their authority more broadly, by invoking Article 66 of the GDPR. Other amendments would also restrict the power of the LSA to independently judge the admissibility of complaints, thereby limiting its autonomy. Furthermore, the LIBE proposal would allow any single concerned authority to seek a “procedural determination” from the EDPB if there is no agreement between the LSA and one or more CSAs. Therefore, these amendments significantly shift the established power balance.

It is crucial that the GDPR Procedural Regulation does not dilute the “leading” competence of the LSA, as maintaining its significant role under Article 56 of the GDPR is the most effective way to handle complaints.

2. The proposed GDPR Procedural Regulation must effectively safeguard the investigated parties’ right to be heard in practice at all stages. ITI appreciates that the original EU Commission’s proposal included provisions for the parties to express their concerns and objections at various stages, such as when preliminary findings are communicated, when the LSA believes that the revised draft decision introduces significant new elements for which parties should have the opportunity to make their views known, or before the EDPB makes a binding decision. However, the draft report from the LIBE Committee would substitute these specific protections with a generic provision allowing for parties to “be heard before any measure is taken that would adversely affect the party.” Finally, the LIBE proposals would delete Article 24, which extends the right to be heard to the cases before the EDPB in the context of the GDPR’s Article 65 dispute resolution procedure. These changes would introduce a level of ambiguity and legal uncertainty as to a party’s right to be heard at each stage of the investigative process.

It is crucial that the GDPR Procedural Regulation maintains and clearly articulates the fundamental right to be heard, ensuring that it is not just a formality but a substantive part of every phase of the investigation.

3. The proposed GDPR Procedural Regulation should ensure that there are robust rules on the protection of confidentiality. The original Commission’s proposal rightfully aimed to harmonize rules relating to confidentiality by including provisions on the identification and protection of confidential information. It is essential for parties involved in proceedings to recognize which documents are confidential and to ensure that those who access this information are prohibited from disclosing such information to anyone who is not a party to the proceedings, or using the information they obtain for any purpose other than the conduct of the inquiry. Unfortunately, the LIBE report would dilute in many instances the right to confidentiality for parties under investigation, providing overly broad discretion to the supervisory authorities on sharing confidential information. Keeping inquiry documents confidential is vital for preserving the integrity of the decision-making process, and the proposal should remain strong in this regard. Leaks can jeopardize the decision-making process by introducing external pressures.

It is crucial that the procedural regulation upholds robust confidentiality rights, including through the use of sanctions in case of deliberate breaches of confidentiality. Unless a proper deterrent exists, the likelihood of confidentiality breaches would inevitably increase.

4. The proposed GDPR Procedural Regulation must also incentivize early resolution and enhance cooperation and amicable resolutions at all stages. While ITI welcomes in the original Commission’s proposal the new framework for early resolution and amicable settlements to allow for speedier procedures and alleviate some of the burden on supervisory authorities, this framework remains limited and the LIBE Report introduces even more limitations on amicable settlements. For instance, the LIBE Report renders the process more adversarial, restricts the scope for amicable settlement and requires that it can only be reached through explicit consent of both parties and . Those changes will reduce the possibility of resolving proceedings efficiently and discourage parties from seeking such resolution.

It is essential that amicable resolution of complaints is incentivized at all stages of the process. For instance, the parties under investigation should receive any complaint from their LSA at the beginning of the process and be given the opportunity to address it through their internal complaint handling procedures first. The LSA should also be required to facilitate amicable resolution before initiating an investigation.
