Tag Archives: GDPR enforcement

GDPR Cross-Border Complaints: a New Regulation Proposal Attempts to Harmonize the Procedural Rules Among the Member States

Legal news, , , , , , , , , , ,

On July 4, 2023, the European Commission has issued a proposal for a new EU regulation laying down additional procedural rules aimed at ensuring a better and uniform enforcement of the GDPR among the Member States, especially with regard to the handling of cross-border complaints (“Proposal”).

The Proposal has been inspired by the findings of the reports issued by the European Commission and the European Data Protection Board concerning the status of the application of the GDPR among the Member States. Such reports stressed the need to make the handling of cross-border complaints more efficient and levelled across the EU, since the proceedings followed by local data protection authorities (“LDPA”) have been found to be differently designed and may thus lead to different application of the GDPR provisions.

The main features of the Proposal may be summarized as follows:

  • Submission and handling of cross-border complaints: The Proposal aims at removing the existing differences among the procedural rules applied by different LDPAs, namely with regard to how complaints on cross-boarder issues should be filed and which contents they should have. In such respect, a template for the filing of cross-border complaints – including a standard pre-determined set of information to be provided – has been drafted. The Proposal further specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles and rights of the lead LDPA and of any other concerned LDPAs. A system of amicable settlement of complaints is also encouraged.
  • Procedural rights of parties under investigation: The Proposal further aims at harmonizing and strengthening the rights of defence in the course of cross-border investigations and proceedings. Specifically, the Proposal recognizes an extended right of the parties to be heard at key stages of the proceedings and imposes the creation of an administrative file and the parties’ rights of access to it.
  • Tools for cooperation between LDPAs: New tools have been designed to ease the building of consensus between the involved LDPAs on the main features of cross-border proceedings since their preliminary phase, in order to limit the recourse to the (time consuming) dispute resolution mechanism provided by section 65 GDPR only in few exceptional cases. LDPAs that are called to handle a cross-border complaint are required to provide other involved LDPAs with a summary of key issues”, wherethe main findings of facts and legal grounds underlying each complaint are set out. Concerned LDPAs will be able to provide their views on such summary and to raise “relevant and reasoned objections”, in which case a specific fast-track procedure is designed in order to ensure that disagreements among LDPAs are settled at the beginning of the process.
  • Acceleration of cross-border proceedings: Lastly, the Proposal, by imposing strict deadlines, aims to prevent undue delays within the proceedings.

At the moment it is still unclear whether the Proposal will be officially adopted and become a binding regulation. Certainly, it has been welcomed by the European Data Protection Board and by the European Data Protection Supervisor and may be a good opportunity to level the difference among Member States and make the proceedings more efficient.

GDPR Turns 5, and Trans-Atlantic Data Flow Remains a Headache

Legal news, , , ,
Happy birthday to the GDPR, who has turned 5 years old on May 25, 2023! Is the European Union (and, given the Brussels effect, perhaps the entire world) a better place than pre-GDPR? This is a difficult question. Surely there has been a lot more focus on data protection by companies. And one of the reasons why companies have attempted to comply (100% compliance appears to be an unachievable goal!) is the possibility of being sanctioned with “administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher“. Clearly, while the very same GDPR language applies throughout the EU, data protection legislation is not yet harmonised, not even 5 years after its entry into force. About 30 articles of the GDPR allow Member States to depart from it. Interpretations of the Regulation also vary, so in many areas uniformity has given way to diversity (which, in this case, is not ideal).     Additionally, enforcement of the GDPR is entirely decentralized and data protection authorities have different views, differing resources and different strategies. A list of GDPR sanctions is regularly updated and since the Meta decision of May 22, 2023, the Irish Data Protection Commission has emerged as the champion. While it was previously criticized for “being too cozy to Big Tech”, it has issued the highest ever sanction, along with strong measures ordering Meta to stop further transfers of personal data from the EU to the US and to bring its processing operations of data already transferred to the US into compliance with the GDPR. The problem, once again, stems from the trans-Atlantic data flow from the EU to the US, and from the concerns that such EU personal data is subject to surveillance in the US, without any redress system for EU citizens. (Incidentally, thousands of companies, like Meta, may have the same problem).  The US and EU have yet to reach an agreement that would allow a safe flow of data (although there are hopes that progress will be achieved by July). Further, there is no guarantee that the European Court of Justice will not strike down any such new arrangement, like it did in the past (twice). Meanwhile, the post-GDPR world appears to strongly push towards data localization (or “sovereign cloud”), making data flows out of the EU to non-“adequate” countries very scary.