As varying approaches between national administrative procedures existed along with national laws implementation, the GDPR came into force with the aim of harmonizing data privacy laws across the EEA. Lack of the need for implementation of EU Member States, the Regulation has directly applicable effect which did not create total uniformity as there are more than 30 provisions where Member States have the freedom to adaptions into their national laws which leads Member States to have different national adaptions of GDPR along with practical issues.
European Commission has declared under its published initiative named “Further specifying procedural rules relating to the enforcement of the General Data Protection Regulation” below;
This initiative will streamline cooperation between national data protection authorities when enforcing the General Data Protection Regulation (GDPR) in cross-border cases. To this end, it will harmonise some aspects of the administrative procedure the national data protection authorities apply in cross-border cases. This will support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms.
Having the European headquarters of many big tech companies, the Irish DPC holds the right to manage most GDPR violation cases in the continent and the Commission’s aim is to change that situation. These rules under initiative are expected to clarify and complement the existing rules on cooperation and dispute resolution under GDPR Articles 60 and 65.
According to EDPB’s Statement on enforcement cooperation dated April 28, 2022, the Board members have agreed that below cases can be carried out by a limited number of DPAs for efficiency reasons;
- Cases of strategic importance where such cases fulfill a number of quantitative and qualitative criteria (e.g. cases affecting a large number of data subjects in the EEA, cases dealing with a structural or recurring problem in several member states, cases related to the intersection of data protection with other legal fields …)
Under the direction of the Lead Supervisory Authority, an action plan will be established at the EDPB level to ensure that the work will be conducted in the most efficient manner and within a fixed timeline.
DPAs will place particular emphasis on early and sustained sharing of all relevant information aiming at rapid informal consensus building.
Groups of DPAs may decide to join forces on investigation and enforcement activities and DPAs may share the work within these groups. Where needed, an EDPB taskforce can be created.
EDPB will facilitate the use of all instruments provided for in the GDPR, including Article 62 joint investigations. The EDPB Members agreed that joint investigations.
In EDPB’s letter dated October 10, 2022, which is sent to European Commission, it has been determined that the maximization of the efficiency of the cooperation mechanism can be further harmonized between Data Protection Authorities. The adopted statement of EDPB of April 2022, indicated the enduring commitment to close cross-border cooperation.
Such procedural aspects are determined to be harmonized to maximize the efficiency of the cooperation mechanism.
These aspects are indicated below:
- Identification of the parties to the procedure; status and rights of the complainant
In some Member States, the complainants are regarded as parties to the procedure, and/or specific rights are conferred on them, while it is not the case in such other Member States.
In order to unify that process, any different treatment of complainants arising from national procedural law should be eliminated where the Lead Supervisory Authority is in charge.
- Rights of the parties to the procedure
As procedural rights that the parties are subjected to vary across the EU, uniform application of the GDPR might be fulfilled by listing the procedural rights of parties. In particular, this aspect might be helpful in terms of dispute resolution in accordance with Article 65(1)(a) GDPR.
- Access of the parties to the file and confidentiality
The right of the parties to access the documentation of the proceedings also has differing effects in member states which makes the cooperation mechanism under Article 60 GDPR difficult by reason of what documents will be considered as part of the file is not clear. It is advisable that the documents containing formalized opinions, comments, and positions containing relevant and reasoned objections of Supervisory Authorities might be clarified which can come along with flagged confidential information such as business secrets.
- Right to be heard
The right is enshrined in Article 41 of the EU Charter and reflected under Article 60 of GDPR via cooperation with the Lead Supervisory Authority and other supervisory authorities concerned. Harmonized rules regarding the scope, modalities, and timing of the right to be heard by parties are needed to be unified. In current practice, it differs not only whether the complainant is able to examine and react to a draft decision (and, where this possibility is provided for, this may or may not include the envisaged sanctions and corrective measures), but also the timing is not determined among States.
- Procedural deadlines
Whether the complainant is to be considered as a “party” to the procedure is not unified and such alteration might be done in order to avoid different treatments of complainants depending on the Member State. The representative mentioned under Article 80 (2) GDPR should also be treated in the same way as the individual complainants.
There are many procedures not having a deadline both at the national and cross-border level which may cause undue delay in the finalization of cases.
- Information of the supervisory authorities concerned and the Board’s decisions to be published
Under current practice, Member States have differing rules leading to transparency issues since some Member States allow for the publication of decisions whilst other Member States only publish the decisions which can not be appealed.
The deadline for the feedback period of this initiative was March 24, 2023 and the Commission’s adoption is planned for the second quarter of 2023. It is hoped that the complexity and delay arising from procedural rules of national laws across the EU will be eliminated and legal certainty along with the credibility of enforcement by the introduction of enhanced cooperation will be introduced.