Skip to content

EU - New EU Regulation to complement GDPR by clarifying cross-border enforcement procedures unveiled

The European Commission published its Proposal for a Regulation (on 4 July 2023) laying down additional procedural rules relating to the enforcement of GDPR (the Proposal), which aims to complement the GDPR by specifying the procedural rules for the cross-border enforcement of data protection rules by supervisory authorities (DPAs). 

The Proposal provides a standard form for cross-border complaints, clarifies the role of the lead supervisory authority and the authority with which the complaint was lodged, and deals with various procedural points, such as criteria for the rejection of complaints, the content of the administrative file and deadlines. 

Rights of complainants 

The Proposal seeks to ensure that complainants will have the same procedural rights in cross-border cases regardless of where the complaint is lodged or which DPA leads the investigation. It will also provide for a harmonised approach to, among other things:

  • what is considered a complaint and the criteria for its admissibility;
  • the right to be heard;
  • the right to access the administrative file.  

Rights of parties under investigation 

The Proposal provides for harmonised rules on the right of parties under investigation to be heard and to access the file at key stages of the procedure. The right to be heard is also extended to the dispute resolution procedure by the European Data Protection Board (EDPB).

Under the Proposal, the lead DPA will be required to provide the parties under investigation with preliminary findings, including all relevant facts, supporting evidence, legal analysis and proposed corrective measures, if any. The parties under investigation will be able to respond and the complainants may submit their written observations. The parties under investigation will also be given an opportunity to provide their views where the lead DPA intends to submit a revised draft decision, following any relevant and reasoned objections raised by DPAs concerned.

The Proposal also establishes the content of the administrative file in cross-border cases.

Protection of confidential information

Any information collected or obtained by a DPA in cross-border cases will be excluded from freedom of information or similar laws as long as the proceedings are ongoing. The Proposal provides explicit protection for any “business secrets and other confidential information” of the parties. 

Streamlining DPA cooperation and dispute resolution 

The Regulation will improve the collaboration of DPAs in cross-border cases by, among other things, permitting DPAs to provide their views early on in investigations and make use of tools such as joint investigations and mutual assistance under the GDPR. Specific rules are introduced to streamline the cooperation procedure between the supervisory authorities, the dispute resolution procedure by the EDPB and the urgency procedure under Art. 66 GDPR.

The Proposal is based on input from a wide range of stakeholders. Early responses from privacy rights organisations, however, seem to be critical. For instance, none of your business (noyb), in a somewhat withering analysis, notes that the Proposal does not take a systematic approach to regulating procedural issues, delegates jurisdiction to Member States rather than setting common standards and strips citizens of existing rights rather than ensuring their enforcement.

Next steps

The Proposal will now be considered by the European Parliament and the Council of the European Union.

The press release is available here, the Proposal here and Q&A here. The noyb statement is here.


Related expertise