EU Council, Parliament Agree on Measures for Cross-Border GDPR Enforcement
EU governments and lawmakers agreed provisionally on a law meant to streamline and harmonize General Data Protection Regulation (GDPR) cross-border enforcement processes among national data protection authorities (DPAs), said the Council and the European Parliament on Monday. They also agreed on an early resolution mechanism.
Sign up for a free preview to unlock the rest of this article
The provisional agreement needs final approval by the Council and Parliament.
The deal could improve procedures related to GDPR enforcement but leaves certain elements in doubt, such as whether there will be a harmonized approach to ensuring that complainants have the right to be heard at key times in investigations, the European Consumer Organisation (BEUC) said.
For example, the regulation streamlines administrative procedures, the Council noted. It also harmonizes requirements for admissibility of complaints, allowing cross-border admissibility to be judged on the same basis regardless of where in the EU they're filed.
In addition, it standardizes requirements and procedures for a complainant to be heard if their complaint was rejected previously. It gives organizations and companies under investigation the right to be heard at key stages during the procedure and to be given preliminary findings for comment.
The law sets a deadline for completion of investigations of 15 months, which can be extended by 12 months for the most complex cases. Simple cooperation case investigations should be wrapped up within 12 months, the Council said.
To reduce protracted debates during cases between different data protection bodies, the new law includes measures that aid consensus-building, such as requiring the lead DPA to give its counterparts in other countries a summary of key issues early so they can express their views.
The final text retains a Council proposal for a simple cooperation procedure that offers the option of not applying all the additional rules if a case is more straightforward. That should help DPAs avoid administrative burdens, act swiftly on non-contentious cases, and take advantage of the new cooperation rules in more complicated investigations, the Council said.
"Parliament pushed for improving the rights of complainants and to ensure the rights of parties under investigation," it said. Lawmakers also won consent for setting deadlines, it noted.
The slow pace and divergent procedures in GDPR enforcement in different countries "have hampered this legislation," BEUC said. It pointed to several cases BEUC members filed against Google for its location-tracking measures in 2018 in which there are still no decisions.
BEUC urged authorities to make the procedures faster and to work more cooperatively with consumer organizations. This is important "given the power of multinationals and the snail pace of GDPR enforcement."
During negotiations for the law, Austrian privacy group Noyb slammed attempts to simplify cross-border GDPR enforcement, saying it could lead to a legislative mess that will make procedures slower and more prone to challenge (see 2504170002).
Talks among EU institutions on toughening cross-border GDPR enforcement rules began last November (see 2411040001).