Businesses subject to investigation under the EU General Data Protection Regulation (GDPR) are to obtain new rights of access to information relating to those investigations, under new plans put forward by the European Commission.
The proposals form part of new procedural rules envisaged in relation to the cross-border enforcement of the GDPR.
Under the new rules proposed by the European Commission, the European Data Protection Board (EDPB) would also obtain qualified new powers to direct the scope of investigations in cross-border data protection cases.
Under the EU General Data Protection Regulation (GDPR), responsibility for investigating compliance in cases of cross-border relevance rests primarily with one data protection authority – commonly, the authority based in the country in which the business in question has its ‘main establishment’ in the EU. However, other data protection authorities in other EU countries have a right to input in such cases. Currently, they can raise ‘relevant and reasoned’ objections to the draft findings of the lead supervisory authority. Where consensus cannot be reached on the findings or action to take in relation to them, cases are referred to the EDPB for a binding decision.
However, amidst criticisms that the ‘one stop shop’ mechanism does not deliver speedy outcomes, the Commission has proposed additional procedural rules (36-page / 506KB PDF) that aim to enhance the level of cooperation between authorities. The Commission had obtained input on the issue from stakeholders – including the EDPB, businesses, the governments of EU member states, and lawyers – earlier this year.
While the main thrust of the one stop shop mechanism remains, the Commission has proposed changes aimed at ensuring data protection authorities that are not the lead supervisory authority in a cross-border case have an opportunity to obtain a summary of key information relating to those cases at the earliest opportunity.
The information the lead authority would have to provide in its summary includes the main relevant facts; a preliminary identification of the scope of the investigation, including which GDPR provisions relate to the alleged infringement to be investigated; identification of complex legal and technological assessments relevant to the preliminary orientation of its assessment; and a preliminary identification of potential corrective measures.
Where other data protection authorities choose to respond, they must do so within four weeks and the comments they provide would need to comply with new standards proposed in relation to their clarity and succinctness. The Commission’s proposal promotes dialogue between the lead authority and the other commenting authorities with a view to consensus being reached over any differences of opinion. However, in a change to the current procedure, it also envisages the referral of matters to the EDPB if there is a lack of consensus on the scope of investigation proposed. The EDPB would have powers to direct the scope of investigation to be undertaken in such circumstances.
Other data protection authorities are not obliged to respond to the summary shared with them. Where none of the concerned supervisory authorities provide comments, the case is considered “non-contentious”. For these cases, the lead supervisory authority must communicate its preliminary findings within nine months of the expiry of the four-week deadline for comments.
The new rights of access to the administrative file maintained by the lead authority in cross-border cases would be triggered only after the authority has issued its preliminary findings. Businesses under investigation would be entitled to access “all documents which have been obtained, produced and/or assembled by the lead supervisory authority during the investigation”, but not the “correspondence and exchange of views between the lead supervisory authority and supervisory authorities concerned”.
In relation to complainants, the Commission’s proposal mandates their completion of a dedicated form for cross-border data protection complaints. Beyond the mandated information to be provided, the form proposed (3-page / 31KB PDF) encourages front-loading of evidence the complainant wishes to rely on – they are encouraged to submit all documentation in their possession relating to the facts set out in the complaint, such as a copy of contracts that confirm the relationship the complainant has with the data controller as well as marketing messages or e-mails, pictures, photographs or screenshots, and expert, witness, or inspection reports. The proposal clarifies that no additional information is required for a complaint to be admissible, to harmonise the processes around information gathering and admissibility.
Complainants would also enjoy new rights to be heard throughout the process under the Commission’s plans.
“It is clear that enforcement of GDPR works, but the procedures in cross-border cases can be still improved,” said EU justice commissioner Didier Reynders. “We have come forward with this proposal to show that we can do better to have quicker and more efficient handling of cases. We have listened to the voices of the European Data Protection Board, data protection authorities, civil society, and the industry. Our proposal addresses their calls and builds on our own findings to better protect Europeans’ right to privacy, provide legal certainty to businesses, and streamline cooperation between data protection authorities on the ground.”