Out-Law / Your Daily Need-To-Know

Out-Law News

GDPR cross-border enforcement cooperation process to be streamlined


The European Commission plans to “streamline” the way data protection authorities (DPAs) across the EU cooperate with one another when enforcing the General Data Protection Regulation (GDPR).

Details of the Commission’s intentions are light at this stage, but it has said it intends to adopt a new regulation on the issue, which concerns data protection enforcement cases with a cross-border element.

A proposed regulation is scheduled to be published some time between the start of April and end of June 2023. The Commission has indicated that it will seek evidence concerning its initiative from industry and other stakeholders.

“This initiative will streamline cooperation between national data protection authorities when enforcing the General Data Protection Regulation (GDPR) in cross-border cases,” the Commission said. “To this end, it will harmonise some aspects of the administrative procedure the national data protection authorities apply in cross-border cases. This will support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms.”

The GDPR provides a so-called 'one stop shop' mechanism of regulation and enforcement, meaning businesses operating across the EU need only deal with one DPA instead of multiple different DPAs in different member states. However, the Regulation makes provision for the cooperation of DPAs in cases where alleged infringement occurs in more than one jurisdiction. In such cases, the lead supervisory authority – commonly, where the business in question has its main establishment in the EU – must enter into dialogue with the other DPAs in the countries where data subjects have been impacted.

While the responsibility for investigating alleged infringement sits with the lead authority, the Regulation gives the other DPAs scope to contribute to the enquiries and to raise “relevant and reasoned” objections against proposed decisions of the lead authority. Where the DPAs cannot reach a consensus on their own, the case is referred to the European Data Protection Board (EDPB) – an umbrella body that brings together representatives of all the national DPAs in the EU as well as the European data protection supervisor – for a binding decision.

News of planned reform to some of the administrative procedures in the GDPR cooperation mechanism comes at a time when the powers of the EDPB have come under scrutiny in a legal challenge brought before the EU’s highest court.

Earlier this year, the Data Protection Commission in Ireland threatened legal action against the EDPB after it accused the body of going beyond its powers to affect an investigation into social media network provider Meta. A case has now been filed by the DPC against the EDPB before the Court of Justice of the EU (CJEU), though none of the documents pertaining to the case are publicly available yet.
