Businesses will gain rights to be heard by data protection authorities investigating them and access administrative files in those cases, under forthcoming changes to the way the EU’s General Data Protection Regulation (GDPR) is enforced.

EU law makers reached agreement on the final wording of the GDPR Enforcement Regulation (80-page / 662KB PDF) in June. That agreement was then formally endorsed – first, by the Council of Ministers on 27 June, and then by the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee.

The LIBE Committee’s endorsement paves the way for the new regulation to be formally adopted by MEPs in October. The Council of Ministers has said it will formally adopt the text too, once the Parliament has done so. It will apply from 15 months after its date of entry into force – so, likely from early 2027.

The new regulation will bring the most significant procedural changes since the GDPR's inception, according to data protection law experts Annabelle Richard and Andreas Carney of Pinsent Masons.

The GDPR provides a so-called 'one stop shop' mechanism of regulation and enforcement, designed to allow businesses to deal with one data protection authority (DPA) in respect of their EU operations instead of multiple different authorities across all 27 EU member states. However, the GDPR also makes provision for the cooperation of national data protection authorities in cases where alleged infringement occurs in more than one jurisdiction.

In cross-border enforcement cases, the lead supervisory authority – that being the authority in the country where a business has its European headquarters or, failing that, where its EU representative is based – must enter into dialogue with the other data protection authorities in the countries where data subjects have been impacted. While the responsibility for investigating alleged infringement sits with the lead authority, the GDPR gives the other DPAs scope to input to the enquiries and to raise 'relevant and reasoned' objections against proposed decisions of the lead authority.

In cases where disagreements between the lead supervisory authority and other DPAs cannot be reconciled, the case will pass to the European Data Protection Board (EDPB), which has powers to issue a binding decision in cross-border enforcement cases.

Critics of the current regime believe enforcement of the GDPR is too complicated, convoluted and lacks transparency, leading to administrative burdens, delayed justice, and uncertainty for businesses. The GDPR Enforcement Regulation is designed to address those criticisms.

Once the regulation is in effect, DPAs will have a legal duty, in cross-border cases, to “conduct procedures in an expedient and efficient way” and cooperate “in a sincere and effective manner, including by providing support where necessary and responding to requests without delay”.

The new regulation also sets out the information that people or businesses must provide for their complaints to be admissible – as well as new procedures that provide for “early resolution” and “simple cooperation” among DPAs. Further provisions outline what streamlined information the lead supervisory authority must share with other relevant DPAs as well as a new framework that is designed to ensure cases are referred to the EDPB for an “urgent” decision where consensus between the DPAs is not achieved quickly.

Other changes include a new right to be heard for businesses under investigation – they will be given between three and six weeks to make representations in response to preliminary findings in cases involving them – either in writing or via an oral hearing, depending on what process the lead supervisory authority triggers. The authority will also have to provide those parties with access to the administrative file relevant to the case, although some of the content in that file is exempt from disclosure – including confidential information, trade secrets, and internal correspondence exchanged within the authority.

Where cases are referred to the EDPB for a binding decision, businesses under investigation will have a further right to be heard – they will be able to “make their views known in writing on any new factual or legal elements on which [the EDPB’s] decision is to be based, including on the relevant and reasoned objections which it intends to follow in its decision”.

Richard said: “Once enacted, the regulation will bring some clarity to the resolution of cross-border cases, but more importantly for businesses, it will introduce a right for the parties to be heard and a limited right of access to administrative files.”

Carney added: “The regulation will also provide orientation as regards the interaction between the result of a cross-border investigation and subsequent domestic proceedings, as well as timelines to possibly speed-up cross-border investigations.”

Businesses can be fined up to €20 million, or 4% of their annual global turnover, whichever is highest, for the most severe breaches of the GDPR.