On July 4, 2023, the European Commission issued a proposal for a Regulation laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (the “GDPR Procedural Regulation”).
The proposal stems from years of discussions on the effectiveness of GDPR enforcement, in particular in cross-border matters. The enforcement challenge was also one of the focal points of the European Commission in its report on the two years of application of the GDPR [1]. In its report, the European Commission acknowledged that further progress was needed regarding the handling of cross-border cases, including by harmonising the disparities in national administrative procedures and interpretations of key GDPR cooperation mechanism concepts by the various national supervisory authorities (“SAs”). The need for further harmonisation was also emphasised by the European Data Protection Board (“EDPB”) in its “wish list” letter addressed to Commissioner Reynders for better GDPR enforcement [2].
Where We Started: Key Takeaways from the European Commission Proposal
The objective of the European Commission’s proposal is to enhance the efficiency of cross-border data protection enforcement by streamlining specific administrative procedures and providing additional details on the existing rules for cooperation among EU SAs. Importantly, the proposal applies exclusively to enforcement cases involving cross-border processing activities. It is specifically not intended to amend the GDPR or impose new regulatory obligations on data controllers or processors that are subject to the GDPR; the focus is on optimising the handling of cross-border cases by removing hurdles stemming from differences in national procedural laws.
Key elements of the proposal include:
- The proposal aims to harmonise the information required when lodging a complaint related to cross-border processing, as well as the rules for accepting or rejecting such complaints.
- The proposal introduces the possibility of resolving complaints through amicable settlements. While this avenue is provided, SAs retain the authority to initiate ex-officio investigations. This dual approach provides flexibility in addressing complaints, offering parties the option of reaching mutually agreeable resolutions while allowing SAs to independently investigate matters when necessary.
- The proposal strives for harmonisation by aligning the rights of the parties under investigation (including controllers or processors). Notably, it emphasises their right to be heard within the framework of the dispute resolution mechanism established by Article 65 of the GDPR.
- The proposal introduces EU-wide rules governing access to the administrative file and safeguarding confidential information for the parties under investigation.
On September 19, 2023, the EDPB and European Data Protection Supervisor (“EDPS”) published a Joint Opinion on the proposed GDPR Procedural Regulation [3]. The EDPB and EDPS generally welcomed the proposal while identifying certain areas for improvement, particularly regarding the role of concerned SAs.
On November 9, 2023, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) published its draft report on the proposed GDPR Procedural Regulation [4] (the “LIBE Report”). In the LIBE Report, MEP Sergey Lagodinsky, serving as the Rapporteur, proposed substantial modifications to the content and structure of the proposed regulation. Some of these changes and their potential implications for companies engaged in cross-border proceedings are examined below.
What This Would Mean: Insights with Respect to the Implications of the Draft LIBE Report
The amendments to the GDPR Procedural Regulation suggested in the LIBE Report almost entirely focus on further elevating the procedural position of the complainant. While ensuring that the complainant’s position and related rights are adequately protected is imperative, the suggested changes in the LIBE Report do not provide adequate corresponding safeguards for the rights of the defendants. The defendants are, however, the main focus of the administrative enforcement proceedings and face potentially major consequences, including multi-million euro fines.
In addition, it should be noted that the European Commission's proposal for a GDPR Procedural Regulation is designed to establish pan-European administrative and procedural standards for GDPR enforcement without intending to alter the GDPR or other existing laws. However, the LIBE Report introduces significant modifications to the current GDPR governance model, giving rise to constitutional and political concerns. While subsidiary acts are permitted under the GDPR in specific circumstances, the proposed regulation is intended solely to complement the GDPR by providing detailed procedural guidelines for the cross-border enforcement system. It is crucial to recognise that the proposed regulation operates within the framework established by the GDPR and is not intended to alter or deviate from this established framework.
- Equality of arms: The LIBE Report makes reference to the “equality of arms” principle when proposing to strengthen the position of complainants by granting them rights that were initially exclusive to the party under investigation. This includes, for example, a right to be heard in relation to a revised draft decision. However, by doing so, this introduces adversarial elements into what is fundamentally an administrative process between the organisation under investigation and the supervisory authority. Instead, the role and rights afforded to complainants should be circumscribed and proportionate to their status in the proceedings. A parallel might be drawn to a criminal investigation, with an accused party and the investigating authority, where the injured third party (or the civil party) does not have the same status as the defendant, in line with their role in the proceeding. Distinct rights are granted proportionate to the parties’ interests (e.g., a civil party would typically have the right to be informed about the proceedings and heard about certain aspects). Similar considerations should apply to procedures before SAs and in the context of GDPR cross-border enforcement cases.
- Right to be heard: The LIBE Report suggests a horizontal right to be heard for the complainant and the defendant before any measure is taken that would adversely affect them, including before a decision is adopted to fully or partially dismiss or reject a complaint (“right to be heard”). While recognising the positive development of the right to be heard for defendants in enforcement proceedings, this right should not be restricted solely to situations where the measure taken would adversely affect the parties involved; instead, the defendant should be heard throughout the entire proceedings (including preliminary hearings, the proceedings and when the enforcement decision is taken). The LIBE Report also introduces a provision allowing SAs to limit the right to be heard under their national procedural law. This re-opens the door for divergent regimes across EU Member States and, hence, legal uncertainty for companies operating throughout the EU. Importantly, the LIBE Report further deletes the provision from the European Commission’s proposal that mandates the Chair of the EDPB, through the lead SA, to provide the parties under investigation with a statement of reasons for its decision and gives these parties the right to make their views on the decision known. This would curtail the defendants’ right to be heard without justification. Additionally, the LIBE Report would require national SAs to establish reasonable time limits for parties to present their views, but with a maximum limit of four weeks. While it is reasonable to impose certain time limits with respect to the right to be heard in the interest of the speediness of the proceedings, there should be flexibility to determine the deadlines on a case-by-case basis, considering the intricacies of cross-border enforcement cases, to ensure a fair and comprehensive hearing process. For complex investigations that may have a significant impact on the defendant, four weeks may not suffice.
Overall, the defendant’s right to be heard should be standardised uniformly across the European Union. It should be firmly acknowledged as a fundamental defence right and should not be subject to impractical limitations. Harmonising this crucial aspect of procedural fairness will ensure consistency and uphold the principles of justice and due process throughout the European Union in the data protection space.
- Confidentiality: The LIBE Report introduces procedural transparency in the proposed GDPR Procedural Regulation through the introduction of a joint case file containing all information relating to a case. This file is intended to be accessible to all involved parties, including the complainant and SAs. Per the LIBE Report, remote access to the file should be provided to the parties, except for redacted documents and internal deliberations. Apart from the fact that every scrap of paper in an investigatory file has limited value to any party, upholding confidentiality is key in enforcement proceedings, as it is an essential element to preserve the integrity of the proceedings and prevent them from turning into a public trial. Moreover, it serves to safeguard trade secrets and intellectual property rights. Granting broad access to the case file to all parties and all concerned SAs raises significant confidentiality challenges and risks. In particular, the LIBE Report omits the protective measures suggested by the European Commission for safeguarding defendants’ confidential information; for example, it deletes the provision aimed at preventing complainants from using the preliminary findings for purposes other than the ongoing investigation. Furthermore, at present, the proposed GDPR Procedural Regulation remains silent on the repercussions of breaching confidentiality. To ensure full transparency and cooperation, parties undergoing investigation require strong confidentiality safeguards, such as liability standards in the event of a breach of confidentiality and reasonable limitations of access rights to the case file. Access-to-file procedures are defined and tested, for instance, in antitrust cases and can provide a blueprint.
- Information sharing: The LIBE Report intends to introduce a requirement for the sharing of information acquired during a GDPR investigation with other authorities, including those responsible for competition, financial services, energy, telecommunications and consumer protection. This would be contingent on the SA deciding the relevance of the information to the respective tasks and duties of the other authorities. Apart from the fact that this would essentially place the burden on an SA to evaluate the importance of information in the context of other authorities’ competence, data sharing between authorities tends to be regulated through memoranda of understanding with robust safeguards guarding the procedural rights of the defendant. The proposal does not indicate any such safeguards. Furthermore, it is unclear how this proposal supports the aim of harmonising GDPR procedural rules.
- One-Stop-Shop (“OSS”): The GDPR Procedural Regulation, as amended by the LIBE Report, erodes the GDPR’s OSS mechanism and diminishes the influence of the lead SA. It introduces significant new powers for the EDPB, enabling it to intervene in disputes related to procedural matters and to conduct factual investigations within dispute resolution procedures. Among others, the proposal in the LIBE Report grants the EDPB the authority to issue urgent binding decisions in case consensus cannot be reached under the “summary of key issues” procedure (also referred to as “request for procedural determination” in the LIBE Report). The expansion of the urgent binding decision’s scope in the LIBE Report poses challenges. The shift from attempting to reach consensus among SAs amicably and in the spirit of sincere cooperation to a mandatory binding decision if consensus is unattainable contradicts the roles and responsibilities outlined in Articles 56 and 60 of the GDPR. It augments the role of the EDPB and undermines the lead SA in the procedural framework. This approach might be utilised to exert influence, potentially weakening the concept of the lead SA, as disagreements could lead to decisions that adversely impact the process. The absence of a specific list of conditions for a procedure to qualify as urgent further compounds these concerns. Furthermore, the primary aim of the OSS mechanism was to establish a centralised point of contact and streamline compliance interactions with SAs. However, the current trajectory of the proposed regulation, as amended by the LIBE Report, moves away from the original OSS vision, dispersing responsibilities to the EDPB and the national SAs. For example, the introduction of the obligation to draw up a “summary of key issues” and the process set forth by the proposed regulation to reach consensus both have the capacity to reshuffle decision-making and administrative authority from the lead SA to the EDPB.
In addition, the EDPB is granted the authority to issue urgent binding decisions in case consensus cannot be reached under the “summary of key issues” procedure. This impedes authentic collaboration among the concerned authorities and may result in obstruction of the process to trigger the urgent binding decision procedure, essentially giving the EDPB the power to make pivotal decisions. This shift in power dynamics poses a risk to the OSS framework and threatens the position of the lead SA. Notably, the LIBE Report introduces the potential for the EDPB to make decisions on the scope of an investigation. This is problematic since the EDPB is typically not endowed with investigative powers. This proposal, therefore, essentially amends the GDPR, which is not its aim. It is imperative to incorporate robust safeguards to carefully balance the distribution of decision-making authority, ensuring that the lead SA retains its rightful role. This approach is essential to uphold the integrity of the GDPR's governance model and to preserve the effectiveness of the OSS mechanism.
The European Parliament’s LIBE Committee is expected to vote on the Parliament’s approach between February and March. Subsequently, the GDPR Procedural Regulation is being discussed at the Council of the EU at the technical level, with an aim to finalise the Council’s general approach before the end of the Belgian Presidency of the Council. Taking into account the European Parliament elections in June 2024, the legislative process will continue with the new Parliament and Commission configuration. The change in Parliament and the Commission might have an impact on the positions these institutions might take during the trilogue negotiations.
Once finalised and adopted, the GDPR Procedural Regulation will enter into force on the twentieth day following its publication in the Official Journal of the European Union and will apply to ex-officio investigations initiated after this date, complaint-based investigations for complaints lodged after this date and all cases submitted for dispute resolution under Article 65 of the GDPR after this specific date.
[1] Communication from the Commission to the European Parliament and the Council, Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation (COM/2020/264 final), 24 June 2020, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0264
[3] EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679, available at https://edpb.europa.eu/system/files/2023-09/edpb_edps_jointopinion_202301_proceduralrules_ec_en.pdf
[4] Draft Report of the Committee on Civil Liberties, Justice and Home Affairs on the proposal for a regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (COM(2023)348 – C9-0231/2023 – 2023/0202(COD)), available at https://www.europarl.europa.eu/doceo/document/LIBE-PR-755005_EN.pdf