27 Mar 2023

Fostering cooperation in GDPR enforcement across Europe 

Executive summary 

DIGITALEUROPE welcomes the European Commission’s initiative to facilitate more harmonised procedural cooperation in cross-border enforcement of the General Data Protection Regulation (GDPR).[1] We believe these efforts will greatly contribute to a reinforced one-stop-shop (OSS) mechanism, which we deem crucial for both businesses and data subjects.[2]

For harmonised enforcement to work in practice, we recommend that the new rules should: 

  • Facilitate amicable settlements, with a reinforced role for lead supervisory authorities (LSAs); 
  • Better define the rights and roles of complainants, their representatives and the parties under investigation in proceedings; 
  • Require hearings before a draft decision is prepared and shared, including as part of the European Data Protection Board’s (EDPB) dispute-resolution proceedings; 
  • Improve transparency about the information shared between authorities, including the elements to establish the LSA; and 
  • Set procedural deadlines that safeguard due process and allow parties to exercise their procedural rights. 

    We encourage the Commission and the EDPB to continue open stakeholder involvement in the preparation of this legislative proposal. 

      Tools to promote cooperation early in the process 

      We welcome the EDPB’s recognition of the role amicable settlements can play in the OSS procedure.[3] Amicable settlements are described in Recital 131 GDPR, and should be facilitated in cross-border cases. 

      Non-contentious case resolutions allow space for trusted and constructive agreements between parties. They can lead to faster case resolution, and remove some of the burden from DPAs and the parties involved. 

      We would further welcome reinforcement of LSAs’ role in amicable settlements as part of the OSS. 

      Status of parties to administrative proceedings 

      Each party’s procedural rights before DPAs should be further defined. Complainants, their representatives and the parties under investigation should have clearly defined, active roles in proceedings. 

      Having clearly defined rights and obligations would increase the parties’ trust and collaboration in resolving cases. It would also help avoid the burden of further litigation before national courts. In this context, the right to a hearing is of particular importance, as discussed below. It can provide key information across different cases, avoid biases and ensure stronger collaboration with authorities. 

      Additionally, we support the EDPB’s recommendation to clarify which part of a file parties should be allowed to access. To this end, it is key that confidential files, which may contain information covered by intellectual property rights or trade secrets, or entail cybersecurity considerations, should be kept highly confidential. Rules for careful assessment, involving the party under investigation, are necessary to avoid economic harm and damages. The inclusion of such confidential information in rules around DPAs’ investigative powers would be further welcomed. 

      Right to a hearing and good administration 

      The right of parties under investigation to be heard should be recognised and balanced with those of complainants. 

      Hearings help to inform DPAs’ decision-making process. We strongly support the EDPB’s recommendation that an obligation be set for hearings to take place before a draft decision is prepared and shared with concerned DPAs. The EDPB’s decision-making process should include the results from hearings. For hearings to inform the decision-making process, they should also be part of dispute-resolution proceedings under Art. 65. 

      The scope, modalities and timing, as described by the EDPB, should be clarified so as to allow for sufficient time to prepare. A level of flexibility should be in place, for instance as to whether the hearing should be in written or in oral form.[4] Summaries of the hearings should be provided to the parties, in the interest of transparency. 

      Information shared about the investigation 

      Transparency about the information shared between authorities is key, particularly in cross-border investigations. The elements taken into account to establish which DPA should take the lead should be clear to the parties involved. 

      Procedural deadlines 

      We welcome the introduction of more granular procedural deadlines. However, new cross-border rules should remain adaptable to different cases and levels of complexity. Decisions should not be rushed, as this may lead to increased litigation. Procedural deadlines should safeguard due process and allow parties to exercise their procedural rights. 

      Extensions should be available to authorities, and the parties’ rights, e.g. the right to be heard, should be taken into account in setting new procedural deadlines. 

       

       


      References: 

      [1] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13745-Further-specifying-procedural-rules-relating-to-the-enforcement-of-the-General-Data-Protection-Regulation_en

      [2] DIGITALEUROPE, Two years of GDPR: A report from the digital industry, available at https://www.digitaleurope.org/wp/wp-content/uploads/2020/06/DIGITALEUROPE_Two-years-of-GDPR_A-report-from-the-digital-industry.pdf 

      [3] EDPB letter to the European Commission on procedural aspects that could be harmonised at EU level and EDPB Guidelines 02/2022 

      [4] EDPB Guidelines 03/2021 

      For more information, please contact
      Alberto Di Felice
      Policy and Legal Counsel
      Béatrice Ericson
      Manager for Data Economy & Privacy