If adopted, the new law would require European privacy regulators, known as data protection authorities (DPAs), to share more information upfront in major privacy cases, such as those against Google, Amazon, and Meta, and to settle such cases out of court more often. The objective of the proposed regulation is to speed up how the GDPR is enforced.
The Commission said it found in its June 2020 evaluation report that “procedural differences applied by DPAs hinder the smooth and effective functioning of the GDPR’s cooperation and dispute resolution mechanisms.” In October 2022, the European Data Protection Board (EDPB) provided to the Commission a list of procedural aspects that it said could benefit from further harmonization at EU level.
The proposed GDPR Procedural Regulation, announced July 4, addresses input from a wide variety of stakeholders, including the EDPB, representatives from civil society, businesses, academia, and legal practitioners, as well as member states.
According to the Commission, the proposed regulation would establish concrete procedural rules for DPAs when applying the GDPR in cases that affect individuals in more than one member state. “For example, it will introduce an obligation for the lead DPA to send a ‘summary of key issues’ to their counterparts concerned, identifying the main elements of the investigation and its views on the case, and therefore allowing them to provide their views early on,” the Commission said.
“Should a DPA disagree with the lead DPA’s assessment, this authority can request a joint operation or mutual assistance mechanism, as provided by the GDPR,” the European Commission stated in a Q&A document. “Should the DPAs still disagree on the scope of a complaint-based case, the proposal empowers the EDPB to adopt an urgent binding resolution to resolve such disagreement early in the process.”
The ‘Right to Be Heard’
The proposed regulation would also provide data controllers and data processors under investigation with “the right to be heard at key stages in the procedure, including during dispute resolution by the EDPB,” the Commission said.
Thus, for businesses, the proposed regulation would clarify their due process rights when a DPA investigates a potential GDPR violation and bring more legal certainty, while facilitating early consensus-building in investigations for DPAs, the Commission said.
Aligning GDPR Procedural Rules
The new regulation provides detailed rules to support the smooth functioning of the cooperation and consistency mechanism established by the GDPR, aligning rules in the following areas:
- Rights of complainants: The proposal aligns the requirements for a cross-border complaint to be admissible, removing the current obstacles brought by DPAs following different rules. It establishes common rights for complainants to be heard in cases where their complaints are fully or partially rejected. In cases where a complaint is investigated, the proposal specifies rules for them to be properly involved.
- Rights of parties under investigation (controllers and processors): The proposal provides the parties under investigation with the right to be heard at key stages in the procedure, including during dispute resolution by the European Data Protection Board (EDPB), and clarifies the content of the administrative file and the parties’ rights of access to the file.
- Streamlining cooperation and dispute resolution: Under the proposal, DPAs will be able to provide their views early on in investigations, and make use of all the tools of cooperation provided by the GDPR, such as joint investigations and mutual assistance. These provisions will enhance DPAs’ influence over cross-border cases, facilitate early consensus-building in the investigation, and reduce later disagreements. The proposal specifies detailed rules to facilitate the swift completion of the GDPR’s dispute resolution mechanism, and provides common deadlines for cross-border cooperation and dispute resolution.
“The harmonization of these procedural aspects will support the timely completion of investigations and the delivery of a swift remedy for individuals,” the Commission said in a statement.
“While the independent authorities are doing a tremendous work, it’s time to ensure we can operate faster and in a more decisive way, especially in serious cases in which one violation may have many victims across the EU,” said Věra Jourová, vice president of the European Commission for Values and Transparency. “Our proposal lays down rules to guarantee smooth cooperation among data protection authorities, supporting more vigorous enforcement, to the benefit of the people and businesses alike.”
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.