Changes to the One Stop Shop
In July 2023 the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (the 'GDPR' Regulations).
EU GDPR cross border cooperation: 'the EDPB wish list'
This is with a view to specifying procedural rules, streamlining cooperation and dispute resolutions mechanisms, and harmonising the procedural rights of parties under investigation and complainants respectively in cross border cases. On 19 September 2023 the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a Joint Opinion (the Opinion) on the Proposal, which sets out further suggestions as to what should be implemented to enhance these cross-border cooperation procedures.
The Scope and Challenges of the Current Regulations
A key weakness of the current GDPR Regulations is their inability to provide an efficient method to handle cross-border cases in a fair and harmonised way across EU jurisdictions. Such vulnerability has rendered significant challenges including:
- Unfair Outcomes - The absence of a consistent approach towards management of complaints registered with Supervisory Authorities ('SAs') across various jurisdictions in respect of the same incident has sometimes led to differing and, therefore, unfair outcomes. For example, complaints being rejected outright by some jurisdictions on the basis that, in the view of the SA, the complaint lacks merit, while accepted by others where the SA fully upholds them as valid complaints.
- Inconsistent processes - Under the current regulation, the extent to which parties are heard, the timing and length of the hearing and the recourses available to the parties vary significantly across the Member States. As a result, in some jurisdictions the process will allow for the parties to be heard, whereas in others no such stage exists. Further, some jurisdictions will allow a recourse to the final decision whereas in others, the SA's decision will have no recourse. These are fundamental flaws.
- Ineffective Dispute Resolution Process - The current regulations allow SAs to exchange 'relevant information' with a view to seeking a unified resolution to a cross-border case. Once the lead SA reaches a draft decision in the case, other SAs can raise any 'relevant and reasoned objections'. These objections allow for the possibility of dispute resolution. Whilst the process is a positive attempt towards harmonisation of the response from the regulators, it is the lack of cooperation between SAs prior to submission of the draft decision which can lead to complaints by the other SAs.
- Absence of Prescribed Deadlines - The lack of prescribed deadlines has inevitably led to undue delay and confusion in the management of notification procedures for authorities and users alike.
The primary objective of the Proposal is to improve upon procedural regulations to enable harmonisation from the SAs' perspective in cases involving multiple Member States. The specific provisions in the Proposal include:
- General Form -The Proposal calls for the adoption of a General Form which specifies the information required under Article 77 of the GDPR. The aim behind this is for the Form to outline the procedural rules that SAs have to adhere to, in order to reject a complaint in cross-border cases. This should aid the SAs in reaching a consistent outcome once a complaint on the same incident has been received.
- Strengthening the Right of Defence – The Proposal suggests clarifying the content of the administrative file and the parties' rights of access to the file. If adopted, this would serve to strengthen the parties' rights of defence whilst promoting consistency and equal access to administration of these complaints and fair exercise of individual rights under GDPR. The Proposal also sets out an obligation on the Chair of the Board to provide parties under investigation with a statement of reasons explaining the reasoning of the Board, prior to adopting the binding and final decision.
- Active Inter-Authority Cooperation - The Proposal aims to streamline cooperation between SAs in order to achieve a consensus on matters, to reduce the amount of cases that reach the dispute resolution stage. The Proposal creates a framework for all SAs to provide each other with their views early on in the investigation and make use of the tools available under the GDPR. This should facilitate a time sensitive consensus-building approach across authorities. Notably, the Proposal also sets out requirements for any relevant and reasoned objections raised by SAs.
- Dispute Resolution – The Proposal sets out procedural deadlines and clarifies the role of the parties involved in dispute resolution. The aim is to streamline the process so as to ensure a timely completion of the dispute resolution procedure.
EDPB/EDSP's Joint Opinion on the proposal
While the EDPB/EDSP acknowledge the Commission's efforts set out in the Proposal to standardise the information necessary for a complaint to be deemed admissible, they wish to take these changes further and to that extent, have suggested a few key recommendations, notably the following:
- Extension of Role of SAs – Recognising the importance of involving concerned SAs more extensively in various stages of the procedure, not least because this should help to avoid possible disputes at a later stage. As an example, the Opinion suggests that the 'preliminary findings' addressed to the parties under investigation and the 'preliminary view' to reject the complaint should be shared with the concerned Sas before they are finalised and submitted. This would help to strengthen the consensus-finding proposals at a timely stage of proceedings.
- Removal of Unnecessary Formalities – With regards to the form to be used when making a complaint, the Opinion suggests removing certain requirements (proof of identity, signature and telephone number) as they impose unnecessary barriers for complainants.
- Right to Object – With regard to the relevant and reasoned objections that can be raised on a draft decision, the Opinion highlights the importance of ensuring that the proposal does not unfairly restrict the ability of concerned SAs to present relevant and well-founded objections to a draft decision.
- Time Limits - A tighter framework for certain procedural steps should be adopted (with the possibility of an extension in special circumstances).
- Removal of Article 18: Relevant and Reasoned Objections ('RROs') - Whilst the EDPB/EDPS agree with the Proposal's aim to ensure consensus among SAs on key aspects at an early stage, they also believe it is crucial to grant SAs the right to raise objections to the draft decision. Considering the over restrictive basis of the procedure and limitations to changes in scope of the allegations, the EDPB suggests Article 18 of the Proposal to be deleted.
- Introducing a dedicated provision to address existing practical obstacles to efficient collaboration between national Data Protection Authorities and the EDPS.
As rightly noted by the EDPS Supervisor, Wojciech Wiewiórowski, the Proposal is a 'welcome attempt to address some of the challenges identified by experts and practitioners related to the governance of the One-Stop-Shop mechanism". Should the Proposal accept the suggestions incorporated in the Opinion, the EU will have taken a great step towards consolidation of the One Stop Shop through harmonisation of the GDPR processes to the benefit of its citizens.