New Procedural Rules for GDPR Enforcement Proposed by EU Parliament

On April 10, 2024, in a move to strengthen the enforcement of the General Data Protection Regulation (GDPR), the EU Parliament voted to adopt new procedural rules aimed at enhancing cooperation among national data protection authorities (DPAs) and standardizing various aspects of the enforcement process.

With a decisive majority of 329 in favor, 213 against, and 79 abstentions, the EU Parliament’s initiative seeks to iron out inconsistencies and introduce clearer, more streamlined processes for handling data protection complaints across the EU.

According to the official press release, ever since the GDPR came into effect, it has unified the data protection rights of EU citizens while ensuring the free flow of personal data among Member States. However, the enforcement of these rights has faced challenges, largely due to varying procedural standards among countries.

Here's a simplified summary of the main changes proposed:

• Enhanced Cooperation: The new rules aim to improve the cooperation and dispute resolution mechanisms between national data protection authorities (DPAs) when handling cross-border cases.
• Rights of Parties: The proposals emphasize the right of parties involved in data protection issues to be heard before any decision that affects them is made. This includes access to the case details and ensuring impartial treatment across all EU member states. There's a push for greater transparency in procedures, including better access to information for those involved in complaints.
• Streamlining Procedures: The rules aim to make procedures more efficient. For instance, specific deadlines are proposed for DPAs to acknowledge and classify complaints, and decide on them within set timeframes unless there are exceptional circumstances. The deadlines are as follows: 
  • A two-week timeframe for DPAs to acknowledge and assess the admissibility of complaints.
  • A three-week period to determine if a complaint pertains to cross-border issues and to identify the lead authority.
  • A nine-month deadline for issuing draft decisions, except in exceptional circumstances.
• Joint Case Files: A new system of joint case files is proposed, where all information related to a case is accessible to concerned supervisory authorities and, in some cases, to the parties involved, except for internal deliberations.
• Amicable Settlements and Judicial Remedies: The amendments seek to clarify the rules around amicable settlements, emphasizing the necessity of explicit consent from all involved parties. Additionally, the measures would allow DPAs to initiate investigations independently, ensuring that settlements do not hinder further investigatory actions.

The push for these changes comes two years after the GDPR began to be enforced. The European Parliament had previously expressed concerns over the uneven and at times ineffective enforcement of the GDPR by national DPAs. The European Commission's first evaluation also highlighted the need for more efficient and harmonized handling of cross-border cases.

Rapporteur Sergey Lagodinsky of the Greens/EFA group from Germany gave the following statement: 

The GDPR Enforcement Procedures Regulation brings more legal certainty for businesses and citizens. The Parliament today strengthens the rights of complainants and gives parties under investigation clarity in the procedure. We strengthen the fundamental right to data protection in the EU.

With the procedural rules now referred back to the committee, it is expected that further negotiations will take place and it is likely that the outcomes will be pursued by the new Parliament following the upcoming European elections from June 6-9.