In September 2023, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the European Commission’s Proposal for a Regulation on additional procedural rules for the enforcement of the GDPR. The aim of this proposal is to ensure the timely conclusion of investigations and the provision of swift remedies for individuals in cross-border cases by harmonizing several procedural differences within the EU and streamlining cross-bordercooperation. The proposal follows up on the wish list that the EDPB sent to the European Commission in October 2022. The EDPB and the EDPS welcome the Commission’s efforts to harmonize the information that must be provided for a complaint to be considered admissible and further call for comprehensive harmonization of the admissibility requirements. They also note positively the clarifications regarding the right of access to the administrative file. Furthermore, the Commission’s proposal to strengthen the search for consensus at the outset of the cooperation procedure is key to more effective and enhanced cooperation in law enforcement.
In addition to several other recommendations, the EDPB and the EDPS believe that the proposals for reaching a consensus could be further improved by ensuring greater involvement of the relevant supervisory authorities (CSAs) in the individual steps of the process, as this would prevent potential disputes at a later stage. In particular, preliminary findings addressed to the parties under investigation and the preliminary opinion to dismiss a complaint should be made available to the CSAs before they are submitted to the parties under investigation or to the complainant. In addition, time limits should be set for certain procedural steps, which could be extended in duly justified cases to enable swift and effective enforcement.
The EDPB and the EDPS emphasize that the proposal should not unduly restrict the ability of CSA authorities to raise relevant and substantiated objections to the draft decision, including the scope of the investigation. They also urge the co-legislators not to alter the current approach to the parties’ right to be heard in the dispute resolution procedure, which is triggered when data protection authorities fail to reach a consensus on a given matter. The proposed amendment would require the Chair of the EDPB to provide a statement of reasons to the parties under investigation and to the complainant. This does not appear to be consistent with the architecture of the one-stop-shop system; it is also unnecessary given current practice, which allows the EDPB to duly take the parties’ views into account and adopt a decision within the prescribed time limits.
With regard to urgent proceedings under Article 66( 2 of the GDPR, the EDPB and the European Data Protection Supervisor urge the co-legislators to clarify that final measures are adopted by the competent data protection authorities, with a broader scope of competence where necessary, than the territory of the requesting data protection authority.
Finally, as the EDPS emphasized in its contribution to the Commission’s initiative, which it submitted to the Commission in April 2023, existing practical obstacles to effective cooperation between national data protection authorities and the European Data Protection Supervisor should be addressed. The EDPB and the EDPS therefore recommend introducing a specific provision for this purpose.
The EDPB and the EDPS also adopted a joint contribution in response to the European Commission’s public consultation on the template report for the description of consumer profiling techniques pursuant to Article 15 of the Digital Markets Act (DMA). Under the DMA, designated gatekeepers will be required to submit such reports to the European Commission annually. The purpose of the draft template is to specify what gatekeepers should include in their independently verified descriptions of their profiling techniques. The Commission will forward these descriptions to the EDPB, and they will serve as a basis for enforcement actions by data protection authorities.
The EDPB and the EDPS have formulated several recommendations to clarify the scope of the information requested by the Commission, which will be forwarded to the EDPB. They recommend that law enforcement authorities provide additional information regarding the categories of personal data processed and their sources, the lifecycle of the relevant processing, the legal basis relied upon, the measures taken regarding the rights of data subjects, and a description of the appropriate technical safeguards implemented by the controllers.
