EN

INT/1042

General Data Protection Regulation – additional procedural rules

OPINION

Section for the Single Market, Production and Consumption

Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679

[COM(2023) 348 final – 2023/0202 (COD)]

Contact: int@eesc.europa.eu
Administrator: Marco MANFRONI
Document date: 28/11/2023

Rapporteur: Katrīna ZARIŅA

Referral: European Commission, 13/11/2023
Legal basis: Article 304 of the Treaty on the Functioning of the European Union
Section responsible: Single Market, Production and Consumption
Adopted in section: 23/11/2023
Outcome of vote (for/against/abstentions): 37/0/0
Adopted at plenary: DD/MM/YYYY
Plenary session No: ...
Outcome of vote (for/against/abstentions): .../.../...



1. Conclusions and recommendations

1.1 In principle, the European Economic and Social Committee ("the EESC") welcomes the European Commission's ("the Commission") proposal ("the Proposal") to establish additional procedural rules for cooperation between supervisory authorities of European Union Member States in cross-border cases.

1.2 In the EESC's view, the Proposal has been drawn up with the necessary care to increase the participation of individuals in the process of investigating cross-border complaints, and clarifies the scope of the information that an individual needs to provide when submitting a complaint, thus making the process smoother.

The EESC believes that the regulatory improvements proposed by the European Commission are necessary and will bring positive benefits to all parties involved. For organisations (businesses and institutions), the new rules will clarify their right to a fair process, for individuals they will promote the right to be heard in the complaint-handling process, while for data protection authorities, the new rules will facilitate cooperation and improve the effectiveness of enforcement.

1.3 Following discussions, the EESC has come to the conclusion that the capacity and performance of Member States' data protection authorities (DPAs) play an important role in the successful and efficient handling of cross-border cases. In this context, the EESC calls on the Member States to closely monitor the funding of their DPAs and to build up their capacity so that individuals and businesses can receive the support they need.

1.4 In the EESC's view, the Proposal is aimed at harmonising the implementation of Article 60 of the GDPR in the Member States and defining the related processes more clearly. For the first time, the Proposal harmonises at Member State level the conduct of procedural actions related to the application of the GDPR. The Committee generally welcomes the progress towards harmonisation of the implementation of the GDPR, while taking into account the differences in Member States' national rules. The EESC generally endorses the move towards the harmonisation of processes and calls on the parties concerned to continue their efforts and, as far as possible, to extend the harmonisation of procedural activities to all procedural matters relating to the application of the GDPR.

1.5 The EESC has drawn up a number of proposals which, in its view, would improve the Commission's Proposal, and recommends that the Commission clarify and supplement this as follows:

a) set more specific procedural deadlines and maximum time limits in the Proposal where possible and appropriate;

b) clearly inform the Member States' DPAs that the range of information indicated in the annex to the Proposal for inclusion in a complaint is the minimum information to be provided by the complainant, but that the DPA has the right to supplement it with other non-compulsory information fields if it deems this necessary;

c) leave it to the discretion of the Member States' DPAs to decide on the most appropriate language for communication between DPAs when investigating a cross-border complaint;

d) leave it to the discretion of the Member States' DPAs to decide whether to identify the complainant by requesting that a copy of an identity document be attached to the complaint;

e) improve the complaint form by noting the right of the complainant to request confidential treatment of the information submitted;

f) replace the list of identification documents in the complaint form with a more general designation, such as "identification document", covering all types of identification documents deemed acceptable in the Member State concerned, or, as regards the use of a driving licence for personal identification purposes, add a reservation that this applies only in those Member States where a driving licence is considered to be an identification document;

g) request that DPAs treat the scope of information required by the form in the annex to the Proposal as sufficient not only in the case of complaints about cross-border processing but also in cases where cross-border processing does not initially appear to have taken place;

h) define how the Proposal will apply to the countries of the European Economic Area (EEA).

1.6 The EESC draws attention to the need, when further clarifications and proposals are drawn up, for greater involvement of the social partners and civil society in the preparation, evaluation and follow-up of those proposals. Close cooperation between the parties involved is one of the principles of good governance and improves overall regulatory quality and the effectiveness of implementation.

2. General comments

2.1 The European Commission has drawn up a new proposal for a regulation providing for the establishment of additional procedural rules for cooperation between personal data supervisory authorities in European Union Member States in cross-border cases, which is currently governed by Article 60 of the General Personal Data Protection Regulation (1) (GDPR). The Commission has also drawn up a uniform complaint format for cross-border cases as an annex to the Proposal.

2.2 Since its entry into force in 2018, supervision in connection with the GDPR has been entrusted to the independent data protection authorities (DPAs) of the Member States. The "one-stop-shop" decentralised enforcement system included in the GDPR aims to ensure consistent interpretation and application of the GDPR while implementing the principle of proximity, where individuals must have the possibility to contact their local DPA and receive an answer. In such cases, the "lead" DPA (2) (the DPA of the main establishment of the controller or processor under investigation) conducts the investigation, and is required to cooperate with other "concerned" DPAs in an endeavour to reach consensus.

2.3 The lead DPA must exercise its competence within a framework of close cooperation with concerned DPAs. Where DPAs are unable to reach consensus in a cross-border case, the GDPR provides for dispute resolution, on specific matters raised by "relevant and reasoned objections", by the European Data Protection Board ("the Board"), which is composed of the heads of the DPAs of each Member State and the European Data Protection Supervisor and which includes the participation of the Commission.

2.4 The Proposal complements the GDPR by specifying procedural rules for key stages of the investigation process established by the GDPR. The Proposal aims to ensure consistent application of the GDPR in the Member States and to address issues in a number of areas. The implementation of the procedural rules will lead to an interaction with national procedural law within the (data protection) authority.

2.5 For individuals, the new rules will clarify the information needed to file a complaint and ensure the participation of the complainant in the investigation process. For businesses, the new rules will clarify their right to a fair process, while for data protection authorities, the new rules will facilitate cooperation and improve the effectiveness of enforcement. The EESC believes that such regulatory improvements are necessary and will bring positive benefits to all parties involved.

2.6 Data subjects' rights in cross-border cases: At present, some DPAs afford complainants equal rights to parties under investigation, while others either do not include complainants or involve complainants to a very limited extent; some DPAs adopt a formal decision rejecting all complaints which are not accepted, while other DPAs do not. These differences mean that the treatment of complaints and the involvement of complainants varies depending on the Member State where the complaint is lodged, or on which DPA is the lead DPA for a given case. As a result, these differences hinder the completion of investigations and the application of remedies in cross-border cases. The Proposal aims to reduce these differences and promote a common approach to this issue across the Member States. The Proposal provides for new procedural rights for the complainant equally in all Member States, which have not until now been guaranteed.

2.7 At present, DPAs have varying interpretations on requirements for the contents of a complaint, the involvement of complainants in the procedure, and the rejection of complaints. Complaints accepted by some DPAs could be rejected by others on the basis that they provide insufficient information. Therefore, in addition to procedural rights and obligations, the Proposal introduces a uniform complaint format, which determines the scope of information to be provided when submitting a complaint to any of the DPAs.

2.8 Procedural rights of parties under investigation: The Proposal brings about targeted harmonisation of procedural rights in cross-border cases. It provides the parties under investigation with the right to be heard at key stages in the procedure, including during dispute resolution by the Board, and clarifies the content of the administrative file and the parties' rights of access to the file. The Proposal strengthens the parties' rights of defence and ensures consistent observance of these rights regardless of which DPA is leading the investigation.

2.9 The EESC welcomes the fact that the Proposal provides greater procedural certainty for economic operators and extends their right to be heard at the most important stages in the investigation of a case. At the same time, the Committee would point out that the Member States have different legal systems, and this may hinder the successful application of the solutions introduced by the Proposal.

2.10 Cooperation between DPAs and dispute resolution by the Board: Article 60 GDPR outlines the procedure for DPAs to cooperate with each other in cross-border cases, but it is not described in sufficient detail. In cross-border cases, DPAs are required to exchange "relevant information" in an endeavour to reach consensus. Once the lead DPA submits a draft decision in the case, other DPAs have the opportunity to raise "relevant and reasoned objections". These objections make it possible to resolve the dispute. While the dispute resolution procedure in Article 65 GDPR is an essential element of ensuring consistent interpretation of the GDPR, it should be reserved for exceptional cases where cooperation between DPAs has not yielded consensus.

2.11 The Commission's experience in the enforcement of the GDPR in cross-border cases shows that there is insufficient cooperation between DPAs prior to the submission of a draft decision by the lead DPA. The Proposal therefore brings about targeted harmonisation of procedural rights in cross-border cases. It equips DPAs with the tools necessary to achieve consensus by giving added substance to the requirement for DPAs to cooperate and to share "relevant information" set out in Article 60 GDPR. Under the Proposal, a framework is established for all DPAs to meaningfully impact a cross-border case by providing their views early in the investigation procedure and making use of all tools provided by the GDPR.

2.12 The Proposal lays down requirements for the form and structure of the "relevant and reasoned objections" raised by DPAs, thereby facilitating the effective participation of all DPAs and the swift resolution of the case. The Proposal sets out the procedural rules for the rejection of complaints in cross-border cases and clarifies the role of the lead DPA and of the DPA with which the complaint has been lodged in such cases. The content of the administrative file and the right of parties to have access to the file have been clarified. The Proposal recognises the importance and the legality of amicable settlement of complaint-based cases.

3. Specific comments

3.1 While one of the main objectives of the Proposal is to lay down procedural arrangements for the settlement of disputes between DPAs in the case of cross-border data processing, and it provides for a number of procedural time limits, in many places these are vague or the provision does not set a maximum time limit (e.g. Articles 8(1), 12(2), 14(4), 17(2)). In order to achieve the Proposal's objective of a faster and transparent process, and to ensure that the complainant and the party against whom proceedings have been brought can rely on the GDPR and the procedural arrangements provided for in the Proposal, the EESC recommends setting out deadlines and maximum time limits in the relevant articles of the Proposal, where possible and where setting such a deadline would contribute to procedural efficiency.

3.2 Article 3(5) of the Proposal provides that the complainant may request the confidentiality of the information contained in the complaint, but the annex to the Proposal (complaint form) does not contain any reference to such a right. Given that individuals are not obliged to know in detail all the legal nuances of legislation in the field of data protection, including the fact that they have the right, at a certain point, to request the confidentiality of information, the EESC recommends that the form be supplemented with information on the complainant's right, laid down in Article 3(5), to request the confidentiality of the information contained in the complaint.

3.3 Articles 11-13 of the Proposal provide for the complainant's right to be heard by the DPAs in the international cooperation process. Taking note of the joint opinion (3) issued by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on the Proposal, in section 8 of which the two bodies analyse in detail shortcomings identified in the Proposal – the possibilities for the complainant to exercise their procedural rights in the light of the different possible scenarios in which a complaint may be dealt with under the GDPR – and taking into account the different practices of the DPAs of the Member States with regard to the involvement of the complainant in the proceedings (4), the EESC recommends clarifying the arrangements for implementing the complainants' rights set out in the aforementioned Articles so that their implementation contributes to the effectiveness of the handling of intended cross-border complaints.

3.4 Article 6(1) of the Proposal provides that the authority that receives the complaint is responsible for translating the complaint and the complainant's views into the language used by the lead DPA before they are transmitted to the lead DPA, as well as translating the documents received from the lead DPA into a language understood by the complainant. Given that DPAs communicate with each other primarily in English, but that the majority of Member States' DPAs use the official language(s) of that Member State as their language of communication, it is necessary to clarify whether the translation of documents and other information to be handed over to a DPA for its internal use is to be done into the Member State language or whether the supervisory authorities may continue to implement the current practice of agreeing among themselves on a language of communication comprehensible to all the supervisory authorities involved.

3.5 At the same time, the EESC believes that the translation of documents into a language understood by the complainant, i.e. the national language of the Member State concerned, should be fully supported in order to respect the complainant's right to communicate with the authorities in a language he/she understands.

3.6 At the same time, the EESC is concerned that the obligation to provide for the translation of complaints and all materials received could impose a disproportionate administrative burden on the DPAs. It is also concerned that the DPA organising the translation will not be able to check its correctness if the translation is not made into English. Given the often technical nature of terms used in the field of data protection, an imprecise and unverified translation may lead to a misunderstanding of what has happened. This creates a risk that the lead DPA will not be sufficiently impartially and fully informed of the content of the complaint submitted and of the factual background. Taking note of the current practice of the DPAs on this matter, the EESC notes that in the case of cross-border infringements, the DPAs of the Member States often agree among themselves on the use of English for mutual communication. The information obtained by the EESC indicates that DPAs currently use machine translation tools to translate documents exchanged between them in the course of investigations quickly and with minimal use of resources. Final decisions, however, are translated by professional translators.

3.7 In the EESC's view, an excessive requirement for translation into and from several languages so that DPAs can exchange documents among themselves entails unnecessary costs for institutions, businesses and society. In the Committee's view, DPAs should be allowed to agree on the use of a mutually comprehensible language when dealing with a cross-border dispute, and the opportunities offered by digital technologies, artificial intelligence and machine translation should be actively exploited.

3.8 Article 31 of the Proposal provides that the new rules will be directly applicable in all Member States. Given that the GDPR currently also applies to European Economic Area (EEA) countries, it would be necessary to clarify whether the Proposal will also apply to the EEA, in order to ensure a common approach to the application of the GDPR and effective cooperation between EEA DPAs and EU DPAs in cross-border complaint-handling cases.

3.9 The complaint form provides for a procedure to identify the data subject and requires the data subject to submit a "form of identification" (presumably a paper or electronic copy rather than the original). At present, there are Member States where the complaint procedure does not provide for the identification of the person and the authority trusts that the information they provide about their identity is true. The DPAs of the Member States have different practices as to whether they check the complainant's identification document upon receipt of a complaint: some Member States' DPAs apply this practice, while others do not. The imposition of such an obligation on DPAs which have not done this so far may create an additional administrative burden and also entails additional information security risks relating to the secure transmission and storage of identification document data by the DPA. This view is also expressed in the joint opinion of the EDPB and the EDPS on the Proposal. The EESC recommends that the decision on this issue should be left to the DPAs, allowing them to choose whether or not to continue their established practice.

3.10 In addition, footnote 2 of the annex provides that the identification document may be a passport, a driving licence or a national identity card. It should be noted that there are differences among the Member States as to whether a driving licence is considered an official identification document. For example, in Latvia it is not considered an identification document. If, however, the Commission decides to maintain the requirement to identify the complainant, the EESC recommends replacing the list with a more general term, such as "identification document", covering all types of identification documents deemed acceptable in the Member State concerned, or amending the list of documents with the text "driving licence (only in Member States where this is considered an identification document)".

3.11 It is also provided that the form set out in the annex is to indicate the scope of information to be provided by the complainant when submitting a cross-border complaint. At the same time, Article 3(2) of the Proposal provides that "the supervisory authority with which the complaint was lodged shall establish whether the complaint relates to cross-border processing". This may lead to situations where the complaint submitted does not concern cross-border processing or where the form was not used but cross-border processing has taken place, while the complainant was unaware of or unable to establish this. In order to prevent such situations and undue delays in the process due to insufficient information, it would be advisable for DPAs to treat the scope of information required by the form in the annex to the Proposal as sufficient not only in the case of complaints about cross-border processing but also in cases where cross-border processing does not initially appear to have taken place. There is also a need for clear communication to the DPAs of the Member States that they have the right to ask for information not referred to in the annex, but if the complainant is not able to provide it, this cannot constitute an obstacle to the acceptance of the complaint.

Brussels, 23 November 2023

Sandra PARTHIE

The president of the Section for the Single Market, Production and Consumption

_____________

(1)    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(2)    The designation of the lead DPA is limited to situations where the controller or processor carries out cross-border data processing. The managing authority is the DPA of the Member State primarily responsible for the supervision of cross-border data processing by that controller or processor.
(3)    EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679, European Data Protection Board (europa.eu).
(4)    As the procedural rules of the Member States differ, some DPAs involve the complainant more actively throughout the complaint-handling process, while others merely inform the complainant about the opening of the case and the final decision, but do not inform the complainant of each successive action taken.