A PYMNTS Company

EC Proposes New Regulation to Address Cross-Border GDPR Cases

 |  July 9, 2023

As the European Commission (EC) published a proposed regulation to address cross-border GDPR cases, the European Consumer Organisation said the new rules are “unlikely to be of much help to consumers.”

The proposed regulation builds upon the procedural rules laid down in the GDPR and introduces elements which are focused on handling complaints and conducting investigations into cross-border cases, with an aim to harmonize complaint admissibility, strengthen due process rights and streamline cooperation between supervisory authorities (SAs).

The EC is alleging that with the introduction of these new procedural rules, quicker remedies will be provided to individuals and more legal certainty for companies will be established.

Despite the EC’s exhortations, the European Consumer Organisation shot back with a statement to say that the proposal “is unlikely to be of much help to consumers.” They stated: “We regret that the proposal by the Commission does not give consumers the possibility to bring collective redress actions, and fails to introduce measures to ensure the availability of effective remedies to EU consumers across the single market.”

Wilson Sonsini Goodrich & Rosati, a law firm speaking on the proposed regulation said that: “Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. The EC’s proposed regulation, which addresses procedural issues related to the enforcement of the GDPR, addresses the difficulties that have arisen with respect to disputes concerning complaints and investigations with a cross-border element.”

Read more: Global Merger Control and Foreign Direct Investment Considerations Associated with Cross-Border Transactions

The GDPR provides that if a complaint has a cross-border element, then an SA may take the lead in carrying out the investigation, in cooperation with other concerned SAs. Since the GDPR was established in 2018, SAs have handled over 2,000 such cross-border cases.

The introduction of the proposed regulation would introduce standardizing rules on complaint admissibility, the right to challenge the SA’s decision to reject the complaint in court, and a standardized complaint form. As well as this, the GDPR’s one-stop-shop system would be left untouched, but the defendant parties would have access to an administrative file, the right to submit a written reply to the SA’s preliminary findings, and new rules on the treatment of confidential information provided by the defendant company.

In addition to this, the proposal introduces new rules for SAs must cooperate early on in the process, with the lead SA able to provide a summary of its investigation with facts and the lead SA’s views on the case. If not able to reach consensus, the lead SA may refer to the EDPB to take a binding decision on the scope of the investigation.

If the regulation is adopted, it would have significant implications for companies, with an increase in the number of complaints, and easier enforcement of these GDPR regulations in multiple Member States. It remains to be seen if the proposed legal measures are enough to assuage the concern of the common consumer.