New GDPR rules in cross-border cases: better cooperation in sight?

27/07/2023 - On 4 July 2023, the European Commission (hereinafter: Commission) published a proposal (hereinafter: proposal) to improve the one-stop shop mechanism under the GDPR (hereinafter: OSS). The proposal aims to contribute to better cooperation between authorities of different Member States. To this end, the proposal steers towards more effective legal protection and greater legal certainty through harmonisation. In the blog below, you can read more about the current shortcomings of the OSS and the concrete proposals the Commission is putting forward.

The one-stop shop mechanism

The OSS is a procedural mechanism which applies to cross-border data processing. In cases where organisations process personal data of data subjects in multiple Member States, the OSS allows organisations to engage with a single authority. In such cases, one authority, based in the country where the organisation has its headquarters, can be referred to as 'lead authority’.

The OSS is primarily designed to promote consistent interpretation of the GDPR in cases where different authorities are involved in cross-border data processing. In addition, the OSS allows organisations to communicate about a dispute with the lead authority rather than multiple authorities involved at the same time. Also of note is the fact that, through the OSS, data subjects can turn to their local authority, thereby eliminating the requirement for data subjects to engage with authorities in other Member States.

In practice, however, the current OSS is associated with inefficient dispute resolution. Procedural differences between authorities often cause administrative problems. This hampers effective cooperation. Partly based on recommendations from the EDPB, which documented the shortcomings of the OSS in 2022, the Commission's new proposal has now been published.

Shortcomings OSS

In the proposal, the Commission identifies three shortcomings of the current OSS.

Complaints

First, the Commission explains that, under the current OSS, authorities have different interpretations regarding the form of a complaint, the involvement of complainants in the procedure and the rejection of complaints. What is considered a valid complaint by some authorities may be rejected by others due to the lack of relevant information. Moreover, some authorities grant complainants the same rights as the parties under investigation, while others involve complainants minimally or not at all. Also, some authorities take a formal decision to reject all complaints that are not pursued, while others do not follow this approach. This means that the rights of complainants depend heavily on the policy adopted by the competent authority.

Procedural rights of affected parties

There is also much discrepancy between authorities regarding the procedural rights of parties under investigation. For instance, the extent to which these parties claim the right to be heard or enjoy the right of access varies across Member States. This results in legal uncertainty and ambiguity for companies under investigation. The Commission explains that the right of defence is a fundamental principle in the European Union and that, given the severity of the sanctions that can be imposed, parties under investigation should enjoy similar safeguards as parties in criminal proceedings. The different interpretations of authorities stand in the way of this. These different approaches are not compatible with Article 60 GDPR, which oversees the exercise of due process prior to the draft decision which is submitted by the lead authority.

International cooperation mechanism and dispute resolution

As a solution to differing interpretations, the OSS allows authorities to still reach consensus in cross-border cases - where different rules apply. However, the Commission also sees shortcomings in this 'solution tool'.

After the lead authority has submitted a draft decision to the other authorities, they can submit 'relevant and reasoned objections'. If there is no consensus between the authorities, this may lead to a dispute resolution procedure based on Article 65 GDPR. In such a dispute resolution procedure, the EDPB then adopts a binding decision. While recognising that the aforementioned dispute resolution procedure is an essential element for the consistent enforcement of the GDPR, the Commission notes that it should only be used in exceptional cases. Indeed, the dispute resolution procedure is time-consuming.

To avoid excessive use of Article 65 GDPR, cooperation between authorities should be improved before the draft decision of the leading authority. A lack of sufficient cooperation at this early stage could result in a large number of cases being subjected to lengthy dispute resolution procedures.

Commission recommendations

To address the aforementioned issues surrounding the OSS, the Commission intends to establish procedural rules for certain stages of the investigative process in cross-border cases. The proposals to improve the functioning of the cooperation mechanism and dispute resolution are summarised below.

With regard to the complaint procedure, the proposal includes a form setting out the requirements for a 'proper' complaint. Each authority should use this form to assess whether the complaint should be upheld or rejected. By doing so, the Commission seeks to avoid disagreements between different authorities. This serves both the legal certainty of complainants and better and faster cooperation between authorities.

The proposal should also harmonise the procedural rights of parties under investigation. For instance, the proposal provides affected parties with the right to be heard at key points in the proceedings. The right to information is also addressed in the proposal. This ensures that these rights are consistently enforced regardless of the competence of the authority responsible for conducting the investigation.

On the cooperation mechanism, the Commission provides a framework for the various authorities to put forward their views early in the investigation phase - not only after a decision proposal has been published. The Commission wants to give more substance to the requirement for authorities to cooperate early and exchange relevant information. Thus, to give substance to early cooperation, the proposal lays down detailed rules on the form and structure of relevant objections by the authorities concerned. The proposal also seeks to set deadlines for cooperation between authorities. 

Now what?

As mentioned, the proposal should improve the OSS in three main areas. Although the text of the new proposal can certainly bring about improvements, concerns have already been raised about the actual improvements for stakeholders, including by BEUC and NOYB.

To what extent the current proposal will hold up will have to be seen. The proposal will now first have to go through the EU's ordinary legislative procedure, involving the European Parliament and the Council of the European Union. So it remains to be seen what the views of these bodies will be.