On February 24, 2023, the European Commission (EC) opened a public consultation on its initiative (Initiative) to revise procedural rules relating to the enforcement of the EU General Data Protection Regulation (GDPR). The EC invites companies to give feedback on the Initiative by March 24, 2023.
Background
The GDPR is enforced by national supervisory authorities (SAs) in each EU country. The location of a company’s main establishment in the EU determines which SA is competent. In cross-border matters, SAs need to follow certain cooperation rules set out in the GDPR. However, since the GDPR became applicable in May 2018, divergences between SAs’ local enforcement procedures have become apparent, and cooperation has not always been smooth. For instance, there have been tensions among SAs regarding the way the Irish SA has handled enforcement procedures of large U.S. tech companies who have their EU headquarters in Ireland. With the Initiative, the EC aims to streamline cooperation among SAs and harmonize enforcement procedures.
Key Points
Key elements of the Initiative include:
- specifying procedural deadlines for cooperation between SAs on cross-border cases;
- providing tools to SAs to promote cooperation early in the investigation process;
- clarifying the position of complainants in the investigation process, including the possibility for complainants to make their views known;
- streamlining the way the parties under investigation are heard during the procedure; and
- clarifying how information is to be shared between the investigating SA and other SAs at the various stages of the procedure.
Public Consultation
Companies can provide feedback on the Initiative here. The feedback will be published on the EC’s website.
Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Laura De Boel, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.