The EU Council has published a working document outlining proposed new procedural rules for enforcing the General Data Protection Regulation (GDPR), aiming to streamline the handling of cross-border data protection complaints. The document, dated 12 May 2024, details provisions on complaint admissibility, investigation procedures, access to administrative files, and protection of confidential information, which would affect national supervisory authorities, businesses, and individuals involved in cross-border data disputes.
Document Details and Scope The working document, prepared under the current Council Presidency, serves as a basis for discussion among member states. It is a non-binding orientation paper that identifies key areas where procedural harmonisation could improve cooperation between lead and concerned supervisory authorities in cross-border cases. The proposed regulation would introduce mandatory rules on the admissibility of complaints, including time limits and requirements for complainants to specify the alleged infringement and the controller or processor concerned.
Policy Orientations and Trade-offs The document reflects a tension between efficiency and procedural safeguards. On one hand, streamlining procedures could reduce the average time to resolve cross-border complaints, benefiting businesses facing prolonged investigations. On the other hand, stricter admissibility criteria may limit access to redress for individuals, particularly those with less detailed knowledge of GDPR requirements. The proposal also balances transparency (access to files) with confidentiality protections for trade secrets and personal data, potentially slowing down information exchange.
Impact on Stakeholders - National Supervisory Authorities (DPAs): Would benefit from clearer procedures and reduced administrative burden, but may face constraints on discretion in handling complaints. - Businesses (especially data controllers/processors): Could see faster resolution of complaints and greater legal certainty, but may incur costs to adapt internal procedures to new admissibility and file access rules. - Individuals (data subjects): May face higher barriers to filing complaints due to stricter admissibility requirements, potentially reducing access to justice. - EU Institutions: The European Commission and Parliament will need to negotiate the final text, with potential disagreements over the level of harmonisation and protection of individual rights.
Expected Institutional Follow-up The Council working group will continue discussions based on this document, with a view to reaching a general approach. The European Parliament is expected to adopt its position later in 2024, followed by trilogue negotiations. The regulation, once adopted, would directly apply in all member states, amending the GDPR's procedural framework.
← Atlas › News › Digital & Communication