Data protection: clearer rules for cross-border enforcement
- Harmonised rules to improve co-operation in cross-border cases
- Aim is to speed up procedures and build consensus between authorities
- Easier access to information for complainants
Parliament has given its final green light to rules clarifying the cross-border enforcement of the General Data Protection Regulation.
The European Parliament has approved additional rules to speed up the cross-border enforcement of the General Data Protection Regulation (GDPR) and clarify the relevant procedures and rights. The new law fleshes out earlier provisions on cross-border enforcement, including co-operation and dispute resolution. MEPs voted to approve the outcome negotiated with the Council with 533 votes in favour, 43 against, and 68 abstaining.
Faster procedures
The law establishes deadlines for procedures to ensure complaints are dealt with in a reasonable time. Once a lead supervisory authority has been established, it must finish the investigation and submit a draft decision within 15 months, unless the complexity of the case requires an extension of maximum 12 months.
It also introduces a simplified cooperation procedure streamlining the rules when the scope of the investigation is clear, no objection is raised by the other authorities, and the lead authority has faced similar investigations in the past. In such cases the deadline for investigations is 12 months, with a possible extension in cases where national law requires subsequent procedures.
The law encourages national authorities to work towards a consensus from an early stage and introduces an early resolution procedure for cases where an authority can demonstrate that the infringement has ceased, and the complainant does not object within four weeks.
Complainants’ rights
The regulation boosts a complainant’s right to be heard, giving them an opportunity to make their views known before a decision regarding their complaint is made.
At the same time, it improves complainants’ access to information. Member states can also provide for greater access if they so choose.
Quote
Rapporteur Markéta Gregorová (Greens/EFA, CZ) said: “This regulation will address long-standing issues with the enforcement of the GDPR in cross-border cases. It sets clear deadlines for procedures and speeds them up by requiring national authorities to work towards a consensus from an early stage. The system will also become fairer, with improved rights for both complainants and companies to receive information and be heard. This way, EU citizens’ fundamental right to privacy will become easier to enforce.”
Next steps
The legislation still needs to be formally adopted by the Council. Once approved, it will enter into force 20 days after its publication in the EU Official Journal and start to apply 15 months after the entry into force.
Background
The GDPR, which harmonised the data protection rights of EU citizens and ensured the free flow of personal data between the Member States, has been applicable since 25 May 2018. The public enforcement of the GDPR is handled by independent national data protection authorities (DPAs), which must cooperate on cross-border cases.
Contacts:
-
Janne OJAMO
Press Officer (FI)