Analyzing the GPR: concerns on admissibility and scope of complaints

The GDPR Procedural Regulation (GPR) raises practical concerns, based on the text of the provisional agreement of the EU Council & Parliament, notably re the scope of complaints.

I was discussing it with Sara Brandstätter @ MLex (who obtained the text) – here are some key concerns of mine:

1) This GPR will likely have a de facto influence on *all* data protection complaints, not just those of a cross-border nature, because it may be difficult for any supervisory authority (SA) to have separate rules (notably on admissibility and on the right to be heard) for cross-border complaints and those that are purely national.

2) Right for the lead SA (LSA) to modify the scope of a complaint:
(A) Art. 3(1) sets out admissibility requirements for complaints, and 3(1)(e) requires “information which facilitates the identification of the controller or processor which is the subject of the complaint”. I hope this is only used to determine which group company is the right one, and not (i) to *add* a controller/processor to the proceedings or (ii) to *redirect* a complaint. The scope & subject-matter of a complaint is and should remain decisive.

(B) Changes to the scope of an investigation are mentioned *in addition* to the right to initiate a new investigation, in sections on the information to be provided by the LSA to other SAs (Art. 8(2)(ea)) and on the right of complainants to express their views (Art. 15(2)). So is modification only limitation?

3) Right for SAs to limit the length of submissions (Art. 2a(5)): I hope no one limits the length in technical cases, otherwise it’s a clear violation of the rights of defence under the EU Charter of Fundamental Rights.

4) This was already partly in the Commission’s proposal, but the GPR requires the “preliminary findings” (the most important document before an actual decision) to not just list the facts, legal assessment and evidence but also the corrective measures the LSA considers using (Art. 14(2)). This is a mistake in my view, as it is pre-judging. “We’ve investigated and think you’ve done this, so we want to fine you / prohibit your processing / …”. SAs already act as both prosecutor and judge – keeping the two roles distinct is better for the rights of defence.

5) Again on the rights of defence: 3-6 weeks for a controller/processor to “provide their views in writing” *OR* for an oral hearing. No “and”, no extra time for a hearing (Art. 14(4)). Compatibility with the rights of defence unclear but doubtful.
[+ complainants get the same timeframe – Art. 15(1). So simultaneous yet opposed submissions? No right to respond?]

6) Confidentiality: confidential information (not to be shared with the complainant) appears limited to trade secrets or “other confidential information in accordance with [EU or Member State] law” (Art. 21(1)). So only regulated confidential information is covered (e.g. protected by attorney-client privilege) but not the rest?

I don’t know if it really improves things.
