Enhanced rights in cross-border GDPR cases under EU proposed regulation

On 4 July 2023, the EU Commission published a proposal for a regulation laying down additional procedural rules relating to the enforcement of the GDPR (the “Proposal”). The Proposal solely concerns cross-border enforcements of the GDPR and does not change data protection rules or the one-stop-shop mechanism. Without any doubt, the Proposal is welcome. Procedural rules may greatly vary from one national Data Protection Authority (“DPA”) to another and the dispute resolution before the European Data Protection Board (“EDPB”) has shown procedural flaws and shortcomings since it was introduced. The Proposal is filled with promises for all stakeholders since it aims to streamline cooperation between DPAs and the EDPB dispute resolution mechanism. Nonetheless the Proposal could have gone even further to better reinforce the procedural rights of the parties, in particular the defence rights.

The Proposal introduces the possibility for complainants and defendants to reach amicable settlements while granting DPAs a critically important role in the process, but on balance, it needs some refinements in order to sufficiently guarantee legal certainty. The Proposal also grants parties a right to be heard at different stages of cross-border procedures which would benefit from further protections. Lastly, the Proposal organises access to the case administrative file and the treatment of confidential information but additional safeguards are required to preserve business secrets.

Amicable settlements between complainants and defendants

The Proposal introduces the possibility of resolving complaints by amicable settlements between the complainant and the defendants (Article 5).

This is certainly a positive development that would allow parties to reach an agreement without subjecting them to a lengthy and burdensome administrative procedure. However, as drafted, this provision risks not providing the "legal framework" the EU Commission intends to offer (p. 11) and raises some issues which require some additional work. Just to name a few:

  • What types of cases could be concerned by such amicable settlements? As currently drafted, Recital 9 specifies that complaints should be resolved amicably “where appropriate”. It would therefore be advisable if the regulation made it clear that all complaints, including those lodged by individual data subjects as well as those complaints lodged by privacy associations, may in principle benefit from this approach. There is clearly room for greater certainty and hence active encouragement towards this novel route.
  • What role would DPAs play in the process of reaching an amicable settlement and how much control would they have over the content of the agreement? As currently drafted, DPAs would play a key role in the settlement process. Recital 9 suggests that it would be up to the DPAs to suggest amicable settlement ("supervisory authorities should endeavour, where appropriate, to resolve complaints by amicable settlement"). However, it should also be a possibility for parties to proactively suggest such settlements. Likewise, Article 5 provides that it is only when DPAs consider that a settlement has been found that the draft settlement is communicated to the complainant. This seems to imply a review of the settlement by the DPA. Again, it might be worth granting parties greater independence in the negotiation process.
  • What would be the effects of an amicable settlement vis-à-vis the parties at hand, DPAs and third parties? As currently drafted, Recital 9 states that amicable settlements would not prevent DPAs from pursuing ex officio cases. This element would also benefit from some refinement so that it does not have the effect of discouraging the parties from agreeing to enter into such settlements. For the sake of legal certainty, it would also be helpful for the regulation to confirm the scope of the right to confidentiality in respect of such an amicable settlement.

The intent to favour amicable settlement is laudable but, as the Proposal stands, there are a number of grey areas which should be addressed in order to maximise its practical benefits. This is clearly an ongoing and live process that requires further work to inject additional clarity, and we will be closely monitoring the legislative progress.

Right to be heard

The Proposal grants complainants and defendants the right to be heard at different stages of cross-border procedures:

  • Complainants can make their views known when the lead DPA decides to reject their complaint (Article 11). This must take place within a time-limit set by the lead DPA which cannot be less than 3 weeks.
  • Complainants and defendants can make their views known when the lead DPA transmits its preliminary findings (Articles 14 and 15). This must take place within a time-limit freely defined by the lead DPA. The obligation to draft preliminary findings is a new requirement set by the Proposal to ensure cooperation amongst DPAs before the draft decision. These findings would present the allegations under investigation and the corrective measures that the lead DPA intends to order.
  • Complainants and defendants can make their views known when the revised draft decision of the lead DPA raises elements on which they should have the opportunity to make their views known again (Articles 12 and 17). This must take place within a time-limit freely defined by the lead DPA.
  • In case of a dispute before the EDPB on the basis of Article 65(1)(a) (i.e., lack of consensus on a relevant and reasoned objection between DPAs), defendants and/or, in the case of rejection of a complaint, complainants, can make their views known when the EDPB transmits its statement of reasons (Article 24). The statement of reasons is another step which would be required by the Proposal, this time prior to the EDPB adopting a binding decision. The statement of reasons is meant to explain the EDPB’s reasoning. Defendants and complainants would have 1 or 2 weeks to make their views known, depending on whether the EDPB extends its period for the adoption of the binding decision in accordance with Article 65(2) of the GDPR.

The reinforcement of the right to be heard is a positive development. However, the Proposal does not set any time-limit for parties to comment on a lead DPA's preliminary findings and revised draft decision and leaves the DPAs free to set the time-limit they deem appropriate. According to the EU Commission, this would be justified by "the varying complexity of investigations and the discretion of DPAs to investigate infringements of the GDPR", which would make it "not desirable to prescribe deadlines for every stage of the procedure" (p. 4). Currently a minimum time-limit is only set for complainants when their complaint is rejected by a lead DPA. The setting of minimum time-limits should be extended to the parties' right to be heard in relation to the lead DPA's preliminary findings and revised draft decision in order for the Proposal to better achieve its objectives. The harmonisation and reinforcement of the parties' procedural rights are key in the Proposal, which concedes that such rights may greatly vary from one Member State to another. As for the time-limits set to respond to the EDPB’s statement of reasons, they are surely too short and unsuited to the complexity of the cases which are referred to the EDPB. It could have been worth considering a concurrent amendment of the GDPR itself to take account of this new procedural step – the statement of reasons – introduced by the Proposal.

In addition to the issue of time-limits, the Proposal could have made it clear that the right to be heard also applies before the EDPB to disputes brought on the basis of Article 65(1)(b) of the GDPR (i.e., conflicting views on which DPA concerned is competent for the main establishment). Indeed, the correct identification of a controller’s main establishment in the EU is crucial to the legitimacy of the one-stop-shop mechanism.

Once again, the Proposal is more than welcome insofar as it seeks to protect and reinforce parties' procedural rights. As with the amicable settlement issue, the Proposal should have gone further. In light of the increasing globalisation of society and regulatory scrutiny on privacy issues, cross-border GDPR cases will become even more frequent than they already are. In parallel, the amounts of administrative fines are increasing. One should thus ensure that defence rights are protected equally in all Member States through greater harmonisation.

Access to the administrative file and treatment of confidential information

In order to ensure an effective exercise of the right to be heard, the Proposal also grants complainants and defendants access to certain relevant documents concerning the case.

Under the Proposal, the lead DPA would grant access to the administrative file to defendants after it notifies its preliminary findings (Article 20). The administrative file is comprised of all inculpatory and exculpatory documents obtained, produced and/or assembled by the lead DPA during the investigation (Articles 19 and 20). However, the right of access to the administrative file does not extend to correspondence between DPAs (Article 19).

If the lead DPA considers that it is necessary for the complainant to be provided with documents included in the administrative file in order to effectively make their views known on its preliminary findings, they would be granted access to non-confidential versions of such documents (Article 15). In such a case, complainants would be required to conclude a confidentiality declaration prior to receiving these documents (Article 15) and "treat such information with utmost respect for its confidentiality" (Article 21). Complainants would also be granted access to non-confidential versions of the documents on which a proposed rejection of their complaint is based (Article 11).

The Proposal additionally lays out a procedure for the identification and protection of confidential information (Article 21). Notably, entities submitting information that they consider to be confidential shall clearly identify the information as such and provide reasons for the confidentiality claimed. The lead DPA may require defendants to identify the documents containing business secrets or confidential information and set a time-limit to notably provide information substantiating their claims. Failure to comply with these requirements may cause the lead DPA to assume that the information is not confidential.

While it is understandable that an effective right to be heard requires access to certain aspects of the administrative file, this may increase the risk of leaks or could spark new complaints based on the non-confidential information complainants receive. The EU Commission's attempt to introduce safeguards through the confidentiality declaration is however not enough to prevent that risk. Indeed, the Proposal does not lay out any associated sanction which would ensure that this confidentiality commitment is actually complied with by complainants. This lack of safeguards is all the more problematic given that the consequences of a leak of confidential information could go far beyond the mere privacy field and seriously jeopardise the very existence of some businesses.

The new rules for identifying and protecting confidential information also mean that defendants need to be prepared to defend their confidentiality claims before the lead DPA. In other words, this will create additional proceedings within existing regulatory proceedings. By adding complexity to proceedings that are already difficult to navigate, this will deviate from one of the main objectives, if not the main objective, of the Proposal, which is to "provide for the smooth and effective function of the […] dispute resolution mechanism" (Recital 2).

While the Proposal rightfully seeks to conciliate transparency and confidentiality, additional safeguards should be introduced to protect business secrets.

Looking forward

In conclusion, the Proposal is a big step forward towards the harmonised handling of cross-border GDPR procedures by national DPAs and the enhanced protection of parties' procedural rights in the context of such cross-border cases. It could however go further to offer a better protection of defence rights, which should correspond to the (financial) stakes of cross-border cases.

The EU Parliament and Council will now examine the Proposal, which has received contrasting views. Overall welcomed by the industry, the Proposal has been heavily criticised by privacy associations and the like. Will the EU legislative process result in a text which both sides will find legitimate to protect their interests? The challenge is big. We’ll continue to report on the Proposal.

* All page numbers, Recitals and Articles refer to page numbers, Recitals and Articles of the Proposal unless otherwise specified.

Authored by Eduardo Ustaran, Christine Gateau, Bérengère Moin, and Alexis de Kouchkovsky.