EU Commission Adopts New Rules for GDPR Enforcement
- Paul L. Kendall, PhD
- Sep 1, 2023
First Steps to Implementing a Centralized Enforcement Model
Paul L. Kendall, PhD, MBA, CDPSE, CGEIT, CISSP, CISM, GDPR-P
August 31, 2023
Principal Advisory Service Consultant, Core Insights

On 4 July 2023, the EU Commission proposed a new Regulation for procedural rules to use when enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases (GDPR Procedural Regulation). The new Regulation and procedural rules are designed to improve cooperation between EU Member State Data Protection Authorities (DPAs) in these cases.
Currently, GDPR uses a decentralized enforcement model: EU Member State DPAs enforce GDPR on their respective territories. In cases with cross-border elements, the GDPR requires all concerned DPAs to cooperate following GDPR’s integrated approach via its defined cooperation and consistency methodologies. These approaches are intended to establish key principles of cooperation and provide the basis for consistent application of the GDPR throughout the EU.
Over time, however, the EU Commission determined that more legislative action was needed to increase the efficiency and harmonization of cross-border GDPR enforcement action. Numerous EU organizations, officials and Member State DPAs have repeatedly emphasized the importance of GDPR enforcement, which they believe to be a significant aspect of the operation of a single EU digital market as well as a vital piece of legislation that codifies a human-centric approach to technology implementation and use across the EU and its Member States. GDPR enforcement cases frequently have cross-border elements within them, driven not only by the ever-increasing need for data but also by key emerging technologies such as AI. These elements are almost never restricted by territorial or jurisdictional boundaries.
On May 25th of this year, GDPR celebrated its 5th anniversary – and more cross-border enforcement and cooperation is predicted for the next 5 years. The proposal may signal a move towards a more centralized GDPR enforcement model. With this being the case, it is expected that the European Data Protection Board (EDPB) and EU Commission will take on a much more prominent role.
The new GDPR Procedural Regulation should not be considered a one-off enforcement modification case; there is ample history behind this decision that has served to drive this change:
1. We have seen a significant uptick in GDPR regulatory enforcement as well as private litigation in the EU.
2. In many cases, enforcement has dealt with key concepts and principles that have been clarified and interpreted by the EU’s highest court (the EU Court of Justice or “CJEU”). This enhances the need for consistency in cross-border enforcement.
What Happens Next
The GDPR Procedural Regulation has just been proposed by the EU Commission and will now be considered in the relevant European Parliament committees. It will be interesting to see how the text progresses throughout the legislative review process.