February 2024
Research themes:
This legal analysis was commissioned by the Computer & Communications Industry Association (CCIA Europe). The opinions offered herein are purely those of the author, and do not necessarily represent the views of CCIA Europe.
The European Commission submitted a proposal for a regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/6791 (the ‘Proposal’). The Proposal aims to specify procedural rules for certain stages of the investigation process in cross-border cases, thereby supporting the smooth functioning of the GDPR cooperation and dispute resolution mechanisms. The Committee on Civil Liberties, Justice and Home Affairs (‘LIBE’) published its amendments on the Proposal. This short legal analysis focuses on the amendments proposed in the LIBE Committee and their compatibility with the Charter of Fundamental Rights and consistency with the basic structure of the Regulation 2016/679 (the GDPR).
Contrary to the original intent of the Commission’s Proposal, the LIBE Report undermines the key pillars of the GDPR’s structure — notably the ‘one-stop-shop’ mechanism as well as the GDPR’s balance of discretion and independence of supervisory authorities.
Even though the requirement of independence of data protection authorities under the Charter of Fundamental Rights is not absolute, the EU legislator must respect it. The Report arguably goes too far and disproportionately restricts the independence of supervisory authorities (especially the lead supervisory authority).
Insufficient provision for procedural rights of the party under investigation also raises doubts as to compatibility with the Charter. This applies in particular to the way the Report weakens the right to be heard compared to the Commission’s Proposal by removing more specific provisions, which carries lower risk of arbitrary application.