EEA EFTA States seek to strengthen proposed enforcement rules on GDPR

Published 29-02-2024

In a joint EEA EFTA Comment, Iceland, Liechtenstein and Norway welcome the European Commission’s proposed regulation on improving the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. 

The GDPR is a comprehensive data protection regulation that grants individuals control over their data, imposes obligations on organisations regarding data processing, mandates consent requirements, enforces data breach notifications and imposes penalties for non-compliance. The law came into effect in the EU in May 2018 and was incorporated into the EEA Agreement later that year to ensure legal homogeneity throughout the entire European Economic Area. 

In its recent proposal, the Commission aims to strengthen the GDPR by implementing additional procedural rules on enforcing data privacy law in cross-border cases. 

The cross-border enforcement mechanism established by the GDPR facilitates collaboration and coordination among data protection authorities (DPAs) across the EEA in enforcing GDPR requirements for data processing activities that cross national borders. 

The EEA EFTA States endorse the Commission’s overarching goal of improving the efficient cooperation and consistency mechanism set forth by the GDPR. They acknowledge that a well-functioning cross-border enforcement system is essential to ensuring EEA citizens’ right to personal data protection. 

However, they believe that certain procedural rules in the Commission’s proposal should be revised. 

The EEA EFTA States deem it necessary to clarify at what stage the new procedural rules should apply when assessing cross-border cases. This is important to provide the necessary guidance to national DPAs and ensure the rights and obligations of all parties concerned. 

The EEA EFTA States are concerned that some of the additional procedural rules proposed, particularly with regard to translation, will increase the administrative burden for national DPAs without contributing to the swifter resolution of cases. The Commission proposes translating all documents into the language of both the lead DPA and the complainant. The EEA EFTA States believe that this requirement will create additional costs for national DPAs, and that translation into English should be sufficient. 

Additionally, while Norway and Iceland recognise that the proposal harmonises rules on information access for the complainant, the party/ies under investigation and the public, they find the proposed limitation on access to information, particularly non-confidential information, too strict.  

EEA EFTA Comments are one of the tools used by the EEA EFTA States to participate in shaping EU policies, programmes and legislation.   

Read the full EEA EFTA Comment here.  

All EEA EFTA Comments are available here

Was the content helpful?