May 25, 2023 marked 5 years since the European Data Protection Regulation came into force.
The Regulation changed the paradigm that had governed the protection of citizens' data until then. Although it began to apply in 2018, it was approved in 2016, and controllers and processors were given up to 2 years to adapt their organizations to the new legal stipulations, all the more so because it contemplated maximum sanctions of 20 million euros or up to 5 % of an organization's annual turnover.
During the time that the GDPR has been in force, it has meant greater protection for data subjects, as well as a challenge for organizations, which have been forced to hire Data Protection Officers and specialists to adapt their operations and business to the European legislation in order to avoid high penalties. Even so, sanctions have been imposed, from minor ones against thousands of small and medium-sized companies to exorbitant amounts against large multinationals: €10,000,000 to Google, €2,000,000 to Amazon Road, €3,940,000 to Vodafone or €900,000 to Movistar. At the European Union level, the record holder is Meta, owner of platforms such as Facebook, Instagram and WhatsApp. Taken together, the sanctions imposed on it amount to 2.5 billion euros.
Why is the European Commission going to approve the “Development” Regulation?
It all stems from one of the latest sanctions against Meta (390 million euros), in which the company relied on the legal basis of the “execution of a contract” to use the data of Facebook and Instagram users for advertising purposes. The European Data Protection Board established that express consent was required. The matter was brought before the Court of Justice of the European Union, which ruled this week in case C-252/21 that “the personalization of advertising through which the online social network Facebook is financed cannot justify, as a legitimate interest pursued by Meta Platforms Ireland or the execution of a contract, the processing of data in question, in the absence of the consent of the interested party”. This case caused a considerable lack of coordination between the Control Authorities of each Member State and the European Data Protection Committee itself regarding the procedures for investigating possible violations of European regulations.
The European Commission is to adopt new rules to ensure stricter application of the GDPR in cross-border cases. The new Regulation will establish specific procedural rules for authorities when applying the GDPR in matters affecting persons located in more than one Member State. Detailed rules will be established to support the proper functioning of the cooperation and coherence mechanism established by the GDPR. The rules will allow for faster resolution of matters, which means faster avenues of appeal for individuals and greater legal certainty for companies.
How to maintain the correct functioning of the cooperation mechanism
- RIGHTS OF WHISTLEBLOWERS: The proposal harmonizes the requirements for a cross-border complaint to be admissible, removing the obstacles currently posed by data protection authorities adhering to different rules. It establishes the common rights of complainants to be heard in cases where their complaints have been totally or partially dismissed. In cases where a complaint is investigated, the proposal specifies the rules for appropriate participation.
- RIGHTS OF CONTROLLERS AND PROCESSORS: The proposal grants the investigated parties the right to be heard in the main phases of the procedure, including during the resolution of disputes by the European Data Protection Board.
- COOPERATION AND DISPUTE RESOLUTION: The Supervisory Authorities will be able to express their points of view at an early stage of the investigations and use all the cooperation instruments provided for in the GDPR, such as joint investigations and mutual assistance. These provisions will strengthen the influence of data protection authorities in cross-border cases, facilitate early consensus in the investigation and reduce later disagreements.
The proposal takes into account suggestions from a wide range of stakeholders, for example the EDPB, representatives of civil society, business, academia and legal professionals, as well as Member States. This week, the European Commission presented the draft of the “Development” Regulation of the General Data Protection Regulation, which can be consulted on the authority's website.