Procedural Challenges of Cross-border Cooperation and Consistency in Personal Data Protection in the EU

Abstract

Abstract Data protection is an increasingly important topic in the European administrative field at national and cross-border levels. Such a trend reflects different phenomena in contemporary society, which further leads to a more focused concern for a harmonised elaboration by the Member States despite their autonomy, in principle, regarding EU law implementation. However, as revealed by the Slovenian case in this article, the European Data Protection Board and national supervising authorities, mostly information commissioners, express the need to regulate some issues more decidedly. Interestingly, yet not surprisingly, their focus is on procedural aspects, as according to administrative science and several European Commission documents, procedure strongly influences the results. As a result, the article elaborates on the relevant procedural issues to be addressed to ensure a harmonised enforcement of the General Data Protection Regulation (GDPR) in force since 2018. Various research methods are employed, combining qualitative, normative, and comparative analyses and quantitative approaches, emphasising statistical data obtained from annual reports for 2020, 2021, and 2022. The results show a lack of procedural provisions in several aspects, including the definition of the parties to the procedure and their defence rights, particularly access to the file, to be heard, and complain, as well as one-stop-shop access to legal protection, deadlines, and investigation powers. Such gaps are expected to be covered by procedural institutions enshrined in National Administrative Procedure Acts (APA). However, as suggested by the Slovenian experience, such a solution is minimal due to differing national regulations and relatively low awareness of APA relevance in data protection even among supervising authorities. Hence, the authors argue that there is a need to develop and adopt standard EU rules to regulate such issues. Points for Practitioners The article refers to data protection within theoretical, normative, practical, comparative, and national dimensions. In addition to analysing statistical data regarding procedural issues of cross-collaborative application of GDPR in the Member States - primarily Slovenia - the article provides practical implications of legislative, organisational, and IT adaptations required for harmonising EU-wide enforcement of GDPR. The insights provided herein can support the development of similar solutions in other EU countries. Therefore, the research findings are relevant for practitioners from various European administrations who are in charge of implementing GDPR and, specifically, supervising its implementation, as well as for policymakers and legislators in their respective areas of data protection and administrative procedural law. The findings will also benefit the European Commission when drafting new legislation to enhance cooperation and consistency between Member States in enforcing personal data rights set by GDPR.