Navigating the Potential Implications for Global Life Sciences Companies of the Evolving GDPR Enforcement Landscape

On April 10, 2024, the European Parliament (EP) voted on its amendments to the European Commission’s (EC) July 4, 2023 proposal for a GDPR Enforcement Regulation (the Proposal). While the EC’s Proposal aimed to streamline and expedite enforcement procedures in cross-border cases, some of the EP’s amendments have introduced complexities that might be important for global companies, especially those processing sensitive personal data, such as health data. This post delves into some of the amendments made by the EP that might impact global life sciences companies and the next steps towards the adoption of the final regulation.

EC’s Proposal

The Proposal furthered the EU’s pursuit of a more robust and streamlined enforcement of the General Data Protection Regulation (GDPR) in cross-border cases through:

• Strengthened cooperation between DPAs: The Proposal aims to establish a framework for improved communication and information sharing between Data Protection Authorities (DPAs) in cross-border investigations that require cooperation between and consensus among the lead supervisory authority and any other DPAs involved (see Article 60 of the GDPR). The Proposal introduces means to facilitate that consensus, including, for example, a “summary of key issues” through which the lead supervisory authority shares its findings early on in the process with the other DPAs to obtain their views and work towards achieving consensus as early as possible.
• Effective enforcement and legal certainty for complainants: The Proposal contains a streamlined admissibility procedure for complaints lodged with DPAs, harmonized time frames, and the introduction of a cross-border complaint form, all of which contribute to legal certainty and effective enforcement of complainants’ rights under the GDPR.
• Clearer procedures for companies: The Proposal aims to provide companies under investigation with greater clarity regarding their rights and obligations, including by outlining timeframes for responses, the right to be heard, and access to relevant information.

EP’s Amendments

The EP introduced several notable amendments to the Proposal, including:

• Expansion of the definition of “parties under investigation”: A significant amendment broadens the definition of “parties under investigation.” The expanded definition could include a company’s appointed EU data protection representative, which would expand the circle of parties involved in investigations to possibly include individuals outside the core data processing structure of the data controller/data processor. Contrary to the intent of the Proposal, this amendment could complicate investigations. This definition could also be perceived as increasing the effective liability of the EU data protection representatives. That change may add complexity for companies established in third countries and seeking to appoint an EU data protection representative, in terms of contract negotiations, liability, indemnification mechanisms, and overall cost.
• Introduction of the definition of “parties” with extended rights: The EP introduced “parties” as a defined term, including the parties under investigation, the complainant(s), and “any third party involved in the proceedings as defined under national law.” Moreover, the EP extends several rights — e.g., the right to be heard — to all of these parties as opposed to only the parties under investigation, as the EC initially proposed. Connecting enhanced rights in cross-border investigations to parties that will be defined differently in the EU Member States might effectively undermine the efficient and expedient enforcement of the GDPR the Proposal intends. Additionally, the right to be heard, granted to all parties under the amended version, could further delay the process.
• Introduction of the “joint case file”: Most importantly, the EP proposed the creation of a central repository, accessible to all parties involved in an investigation, known as the “joint case file.” This file would house all investigation-related documents, potentially including confidential internal documents. While access to this file could enhance transparency, it has significant drawbacks. The EP’s introduction of a very broad definition of “parties” would make potentially sensitive information accessible to not only the parties under investigation and the DPAs, but also to the EU representatives and nationally defined third parties that would be involved in the proceedings.

Potential Impact on Global Life Sciences Companies

The EP’s amendments could have specific consequences for life sciences companies, even if located outside the EU. Some concerns to take into account:

• Disclosure concerns: The inclusion of the EU representative in the definition of “parties under investigation” means information typically residing within the non-EU company could be disclosed during investigations. Additionally, the accessibility of the proposed joint case file to “any third party involved in the proceedings as defined under national law” might cause concern. This creates challenges in managing internal data flows and ensuring compliance with both EU and U.S. (or other relevant) data protection laws.
• Confidentiality concerns: Even with trade secret and confidentiality protections included in the Proposal and amendments, companies must carefully navigate the process of providing information to DPAs. Sensitive health data and trade secrets could inadvertently be shared, creating potential breaches of confidentiality. Companies need to develop robust procedures for identifying and segregating confidential information, as we know from the EP’s amendments that all the investigation documents would be included in the joint case file, accessible by all “parties,” including competitors, if national laws allow it.

Conclusion: A Moving Target That Demands Close Monitoring

The EP’s vote marks a significant step, but the journey towards a finalized GDPR Enforcement Regulation is far from over. The Proposal, along with the EP’s amendments, will now be subject to negotiations with the Council of the EU. Reaching an agreement could take several months. These negotiations will take place only after the EU elections in June 2024. Additionally, the final shape of the regulation could be influenced by the composition of the new EP and Council, with different political parties potentially advocating for either stricter or more business-friendly enforcement measures.

The proposed GDPR Enforcement Regulation, with the EP’s amendments, presents companies with a moving target when it comes to data protection compliance. While the text of the regulation is still under discussion, companies are advised to closely monitor developments and prepare for the final version. It remains to be seen whether the broad definition of “parties” and the “joint case file” will survive the negotiation process and make it to the final text, as adopted.

For questions about the proposed GDPR Enforcement Regulation or the EP’s amendments, or any other data protection, privacy, or compliance questions, please contact the authors or any of their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.