Faster or slower? EU moves to reinforce GDPR, critics warn of red tape

Extra steps, extra paperwork. That’s what critics fear as the European Parliament adopts new rules meant to strengthen GDPR enforcement.

The European Parliament adopted new procedural rules to accelerate the enforcement of the General Data Protection Regulation (GDPR) on Tuesday. The final text was adopted by a large majority, 533 votes in favour, 43 against and 68 abstentions.

Deadlines for investigations

The new regulation, led by Greens/EFA MEP Markéta Gregorová, aims to speed up investigations and close long-standing enforcement gaps in cross-border GDPR cases. This relates to the cases where data protection authorities from several EU countries must work together to handle a complaint.

Slow procedures and weak coordination were some of the criticisms pointed out in the current procedures. As a response to delays, the new law introduces enforceable time limits. Twelve months for straightforward cases and fifteen for complex ones, with extensions granted only in exceptional circumstances.

Umíte si představit, že se soudíte o používání SVÝCH osobních údajů s obří firmou pět let, a pak vám ani není zpřístupněn výsledek? 🤯 Už nikdy víc. I díky mé maličkosti se osobní data budou v EU chránit férověji. Soudy jen pár měsíců a přístup všech stran ke spisu. Nejen! 💪🏻 pic.twitter.com/AH87ohHGKY
— Markétka Gregorová 🦄 (@MarketkaG) October 21, 2025

“We’ve finally secured a long-overdue regulation on GDPR enforcement procedures, ending years of legal limbo in cross-border cases”, said MEP Gregorová, rapporteur on the file. To the MEP, this reform tackles “never ending cases against Big Tech” and strengthens cooperation between national regulators by ensuring early consensus on the case. According to her, the new framework is “a long-overdue regulation on GDPR enforcement procedures, ending years of legal limbo in cross-border cases”.

The regulation now awaits formal adoption by the Commission. That’s the last step required for the new GDPR procedures to enter into force.

Critics fear longer and more complex procedures

However, privacy groups remain unconvinced. The NGO noyb argues that the new regulation makes GDPR procedures “unworkable”. They argue the proposed systems are overcomplicated and undermine users’ rights.

“The entire regulation is tilted against users. In almost every article, companies are preferred and users are discriminated. There is absolutely no ‘equality of arms’ in this procedure” – Max Schrems, noyb

“This regulation adds tons of extra steps and extra paperwork to the existing procedures. Authorities and businesses will have more work with GDPR procedures – not less”, said Max Schrems, Honorary Chair at noyb. “The entire regulation is tilted against users. In almost every article, companies are preferred and users are discriminated. There is absolutely no ‘equality of arms’ in this procedure”.

Other civil society groups have voiced similar concerns. EDRi (European Digital Rights), although recognising the need for clearer procedural rules, argued that the final text “falls short of what is needed, and that it does not fix the systemic weaknesses that have slowed enforcement or made it inaccessible to many”. They caution that the new procedures could “make it harder for people to exercise their rights”.

Even more concerning, according to EDRi, is the risk that it used as a political pretext to reopen the GDPR. “Some actors already argue that the GDPR is too complex or too strict. If this new law does not lead to stronger and fairer enforcement, it could be cited as proof that the entire framework needs to be overhauled”, the group warned.

Upcoming reforms

That warning comes as Brussels prepares a new wave of legislative updates under the Commission’s Digital Omnibus. The proposal seeks to simplify compliance obligations for small and medium-sized. For example, to extend GDPR exemptions for record-keeping to “small mid-caps” with up to 750 employees.