Two of the EU’s three co-legislating bodies finalised a provisional deal on Monday to overhaul how national data regulators collaborate on cross-border cases under the General Data Protection Regulation, or GDPR.
The agreement, negotiated by the European Parliament and the Council under Poland’s rotating presidency on 16 June, aims to resolve persistent inefficiencies in enforcing the bloc’s landmark privacy rules, which have governed digital rights across most of the continent since May 2018.
Central to the reform is a harmonised approach to handling complaints. Under the new rules, individuals and organisations filing grievances about cross-border data processing—such as cases involving companies operating in multiple member states—will face uniform admissibility criteria across the EU. This addresses longstanding frustrations over procedural disparities, where outcomes often hinged on the jurisdiction of the complaint’s origin. “This ensures a swift enforcement of citizens’ rights, no matter where they live,” said Krzysztof Gawkowski, Poland’s Deputy Prime Minister and digital affairs minister.
A 15-month deadline
The regulation introduces binding deadlines to curb bureaucratic delays. Most investigations must now conclude within 15 months, extendable by a year for highly complex cases. Simpler procedures, such as those involving uncontested breaches, are capped at 12 months. To accelerate resolutions, a new “early resolution” mechanism allows authorities to settle cases before formal cross-border processes begin—provided the offending company rectifies the issue and the complainant raises no objections.
Complainants and investigated firms gain clearer procedural rights. Both parties must receive preliminary findings before final decisions, enabling them to rebut evidence. National regulators, meanwhile, will face stricter obligations to share case summaries early in investigations, reducing protracted disputes between lead authorities and their EU counterparts. For straightforward cases, a simplified cooperation procedure lets regulators bypass redundant administrative steps, focusing resources on intricate disputes.
You might be interested
Inconsistency, or cutting through the clutter?
The deal retains a controversial Council proposal allowing regulators to disregard certain procedural rules in non-contentious cases. Critics argue this risks inconsistent enforcement, but proponents insist it prevents minor breaches from clogging the system.
Final adoption by Parliament and the Council is expected by late 2025. Once in force, the rules will mark the first major update to GDPR enforcement since its inception, reflecting lessons from high-profile clashes over tech giants’ data practices. The GDPR’s “one-stop shop” mechanism, which designates a lead regulator for cross-border cases, remains intact but will now operate under tighter timelines and transparency requirements.
This ensures a swift enforcement of citizens’ rights, no matter where they live. Krzysztof Gawkowski, Poland’s Deputy Prime Minister
The reforms respond to mounting criticism that GDPR enforcement has been sluggish and fragmented. With cross-border complaints surging—often targeting multinational firms—the EU hopes streamlined cooperation will reinforce trust in its digital governance framework. As data flows increasingly define global commerce, the bloc’s ability to enforce its rules efficiently will test its ambition to set global standards.
The Council’s three amendmends
The development comes three day after the Council agreed its position maintaining the general thrust of the proposal but amends the draft regulation in the following aspects. It sets:
– clearer timelines: Member states introduce specific timelines that intend to speed up the cooperation process
– enhanced and efficient cooperation: The Council supports the new enhanced cooperation procedure between data protection authorities but also provides the option of not applying all additional rules when a case is more simple and straightforward. This allows data protection authorities to avoid administrative burden and to act swiftly on non-contentious cases and take advantage of the newly introduced additional cooperation rules for more complex investigations
– early resolution mechanism: The Council introduces an early resolution mechanism which allows authorities to resolve a case prior to initiating the standard procedures for handling a cross-border complaint. This can be the case when the company or organisation in question has addressed the infringement or when an amicable settlement to the complaint has been found.
A fundamental EU right
Since the signing of the Lisbon Treaty in 2007, protection of personal data has become a fundamental right under EU law, as both the Treaty on the Functioning of the European Union and the EU Charter of Fundamental Rights recognise it. This means that the EU has a specific legal basis on which to adopt legislation protecting this fundamental right. Article 8 of the EU Charter of Fundamental Rights stipulates that everyone in the EU has the right to the protection of personal data concerning him or her, access to any data subject to collection concerning him or her, and the right to rectification.
