EU reaches agreement on cross-border GDPR enforcement reform
The provisional deal now awaits formal approval by both the Council and the European Parliament. Once adopted, the new regulation will come into force across all member states.
The Council of the European Union and the European Parliament have reached a provisional agreement on a new regulation designed to improve how cross-border data protection cases are handled across the EU. The initiative aims to streamline cooperation between national data protection authorities and ensure that citizens’ rights under the General Data Protection Regulation (GDPR) are enforced more efficiently.
Announced under the Polish presidency of the Council and backed by Deputy Prime Minister Krzysztof Gawkowski, the deal introduces procedural clarifications and deadlines to reduce delays in investigations and decision-making. Once formally adopted, it will standardise how cross-border complaints are assessed and managed throughout the EU, regardless of the member state in which the complaint is filed.
One of the central features of the regulation is the harmonisation of admissibility criteria for complaints. This ensures that whether a citizen files a complaint in France or Slovenia, the same information will be required to determine whether it can proceed. The new rules also clarify the rights of both complainants and entities under investigation. Complainants will have the right to be heard if their case is dismissed, while companies and organisations will be entitled to respond to preliminary findings before a final decision is made.
To increase efficiency, the agreement introduces binding deadlines. Investigations under the new regime should be concluded within 15 months, with a possible 12-month extension for particularly complex cases. For simpler matters involving only one or two national authorities, the process should be completed within 12 months.
The regulation also introduces mechanisms for early resolution of complaints. Where a company has remedied a violation and the complainant agrees, the matter can be closed without engaging the full cross-border cooperation procedures. Additionally, a ‘simple cooperation procedure’ will allow national authorities to handle straightforward cases without the full set of new rules, helping to reduce administrative burdens.
The agreement follows long-standing concerns that GDPR enforcement has been too slow and inconsistent in cross-border cases. By refining the cooperation process and introducing consistent procedural rules, EU institutions hope to improve accountability and legal certainty for all parties involved.
The provisional deal now awaits formal approval by both the Council and the European Parliament. Once adopted, the new regulation will come into force across all member states, reinforcing the mechanisms originally established by the GDPR, which has been in effect since May 2018.
