Background: the need for reform
Since its entry into force in 2018, the GDPR has provided a robust legal framework for data protection across the EU. However, its enforcement — particularly in cross-border contexts — has been shaped by procedural complexity, fragmented practices among supervisory authorities and significant delays in resolving complaints.
Under the current regime, the lead supervisory authority is responsible for investigating cross-border complaints, in cooperation with other concerned authorities. This cooperation, governed by Article 60 of the GDPR, has proven to be complex and, at times, inefficient.
Investigations have often taken years to conclude, and the lack of harmonized procedural rules has led to inconsistent treatment of complaints and uncertainty for both individuals and businesses. The European Commission acknowledged these shortcomings and published the present proposal on 4 July 2023.
The proposal seeks to establish a coherent procedural framework to complement — not amend — the existing GDPR enforcement mechanism. It includes measures to harmonize the cooperation between data protection authorities, the handling of complaints and the rights of parties involved in enforcement proceedings. It also establishes clear timelines for each stage of cooperation and dispute resolution.
Key features of the new Regulation
The political agreement that has been reached confirms the core objectives of the European Commission's original proposal while introducing practical improvements.
Under the terms of the agreement, the Regulation will introduce the following:
- 15-month deadline for the completion of investigations in cross-border cases, with the possibility of a 12-month extension in particularly complex matters.
- 12-month deadline for simpler cooperation procedures.
The Regulation also provides for a standardized complaint form and common admissibility criteria, ensuring that complaints are assessed consistently across member states.
Both the parties under review and the complainants will have the right to access and comment on preliminary findings before a final decision is adopted, reinforcing procedural fairness and transparency.
In addition, the Regulation introduces a new early resolution mechanism, allowing supervisory authorities to resolve complaints at an earlier stage before involving other national authorities. This is expected to reduce the administrative burden and accelerate outcomes. The role of the European Data Protection Board in resolving disputes between authorities will also be clarified and streamlined.
Together, these measures are expected to strengthen the consistency, transparency and timeliness of GDPR enforcement in cross-border contexts.
Next steps
The provisional agreement will now need to be formally adopted by both the European Parliament and the Council. Once adopted, the new Regulation will be directly applicable across the EU without the need for national implementation.
Implications for businesses
Businesses should start reviewing their internal procedures now to ensure they are prepared for the new enforcement landscape.
The reform represents a significant step toward greater predictability and efficiency in the enforcement of the GDPR, especially for large multinationals operating across several member states.