European Union: EU reaches agreement to streamline cross-border GDPR enforcement

In brief

On 16 June 2025, the Council of the European Union and the European Parliament reached a political agreement on a new regulation introducing additional procedural rules for the enforcement of the General Data Protection Regulation (GDPR) in cross-border matters ("Regulation").

The new Regulation seeks to fix the delays and inconsistencies that have undermined the handling of cross-border GDPR complaints. It sets out a common set of rules for how national data protection authorities cooperate, how complaints are processed and how parties are heard — bringing more clarity and predictability to enforcement across the EU.

Businesses engaged in cross-border data processing should begin assessing the practical implications of the new procedural requirements, particularly in relation to the defined timelines, enhanced rights for complainants and more formalized cooperation with supervisory authorities.

To understand how these changes may affect your business and how best to prepare, please contact your usual Baker McKenzie contact.


Background: the need for reform

Since its entry into force in 2018, the GDPR has provided a robust legal framework for data protection across the EU. However, its enforcement — particularly in cross-border contexts — has been shaped by procedural complexity, fragmented practices among supervisory authorities and significant delays in resolving complaints.

Under the current regime, the lead supervisory authority is responsible for investigating cross-border complaints, in cooperation with other concerned authorities. This cooperation, governed by Article 60 of the GDPR, has proven to be complex and, at times, inefficient.

Investigations have often taken years to conclude, and the lack of harmonized procedural rules has led to inconsistent treatment of complaints and uncertainty for both individuals and businesses. The European Commission acknowledged these shortcomings and published the present proposal on 4 July 2023.

The proposal seeks to establish a coherent procedural framework to complement — not amend — the existing GDPR enforcement mechanism. It includes measures to harmonize the cooperation between data protection authorities, the handling of complaints and the rights of parties involved in enforcement proceedings. It also establishes clear timelines for each stage of cooperation and dispute resolution. 

Key features of the new Regulation

The political agreement that has been reached confirms the core objectives of the European Commission's original proposal while introducing practical improvements.

Under the terms of the agreement, the Regulation will introduce the following:

  • 15-month deadline for the completion of investigations in cross-border cases, with the possibility of a 12-month extension in particularly complex matters.
  • 12-month deadline for simpler cooperation procedures.

The Regulation also provides for a standardized complaint form and common admissibility criteria, ensuring that complaints are assessed consistently across member states. 

Both the parties under review and the complainants will have the right to access and comment on preliminary findings before a final decision is adopted, reinforcing procedural fairness and transparency.

In addition, the Regulation introduces a new early resolution mechanism, allowing supervisory authorities to resolve complaints at an earlier stage before involving other national authorities. This is expected to reduce the administrative burden and accelerate outcomes. The role of the European Data Protection Board in resolving disputes between authorities will also be clarified and streamlined.

Together, these measures are expected to strengthen the consistency, transparency and timeliness of GDPR enforcement in cross-border contexts.

Next steps

The provisional agreement will now need to be formally adopted by both the European Parliament and the Council. Once adopted, the new Regulation will be directly applicable across the EU without the need for national implementation.

Implications for businesses

Businesses should start reviewing their internal procedures now to ensure they are prepared for the new enforcement landscape.

The reform represents a significant step toward greater predictability and efficiency in the enforcement of the GDPR, especially for large multinationals operating across several member states.


Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.