On 16 June 2025, representatives of the EU Council and the European Parliament reached a provisional agreement on a new regulation designed to strengthen the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases.
The agreement follows two years of negotiations and builds on the European Commission's July 2023 proposal, which sought to address enforcement shortcomings by accelerating procedures and harmonising rules across member states.
Since its entry into force in 2018, the GDPR has required national supervisory authorities to cooperate on cases involving cross-border data processing, often transferring responsibility to the authority of the member state where the company is headquartered. However, this one-stop-shop mechanism has faced criticism for its inefficiency, with many complaints taking years to reach resolution. A notable example of this challenges is seen in cases concerning major technology companies headquartered in specific member states, such as Ireland, with its Data Protection Commission serving as the lead supervisory authority for organisations like Google, Meta, Apple, and X.
The newly agreed regulation aims to overcome these challenges by streamlining cooperation among data protection authorities, standardising procedural safeguards and introducing binding deadlines to ensure more timely and consistent enforcement across the EU.
Key highlights of the draft regulation
Uniform Admissibility Standards
The regulation will introduce harmonised criteria for the admissibility of cross-border complaints, ensuring that all cases are evaluated consistently, regardless of the member state where they are filed.
Procedural Safeguards
New rules will guarantee the right of both complainants and investigated organisations to be heard at key stages. Parties will also be entitled to review preliminary findings prior to a final decision.
Investigation Timelines
The new rules introduce deadlines for the completion of investigations. It was agreed on an overall investigation deadline of 15 months, which can be extended by 12 months for the most complex cases.
In the case of a simple cooperation procedure between national data protection bodies, the investigation should be concluded within 12 months.
Early Resolution Mechanism
Authorities may close cases early when the infringement is addressed and the complainant does not object, avoiding the need for a full cross-border procedure.
Implications for Businesses
The new framework will impact all entities engaged in cross-border data processing within the EU, with particular relevance for digital platforms and multinational enterprises, often subject to multi-jurisdictional oversight.
Next Steps
The agreement must now be formally approved by both the Council and the European Parliament. Once adopted, the regulation will become directly applicable in all EU Member States.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
