ARTICLE
23 June 2025

EU Deal To Enhance GDPR Cross-border Enforcement

GA
GVZH Advocates

Contributor

GVZH Advocates is a modern, sophisticated legal practice composed of top-tier professionals and rooted in decades of experience in the Maltese legal landscape. Built on the values of acumen, integrity and clarity, the firm is dedicated to providing the highest levels of customer satisfaction, making sure that legal solutions are soundly structured, rigorously tested, and meticulously implemented.
On 16 June 2025, representatives of the EU Council and the European Parliament reached a provisional agreement on a new regulation designed to strengthen the enforcement of the General Data Protection Regulation (GDPR)...
European Union Privacy

On 16 June 2025, representatives of the EU Council and the European Parliament reached a provisional agreement on a new regulation designed to strengthen the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases.

The agreement follows two years of negotiations and builds on the European Commission's July 2023 proposal, which sought to address enforcement shortcomings by accelerating procedures and harmonising rules across member states.

Since its entry into force in 2018, the GDPR has required national supervisory authorities to cooperate on cases involving cross-border data processing, often transferring responsibility to the authority of the member state where the company is headquartered. However, this one-stop-shop mechanism has faced criticism for its inefficiency, with many complaints taking years to reach resolution. A notable example of this challenges is seen in cases concerning major technology companies headquartered in specific member states, such as Ireland, with its Data Protection Commission serving as the lead supervisory authority for organisations like Google, Meta, Apple, and X.

The newly agreed regulation aims to overcome these challenges by streamlining cooperation among data protection authorities, standardising procedural safeguards and introducing binding deadlines to ensure more timely and consistent enforcement across the EU.

Key highlights of the draft regulation

Uniform Admissibility Standards

The regulation will introduce harmonised criteria for the admissibility of cross-border complaints, ensuring that all cases are evaluated consistently, regardless of the member state where they are filed.

Procedural Safeguards

New rules will guarantee the right of both complainants and investigated organisations to be heard at key stages. Parties will also be entitled to review preliminary findings prior to a final decision.

Investigation Timelines

The new rules introduce deadlines for the completion of investigations. It was agreed on an overall investigation deadline of 15 months, which can be extended by 12 months for the most complex cases.

In the case of a simple cooperation procedure between national data protection bodies, the investigation should be concluded within 12 months.

Early Resolution Mechanism

Authorities may close cases early when the infringement is addressed and the complainant does not object, avoiding the need for a full cross-border procedure.

Implications for Businesses

The new framework will impact all entities engaged in cross-border data processing within the EU, with particular relevance for digital platforms and multinational enterprises, often subject to multi-jurisdictional oversight.

Next Steps

The agreement must now be formally approved by both the Council and the European Parliament. Once adopted, the regulation will become directly applicable in all EU Member States.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More