EURO AREA | EU Strengthens Cross-Border Enforcement of the General Data Protection Regulation

On 16 June, the Council of the EU and the European Parliament reached a provisional agreement on a new regulation to improve the efficiency of enforcing the General Data Protection Regulation (GDPR) in cross-border cases. The agreement particularly strengthens the cooperation mechanism among data-protection authorities to better safeguard citizens’ data rights. Core provisions include:

(i) Unified Complaint Acceptance Criteria

Irrespective of where in the EU a citizen files a cross-border data-processing complaint, admissibility will be assessed against uniform criteria, preventing procedural discrepancies from delaying proceedings.

(ii) Clarified Party Rights

The regulation harmonizes the rights and obligations of complainants and investigated entities: if a complaint is dismissed, the complainant has the right to be heard; investigated enterprises or institutions will be entitled to present their views at key stages; both parties must be informed of preliminary findings before the final ruling and may respond.

(iii) Investigation Time Limits

Standard cross-border cases must be completed within 15 months; complex cases may be extended to 27 months; simplified cooperation cases must be concluded within 12 months.

(iv) “Early-Resolution Mechanism”

If the investigated enterprise has already rectified the infringement and the complainant does not object to expedited handling, the data-protection authority may close the case without launching the full cross-border procedure, accelerating resolution of non-contentious matters.

(v) Streamlined Cooperation Procedure

The regulation allows the lead supervisory authority to skip certain complex steps when handling simpler cases, reducing administrative burden, while pre-sharing key information to avoid prolonged inter-authority consultations.

The provisional agreement still requires formal approval by the European Parliament and the Council. Once adopted, it will enter into force as law. Since its implementation on 25 May 2018, GDPR has established a unified data-protection framework across the EU. For cross-border data processing involving multiple member states, GDPR mandates supervisory authorities to cooperate, led by a single “lead supervisory authority” in coordination with others. The new regulation addresses inefficiencies and inconsistencies in this cooperation, further strengthening the protection of personal data rights.

Reference: Council of the EU website