The European Parliament and the Polish Presidency of the Council of the European Union struck a provisional deal to overhaul the enforcement of cross-border cases under the General Data Protection Regulation (GDPR). This agreement marks a pivotal moment in addressing long-standing delays and inconsistencies that have frustrated individuals, businesses, and regulators alike. By introducing clearer procedures, enforceable timelines, and enhanced rights for all parties involved, the regulation aims to make GDPR enforcement faster, more equitable, and transparent. While the deal awaits final approval, it signals a bold step toward strengthening data protection across the EU’s complex regulatory landscape.
The GDPR, enacted in 2018, set a global standard for data privacy, but its enforcement in cross-border cases where data processing spans multiple EU countries has often been bogged down by bureaucratic hurdles and differing interpretations among national data protection authorities (DPAs). This new regulation seeks to tackle those challenges head-on, ensuring that citizens’ complaints are resolved swiftly and fairly, while businesses gain clarity on their obligations and rights.
Key Features of the Provisional Agreement
The agreement introduces several transformative changes to how cross-border GDPR cases are handled. Here’s a breakdown of its core components:
- Defined Timelines for Investigations: A lead supervisory authority, typically the DPA in the country where a company’s main EU operations are based, must now complete its investigation and issue a draft decision within 15 months. For simpler cases, this deadline shrinks to 12 months. Extensions of up to 12 months are allowed for complex cases, but only when absolutely necessary. These deadlines aim to eliminate the prolonged delays that have left complainants in limbo.
- Enhanced Rights for Complainants and Companies: The regulation grants both individuals filing complaints and businesses under investigation the right to access case files and be heard during the process. This ensures greater transparency and fairness, addressing criticisms that the current system often leaves parties in the dark about case progress.
- Streamlined Cooperation Between DPAs: The agreement strengthens coordination among national DPAs, clarifying procedures for collaboration and dispute resolution. This is critical in cross-border cases, where disagreements between authorities have often stalled progress. The new rules aim to create a more cohesive enforcement framework across the EU.
- Focus on Transparency and Accountability: By setting clear procedural guidelines, the regulation ensures that DPAs operate with greater consistency and predictability. This benefits all stakeholders, from individuals seeking redress to businesses navigating compliance.
Voices from the Frontlines
Markéta Gregorová, a Member of the European Parliament and rapporteur for the Committee on Civil Liberties, Justice and Home Affairs, championed the agreement. In a statement to the International Association of Privacy Professionals (IAPP), she expressed pride in the outcome: “This regulation ends the years-long limbo citizens have faced in cross-border GDPR cases. We’ve fought for clear, enforceable deadlines and strong protections for both complainants and companies. The result is a system that’s faster, fairer, and more transparent.”
Poland’s Deputy Prime Minister and Minister for Digital Affairs, Krzysztof Gawkowski, echoed this sentiment, emphasizing the regulation’s role in improving cooperation among DPAs. “This is a major step toward ensuring citizens’ rights under the GDPR are upheld efficiently,” he said. “By speeding up the handling of cross-border complaints, we’re making data protection work better for everyone.”
Challenges and Criticisms
Despite the optimism, not everyone is convinced the regulation goes far enough—or in the right direction. Privacy advocacy group NOYB, led by Max Schrems, has raised significant concerns. In a May 20 post, NOYB criticized the proposed rules for introducing “excessively long deadlines and overly complex procedures.” Schrems argued that the regulation’s structure could undermine its goals, potentially leading to further delays rather than resolving them. He even suggested that the regulation’s flaws might warrant an annulment challenge before the Court of Justice of the European Union if it passes in its current form.
The criticism highlights a tension at the heart of the agreement: balancing speed with thoroughness. While the 12- and 15-month deadlines are a marked improvement over the open-ended timelines of the past, critics argue they may still be too lenient for straightforward cases or too rigid for highly complex ones. Additionally, some businesses worry that the shorter deadlines could pressure DPAs to rush decisions, potentially compromising the quality of investigations.
What’s Next?
The provisional agreement is not yet set in stone. It requires formal approval from both the European Parliament and the Council of the European Union before it can take effect. The final text of the regulation has not been released as of June 20, 2025, and likely won’t be until the co-legislators reach a definitive agreement. Once adopted, the new rules will reshape how cross-border GDPR cases are handled, with implications for regulators, businesses, and individuals across the EU.
For businesses, the regulation offers both opportunities and challenges. Clearer procedures and timelines could reduce uncertainty, making it easier to anticipate and manage compliance risks. However, the tighter deadlines may increase pressure on companies to respond promptly to investigations, requiring robust internal data protection processes. Legal experts from Hogan Lovells, in an analysis for the IAPP, noted that the agreement incorporates elements from the European Commission, Parliament, and Council, but some contentious issues—such as the feasibility of the proposed timelines—remain unresolved.
Broader Implications
This regulation arrives at a critical juncture for data protection in the EU. As digital economies grow and data flows become increasingly global, the need for effective, harmonized enforcement of the GDPR has never been greater. Cross-border cases often involve tech giants with operations spanning multiple countries, making coordination among DPAs essential to avoid loopholes or inconsistent rulings. By addressing these challenges, the EU aims to reinforce its position as a global leader in data privacy.
For individuals, the regulation promises a more responsive system. Too often, citizens filing GDPR complaints have faced years of delays, eroding trust in the system. The new deadlines and procedural clarity could restore confidence, ensuring that data protection rights are not just theoretical but enforceable in practice.
Yet the road ahead is not without obstacles. The regulation’s success will depend on how well DPAs adapt to the new rules and whether they can balance speed with thoroughness. Additionally, the ongoing debate over the regulation’s structure suggests that further refinements may be needed to address critics’ concerns.
Looking Forward
As the EU moves toward finalizing this regulation, all eyes will be on how it shapes the future of GDPR enforcement. For now, the provisional agreement represents a significant step toward a more efficient and equitable system. By setting clear timelines, enhancing rights, and fostering cooperation among regulators, the EU is signaling its commitment to making data protection work for the digital age.
For businesses operating in the EU, now is the time to review compliance strategies and prepare for a more streamlined—but potentially more demanding—enforcement landscape. For individuals, the promise of faster resolutions offers hope that their data rights will be upheld with greater urgency. And for regulators, the challenge lies in implementing these changes effectively, ensuring that the GDPR remains a cornerstone of global privacy standards.
