The core issue? While the GDPR provides robust internal cooperation mechanisms among EEA authorities (e.g., the one-stop-shop and consistency mechanism), international enforcement outside the EEA relies heavily on soft, informal tools. Binding instruments are scarce, practical use is limited, and structural barriers prevent deeper collaboration. Yet, as global tech giants operate worldwide, fragmented enforcement risks undermining the credibility of data protection regimes everywhere.
The Current Landscape: Limited Tools, Even More Limited Action
The report begins by mapping the existing framework for international enforcement cooperation in data protection. At its foundation lies Article 50 GDPR, which enables mutual assistance—including notifications, complaint handling, investigative support, and information exchange—between EEA DPAs and third-country authorities. However, this provision is often interpreted narrowly and requires supplementary arrangements in many jurisdictions (e.g., French DPAs need ministerial approval for certain actions).
Multilateral binding instruments include the modernized Convention 108+ (which details mutual assistance but is not yet widely in force) and specific arrangements like the EU-U.S. Data Privacy Framework (DPF), which commits the FTC and Department of Commerce to enforcement cooperation and joint meetings. Bilateral binding agreements, however, are virtually nonexistent in the data protection space.
Soft law fills much of the gap: bilateral Memoranda of Understanding (MoUs) focus on dialogue, best-practice sharing, and technical assistance rather than enforcement; global fora like the Global Privacy Assembly (GPA), Global Privacy Enforcement Network (GPEN), and Global Cooperation Arrangement on Privacy Enforcement (Global CAPE) facilitate informal exchanges, joint letters, workshops, and coordinated sweeps (e.g., GPEN’s actions on deceptive design or children’s privacy). The GPA’s Cross Border Arrangement enables secure information exchange among participants like Estonia, Germany, and others.
In practice, cooperation remains predominantly “soft.” Respondents to the EDPB questionnaire reported that most interactions involve sharing general trends, legal analyses, or participating in awareness campaigns. Enhanced forms—like joint investigations—are rare. Notable exceptions include the UK and Canada’s collaboration on the 23andMe case (2024-2025), where authorities exchanged evidence, contributed to reports, and engaged in bankruptcy proceedings. Yet, over half of surveyed DPAs reported no or only one formal cooperation instance in the past five years. Smaller authorities face particular operational hurdles, and enforcement of decisions abroad is generally impossible without local mechanisms.
Key Challenges: Legal, Practical, and Structural Barriers
The report identifies a stark discrepancy between legal possibilities and real-world application. Legal barriers include restrictions on sharing confidential information (e.g., inspection evidence), personal data (subject to strict GDPR rules), and investigatory powers abroad. Reciprocity requirements—such as dual unlawfulness (the conduct must be illegal in both jurisdictions) or identical legal standards—further complicate matters. Some countries, like Switzerland or Korea, impose strict conditions on sharing investigative documents.
Practical challenges compound these: resource constraints (especially for smaller DPAs), lack of dedicated structures or contact points, procedural mismatches, language barriers, and trust issues. Structurally, overlapping multilateral fora lead to fragmentation and duplication, diluting impact.
These hurdles create a vicious cycle: limited practical experience erodes trust and willingness to cooperate, perpetuating underutilization of even existing tools like Article 50 or MoUs.
Learning from Mature Frameworks: Consumer Protection and Competition Law
One of the report’s strongest contributions is its comparative analysis. In consumer protection, the International Consumer Protection and Enforcement Network (ICPEN)—with over 70 members, including most EEA DPAs and many adequacy countries—operates econsumer.gov, a secure platform for sharing complaints and investigative information with consent-based safeguards and confidentiality agreements. Initiatives like Internet Sweep Days and joint letters demonstrate effective coordination. The OECD’s enforcement toolkit helps reduce legal barriers, while UNCTAD guidelines advocate technological solutions.
Competition law offers even more mature models. The European Competition Network (ECN) enables seamless mutual assistance within the EU. Globally, “second-generation” bilateral agreements (e.g., EU-U.S. agreements from 1991 onward) allow investigative assistance, information exchange without always requiring consent, and coordination via principles of negative comity (avoiding interference) and positive comity (assisting where conduct is illegal locally). The International Competition Network (ICN) promotes model waivers for confidential information sharing, and the OECD’s 2014 Recommendation has driven legislative improvements in many jurisdictions.
Key differences explain the maturity gap: competition law benefits from convergent substantive norms (e.g., cartel prohibitions), proactive merger notifications, and economic incentives for cooperation. Data protection, by contrast, is more individual-rights focused, with stricter confidentiality rules and fewer enforcement levers against third-country entities.
Yet the parallels are instructive. Consumer protection’s secure platforms and sweep mechanisms could inspire data-specific equivalents. Competition’s waivers, comity principles, and second-generation agreements offer blueprints for overcoming confidentiality and reciprocity barriers.
Recommendations: A Forward-Looking Roadmap
The report concludes with actionable, multi-layered recommendations to bridge the gaps:
- Maximize existing frameworks: Interpret Article 50 and Convention 108 more broadly, presuming cooperation where adequate safeguards exist. Develop model waivers (adapted from ICN) for consent-based sharing of confidential or personal data.
- Enhance legal instruments: Pursue “second-generation” bilateral agreements with detailed provisions on investigative aid, information exchange, comity, and enforcement coordination. Integrate cooperation commitments into adequacy decision reviews.
- Build technical and operational tools: Create a secure, encrypted platform (modeled on econsumer.gov) for complaint submission, information sharing, notifications, and access controls. Establish joint investigation frameworks with clear terms of reference, dedicated cooperation units, resource pooling, and training programs.
- Government intervention: Allocate resources to DPAs, negotiate reciprocity solutions, and enact cross-border enforcement mechanisms.
- Guidance and standard-setting: The EDPB should issue comprehensive guidance on Article 50 interpretation, secrecy rules, and best practices. Develop model agreements, toolkits (inspired by OECD), and templates for waivers or complaints with informed consent options.
- Institutional strengthening: Strengthen global fora engagement (GPA, GPEN, etc.), reduce duplication, and expand EDPB working groups on international cooperation.
Implementing these would require leadership from DPAs, governments, and the EDPB. Without it, the report warns, data protection enforcement risks remaining theoretical in a global digital economy dominated by cross-border actors.
Why This Matters Now
As AI, big data, and cloud services accelerate cross-border data flows, uncoordinated enforcement allows bad actors to exploit jurisdictional gaps. High-profile cases—like those involving U.S. tech firms—underscore the need for credible international mechanisms. The report’s emphasis on adequacy-linked cooperation is particularly relevant, as adequacy decisions (e.g., for the UK, Japan, or the U.S. DPF) already presuppose equivalent protection levels—yet fall short on enforcement alignment.
By adapting proven tools from consumer and competition domains, the data protection community can evolve from fragmented, soft cooperation to structured, effective enforcement. The EDPB’s initiative—launched amid growing partnerships with adequacy-country DPAs—signals a strategic shift toward global resilience.
In the end, strong international cooperation isn’t optional—it’s essential for upholding fundamental rights in a connected world. The EDPB report provides not just diagnosis, but a prescription. The question now is whether stakeholders will act on it.
