The Council of the European Union has adopted new rules to accelerate how national data protection authorities handle cross-border complaints under the General Data Protection Regulation (GDPR), marking the most significant procedural update to EU privacy enforcement since the landmark law took effect in 2018.
The regulation, endorsed on Tuesday, aims to streamline cooperation among data protection authorities (DPAs) when cases involve companies operating across multiple EU member states. Such cases — common for major tech platforms — have often been slowed by procedural disagreements, inconsistent standards, and lengthy back-and-forth between national regulators.
Under the new law, DPAs across the EU will apply harmonized criteria when determining whether a complaint is admissible. This means that no matter where a complaint is filed, authorities must use the same conditions to decide whether to open an investigation.
The rules also introduce common standards governing complainant participation, as well as the rights of companies under investigation. Businesses will have a clearer right to be heard and to receive preliminary findings before regulators issue decisions.
To reduce administrative burden, the legislation creates a “simple cooperation procedure” for straightforward cases, allowing authorities to resolve issues without relying on the full, more complex GDPR cooperation mechanism.
Importantly, the law establishes strict deadlines for regulators. Standard investigations must be completed within 15 months, with a possible 12-month extension for the most complex cases. Simple cooperation procedures must conclude within 12 months.
The Council’s approval marks the final legislative step. The regulation will enter into force 20 days after publication in the Official Journal of the EU and will become applicable 15 months later.
Cross-border cases arise when data processing affects individuals in multiple EU countries — for example, when a user files a privacy complaint in one country about a company headquartered in another. Under the GDPR’s “one-stop-shop” system, a lead authority oversees the investigation but must coordinate closely with its counterparts.
EU officials say the new rules will reduce procedural deadlock, strengthen enforcement, and provide greater legal certainty for citizens and companies operating across the bloc.
Need Help?
If you have questions or concerns about these, or any global guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
