Breaking Borders: How the EU’s New GDPR Procedural Deal Fast-Tracks Cross-Border Enforcement

Introduction

On 16 June 2025, the Council of the European Union (under the Polish Presidency) and the European Parliament reached a provisional agreement on a new GDPR Procedural Regulation, designed to streamline cooperation among national data-protection authorities (DPAs) in cross-border enforcement cases.

Why a Procedural Regulation?

Since the GDPR entered into force in May 2018, a “one-stop shop” mechanism (Art. 60 GDPR) has empowered a Lead Supervisory Authority (LSA) to coordinate cross-border complaints. Yet, fragmented national procedures, divergent admissibility criteria, and limited resources have often delayed investigations and diluted enforcement consistency across Member States.

Key Elements of the Provisional Deal

1. Harmonised Admissibility Criteria
   Complaints filed in any Member State will be judged on the same minimum information requirements (e.g., identity of the parties, description of the data processing activity, and alleged infringement).
2. Early-Resolution Mechanism
   DPAs may resolve straightforward cases unilaterally—without triggering full cross-border procedures—when the organisation has remedied the issue and the complainant consents to an expedited settlement.
3. Binding Lead Authority Deadlines
   Once appointed, an LSA must draft a decision within 15 months—and resolve simpler cases within 12 months—subject only to narrowly defined extensions for demonstrable complexity.
4. Stronger Cooperation & Dispute Resolution
   Where DPAs disagree, the EDPB’s binding-consistency mechanism (Arts 63–65 GDPR) will be triggered more quickly, ensuring uniform outcomes.

Legislative & Political Context

• Commission Proposal (July 2023): Laid out procedural rules to support Art. 60–65 GDPR.
• Parliament’s Position (April 2024): Advocated for tighter deadlines and enhanced complainant rights.
• Council’s General Approach (June 2024): Emphasised flexibility for DPAs, reflecting concerns over resource constraints in smaller states.
• Trilogue Negotiations: Concluded on 16 June 2025 under the Polish EU Presidency.

Implications & Analysis

For DPAs: The Regulation forces authorities to bolster investigative capacity or risk procedural breaches—potentially prompting new budget increases for data-protection offices.

For Businesses: While harmonisation reduces legal uncertainty, tighter deadlines may compress compliance timelines and expand enforcement risk. Proactive data-governance programmes will be essential.

For Citizens: Clearer procedures and binding deadlines promise faster complaint resolution—strengthening trust in the GDPR as a rights-enforcement tool. Effectiveness will hinge on DPAs’ willingness to use early-resolution rather than defer to formalities.

Looking Ahead

The provisional text now awaits formal adoption by both co-legislators (expected in Q3 2025) and publication in the Official Journal. Member States will then have six months to transpose the new Regulation into their supervisory frameworks. As the EU braces for the full application of the AI Act in August 2025, this Procedural Regulation could serve as a blueprint for procedural cooperation in other cross-sectoral rulebooks—such as those for AI and digital services. Ultimately, the deal is a forward-looking model for agile, consistent enforcement in a fast-evolving data economy.