Briefly
On 16 June 2025, the Council of the European Union and the European Parliament reached a political settlement on a brand new regulation introducing further procedural guidelines for the enforcement of the Common Knowledge Safety Regulation (GDPR) in cross-border issues (“Regulation“).
The brand new Regulation seeks to repair the delays and inconsistencies which have undermined the dealing with of cross-border GDPR complaints. It units out a standard algorithm for the way nationwide information safety authorities cooperate, how complaints are processed and the way events are heard — bringing extra readability and predictability to enforcement throughout the EU.
Companies engaged in cross-border information processing ought to start assessing the sensible implications of the brand new procedural necessities, significantly in relation to the outlined timelines, enhanced rights for complainants and extra formalized cooperation with supervisory authorities.
To grasp how these adjustments might have an effect on your corporation and the way finest to arrange, please contact your common Baker McKenzie contact.
Contents
- Background: the necessity for reform
- Key options of the brand new Regulation
- Subsequent steps
- Implications for companies
Since its entry into drive in 2018, the GDPR has supplied a sturdy authorized framework for information safety throughout the EU. Nonetheless, its enforcement — significantly in cross-border contexts — has been formed by procedural complexity, fragmented practices amongst supervisory authorities and important delays in resolving complaints.
Beneath the present regime, the lead supervisory authority is liable for investigating cross-border complaints, in cooperation with different involved authorities. This cooperation, ruled by Article 60 of the GDPR, has confirmed to be advanced and, at occasions, inefficient.
Investigations have usually taken years to conclude, and the shortage of harmonized procedural guidelines has led to inconsistent remedy of complaints and uncertainty for each people and companies. The European Fee acknowledged these shortcomings and revealed the current proposal on 4 July 2023.
The proposal seeks to determine a coherent procedural framework to enrich — not amend — the present GDPR enforcement mechanism. It consists of measures to harmonize the cooperation between information safety authorities, the dealing with of complaints and the rights of events concerned in enforcement proceedings. It additionally establishes clear timelines for every stage of cooperation and dispute decision.
The political settlement that has been reached confirms the core goals of the European Fee’s authentic proposal whereas introducing sensible enhancements.
Beneath the phrases of the settlement, the Regulation will introduce the next:
- 15-month deadline for the completion of investigations in cross-border circumstances, with the potential for a 12-month extension in significantly advanced issues.
- 12-month deadline for easier cooperation procedures.
The Regulation additionally supplies for a standardized grievance kind and customary admissibility standards, guaranteeing that complaints are assessed constantly throughout member states.
Each the events beneath evaluation and the complainants may have the proper to entry and touch upon preliminary findings earlier than a ultimate determination is adopted, reinforcing procedural equity and transparency.
As well as, the Regulation introduces a brand new early decision mechanism, permitting supervisory authorities to resolve complaints at an earlier stage earlier than involving different nationwide authorities. That is anticipated to cut back the executive burden and speed up outcomes. The position of the European Knowledge Safety Board in resolving disputes between authorities may also be clarified and streamlined.
Collectively, these measures are anticipated to strengthen the consistency, transparency and timeliness of GDPR enforcement in cross-border contexts.
The provisional settlement will now must be formally adopted by each the European Parliament and the Council. As soon as adopted, the brand new Regulation shall be straight relevant throughout the EU with out the necessity for nationwide implementation.
Companies ought to begin reviewing their inner procedures now to make sure they’re ready for the brand new enforcement panorama.
The reform represents a big step towards larger predictability and effectivity within the enforcement of the GDPR, particularly for big multinationals working throughout a number of member states.
Briefly
On 16 June 2025, the Council of the European Union and the European Parliament reached a political settlement on a brand new regulation introducing further procedural guidelines for the enforcement of the Common Knowledge Safety Regulation (GDPR) in cross-border issues (“Regulation“).
The brand new Regulation seeks to repair the delays and inconsistencies which have undermined the dealing with of cross-border GDPR complaints. It units out a standard algorithm for the way nationwide information safety authorities cooperate, how complaints are processed and the way events are heard — bringing extra readability and predictability to enforcement throughout the EU.
Companies engaged in cross-border information processing ought to start assessing the sensible implications of the brand new procedural necessities, significantly in relation to the outlined timelines, enhanced rights for complainants and extra formalized cooperation with supervisory authorities.
To grasp how these adjustments might have an effect on your corporation and the way finest to arrange, please contact your common Baker McKenzie contact.
Contents
- Background: the necessity for reform
- Key options of the brand new Regulation
- Subsequent steps
- Implications for companies
Since its entry into drive in 2018, the GDPR has supplied a sturdy authorized framework for information safety throughout the EU. Nonetheless, its enforcement — significantly in cross-border contexts — has been formed by procedural complexity, fragmented practices amongst supervisory authorities and important delays in resolving complaints.
Beneath the present regime, the lead supervisory authority is liable for investigating cross-border complaints, in cooperation with different involved authorities. This cooperation, ruled by Article 60 of the GDPR, has confirmed to be advanced and, at occasions, inefficient.
Investigations have usually taken years to conclude, and the shortage of harmonized procedural guidelines has led to inconsistent remedy of complaints and uncertainty for each people and companies. The European Fee acknowledged these shortcomings and revealed the current proposal on 4 July 2023.
The proposal seeks to determine a coherent procedural framework to enrich — not amend — the present GDPR enforcement mechanism. It consists of measures to harmonize the cooperation between information safety authorities, the dealing with of complaints and the rights of events concerned in enforcement proceedings. It additionally establishes clear timelines for every stage of cooperation and dispute decision.
The political settlement that has been reached confirms the core goals of the European Fee’s authentic proposal whereas introducing sensible enhancements.
Beneath the phrases of the settlement, the Regulation will introduce the next:
- 15-month deadline for the completion of investigations in cross-border circumstances, with the potential for a 12-month extension in significantly advanced issues.
- 12-month deadline for easier cooperation procedures.
The Regulation additionally supplies for a standardized grievance kind and customary admissibility standards, guaranteeing that complaints are assessed constantly throughout member states.
Each the events beneath evaluation and the complainants may have the proper to entry and touch upon preliminary findings earlier than a ultimate determination is adopted, reinforcing procedural equity and transparency.
As well as, the Regulation introduces a brand new early decision mechanism, permitting supervisory authorities to resolve complaints at an earlier stage earlier than involving different nationwide authorities. That is anticipated to cut back the executive burden and speed up outcomes. The position of the European Knowledge Safety Board in resolving disputes between authorities may also be clarified and streamlined.
Collectively, these measures are anticipated to strengthen the consistency, transparency and timeliness of GDPR enforcement in cross-border contexts.
The provisional settlement will now must be formally adopted by each the European Parliament and the Council. As soon as adopted, the brand new Regulation shall be straight relevant throughout the EU with out the necessity for nationwide implementation.
Companies ought to begin reviewing their inner procedures now to make sure they’re ready for the brand new enforcement panorama.
The reform represents a big step towards larger predictability and effectivity within the enforcement of the GDPR, particularly for big multinationals working throughout a number of member states.
