The EU Council has published a working document detailing progress on a proposed regulation to harmonise procedural rules for enforcing the General Data Protection Regulation (GDPR), with a focus on cross-border complaints. The document, dated 28 November 2024, outlines key provisions under negotiation, including rules on complaint admissibility (Article 3) and a new 'early resolution' procedure (Article 5) that would allow supervisory authorities to swiftly settle cases where an infringement has ended and the complainant does not object. The initiative aims to streamline handling of cross-border data protection cases, impacting EU regulators, businesses, and citizens.
Document Context and Type
The working document originates from the Council's preparatory bodies and reflects the state of play in interinstitutional negotiations between the Council, European Parliament, and European Commission. It is a non-binding discussion paper intended to guide further talks, not a final legislative text. The proposed regulation would supplement the GDPR by establishing common procedures for national data protection authorities when dealing with cross-border complaints, addressing current fragmentation in enforcement.
Policy Orientations and Trade-offs
The document signals significant progress, with provisional agreements on several points. However, a key tension remains between harmonising EU procedural rules and respecting national procedural autonomy. The early resolution mechanism, for instance, aims to reduce case backlogs and speed up redress for complainants, but some member states have raised concerns about potential circumvention of thorough investigations. This reflects a broader cleavage between efficiency and due process, as well as between EU-level harmonisation and national discretion.
Impact on Stakeholders
- EU consumers and data subjects: Positive impact from faster resolution of complaints, but risk of weaker enforcement if early resolution is used to avoid full scrutiny of systemic violations.
- Businesses (especially tech firms): Benefit from clearer, more predictable procedures across member states, reducing compliance costs. However, early resolution may lead to quicker closure of cases but potentially less legal certainty.
- National data protection authorities: Gain streamlined tools but may face constraints on their procedural autonomy, particularly those with established national practices.
- EU institutions: The Council's progress strengthens its negotiating position vis-à-vis the European Parliament, which has pushed for stronger complainant rights.
Expected Institutional Follow-up
The working document will inform the next trilogue meeting between the Council, Parliament, and Commission. The Parliament adopted its position in 2023, and the Council aims to finalise its general approach in early 2025. Once agreed, the regulation will be adopted under the ordinary legislative procedure, requiring qualified majority in the Council and majority in Parliament.