The EU Council has published a working document proposing a new regulation to establish clearer procedural rules for enforcing the General Data Protection Regulation (GDPR) in cross-border cases. The proposals aim to standardise the handling of cross-border complaints, define admissibility requirements, and outline procedures for the right to be heard, targeting the smooth and effective functioning of cooperation and dispute resolution mechanisms between national data protection authorities (DPAs). The document, dated 22 July 2024, falls under the EU policy area of data protection and privacy.
Document metadata and type
The working document, published by the Council of the European Union, is an early-stage legislative proposal. It is not yet a formal legislative act but serves as a basis for internal Council discussions. The document focuses on Articles 60 and 65 of the GDPR, which govern cooperation between DPAs and binding decisions by the European Data Protection Board (EDPB). The proposed regulation seeks to harmonise procedural steps, such as complaint admissibility criteria and the right to be heard, to reduce inconsistencies that have led to delays and legal uncertainty in cross-border enforcement. Currently, DPAs apply divergent national procedural rules, which the Council argues undermines the GDPR's 'one-stop-shop' mechanism.
Policy orientations and trade-offs
The proposals involve trade-offs between efficiency and national procedural autonomy. For EU consumers and data subjects, clearer rules could speed up resolution of cross-border complaints, enhancing privacy protection. For businesses subject to GDPR enforcement, standardised procedures may reduce compliance costs by providing predictability, but could also impose new administrative burdens if admissibility requirements become more stringent. National DPAs may face reduced flexibility in handling cases, potentially limiting their ability to adapt to local contexts. The EDPB would gain a stronger role in dispute resolution, which centralises authority but risks overburdening the Board.
Impact on stakeholders
The most impacted stakeholders are: EU consumers and data subjects, who may benefit from faster complaint resolution; businesses subject to GDPR enforcement, which face more predictable but potentially more stringent procedures; national DPAs, which lose procedural flexibility; and the EDPB, which gains a stronger dispute resolution role but may face increased workload.
Expected institutional follow-up
The working document is an early stage in the legislative process. The Council will discuss the proposals internally before seeking input from the European Parliament and the European Commission. The EDPB is also expected to provide an opinion. The timeline for adoption remains uncertain, but the document signals the Council's intent to address procedural fragmentation in GDPR enforcement.