The Council of the European Union has published a working document proposing additional procedural rules to enforce the General Data Protection Regulation (GDPR) in cross-border cases, aiming to standardise and clarify enforcement procedures among national supervisory authorities. The proposals, which draw on the European Parliament's position, would introduce common procedural standards, cooperation mechanisms, specific investigation timelines, and a right to effective judicial remedy for parties. These changes would directly impact data controllers, processors, and individuals involved in cross-border data processing, as well as national data protection authorities (DPAs).
The document, dated 22 July 2024, was prepared under the Hungarian Presidency of the Council. It is a working document, meaning it is not yet a formal legislative proposal but a basis for discussion among member states. The proposals are non-binding at this stage and do not set concrete numerical targets; instead, they outline procedural orientations.
Policy Orientations and Trade-offs
The document reflects a tension between harmonising enforcement across the EU and preserving national autonomy. On one hand, standardised procedures could reduce fragmentation and legal uncertainty for businesses operating across borders, potentially lowering compliance costs. On the other hand, some member states may resist uniform timelines or judicial remedy rules that limit their discretion. The trade-off is between efficiency and sovereignty: clearer rules may speed up investigations but could also impose rigidities on DPAs accustomed to different national practices.
Impact on Stakeholders
- EU businesses (data controllers/processors): Positive impact, moderate. Standardised procedures and timelines would provide predictability and reduce the burden of navigating multiple national regimes, lowering legal costs.
- National data protection authorities: Mixed impact, moderate. While cooperation mechanisms could improve cross-border case handling, new procedural obligations and timelines may strain resources and limit flexibility.
- EU citizens (data subjects): Positive impact, moderate. A right to effective judicial remedy and clearer investigation timelines would strengthen individual enforcement of GDPR rights.
- EU institutions (Commission, Parliament): Positive impact, minor. The document aligns with the Parliament's position, facilitating inter-institutional progress on the file.
Expected Institutional Follow-up
The Council working document will be discussed among member states in the Council's data protection working party. Following revisions, the Council may adopt a general approach, after which trilogue negotiations with the European Parliament and Commission would begin. The Parliament has already adopted its position, so the next major step is Council agreement.