On June 16, 2025, the Council of the EU (Council) and the European Parliament (EP) reached an agreement on a new regulation (the Draft Regulation) to enhance enforcement of the General Data Protection Regulation (GDPR). The Draft Regulation aims to improve cooperation between national data protection authorities (DPAs) to speed up their handling of cross-border GDPR complaints and related investigations.

The Draft Regulation intends to simplify administrative procedures, such as the criteria for when DPAs can accept and investigate complaints under GDPR, and harmonize complainants’ rights across the EU. The one-stop-shop mechanism under GDPR will remain, but new requirements will be introduced to enhance cooperation among DPAs in cross-border cases. This development will affect all businesses operating across the EU, especially organizations with EU-wide activities. The final text has not yet been published. The publication date remains unclear.

Background

EU bodies, consumer representative groups, and companies have all highlighted shortcomings in GDPR enforcement since its entry into force and advocated revisiting its procedural rules. While GDPR sets common rules for cross-border cooperation, national procedural differences have hindered and slowed down effective enforcement. In response, the European Commission (EC) issued the first version of the Draft Regulation to strengthen GDPR enforcement in July 2023. After a lengthy process and final negotiations, the Council and the EP announced on June 16, 2025, that they had reached a provisional agreement on the Draft Regulation.

Highlights

Key elements of the Draft Regulation:

1. Admissibility: The Draft Regulation aims to expedite the processing of cross-border GDPR complaints by introducing clear and uniform criteria for when DPAs, across Member States, must accept a complaint and investigate the facts described therein.
2. A fast-track process for resolving complaints: A new early resolution mechanism aims at enabling DPAs to resolve cases amicably before initiating the cross-border process and involving other DPAs. This new process could be used when the company has addressed the alleged issue under investigation and the complainant agrees with the early resolution of their complaint.
3. Investigation deadlines: The Draft Regulation will introduce a deadline of 15 months for DPAs to complete their investigations, with the possibility of a 12-month extension for complex cases. This change aims to address long-standing concerns about the slow-moving nature of GDPR enforcement. The Draft Regulation is not expected to affect ongoing investigations, but it remains to be seen how this is addressed in the final version.
4. Simple cooperation procedure: The final text would retain the Council’s proposal for a simplified cooperation procedure for straightforward cases, for which investigations should be concluded within 12 months. This would allow DPAs to act quickly on non-controversial matters while also benefiting from the new cooperation rules for more complex investigations, thereby reducing their administrative burden.
5. Rights of complainants: The new rules aim to clarify the rights of complainants and entities under investigation, including their ability to participate in the proceedings and access relevant case files while maintaining confidentiality. An entity under investigation would be guaranteed the right to be heard at key stages of the proceedings, and both the complainant and the investigated entity would have the right to review preliminary findings before a final decision is made.

Next Steps

The new Draft Regulation represents a significant step towards strengthening the EU’s enforcement of its data protection rules. The provisional agreement must still be formally approved by both the Council and the EP. Once adopted, the Draft Regulation will introduce important procedural changes. Organizations operating in the EU or handling the personal data of EU citizens should closely monitor these developments and assess their potential impact on enforcement risk.

For further information or assistance regarding GDPR compliance or the impact of these new rules on your organization, please contact Cédric Burton, Laura De Boel, Yann Padova, or Nikolaos Theodorakis.

Laura Brodahl, Carol Evrard, and Jessica O’Neill contributed to the preparation of this alert.