Euronews
Romane Armangau

EU plans to reform data protection rules are tangled mess, privacy advocates warn

A planned refit of the EU's General Data Protection Regulation (GDPR) Procedural Regulation intended to clarify and streamline cross-border cooperation between data protection authorities (DPAs) risks further complicating the system, privacy advocates have warned.

Introduced in 2018, the GDPR shields citizens' rights over how their personal data is used. But when a complaint is filed against a company based in another EU or EEA country, the case must go through a cooperation process between the data protection authority in the complainant’s country and the authority where the company is headquartered.

This cross-border system is often slow and opaque, with complaints taking years to resolve and no clear way to hold national authorities accountable if they fail to act. Critics say this has led to a broader failure to properly enforce the GDPR across the bloc.  

In an attempt to fix these shortcomings, the European Commission proposed a new regulation in 2023 to harmonise procedural rules and accelerate decisions. However, privacy advocate organisation noyb has warned that trilogue negotiations between the Commission, the European Parliament and the Council have yielded a “legislative mess” that could slow down investigations even further.  

The regulation was originally intended to address procedural inconsistencies between member states, such as different requirements for hearing parties, sharing evidence and issuing decisions. But rather than simplifying the framework, noyb said the current draft would create as many as ten different types of GDPR procedures, with legal variants, adding more complexity to the procedure.

“We initially very much supported having clear procedural rules,” said Max Schrems, lawyer and founder of noyb. “But this proposal risks becoming the biggest legislative mess I have seen in a long time.”  

The NGO argues that the draft law fails to address fundamental problems in cross-border enforcement and instead introduces a multitude of complex procedural paths. This could make it harder for DPAs to resolve cases, many of which already take several years to reach a conclusion, according to Schrems.

Noyb and other privacy advocates like EDRi are pushing to safeguard the right to be heard during the process and the right to appeal, and to streamline processes. Currently, DPAs' procedures vary in length and in the extent to which they offer parties access to documents.

Noyb said the European Commission should have conducted an impact assessment before introducing the proposal, that the Council was hasty in reaching its position and that MEPs lacked ambition in their approach to the proposal.

“We have been hearing the concerns of NGOs throughout the whole process and implemented many inputs,” said MEP Markéta Gregorová (Czechia/Greens), a European Parliament negotiator on the issue, adding: “I want to reassure them again: our focus is not on weakening the text, but on delivering a fair and functional process that works for people, authorities, and businesses alike.”

“As Parliament, we are committed to ensuring timely decisions, effective remedies, and a stronger voice for all parties involved, especially complainants,” said Gregorová.  

“This law will not solve problems - but generate more disputes,” warned Schrems.

The file remains under discussion in so-called trilogue negotiations between the European Parliament, the Council and the Commission, with a next round scheduled for 21 May. 
