17 April 2025

EU's GDPR Faces Legislative Chaos Amid Reform Efforts

As negotiations continue, critics warn of worsening enforcement and complexity.

Since its implementation in 2018, the European Union's General Data Protection Regulation (GDPR) has aimed to ensure that individuals can exercise their right to data protection across the EU. However, as the regulation nears its seventh anniversary, significant issues remain, particularly regarding enforcement and cooperation among member states. Many of these problems stem from the complex mechanisms in place for handling complaints when companies are based in different EU or EEA countries.

The EU has attempted to address these enforcement challenges through the introduction of a "GDPR Procedural Regulation." This new regulation is intended to streamline processes and improve cooperation between data protection authorities. However, the ongoing trilogue negotiations among the EU Parliament, member states, and the Commission have resulted in what many are calling legislative chaos.

Critics argue that the proposed changes may complicate the already convoluted enforcement landscape even further. Max Schrems, the chairman of the privacy advocacy group noyb.eu, has been particularly vocal in his criticism. In a statement released on April 17, 2025, he described the direction that EU institutions seem to be taking as a "procedural nightmare," suggesting that rather than simplifying the GDPR, the new regulation would "worsen" it.

One of the core issues with the GDPR has been the slow pace of decision-making by data protection authorities. According to Schrems, decisions currently take an average of around eight months, while in member states with established deadlines, the average is approximately 4.5 months. In contrast, the EU Parliament has proposed a deadline of three months for simple cases and up to nine months for more complex ones. However, reports indicate that the Council is advocating for a much longer deadline of up to 33 months, which would significantly hinder timely enforcement.

The GDPR was designed to empower individuals, granting them rights such as the ability to request data deletion from large online platforms. However, the reality has been fraught with complications. Complaints often get lost in the bureaucratic maze of cooperation among the 30 EU and EEA countries, leading to delays that can stretch for years. This has resulted in a perception that the GDPR is failing to deliver on its promises.

In 2022, data protection authorities coordinated within the European Data Protection Board and sent a letter to then-EU Justice Commissioner Didier Reynders, outlining suggestions for improving cooperation. This led to the drafting of the GDPR Procedural Regulation, which was intended to clarify processes and establish more effective frameworks for cross-border data protection enforcement.

However, the legislative process has been anything but smooth. The EU Commission's initial proposal has faced criticism for lacking a proper impact assessment and failing to adequately involve stakeholders. Many experts have pointed out that the proposal demonstrates a clear lack of procedural knowledge, which could lead to even more complex and inefficient regulations.

Markéta Gregorová, a member of the European Parliament from the Greens party, has been working to ensure that the new regulation provides effective and practical remedies for individuals while simplifying processes for straightforward cases. She noted that while the Greens, along with the Left, Social Democrats, and Liberals, initially supported significant reforms to the Commission's proposal, they now find themselves needing the support of the center-right Christian Democrats to move forward.

This political landscape has made it challenging to maintain ambitious goals for the GDPR reform. Gregorová expressed concern about the potential dilution of important provisions that would ensure timely decisions and effective remedies for individuals.

Schrems has called for a six-month pause on the regulation's progress to allow for a thorough re-evaluation of the proposal. However, he acknowledges that this is unlikely to happen. Instead, he suggests that the Parliament should vote against the current proposal to block it, although this would only provide a temporary reprieve. The EU Commission has already indicated plans to revisit the GDPR soon, focusing on reducing regulations for small businesses, which could further complicate matters.

Critics are wary that the Commission's upcoming "Omnibus Package" will not prioritize effective enforcement of data protection rights but instead aim to ease regulations for businesses. Gregorová has cautioned against reopening the "Pandora's box" of GDPR regulations, fearing it could undermine the legal certainty that both individuals and businesses rely on.

As the negotiations continue, the stakes remain high. The GDPR was meant to set a global standard for data protection, yet the ongoing struggles within the EU to enforce it effectively raise questions about its future viability. The current trajectory suggests that instead of achieving a streamlined and efficient process, the EU may be on the brink of creating an even more cumbersome regulatory framework.

In a landscape where data privacy is increasingly critical, the ability of the GDPR to adapt and function effectively will be crucial. The upcoming months will determine whether the EU can navigate these complex waters and deliver on the promise of robust data protection for its citizens.