Sign in Subscribe
Data

EU's attempt to fix GDPR enforcement backfires spectacularly

How a well-intentioned regulation became a bureaucratic nightmare.

Luís Rijo

6 min read
GDPR maze: EU bureaucracy illustrated as complex flowcharts, DPA boxes and ticking clocks from 2018-2025.
GDPR maze: EU bureaucracy illustrated as complex flowcharts, DPA boxes and ticking clocks from 2018-2025.

As European regulators struggle with ineffective GDPR enforcement, a new procedural regulation meant to streamline cooperation between data protection authorities is poised to make things significantly worse. Instead of addressing core problems, the legislation risks creating unprecedented complexity that will further delay privacy enforcement across Europe.

Since 2018, the General Data Protection Regulation (GDPR) has promised Europeans unified privacy rights throughout the EU. However, the "cooperation mechanism" between Data Protection Authorities (DPAs) - central to cross-border enforcement - has proven deeply flawed.

When citizens' rights are violated by companies based in another EU/EEA member state, their complaints must navigate a complex system involving both their local DPA and the authority in the company's home country. This enforcement mechanism is widely acknowledged as a primary reason for GDPR's underwhelming enforcement record.

Is Ireland enforcing GDPR?
Germany, France, Spain, and Italy show concerns with Ireland’s lack of action in enforcing GDPR.
PPC LandLuís Rijo

According to documents published by privacy advocacy organization noyb on April 17, 2025, the European Union's attempt to address these problems through a "GDPR Procedural Regulation" is heading toward disaster. The regulation, currently in final "trilogue" negotiations between EU institutions, appears to be creating even more bureaucratic hurdles than it solves.

"We initially very much supported having clear procedural rules. But this proposal risks to become the biggest legislative mess I have seen in a long time," said Max Schrems, Chairman of noyb.eu, in the organization's press release. "The result is an overloaded system that will make procedures even more complex and slower. Many elements are of such poor legal quality that this law will not solve problems - but generate more disputes."

From bad to worse: The current situation

Under the current system, complaints often get lost in bureaucratic limbo. Decisions routinely take years, and citizens have virtually no recourse against inactive authorities. Simple cases, such as an access to information request, can take five or more years to resolve.

The problems with the existing system include:

  1. Widely differing national procedures between the 30 EU/EEA countries
  2. Conflicting requirements for hearings, evidence, and decision issuance
  3. Failure of basic information sharing between authorities
  4. Extremely slow resolution timeframes
  5. Limited accountability for inactive DPAs

The European Commission originally promised that its GDPR Procedural Regulation would deliver "faster, streamlined and simpler procedures." Yet according to noyb's analysis, the current draft achieves precisely the opposite.

A procedural nightmare in the making

What started as an effort to simplify has evolved into an extraordinarily complex framework. Rather than streamlining the core procedure, the draft texts would create approximately ten different types of possible GDPR procedures, each with various sub-variants and exceptions.

"This Regulation could have been a game changer for exercising people's fundamental rights. Instead, it looks like it will waste thousands of hours in already overworked authorities by prescribing various useless and overly complex procedural steps, which translates to Millions in taxpayer money," noted Schrems.

The European Commission's original proposal has been criticized for favoring an outdated "inquisitorial system" approach. This medieval-inspired model shields lead DPAs (particularly the notoriously slow Irish Data Protection Commission) from meaningful cooperation with other authorities or engagement with affected parties.

EU court orders Irish data watchdog to investigate Meta privacy complaint
General Court rules Irish DPC must examine noyb’s 2018 complaint over Meta’s handling of sensitive user data.
PPC LandLuís Rijo

Structural flaws in the legislative process

One fundamental problem appears to be a lack of procedural law expertise among those drafting the regulation. According to noyb, the European Commission failed to conduct proper impact assessment and stakeholder consultation before introducing its proposal.

"There is a special breed of lawyer who deals with procedural law. This know-how was clearly lacking in this dossier. It's as if I were to start practicing astrophysics tomorrow - the result would probably be of no benefit to humanity," said Schrems.

The Belgian EU Presidency reportedly pushed to "close" the file quickly by summer 2024, resulting in a "half-baked" Council position. Meanwhile, the European Parliament, despite promising initial reform efforts, has apparently abandoned most ambitions under new leadership.

Deadlines that aren't deadlines

One particularly controversial element involves procedural deadlines. Currently, Data Protection Authorities report an average case processing time of around eight months. In member states that already have deadlines, the average drops to about 4.5 months.

The European Parliament had proposed reasonable deadlines of three months for simple cases and up to nine months for complex ones. However, according to noyb, the Council has suggested extending the deadline to 33 months - nearly three years.

Even more problematic, there's currently no agreement on whether users can bring cases in their home countries. Instead, they might have to sue foreign DPAs in other EU jurisdictions over delays - a practical impossibility for most citizens.

"On average, the authorities report a duration of about 8 months for procedures. Some of the proposals by Member States are 33 months. This would be the first time you could even raise a delay with a Court, which can in turn take years to decide about a lawsuit over a delay. This is basically a free pass for DPAs to drag out procedures forever," Schrems explained.

Implications for businesses and citizens

The regulation's flaws will impact both businesses and individuals. Companies will likely face increased legal uncertainty, potentially inaccurate decisions due to limited party involvement, and higher legal costs from complicated paperwork and appeals.

For ordinary citizens, enforcing GDPR rights will become even more difficult, with longer wait times and more complex processes. The authoritarian approach in the Commission's proposal severely limits participation rights of the parties involved.

"The EU Commission's approach was to assume that DPAs know it all. Instead of hearing the parties, as is the case in almost all EU Member States, the EU Commission foresaw that parties would only be heard at the end of the investigation via a 'preliminary decision'. The rights of the parties would therefore be extremely limited," said Schrems.

Political momentum over substance

Despite widespread concerns about the regulation's effectiveness, political momentum appears to be driving it forward regardless of its flaws. Behind closed doors, many officials have reportedly acknowledged the regulation's serious problems but seem unwilling to delay its passage.

According to noyb, a common sentiment among decision-makers has been "pass it one way or another - as long as it's off my table." This prioritization of political expediency over effective legislation threatens to undermine the EU's data protection regime for years to come.

The failure is particularly concerning given the EU's recent promises to take Europeans' fundamental privacy rights more seriously and to demonstrate that GDPR represents a global "gold standard" beyond mere regulatory text.

Why marketers should care

For marketing professionals globally, this development represents a significant setback in regulatory clarity. The continued dysfunction in GDPR enforcement creates uncertainty about compliance requirements and inconsistent application of privacy rules across EU markets.

Marketing teams working with European data will face extended periods of uncertainty during compliance investigations, potentially conflicting guidance from different national authorities, and continued frustration from consumers unable to effectively exercise their privacy rights.

Rather than establishing clear, harmonized standards that would benefit both consumers and ethical marketers, the procedural regulation appears set to perpetuate a system where enforcement depends heavily on which national authority handles a case.

Timeline of GDPR procedural regulation developments

  • May 2018: GDPR enforcement begins with cooperation mechanism between national DPAs
  • 2018-2024: Widespread acknowledgment of enforcement failures and procedural problems
  • Late 2023: European Commission proposes GDPR Procedural Regulation to address cooperation issues
  • Early 2024: European Parliament begins work on reforming Commission's proposal
  • Summer 2024: Belgian EU Presidency pushes to quickly finalize Council position
  • Fall 2024-Winter 2025: "Trilogue" negotiations between EU institutions reveal serious problems
  • April 17, 2025: Noyb issues public warning about fundamental flaws in the regulation
  • 2025-onward: Unless substantial changes are made, implementation will likely create new procedural hurdles

Stories like this, in your inbox

Enter your email
Subscribe