
EU lawmakers announce deal on cross-border GDPR enforcement procedures

Contributors:

Joke Bodewits

Partner

Hogan Lovells

Julian Flamant

CIPP/E

Senior Associate

Hogan Lovells US

Henrik Hanssen

Corporate Counsel

Salesforce

Julie Schwartz

Counsel

Hogan Lovells

Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

On 16 June, the Council of the European Union and European Parliament announced a provisional agreement on the long-awaited General Data Protection Regulation Procedural Regulation, a key piece of legislation aimed at harmonizing cooperation between EU member state data protection authorities in cross-border enforcement cases.

The agreement marks a near-final step in the EU's legislative effort to formalize consistent procedural rules for the operation of the GDPR's cooperation and consistency framework.

The procedural regulation supplements the GDPR by harmonizing procedural rules that apply when an investigation by a data protection authority involves processing activities affecting individuals in more than one EU member state — for example, cross-border processing.

The GDPR's cooperation and consistency framework

The GDPR's one-stop-shop mechanism, under Article 56, is designed to streamline supervision of cross-border data processing. When a controller or processor operates in multiple EU member states, or when its processing activities substantially affect individuals in more than one EU member state, a single lead supervisory authority — typically located where the controller or processor has its main establishment — is designated to lead the investigation.

The lead supervisory authority (LSA) coordinates with other concerned supervisory authorities under Article 60, sharing information, consulting on draft decisions and resolving disagreements. If consensus cannot be reached, the matter may be referred to the European Data Protection Board (EDPB) under the consistency mechanism set out in Articles 63 to 65. The EDPB may issue binding decisions to ensure uniform application of the GDPR across the EU.
