Making cross-border GDPR enforcement work better for consumers

The General Data Protection Regulation (GDPR) upholds people’s fundamental right to personal data protection in the EU. However, consumers and consumer organisations and organisations representing them face disproportionate hurdles when lodging complaints before data protection authorities, particularly in cross-border cases. These have a knock-on effect in delaying timely resolutions to potential GDPR breaches by companies and undermining the success of the GDPR. For example, as of November 2024, BEUC and its members are still waiting for a resolution to complaints they filed in 2018 against Google for the company’s location-tracking practices.

To resolve some of these issues, the European Commission proposed a Regulation laying down additional procedural rules relating to the enforcement of the GDPR in July 2023. The amendments proposed by the co-legislators bring several improvements to the Commission’s proposal. While both the Council and the European Parliament seem to largely agree on the need for changes to the Commission proposal, both versions would benefit from technical changes to ensure more effective and rights-protective enforcement as well as legal certainty.

This paper sets out how BEUC would improve cross-border enforcement of the GDPR so that the law benefits consumers as much as possible. Recommendations include:

• Establishing comprehensive and specific time limits for both the lead and concerned authorities under the cross-border mechanism.

• Guaranteeing the right to be heard of complainants at relevant stages of the procedure, including following the preliminary findings and at the draft decision stage.

• Ensuring that it is easy to lodge complaints for individuals and civil society groups and that investigations are opened in a timely manner.