A missed opportunity for enforcement: what the final GDPR Procedural Regulation could cost us

A new law, a familiar problem

In June 2025, EU policymakers agreed on the final version of the so-called ‘General Data Protection Regulation (GDPR) Procedural Regulation’. This new law is supposed to make it easier and faster for national privacy watchdogs and Data Protection Authorities (DPAs) to handle complaints when more than one EU country is involved, a process that has become known for long delays, conflicting interpretations, and missed opportunities to uphold people’s rights.

The need for such a law was widely recognised. From complaints about surveillance-based advertising to data-driven discrimination, enforcement failures have allowed some of the most powerful actors to continue violating the GDPR with little consequence.

The Regulation includes some important changes. It introduces a 12-month deadline for issuing a draft decision in ‘regular’ procedures, formalises new cooperation tools between regulators, and includes a long-overdue requirement to issue a decision in every case. These are welcome improvements, and the result of long-standing efforts by civil society and committed negotiators.

But overall, we are afraid that the text falls short of what is needed, and that it does not fix the systemic weaknesses that have slowed enforcement or made it inaccessible to many. Instead, it could make it harder for people to exercise their rights, reduce transparency, and create new risks for human rights across the EU, particularly when it comes to Big Tech corporations but also in other contexts.

Why this matters for digital rights

This may sound like a technical regulation. But the consequences are deeply political.

When enforcement is slow, confusing or unfair, those already facing discrimination and marginalisation are hit the hardest. People whose data is misused – from racialised communities to gig workers and other vulnerable communities – are often left without answers or support.

If this law allows complaints to be reshaped behind closed doors, or lets authorities withhold information from complainants, it risks making meaningful redress impossible. The Regulation creates rules that potentially treat people as passive observers in their own cases, rather than active participants. It allows national authorities to limit access to the case file and withhold critical information (resorting to doubtful claims of confidentiality that impede accountability), change the scope of complaints, or settle disputes early, potentially even without hearing from those directly affected.

For someone trying to challenge the misuse of their personal data, this could mean never understanding what happened, never being heard, and never getting justice.

That is not just a bureaucratic issue. It is a direct threat to people’s ability to protect their dignity, safety, and equality in a digital world.

What’s at stake: from slow enforcement to no enforcement

The 12-month deadline for issuing a draft decision is a meaningful step forward. It provides, for the first time, an overall timeframe that applies to most cross-border GDPR procedures. This deadline, combined with the formal requirement to issue a decision in every case, could help address long-standing delays, particularly in cases that were previously allowed to stagnate indefinitely.

But those positive steps exist within a broader system that still grants disproportionate discretion to lead supervisory authorities (normally Ireland) and provides few safeguards for complainants or concerned regulators. The ‘simplified procedure’, which was meant to fast-track easy cases, can be simply bypassed, and is not necessarily simpler. Authorities can also engage in early resolution with companies without strong procedural guarantees or clear transparency requirements. Both complainants and companies might be left with even less legal certainty than what they have now.

Amongst other issues, the law does not include a Joint Case File – a record of the case accessible to all involved in the process – which could have ensured shared access to information for all parties. Instead, national DPAs are allowed to withhold documents on broad confidentiality grounds, making it more difficult for people to challenge dismissals or access legal remedy.

What should have been a tool to improve cooperation may instead reinforce procedural imbalances and shield under-enforcement from scrutiny.

A missed chance, and a dangerous opening

For civil society, this is a missed opportunity. EDRi and many of its members – including Access Now, noyb, and others – together with other organisations like The European Consumer Organisation (BEUC) and academics have been deeply engaged in trying to improve this Regulation. We have published position papers, shared real-life examples of procedural injustice, and warned against the risks of disempowering complainants or replicating the very enforcement failures the law was meant to solve.

Some of our concerns were heard. But many remain unresolved. Or worse still, entirely dismissed.

Even more concerning is what might come next

There is now a real risk that this Regulation will be used as a stepping stone to reopen the GDPR itself. Some actors already argue that the GDPR is too complex or too strict. If this new law does not lead to stronger and fairer enforcement, it could be cited as proof that the entire framework needs to be overhauled. This will not fix the political and structural causes of under-enforcement. It will simply open the door to proposals that weaken rights in the name of simplification.

That is why this moment matters. A weak procedural law doesn’t just fail to fix enforcement: it could become the justification for dismantling the GDPR.

Because ‘simplification’ seems to be the name of the game, it’s important to emphasise how little this new piece of law simplifies access to justice for people in the EU. It can even make life harder for DPAs attempting to implement the new rules. The Regulation creates a paradox where processes might look more streamlined on paper but are actually more opaque and restrictive in practice.

What now? Focus on real enforcement, not more excuses and red herrings

The EU now faces a choice. Either it treats the adoption of this Regulation as a springboard for robust and consistent enforcement – something that it should have done years ago – or it allows it to become another symbolic law that leaves the hardest problems untouched.

Fixing enforcement does not require more legislation. It requires political will, proper resourcing of DPAs, clear transparency and oversight mechanisms, and the courage to challenge powerful actors when rights are at stake.

Institutions and regulators must:

• prioritise enforcement that protects people, not procedures;
• ensure the new Regulation is implemented in a way that upholds access to remedy, transparency, and equality;
• monitor the enforcement of the Regulation and include an ad-hoc section evaluating its application and efficiency in the periodic documents that provide an assessment of the implementation of the GDPR;
• resist any future pressure to water down the GDPR itself under the guise of fixing its enforcement.

At EDRi, we will continue to monitor how this Regulation, and GDPR as a whole, are implemented. We will continue to support people and communities harmed by unlawful data practices, and advocate for enforcement that delivers on the GDPR’s promise.