Before the summer of 2023, the European Commission (EC) will propose a new law aimed at improving how the privacy regulators of the various European Union (EU) countries enforce the General Data Protection Regulation (GDPR).


A watershed moment in global tech regulation occurred in 2016, when the GDPR was adopted, as companies were forced to abide by new privacy standards which included asking for consent to collect people’s data online. Also, the possibility of receiving substantial fines for noncompliance was introduced.

Five years down the road, activists, experts and some national privacy watchdogs have become frustrated at what they see as an inefficient system to tackle major cases, especially in instances when Big Tech companies are involved.

Another aspect receiving attention is the powerful role that the Irish Data Protection Commission has under the one-stop shop rule, which directs that most major investigations be handled by the Irish authorities, as tech companies like Meta, Google, Apple and others have established their headquarters there. The Irish and – to a lesser extent – Luxembourg authorities have received frequent and mounting criticism in recent years.

The EC is set to introduce a new EU regulation in the second quarter of 2023, which will set clear procedural rules for national data protection authorities dealing with cross-border investigations and infringements. The EC has been quoted as saying that the law “will harmonize some aspects of the administrative procedure in cross-border cases and support a smooth functioning of the GDPR cooperation and dispute resolution mechanism.”

Last year, the European Data Protection Board (EDPB) sent the EC a “wishlist” of procedural law changes to improve enforcement. Some ideas included setting deadlines for different procedural steps in handling cases and harmonizing the rights of the different parties involved in EU-wide investigations.

The EC wants to keep the new regulation very targeted and limited. This is partly because it is expecting that tense discussions with data privacy watchdogs, campaigners and Big Tech lobbyists will result from the new regulation.

Furthermore, it is not only lobby groups that are expected to jump on the EC’s new privacy regulation. Regulators have also clashed over how to interpret and enforce the GDPR. The result has often triggered dispute resolutions and the delay of cases. The EC has said that “nobody will be happy with the Commission proposal as usual, because the data protection authorities agree on the problem but they do not agree on the solutions.”

The EU executive only has a short window of time to push this new text through the EU legislation train as European elections are set for Spring 2024.

While this new law is expected to solve the enforcement flaws of the GDPR, it could open a Pandora’s box of lobbying and regulator infighting. This is a development that will definitely be closely monitored.
