From cooperation to confusion: The state of cross-border GDPR enforcement, by Lisette Mustert

Introduction

Enforcement of the General Data Protection Regulation (Regulation 2016/679 or GDPR) is primarily organised through a decentralised framework, where national supervisory authorities (SAs) are tasked with monitoring and supervising the diverse market of small and large data controllers and processors. The rapid pace of technological developments and the increasing prevalence of cross-border data flows have introduced new challenges to the effective protection of individuals’ rights to privacy and personal data protection through public enforcement mechanisms. In particular, the frequent cross-border nature of personal data processing has rendered enforcement inherently transnational.

To address this, the GDPR establishes a (complex) cooperation mechanism according to which national SAs across different Member States are required to coordinate the outcome of enforcement procedures and address GDPR violations together – potentially with the involvement of the European Data Protection Board (EDPB) too. This mechanism has been criticised from the outset for its procedural complexity. These concerns have been reinforced by emerging evidence of under-enforcement in cross-border cases (Gentile and Lynskey 2022). The recently agreed GDPR Procedural Regulation (a provisional agreement was reached between the EU Parliament and the Council on 16th June 2025), intended to clarify and streamline these processes, may in fact seem to add further layers of complexity to an already intricate system.

Administrative cooperation under the GDPR

When addressing cross-border violations of the GDPR, a single SA – referred to as the lead SA – takes the lead in the enforcement process. However, it is required to cooperate closely with other concerned authorities pursuant to the GDPR’s cooperation and consistency mechanisms for several reasons. First, administrative cooperation facilitates access to evidence and relevant information across Member State borders, effectively mitigating concerns tied to territorial sovereignty and enabling cross-border oversight and control. For that purpose, SAs are enabled to exchange information, provide mutual assistance, and carry out joint operations under Articles 61 and 62 of the GDPR. Beyond practical reasons for cooperation, the GDPR establishes obligations aimed at fostering consistency in enforcement. This includes a duty to work towards consensus among the authorities involved in cross-border cases (Article 60 GDPR). As Advocate General Bobek observed in his Opinion in Case C-645/19, such a form of cooperation may function as a means to overcome administrative inertia – akin to ‘peer pressure’ among supervisory authorities. The cooperation mechanism thereby also reflects the principle of proximity, according to which every SA should be able to protect its data subjects, even if these data subjects are affected by processing that physically takes place outside its territory (see Council Doc. 14149/13 of 7 and 8 October 2013, p. 7). However, in the absence of more clearly defined procedural rules, the cooperation mechanism may fall short of fulfilling its intended role in ensuring robust and harmonised enforcement of the GDPR.

The challenge of cooperation without defined procedures

While the GDPR envisions that the outcome of a cross-border enforcement procedure follows from collaborative efforts among the lead and all concerned SAs, the practical reality often diverges from this ideal. Several shortcomings undermine the effectiveness of the GDPR’s cooperation mechanism.

First, the cooperation procedure under the GDPR is notably under-proceduralised and leaves the lead SA discretion as to what information to share with concerned authorities, how it should be presented, and at what stage of the enforcement procedure (Gentile and Lynskey 2022). This lack of harmonisation leads to inconsistencies in practice and grants the lead SA disproportionate control over the process. In particular, the lead SA can in practice limit the effective involvement of concerned SAs by withholding relevant information. When concerned SAs are excluded in this way, they will be unable to meaningfully participate in the consensus-building process intended by Article 60 (Mustert 2021).

Second, conflicts between national procedural law and the GDPR may further complicate effective enforcement cooperation. One example is the exchange of confidential information among authorities. In Luxembourg, for example, SA members and officials are authorised to share such information with SAs in other Member States only where these authorities are covered by an obligation of professional secrecy equivalent to the Luxembourg standard and insofar as these authorities provide the same information to the Luxembourgish SA (see Articles 42 and 44 of the Luxembourgish Act of 1 August 2018).

Third, there is growing reliance on informal forms of cross-border GDPR enforcement. On the one hand, this is because various SAs have a strong preference for settling or resolving cases without lifting them to the formal enforcement procedure (González Fuster 2024; Hofmann and Mustert 2024). These cases will side-line concerned SAs, as the matter will never be submitted to the GDPR’s cooperation procedure for consensual decision-making, which reinforces the lead SA’s dominant position. On the other hand, when cases proceed to the formal enforcement stage, informal cooperation practices – often carried out through voluntary workflows within the Internal Market Information System (IMI), the designated IT network for administrative cooperation – remain commonplace. This reliance on informal mechanisms is characterised by the absence of binding legal deadlines or enforceable consequences for non-compliance with the duty of sincere cooperation (Mustert 2023). As a result, the necessary degree of peer pressure to ensure effective enforcement is insufficiently maintained.

These concerns influence not only horizontal cooperation among the SAs, but also the vertical relationship with the EDPB. The EDPB, when exercising its dispute resolution or urgent decision-making powers under Articles 64 to 66 GDPR, is entirely dependent on the information submitted by national SAs. As the EDPB lacks independent investigatory powers, its effectiveness is compromised when the case file it receives is incomplete.

The Commission Proposal streamlining GDPR enforcement cooperation

In view of the concerns outlined above, the EU Commission’s proposal in July 2023 for a Regulation to ensure stronger enforcement of the GDPR was a welcome and necessary development. The proposed Regulation seeks, among other objectives, to streamline the cooperation and dispute resolution mechanisms applicable to cross-border cases. While this initiative is currently being discussed by the Parliament and Council in the trilogue, leaked drafts of the negotiations indicate that substantial concerns persist. In fact, the EDPS and EDPB had already highlighted key issues early on in their Joint Opinion 1/2023.

The Commission’s Proposal seeks to enhance the existing enforcement framework under the GDPR by setting out more structured cooperation procedures among SAs. A key objective is to ensure the meaningful involvement of concerned SAs from the early stages of the enforcement process and throughout its course. For instance, the Proposal requires the lead SA to prepare and share a summary of key issues after forming a preliminary view on the main aspects of an investigation, and again once preliminary findings have been established. This initiative is intended to mitigate the disproportionately influential role of the lead SA, which under current practice may limit the flow of information to concerned SAs until the final stages of enforcement – at which point their ability to meaningfully intervene is significantly reduced.

However, the Proposal and amendments made by the Council and the Parliament have faced criticism. NGOs such as NOYB and Access Now have expressed serious concerns and warn that the draft agreement risks undermining effective enforcement through the introduction of prolonged deadlines and unnecessarily complex procedures. More particularly, NOYB has rightly raised concerns that the proposed system introduces a proliferation of procedural steps and administrative burdens – with cases now potentially being subject to various forms of ‘regular cooperation’ or ‘enhanced cooperation’ procedures. Furthermore, documents are shared in different files – administrative and cooperation files – in multiple versions for different authorities and parties. Rather than establishing a centralised digital system to manage all documentation, the draft agreement envisions a limited repository for select documents while the majority of case files are to be stored and manually exchanged between more than 40 national SAs. Therefore, NOYB has indicated the possibility of initiating an action for annulment before the CJEU. In a similar vein, Access Now warns of further embedding of the lead SA’s outsized role – particularly regarding case file ownership and management of confidential information – while sidelining the concerned SAs. They even argue that “the increased complexity by overlapping procedures and routes increase legal uncertainty and risk bureaucratic deadlocks contradicting the EU’s aspiration to simplify procedures and improve legal quality”.

Enforcing the right to personal data protection through other sectoral laws

Enforcement of the EU’s personal data protection framework is increasingly challenged by ongoing legislative developments. In particular, the EU’s broader digital regulatory agenda – comprising instruments such as the Digital Markets Act (DMA), Digital Services Act (DSA), Artificial Intelligence Act (AI Act), and Data Governance Act (DGA) – presents significant substantive and procedural overlap with the GDPR. This overlapping regulatory landscape risks undermining the coherence of personal data protection in the EU, potentially leading to legal uncertainty and regulatory fragmentation (Beems 2023; Demkova and de Gregorio 2025). These risks inevitably spill over into the enforcement domain.

Although effective and consistent enforcement may be partially safeguarded through administrative cooperation among the various authorities established under these instruments and the SAs, such cooperation is not always sufficiently embedded or proceduralised. A prominent illustration can be found in the Meta Platforms case. Confronted with a legislative gap, the CJEU articulated the need for cooperation and coordination between SAs and competition authorities. It affirmed that national competition authorities may consider compliance with the GDPR in the context of abuse of dominance investigations. In its argumentation, the Court invoked the principle of sincere cooperation under Article 4(3) TEU to promote such coordinated enforcement action (see paras. 53–54 and 62–63). The importance of structured cooperation has also been recently underscored by the EDPS in its concept note on the Digital Clearinghouse 2.0. The note advocates for enhanced cooperation among authorities across the digital regulatory spectrum, proposing the Clearinghouse 2.0 as a potential platform to facilitate this objective.

Nevertheless, despite references to cooperation in the relevant legislative acts, such provisions often remain underdeveloped in procedural terms. This raises concerns not only about the clear allocation of competences among supervisory authorities but also about the preservation of the independent supervision of the EU’s data protection standards, as mandated by primary EU law (Art. 8 CFR and Art. 16 TFEU). In particular, there is a risk that authorities established under legal frameworks other than the GDPR may not be subject to the same stringent independence requirements, thereby compromising the integrity of the data protection supervisory architecture.

Concluding remarks

While the CJEU has emphasized that “the lead supervisory authority cannot, in the exercise of its competences […] eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned” in Facebook Ireland Ltd v Gegevensbeschermingsautoriteit, significant concerns persist. These concerns are amplified by ongoing legislative developments and questions of whether sincere, informed, and effective participation by all SAs – and by SAs and authorities established in other legislative initiatives – in the enforcement process will be improved, or in fact worsened.

To ensure effective transnational enforcement of the EU’s data protection rules, it is crucial that cooperation between authorities is established early on and maintained throughout the enforcement procedure, that authorities have equal and transparent access to relevant documentation through joint case files, and that effective escalation mechanisms to the EU level are available in instances where sincere cooperation is lacking. Only through such measures can the national supervisory authorities ensure consistent and effective cross-border enforcement of the GDPR. This is essential not only to uphold the GDPR’s integrity but also to safeguard the fundamental rights and freedoms of individuals throughout the European Union.

Posted by Lisette Mustert, Assistant Professor of Administrative Law at Utrecht University, member of the Utrecht Centre for Regulation and Enforcement in Europe (RENFORCE).

This blog piece draws on the chapter ‘Administrative cooperation in data protection policy’ in E Chevalier, M Eliantonio and R Lanceiro (eds) Administrative cooperation in the European space (Bruylant 2025) 263-286

Editorial note: This blog piece has been updated on 28th June 2025 to take into account that the GDPR procedural regulation has been provisionally agreed whilst this piece was scheduled for publication.