Dear Representatives of the European Parliament, the European Council, and the European Commission,
Access Now — an international organisation defending and extending the digital rights of people and communities at risk around the world — demands urgent action on the proposed General Data Protection Regulation (GDPR) Procedural Regulation, ahead of its final trilogue on May 21.
The GDPR is a landmark legislation for fundamental rights and a robust legal framework on paper; however, its enforcement has fallen short. GDPR complaints are resolved very slowly and inconsistently across the European Union (EU), cross-border cooperation is hampered, and the application of the law remains fragmented. This continues to undermine people’s access to justice, delay outcomes, and allow companies to evade accountability — fostering a system of “business as usual.” Recognising these enforcement gaps, we strongly supported the Commission’s decision to launch an initiative aimed at establishing clear, harmonised procedural rules and their decision to focus their efforts on strengthening the practical impact of the GDPR. This effort represents a crucial step toward closing loopholes that have long hindered effective enforcement. Without such harmonisation, the GDPR risks becoming a set of lofty principles with little practical impact — leaving people’s rights unprotected.
Yet, with negotiations nearing their conclusion, the current draft — without critical improvements — risks becoming a missed opportunity that weakens people’s access to justice and undermine its core goal: strengthening GDPR enforcement by partially harmonising procedures, rendering Data Protection Authorities (DPAs) cooperation simpler and faster, ensuring consistency, and reducing discrepancies across Member States. While the proposed regulation clarifies how DPAs should work together, the current draft falls short by:
- Limiting party rights by involving both the party under investigation and the complainant too late in the process, restricting their ability to contribute meaningfully and contradicting the need for timely, fact-based decision-making;
- Specifically placing limits on how people can participate in complaints they bring to DPAs around misuse of their data. The draft places an extra barrier to the complainant’s enjoyment of their right to be heard and access to file, as guaranteed by in Article 41 of the Charter of Fundamental Rights of the EU, further weakening their ability to meaningfully participate in the process — especially compared to the already powerful counterpart;
- Over centralising some powers in the Lead Supervisory Authorities (LSAs) — particularly regarding file ownership and confidentiality management — while sidelining the concerned Supervisory Authorities (CSAs). This weakens cooperation and endangers the principle of proximity (local access to justice) — placing extra hurdles on the CSAs, ultimately causing delays.
- Adding unnecessary complexity by introducing overlapping procedures and routes that increase legal uncertainty and risk bureaucratic deadlocks contradicting the EU’s aspiration to simplify procedures and improve legal quality
- (Possibly) introducing very long deadlines without robust accountability mechanisms — contradicting the main goal of faster enforcement;
- Disregarding possible inconsistencies with national protections as some Member States may lose stronger existing safeguards or end up with much longer procedures than what they currently have. The interplay with national law should be more strongly addressed.
This regulation must close the enforcement gap — not deepen it. To achieve this, we call on EU negotiators to:
- Set short, enforceable deadlines for both the regular and simplified procedures with only limited justified extensions;
- Prioritise legal clarity, coherence, and ground the regulation in EU Law — specifically the Right to Good Administration and relevant Court of Justice EU jurisprudence to ensure legal clarity;
- Take the time necessary to implement the required substantial improvements and to ensure the regulation is effective, rights-respecting, and enforceable in practice. The provisions must be coherent and guide practical enforcement across Member States. In procedural law, every detail matters. The law’s quality will determine its impact;
- Revisit problematic provisions and preliminary trilogue agreements
- Reinforce party rights, guaranteeing prompt and equal access to file and the right to be heard by both parties.
- Protect proximity and cooperation by avoiding over-centralisation of powers in the LSAs and ensuring all CSAs are meaningfully involved.
- Revisit the necessity of complex extra procedures, reconsidering the need for additional mechanisms like the early resolution procedure in Article 5, and focusing instead on a strong, core process.
- Reassess confidentiality provisions to ensure rules of the LSA’s country do not override other Member States and obstruct further transparency or access to justice.
Access Now urges the EU to stay focused on what matters most: strong, effective GDPR enforcement and protecting people’s fundamental rights — not reopening its core rules. This regulation is a critical opportunity to remove barriers that prevent people from exercising their rights and to fix the enforcement gap that has long undermined the GDPR’s promise. Simplify procedures for people to enjoy their rights, not core data protection obligations; and strengthen accountability and support the instrument of putting people in control of their personal data, not ease corporate obligations. Now is the time to prove that the EU stands by its commitment to fundamental rights and that the GDPR is not just a gold standard on paper, but a living, enforceable safeguard for people in the digital age. We stand by you in prioritising GDPR enforcement and call for the time and effort needed to get it right.