Incoming rules to harmonize European Union cross-border data protection enforcement are overall welcome by Ireland's Data Protection Commissioner Dale Sunderland, whose office is among the bloc’s most active data protection authorities. But Sunderland, a keynote panelist at the IAPP Europe Data Protection Congress 2025, was unsure about the long-term efficacy of the new enforcement framework.
The Council of the European Union adopted rules aimed at speeding up cross-border data protection complaints on 17 Nov. Key among those changes are setting requirements for how long investigations should take — no longer than 15 months with exceptions for more complex cases — and simplifying the cooperation process and harmonizing the requirements for cross-border action admissibility.
Sunderland said there was a “question mark” over the impact of the new time limits, saying it could lead to a significant need for more resources to handle complaints. Ireland’s DPC has seen a 50% increase in complaints this year, he said, and already dedicates about 45% of its staff to complaints — not including those working on large-scale enforcement efforts.
“We also want to be very careful that we don't end up with the unintended consequence that it takes resources away from more proactive, interventionist work,” Sunderland told the IAPP following his appearance on the keynote stage. “So, there's still a number of things to be considered, but overall, very supportive.”
A time of change
Sunderland's comments come as the bloc faces digital regulatory upheaval. The long-rumored omnibus package from the European Commission was unveiled hours after the IAPP keynote panel.
IAPP Editorial Director Jedidiah Bracy reported from European Commission press conference unveiling the draft simplification package. GDPR-related proposals include allowing legitimate interests to be a legal basis for processing data for AI-related purposes, cookie banner reform and a data breach notification portal.
While the fate of the omnibus is likely to play out slowly over a fraught political process, the enforcement harmonization changes are set to take effect 15 months after its entry into force.
The changes could change the shape of enforcement in Ireland, where Sunderland’s office is the lead supervisory authority for many high-profile tech companies with EU headquarters in-country. Ireland’s DPC has levied 4.5 billion euros in fines since the EU General Data Protection Regulation was implemented. Among its landmark cases are steep fines against Meta, TikTok and LinkedIn, addressing a range of issues including cross-border data transfers, targeted advertising and children’s data protection standards.
Sunderland said the harmonization changes will not impact the DPC’s ongoing investigations since they apply to future cases. He said some elements, like common rules for rights of complainants and for companies and organizations to be heard, are already in line with how the DPC operates.
Other updates, like the timeline requirements, will require a “big body of work” from regulators before the rules come online, he said.
The effect of the omnibus was less certain. In remarks before the Commission officially published the draft package, Sunderland said he expected his office would closely monitor for any potential impact on individual protections and actively engage with the European Data Protection Board as it shapes its opinion on the Commission’s proposal.
Ireland’s DPC is open to changes that keep the principles and protective nature of the GDPR intact. Sunderland indicated there could be better enforcement outcomes down the line if, for instance, certain aspects of the GDPR are clarified, which would help data protection authorities do their jobs quicker.
“There may be upsides too, perhaps, if there are other measures which reduce more administrative burdens on companies, perhaps that may have an advantage too,” he said.
Caitlin Andrews is a staff writer for the IAPP.
