The European Data Protection Board asked the European Commission on 17 July 2026 to propose a legal basis that would let regulators in different fields exchange information, including confidential information, as data protection authorities warn that a rising volume of complaints driven partly by artificial intelligence is stretching their capacity to enforce the General Data Protection Regulation.

The request came out of a high-level meeting held in Dublin on 16 and 17 July 2026, where the Board, which brings together the data protection authorities of the European Economic Area, set two priorities: a statutory route for cross-regulatory information sharing, and a set of practical measures to make cross-border enforcement of the GDPR faster and less resource-intensive. Both point to the same underlying strain. Data protection sits next to competition law, consumer law, digital markets rules and cybersecurity, and enforcement in one field increasingly depends on facts held by regulators in another.

What the Board asked for

The core ask is narrow but consequential. The Board called on the Commission to propose a legal basis for cross-regulatory information sharing that would allow regulators to exchange information relevant to enforcement within their respective areas of competence. The point of emphasis is that this would extend to confidential information, which regulators generally cannot pass to one another without an explicit statutory gateway. Without such a gateway, an authority investigating, for example, a consent mechanism that raises simultaneous questions under data protection, competition and consumer law cannot freely share what it finds with the other regulators looking at the same conduct.

EDPB Chair Anu Talus framed the request as a lesson drawn from practice rather than theory. According to the EDPB, Talus said that first-hand experience of cooperating with other EU digital regulators at both national and EU level "has highlighted the need for stronger legislation to facilitate more effective cross-regulatory cooperation, including enhanced information sharing." She added that this "will help remove barriers to cooperation and help improve enforcement outcomes and cross-regulatory coherence."

The problem is not new to the Commission. Its own second report on the application of the GDPR, adopted on 25 July 2024, identified the same gap. That report noted that data protection issues increasingly intersect with competition law, consumer law, digital markets rules, electronic communications regulation and cybersecurity, citing the assessment of "pay or OK" models as a case where several bodies of EU law apply at once. New digital regulations have created bespoke coordination structures, among them the Digital Markets Act high-level group, the European Data Innovation Board and the European Board for Digital Services. The report concluded that these were not sufficient and that there was a need for more structured and efficient means of cooperation, in particular to address situations that affect a large number of individuals and involve several regulators.

The AI dimension

The Dublin meeting connected that structural point to a workload problem. According to the EDPB, data protection authorities are facing a considerable rise in the number and complexity of complaints, among other reasons as a result of the increased use of AI, and this is placing additional strain on already stretched resources. The Board described the effect plainly: the pressure is limiting all authorities' ability to perform their tasks and exercise their powers under the GDPR efficiently.

The figures in the Commission's second report give a sense of the baseline against which that increase is landing. Data protection authorities across the EU collectively receive over 100,000 complaints per year. They have launched over 20,000 own-initiative investigations since the regulation took effect. The report also recorded a resourcing picture that authorities themselves considered inadequate despite improvement: between 2020 and 2024, all but two authorities saw staff increases, with the rise exceeding 25 percent in 14 member states, yet the authorities still reported that they lacked sufficient human resources and, in particular, the specialised technical knowledge needed for new and emerging technologies. That gap in technical expertise is precisely the one that AI-related complaints test.

The strain has a documented downstream effect. PPC Land reported that Portugal's data protection authority opened 3,201 cases and 2,037 investigations in 2025 but applied just two fines totalling 47,000 euros across the entire year, a gap that illustrates how case volume and enforcement output can diverge sharply.

Boosting cross-border enforcement

The second strand of the Dublin discussions concerned the machinery that already exists for cross-border cases, and how to make it work harder. Under the GDPR's one-stop-shop system, a lead supervisory authority handles a case involving cross-border processing and coordinates with the other authorities concerned. That system has generated a large body of activity. The Commission's second report recorded almost 2,400 case entries in the Board's information exchange system, around 1,500 draft decisions issued by lead authorities, of which 990 resulted in final decisions finding an infringement, and almost 1,000 formal mutual assistance requests alongside around 12,300 informal ones.

Set against those numbers, one cooperation tool has barely been used. The report noted that although the Board adopted guidelines on joint operations in 2021, authorities have still not made significant use of them, citing differences in national procedures and a lack of clarity on the procedure as the main reasons. Only five joint operations had been initiated, involving authorities from seven member states. The Dublin meeting returned to this tool directly. To further boost cross-border enforcement, the Board discussed how to pool resources, including the possibility for complaint-receiving authorities to make resources available to lead supervisory authorities where useful.

Des Hogan, Chairperson and Commissioner for Data Protection in Ireland, tied the joint-operations question to the resource question. According to the EDPB, Hogan said that greater use of joint operations "will help DPAs pool resources and carry out their enforcement actions with greater efficiency." He added that through information sharing and joint operations, authorities would "support consistent and effective enforcement, better protect individuals and provide greater regulatory clarity and certainty for industry."

The Procedural Regulation as the backdrop

Hovering over both strands is a piece of legislation still in negotiation. The Commission adopted a proposal for a Regulation on procedural rules in July 2023, drawing on a list of issues the Board submitted in October 2022. The proposal lays down detailed rules on cross-border complaints, the involvement of the complainant, the due-process rights of the parties under investigation, and cooperation between authorities. At the time of the second report it was being negotiated by the European Parliament and the Council. The Dublin statement indicated that authorities will organise a series of workshops on enforcement procedures and to exchange information on national practices, explicitly in the context of implementing what the Board called the upcoming Procedural Regulation, and Hogan noted that the regulation codifies many authorities' existing practices.

The reform has drawn scrutiny rather than uniform welcome. As PPC Land documented in its coverage of the OpenAI cross-border ruling, the proposed Procedural Regulation has been criticised for risking additional complexity, with the potential to add roughly ten different types of GDPR procedures rather than streamlining the system. That tension, between codifying practice and multiplying procedural steps, is part of what the workshops announced in Dublin will have to navigate.

Why consistency is hard to guarantee

The Board was candid about the limits of its own reach. It noted that consistency depends on a broad range of actors and actions, sometimes going beyond what the EDPB itself can control, for example where the issue relates to national legislation or case law. In response, members committed to expanding the Board's dialogue with other actors across the data protection ecosystem.

The candour reflects a documented pattern. The Commission's second report found that data protection authorities continue to adopt diverging interpretations of key concepts, which stakeholders identified as the principal obstacle to consistent application of the GDPR. The report gave concrete examples: authorities in three member states each took a different view on the appropriate legal basis for processing personal data in a clinical trial, and there were frequently diverging views on whether an entity is a controller or a processor. It also recorded that in some cases authorities do not follow the Board's guidelines, or publish national guidelines that conflict with them, a problem compounded when multiple authorities within a single member state adopt conflicting interpretations.

National courts have added their own layer of unpredictability to the enforcement picture, particularly where the largest penalties are concerned. PPC Land reported that a Luxembourg court annulled Amazon's 746 million euro GDPR fine and sent the case back to the regulator, finding that the supervisory authority had applied what amounted to near-automatic issuance of a fine without properly assessing fault or weighing alternative corrective measures. Separately, PPC Land covered an analysis finding that nearly 40 percent of the 7.1 billion euros in announced GDPR fines have been annulled or are under active legal challenge. Against that record, the Board's push for smoother information sharing and joint operations reads as an attempt to build enforcement that can survive judicial review, not only reach a decision.

The Helsinki inheritance

The Dublin meeting also took stock of what the Board had done since its previous high-level statement. The EDPB reviewed the actions taken following the 2025 Helsinki Statement on enhanced clarity, support and engagement, listing improvements in the speed and quality of its guidance, the adoption of cross-regulatory guidance, the provision of templates and stronger stakeholder engagement, and committed to continue building on that work.

Several of those Helsinki commitments have produced concrete outputs that PPC Land has tracked. The Board's first-ever data protection impact assessment template, a direct Helsinki deliverable, was adopted on 10 March 2026, giving controllers a standardised starting point for the assessments the GDPR requires. On the cross-regulatory front specifically, the Board's 2025 annual report described the October 2025 joint guidelines on the interplay between the Digital Markets Act and the GDPR as the first guidelines ever jointly prepared by the EDPB and the European Commission, addressing the overlap that has driven enforcement against gatekeepers designated under the DMA. The Board has also issued guidance clarifying how the DSA and GDPR interact for platforms subject to both. Those guidelines show the Board attempting cross-regulatory coherence through interpretation. The Dublin request is a bid to secure the same coherence through a statutory information-sharing gateway that interpretation alone cannot supply.

What it means for the advertising and marketing sector

For companies whose data practices are examined under more than one body of EU law at the same time, the significance is direct. Behavioural advertising has repeatedly sat at the intersection of data protection, competition and consumer rules. The Meta "consent or pay" saga is the clearest example: the European Consumer Organisation found in March 2026 that Meta's updated consent-for-ads mechanism still failed to comply with the DMA, the GDPR and the Unfair Commercial Practices Directive simultaneously, a finding addressed to the Commission, the Consumer Protection Cooperation Network and national data protection authorities at once. A statutory gateway that let those bodies share confidential findings would change how such overlapping cases proceed.

The AI angle raises the stakes further for advertising technology specifically. As AI-driven campaign automation becomes standard across major demand-side platforms, the processing that advertisers and their technology partners carry out is more likely to trigger data protection obligations and, in turn, complaints. The strain the Board described is therefore not confined to regulators. It shapes the pace and predictability of the enforcement that martech and adtech firms operate under, in a market where European digital advertising reached 118.9 billion euros in 2024 according to IAB Europe's AdEx Benchmark data.

The Board's requests now sit with other institutions. The legal basis it wants requires the Commission to draft a proposal and the Parliament and Council to negotiate it, a process that has no fixed timetable. The joint-operations and resource-pooling measures depend on authorities choosing to use tools that have so far seen limited uptake. Whether either shifts the enforcement picture will be measured against the Commission's next report on the application of the GDPR, due in 2028.

Timeline

  • 25 May 2018: The GDPR takes effect across the EU and EEA
  • 2021: The Board adopts guidelines on joint operations, a tool authorities subsequently make little use of
  • October 2022: The Board submits a list of procedural issues to the Commission
  • July 2023: The Commission adopts its proposal for a Regulation on procedural rules
  • 25 July 2024: The Commission adopts its second report on the application of the GDPR, flagging the need for structured cross-regulatory cooperation
  • 2025: The EDPB adopts the Helsinki Statement on enhanced clarity, support and engagement
  • 10 March 2026: The Board adopts its first data protection impact assessment template, a Helsinki deliverable
  • 16 to 17 July 2026: The EDPB holds a high-level meeting in Dublin
  • 17 July 2026: The EDPB calls on the Commission to propose a legal basis for cross-regulatory information sharing
  • 2028: The Commission's next report on the application of the GDPR is due

Summary

Who: The European Data Protection Board, the body representing the data protection authorities of the European Economic Area and chaired by Anu Talus, alongside Des Hogan, Chairperson and Commissioner for Data Protection in Ireland.

What: A call for the European Commission to propose a legal basis allowing regulators in different fields to exchange information, including confidential information, for enforcement, together with a set of measures to strengthen cross-border GDPR enforcement, including greater use of joint operations and pooling of resources between authorities.

When: The call was made on 17 July 2026, following a high-level meeting held in Dublin on 16 and 17 July 2026.

Where: Dublin, Ireland, with the requested legal basis intended to operate across the European Union and the European Economic Area.

Why: Data protection authorities report that a rising number and complexity of complaints, driven partly by the increased use of AI, is straining already limited resources, while data protection questions increasingly overlap with competition, consumer and digital markets rules that are enforced by separate regulators lacking a clear statutory route to share what they find.