GDPR Weekly Dispatch: Cross-Border Complaints Streamlined & TikTok Under Fire

Dec 17, 2025

🚨 Headline Story: EU Streamlines Cross-Border GDPR Complaints

The Council of the European Union has adopted a new regulation designed to accelerate the processing of cross-border GDPR complaints. This long-awaited reform establishes uniform admissibility criteria, defines clear rights for complainants and investigated parties, and introduces a simplified cooperation procedure.

Key provisions include strict investigation deadlines: 15 months for standard cases and 12 months for simpler ones. This addresses one of the most significant criticisms of the GDPR enforcement mechanism—the "bottleneck" effect where cross-border cases languish in procedural limbo for years. The new law aims to harmonize procedural rules across Member States, ensuring that the "One Stop Shop" mechanism functions as originally intended.

Why it matters:
For businesses operating across the EU, this means faster resolution of complaints but potentially more aggressive enforcement timelines. The era of indefinite delays in cross-border investigations may be coming to an end. Companies should expect quicker inquiries and stricter adherence to procedural deadlines from Lead Supervisory Authorities.

⚖️ Enforcement & Fines

  • Password Manager Provider Fined £1.2m by ICO: The UK Information Commissioner's Office (ICO) has fined a password manager provider £1.2 million for a data breach affecting up to 1.6 million people. The breach exposed user data, highlighting critical failures in security measures for sensitive credentials.

  • Insight/Summary: This fine underscores the critical responsibility of security vendors. When your core product is security, the bar for compliance and data protection is exceptionally high.

  • Sources: ICO

🏛️ Legal & Regulatory Updates

  • CJEU Clarifies Online Ad Platform Liability: The Court of Justice of the European Union (CJEU) has ruled in Case C-492/23 (X v Russmedia Digital SRL) on the responsibilities of online platforms hosting user advertisements. The court clarified that operators of online marketplaces are considered data controllers for personal data in user-generated ads, shifting them from a passive hosting role to one of active responsibility.

  • Sources: Curia (Case C-492/23)

  • CNIL Launches "FantomApp" for Teens: The French regulator CNIL has released "FantomApp," a mobile application designed to educate and protect teenagers (10-15 years old) online. It offers tools to manage privacy settings and report violations.

  • Sources: CNIL

🌐 Industry & Tech News

  • NOYB Files Complaint Against TikTok: Privacy advocacy group NOYB has filed a complaint alleging that TikTok unlawfully tracks users' shopping habits and even their use of dating apps. The complaint argues that this extensive tracking occurs without valid consent, violating GDPR principles of data minimization and purpose limitation.

  • Sources: NOYB

💡 Opinion & Analysis

  • The "One Stop Shop" Reboot: With the new cross-border rules, we might finally see the "One Stop Shop" mechanism work efficiently. However, the 15-month deadline is ambitious. DPOs should prepare for a potentially faster cadence of regulatory queries in 2026.