The 31 EU/EEA data protection authorities signed a joint declaration for the GDPR's 10th anniversary. Most coverage focused on the celebration; the actionable signal for SaaS is in three commitments hidden in the diplomatic language.
Signal 1: harmonized enforcement going forward
The authorities committed to align their interpretations on specific contested topics: cookie consent thresholds, automated decisions under Article 22, retention defaults for marketing data. For SaaS that operated under the assumption that French CNIL is strict and Irish DPC is permissive, that gap is closing.
Signal 2: faster cross-border procedures
The one-stop-shop mechanism, criticized for years as slow, is being shortened. Target: 12 months from complaint to binding decision in the typical cross-border case. For SaaS with EU customers in multiple states, this changes risk math: a single complaint can become an EU-wide finding faster.
Signal 3: outcomes over paperwork
The declaration emphasizes that compliance is judged by what the company does, not by what it documents. The era of binders that protect against findings is fading; the era of audits comparing policy to production is here.
| Old posture | New posture |
|---|---|
| Forum shop to the lenient authority | Authorities increasingly aligned |
| Slow cross-border procedures | 12-month target |
| Documentation as compliance | Outcomes as compliance |
The declaration is non-binding but politically significant. It signals where enforcement will go even before specific guidance is published. SaaS that adjusts now is ahead of the curve.
What to do this quarter
- Drop the assumption that one EU authority is more lenient. Build to the strictest interpretation (typically CNIL).
- Verify your privacy policy matches actual product behavior. The next finding will compare both.
- Track which authority handles your one-stop-shop and watch their enforcement priorities monthly.
Conclusion
The joint declaration is the EU's most visible signal that GDPR's second decade will be about consistent application rather than evolving definitions. The compliance work shifts from interpreting the law to executing on it.
To keep policy versions, sub-processor lists and data flow documentation in a single audit-ready format, try Termerly free.


