Last week the EU General Data Protection Regulation became enforceable. Every organization that touched the personal data of European residents had spent the preceding two years — some of them, anyway — scrambling to understand what it required, what it would cost, and whether regulators would actually enforce it.
Eight years on from enforcement and ten years since the regulation entered into force in May 2016, those questions have been comprehensively answered. The GDPR is enforced. It has reshaped data protection law on every continent. It has generated billions in fines, hundreds of landmark decisions, and an entire professional discipline that barely existed before it passed. And it has raised more questions than it has resolved — which, depending on your perspective, is either its greatest failure or proof that it was built for a world that didn’t stop moving.
This is a look at what a decade of GDPR has actually produced — what changed, what didn’t, where enforcement went, and what the next ten years are already beginning to look like.
What the GDPR Actually Changed
Before the GDPR, data protection in Europe was a patchwork. The 1995 Data Protection Directive set common principles but left implementation entirely to member states, producing 28 different national regimes with different rules, different authorities, and wildly inconsistent enforcement. A company operating across Europe faced a compliance matrix that was expensive to navigate and easy to arbitrage — establish a subsidiary in a permissive jurisdiction and process data from there.
The GDPR ended that arbitrage in theory, though the one-stop-shop mechanism — where a company’s lead supervisory authority is the DPA in the member state of its EU establishment — created its own complications. Ireland, home to the European headquarters of most major US technology companies, became the de facto lead authority for some of the most consequential cases in the regulation’s history. The Irish Data Protection Commission’s pace of decision-making drew sustained criticism from other European DPAs, the European Parliament, and civil society organizations for years before a series of landmark decisions — including a record €1.2 billion fine against Meta in 2023 for unlawful data transfers — demonstrated that the one-stop-shop could produce major enforcement outcomes.
The GDPR also changed the global conversation about privacy. Before 2018, comprehensive privacy legislation outside Europe was the exception. In the years since, California passed the CCPA and CPRA. Brazil enacted the LGPD. India passed the Digital Personal Data Protection Act. Japan, South Korea, Thailand, Singapore, and dozens of other jurisdictions have updated or introduced comprehensive privacy frameworks. The GDPR did not cause all of this — digital privacy was becoming a policy priority globally for reasons that predate the regulation — but it provided a template, a vocabulary, and a demonstration that comprehensive privacy regulation was legislatively and operationally viable.
Ten Years of Enforcement: What the Numbers Show
The enforcement record across a decade tells a story of gradual escalation and increasing sophistication. Early enforcement was tentative — the first years produced fines that privacy professionals noted were dramatically below the regulation’s maximum penalties and concentrated on relatively straightforward violations. That changed.
Total GDPR fines issued across European DPAs now exceed €5 billion. The largest individual fines have targeted the technology sector — Meta’s €1.2 billion transfer fine, Amazon’s €746 million fine from Luxembourg, WhatsApp’s €225 million fine, Google’s multiple-hundred-million-euro penalties across different jurisdictions. But enforcement has not been confined to technology giants. Healthcare organizations, financial institutions, telecoms operators, retailers and public sector bodies have all faced significant penalties.
The 2025 annual reports from European DPAs paint a consistent picture of where enforcement is heading. Spain’s AEPD received over 30,000 complaints in 2025 — the highest in its history — with fines and warnings also at record levels, particularly in healthcare where enforcement activity increased by 278 percent year on year. France’s CNIL reported record complaint volumes, record fines, and a record number of personal data breach notifications. Norway’s Datatilsynet flagged that complaints are growing in complexity, driven in significant part by AI-related issues.
The pattern is clear: volume is rising, complexity is rising, and AI is driving both. The GDPR enforcement machinery that spent its first years processing relatively straightforward consent and breach notification cases is now handling questions that the regulation’s drafters could not fully have anticipated.
The Questions That Are Still Open After Ten Years
The GDPR’s tenth anniversary arrives with several foundational questions still unresolved — a fact that reflects both the regulation’s ambition and the pace of technological change it has had to absorb.
What is personal data? The definition in Article 4 — data relating to an identified or identifiable natural person — has generated more litigation and regulatory debate than almost any other provision. The Court of Justice of the European Union addressed it again in 2025 in European Data Protection Supervisor v. Single Resolution Board, and the question is now at the center of the Digital Omnibus Regulation debate moving through the EU legislative process. A decade in, the boundaries of the regulation’s core concept remain contested.
How does consent work in practice? The GDPR’s consent requirements — freely given, specific, informed, unambiguous — were clear enough as principles. Their application to the realities of digital services has proved considerably more complicated. Pay-or-consent models, the legality of consent walls, the validity of consent obtained through dark patterns, and the interaction between consent and legitimate interest as alternative legal bases have generated years of regulatory guidance, court decisions, and ongoing litigation. The EDPB’s opinion on pay-or-consent models in 2024 was a landmark, but it did not close the debate.
How do cross-border data transfers work? The Schrems I decision in 2015 invalidated Safe Harbor. Schrems II in 2020 invalidated Privacy Shield and cast doubt on standard contractual clauses. The EU-US Data Privacy Framework adopted in 2023 re-established a transfer mechanism, but Max Schrems and his organization NOYB have already challenged it and a further CJEU ruling remains possible. The transfer question has never been fully stable for the ten years the GDPR has been in force and shows no signs of becoming so.
Where does the GDPR end and other digital regulation begin? The EU’s digital regulatory agenda has expanded dramatically since 2018. The Digital Services Act, the Digital Markets Act, the AI Act, the Data Act, the Data Governance Act, and the proposed Digital Omnibus Regulation are all now part of the framework within which the GDPR operates. Their interaction — where they overlap, where they conflict, which takes precedence — is a question that regulators, courts, and compliance teams are working through in real time.
AI Has Changed Everything the GDPR Has to Answer
If there is a single development that has most dramatically changed the GDPR compliance landscape in the past three years, it is artificial intelligence — and specifically the deployment of large language models and generative AI systems at enterprise scale.
The GDPR was not written for AI. Its core concepts — a data controller who determines purposes and means of processing, a data subject who can exercise defined rights, a processing activity that can be described and assessed in a DPIA — fit relatively cleanly onto traditional data processing. They fit considerably less cleanly onto a generative AI model that was trained on vast quantities of personal data, that generates outputs which may contain personal data, and whose processing logic is not fully transparent even to its developers.
European DPAs have been grappling with these questions since ChatGPT’s public release in late 2022 triggered a wave of regulatory scrutiny. Italy temporarily banned ChatGPT in early 2023. The EDPS established a specialized AI unit and launched an AI regulatory sandbox pilot for EU institutions. Norway’s Datatilsynet flagged that AI tools are being used in complaints themselves — increasing their complexity from the inside. The EU AI Act, now in force, adds a new regulatory layer that interacts with the GDPR in ways still being worked out.
For organizations, the practical challenge is significant. AI systems that process personal data are subject to the GDPR. The legal basis for that processing — whether consent, legitimate interest, or another basis — must be established. Data subject rights including access, erasure and portability must be honored in relation to data processed by AI systems, even where doing so is technically complex. DPIAs are required for high-risk AI processing. And the AI Act’s own requirements — transparency, human oversight, documentation — layer on top of GDPR obligations rather than replacing them.
Organizations that have not yet developed a documented approach to AI data governance within their GDPR compliance programs are running behind where European enforcement is heading.
What Is Coming in the Next Twelve Months
The European digital policy calendar for the remainder of 2026 is dense with developments that will affect data protection compliance directly.
The European Commission’s tech sovereignty package, expected in early June, includes the EU Cloud and AI Development Act — a proposal aimed at strengthening European digital infrastructure by increasing data center capacity and reducing dependence on non-European cloud providers. The data sovereignty implications for organizations processing European personal data in non-European infrastructure will need to be assessed as the proposal develops.
Ireland takes over the rotating presidency of the Council of the EU on 1 July, chairing Council meetings and coordinating legislative work for six months as part of a trio with Lithuania and Greece covering through 2027. The Irish Presidency’s digital policy priorities, due to be published 10 June, will shape which legislative files move forward and at what pace during a period when several significant digital regulation proposals are in progress.
European Commission President Ursula von der Leyen has signaled that a proposal for an EU-wide social media restriction or ban for minors may come during the summer — a development with significant data protection implications given the consent and age verification questions it would raise under the GDPR.
The review of the 2019 Copyright Directive is approaching, with the Commission consulting stakeholders on a proposal expected early next year covering creative content licensing for AI training. How that proposal interacts with the GDPR’s requirements around data minimization, purpose limitation and rights of data subjects whose content may have been used in AI training will be one of the most significant compliance questions of 2027.
In the UK, the Data (Use and Access) Act comes into force on 19 June — the most significant update to the UK’s post-Brexit data protection framework since the UK GDPR came into effect. The UK Information Commissioner has issued guidance urging organizations to establish compliant data protection complaints processes ahead of the deadline. Organizations operating in both the EU and UK need to ensure their compliance programs address both regimes, which are diverging incrementally with each legislative update.
What Ten Years of GDPR Actually Teaches Compliance Teams
The most durable lesson from a decade of GDPR enforcement is one that was stated clearly in the regulation’s text from the beginning and has been proved consistently by the enforcement record: accountability is not a documentation exercise. It is an operational posture.
The organizations that have fared best in enforcement proceedings and regulatory scrutiny are not necessarily the ones with the most comprehensive privacy policies. They are the ones that can demonstrate — with evidence, with records, with documented decision-making — that their privacy obligations were genuinely considered at the point where decisions were made, not retrofitted after the fact.
The organizations that have faced the largest penalties and the most damaging regulatory outcomes are generally those where the gap between documented privacy commitments and actual data practices was widest. Where consent mechanisms said one thing and the technical implementation did another. Where privacy policies described data retention limits that the underlying systems did not enforce. Where DPIAs were conducted for form rather than substance.
A decade in, European regulators are more experienced, better resourced, and more technically sophisticated than they were in 2018. The enforcement record shows it. The next ten years of GDPR will be enforced by authorities that have spent a decade building the capability and the precedent to hold organizations accountable for the gap between what they say about privacy and what they actually do.
Closing that gap — with genuine privacy program infrastructure, with consent management that reflects actual practice, with documentation that a regulator can actually audit — is not a compliance project with an end date. It is an ongoing operational commitment. That is what the GDPR was always asking for. A decade of enforcement has made clear it will keep asking.