Ten years ago this week, on 27 April 2016, the European Parliament and Council put their signatures on Regulation (EU) 2016/679 — a 99-article statute that, at the time, most of the technology industry treated as a distant problem for European subsidiaries. Two years later, when the General Data Protection Regulation became applicable on 25 May 2018, the same industry treated it as an emergency. A decade on, it is something else entirely: a load-bearing piece of global digital infrastructure, copied in its outline by lawmakers from São Paulo to Seoul, and the de facto baseline against which every newer law — the Digital Services Act, the Digital Markets Act, the AI Act, the UK’s evolving regime, and counterparts in California, Brazil, India, China, and beyond — is measured.
The European Data Protection Board’s 10-year note this week is appropriately ceremonial. The reality is messier, more interesting, and worth taking stock of honestly. Below is a candid retrospective on what the GDPR actually changed, where it fell short, and what compliance leaders should be doing differently in the next ten years than they did in the last.
A Quick Reset on What the GDPR Did
It is easy to forget, after a decade of cookie banners, that the GDPR’s actual structural innovations were relatively few and very deliberate.
It elevated data protection from a national patchwork, implemented unevenly under the 1995 Data Protection Directive (95/46/EC), into a single regulation with direct effect across the EU. It introduced a one-stop-shop mechanism, designating a lead supervisory authority for cross-border processing. It armed Data Protection Authorities with administrative fines of up to 4% of global annual turnover or 20 million euro, whichever is higher. It imported a set of operational obligations (records of processing, DPIAs, notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them, mandatory DPOs in defined cases, privacy by design and default) that made data protection a board-level subject for the first time. And it gave individuals enforceable rights: access, rectification, erasure, portability, objection, and the right not to be subject to solely automated decisions that produce legal or similarly significant effects.
What it did not do — and this is where ten years of hindsight matter — is actually centralise enforcement. That tension has shaped almost everything that has happened since.
From Article 29 Working Party to the EDPB
The GDPR replaced the Article 29 Working Party with the European Data Protection Board, formally established on 25 May 2018. The EDPB brings together the national data protection authorities of the 27 EU member states and the three EEA EFTA states (Iceland, Liechtenstein and Norway, which participate without voting rights), with the European Data Protection Supervisor also sitting as a member. Its job is to produce binding decisions where DPAs disagree, issue guidelines, run consistency procedures, and broadly hold the line on harmonised interpretation.
In practice, the EDPB has spent a decade doing two jobs in tension. The public job is guidance: dozens of guidelines on everything from territorial scope to legitimate interests to anonymisation, plus an expanding library of consistency findings. The harder, less visible job is refereeing fights between national regulators that often share a border but not a worldview. The Article 65 binding-decision mechanism — invoked when DPAs cannot agree on a draft cross-border decision — has been used repeatedly, including in some of the headline cases against the largest US platforms.
That coordination layer matters because the law’s effectiveness depends on it. A regulation only delivers harmonisation if interpretation is harmonised, and the past decade has been the EDPB’s slow, often grinding effort to make that real.
Enforcement: The Long Climb From Quiet to Loud
For the first two or three years after May 2018, GDPR enforcement was widely caricatured as toothless. The fines were modest, the cross-border cases stuck in procedural mud, and large platforms operated as though the substantive rules were a starting point for negotiation. That story is now out of date.
A non-exhaustive list of decisions that materially changed the calculus:
- The Irish DPC’s 1.2 billion euro fine against Meta in May 2023 for unlawful EU–US transfers, the largest individual fine to date, which forced a structural rethink of every transfer programme on the continent.
- The Luxembourg CNPD’s 746 million euro fine against Amazon in 2021 over advertising-related processing.
- A series of decisions against TikTok, WhatsApp, Google, and Clearview AI, addressing issues from children’s data to facial recognition to lawful basis for advertising.
- The French CNIL's run of cookie decisions against Google, Amazon, and Meta for non-compliant banners and dark-pattern designs. These were issued under the national transposition of the ePrivacy Directive rather than the GDPR, which is why they sit outside the one-stop-shop and why CNIL, not a lead authority elsewhere, has been the most consistently aggressive regulator on cookie compliance.
- A growing strand of cases on automated decision-making, scoring, and profiling, including the SCHUFA and related rulings from the Court of Justice clarifying the scope of Article 22.
Two themes run through this enforcement record. First, the slow cases are getting faster. The Irish DPC, long criticised as the bottleneck of the one-stop-shop system, has accelerated significantly under regulatory and political pressure, particularly after the EDPB's binding decisions and the EU's Cross-Border Enforcement Procedural Regulation, which the Commission proposed in 2023 to streamline disputes between DPAs. Second, the substantive interpretive work is now happening in court. The CJEU has handed down a steady stream of GDPR rulings (Schrems II, Meta Platforms v Bundeskartellamt, SCHUFA, Lindenapotheke, and dozens more) that have gradually replaced "compliance vibes" with concrete doctrine. Privacy law in Europe is, finally, law.
The Brussels Effect, Realised
It is hard to overstate how much the GDPR shaped data protection legislation worldwide. Anu Bradford coined “the Brussels Effect” to describe the EU’s tendency to export its regulatory standards through the simple mechanics of market access; the GDPR is the textbook case.
Within five years of its application, the world’s privacy map looked different:
- California passed the CCPA in 2018 and upgraded it to the CPRA in 2020, creating a state-level regulator (the CPPA) and rights that consciously mirror — without copying — GDPR’s architecture. By 2026, roughly twenty US states have comprehensive privacy laws on the books, with broadly similar consumer rights and notice obligations.
- Brazil’s LGPD, in force since 2020, is the closest non-European analogue, including a dedicated authority (ANPD) and a similar lawful-basis structure.
- China’s PIPL (2021) borrowed the GDPR’s structural vocabulary while bending it sharply toward state interests, particularly on cross-border transfers.
- India’s Digital Personal Data Protection Act, passed in 2023, took several years to operationalise but follows a recognisably GDPR-shaped lifecycle of consent, notice, rights, and enforcement.
- Saudi Arabia, the UAE, Indonesia, Thailand, South Korea, Japan, Singapore, and many others have either passed or modernised laws within GDPR’s gravitational field.
- The United Kingdom retained the GDPR substantively after Brexit (the UK GDPR plus the Data Protection Act 2018), and the Data Use and Access Act has since trimmed and refined rather than dismantled it.
The result is that a large multinational's privacy programme today looks structurally similar regardless of where it operates. That is, in essence, what the European Commission was trying to achieve when it tabled the proposal in January 2012 and the drafting process began.
Where the GDPR Has Underperformed
A serious anniversary deserves serious criticism.
Cookie banners. The single most visible artefact of GDPR-era compliance is also its most universally despised. The fault is partly with the ePrivacy Directive, partly with industry, and partly with the GDPR’s high consent threshold being applied to a tracking ecosystem that was never designed to operate transparently. The result has been a decade of dark patterns dressed up as choice. The EDPB’s ongoing work on cookie compliance, the EU’s stalled ePrivacy Regulation, and national efforts (most notably the CNIL’s) have improved things at the margin, but every honest reader knows what their last cookie banner looked like.
Enforcement asymmetry. The one-stop-shop mechanism was designed to make life easier for businesses while preserving substantive rights. In practice, it concentrated cases against the world’s largest platforms in jurisdictions where those platforms were headquartered — most prominently Ireland and Luxembourg — and produced bottlenecks, public friction with other DPAs, and years-long delays. The system is improving, but the design choice has cost the regulation real credibility in its first decade.
SME burden. The GDPR is genuinely demanding, and the proportionality concessions in the text (the Article 30(5) exemption from records of processing for organisations under 250 employees, the risk-based approach to DPIAs) have not been enough to prevent compliance overhead from landing disproportionately on small organisations and the public sector. The German Conference of DPAs (the DSK) and the EDPB have both gestured toward simplification, and the European Commission's broader simplification agenda now underway is, in part, a response to this.
The transfer problem. Schrems II in July 2020 invalidated the Privacy Shield, threw thousands of transfer arrangements into legal uncertainty, and triggered three years of regulatory and political work culminating in the EU–US Data Privacy Framework, whose adequacy decision was adopted on 10 July 2023. That framework is now itself the subject of Schrems III-style litigation. Whatever the merits, the transfer regime under the GDPR has been a recurring source of strategic risk and remains the single area where compliance teams need a Plan B at all times.
AI and Article 22. The GDPR's automated-decision rules were drafted in 2012 with a pre-deep-learning understanding of algorithmic systems, and they largely carried over the shape of Article 15 of the 1995 Directive. The CJEU has done meaningful work patching the doctrine, particularly in SCHUFA, but the AI Act, the Platform-to-Business Regulation, and a wave of national soft law have stepped in where Article 22 alone was never going to be sufficient.
The Next-Generation Stack: GDPR Plus
The GDPR is no longer a standalone regulation. Compliance teams now operate inside a stack:
- The Digital Services Act (fully applicable since February 2024, with obligations on very large platforms and search engines from August 2023) governs content, transparency, and risk on online platforms.
- The Digital Markets Act (gatekeeper obligations applicable since March 2024) imposes structural obligations on "gatekeepers," including interoperability duties and restrictions on combining personal data across services that overlap directly with GDPR purpose limitation and lawful basis.
- The AI Act (in force since August 2024, applying in stages from February 2025) regulates AI systems by risk class, with significant interaction points around training data, profiling, and high-risk decision-making.
- The Data Act and Data Governance Act create new sharing rights and intermediary regimes that sit alongside GDPR.
- Sector-specific regimes — the Financial Data Access Regulation, eIDAS 2.0 and the EU Digital Identity Wallet, the European Health Data Space — add additional layers.
The practical implication is that the modern privacy or data protection function is no longer just a GDPR function. It is a horizontal coordination function across overlapping regulators, overlapping definitions, and overlapping enforcement risks. The teams that have made that shift in the past two or three years are the ones that will spend the next decade ahead, rather than catching up.
What the Next Ten Years Probably Look Like
A short, opinionated forecast:
- Procedural harmonisation will arrive. The Cross-Border Procedural Regulation — and the political will behind it — will close most of the one-stop-shop gaps within the next two to three years. Expect faster decisions, more consistent timelines, and fewer Article 65 spectacles.
- AI governance will eat a significant share of the privacy team. DPIAs and FRIAs (Fundamental Rights Impact Assessments under the AI Act) will converge in practice if not in form, and the privacy function will absorb model governance for any system processing personal data.
- Consent will continue to recede as a primary lawful basis for analytics and personalisation in favour of legitimate interests, contractual necessity, and — eventually — the long-promised ePrivacy Regulation. Recent UK and EU rulings, including the RTM v Bonne Terre judgment from the Court of Appeal earlier this month, have stabilised the consent doctrine but have not made consent any less operationally fragile.
- International transfers will remain the biggest single source of strategic risk, with the DPF facing ongoing legal challenge, Standard Contractual Clauses requiring increasingly serious supplementary measures, and the BCR landscape gradually filling the gap.
- The Brussels Effect will keep going, but with friction. Newer laws — India’s DPDPA, Saudi Arabia’s PDPL, the patchwork of US state laws — have begun to diverge in meaningful ways, and the next decade will see global organisations spending more time on jurisdictional fit and less on uniform GDPR-shaped programmes.
What Compliance Teams Should Actually Do With This Anniversary
If the past ten years were about building privacy programmes, the next ten will be about pruning them. Three concrete suggestions for any team that wants to use the anniversary productively:
First, audit the assumptions baked into your programme in 2018 that no longer hold. The threat model has shifted (AI training, generative model outputs, third-party tracking via server-side tagging), the enforcement model has shifted (faster CJEU output, growing CNIL/Garante/AEPD assertiveness, EDPB binding decisions), and the regulatory perimeter has shifted (DSA, DMA, AI Act, NIS2, DORA). A 2018 RoPA, a 2018 transfer impact assessment, and a 2018 DPIA template are all now slightly wrong in different ways.
Second, pick a hard cutover date for legacy cookie and consent flows. The drift between what banners look like and what regulators now expect has become significant. Treat cookie compliance as a 2026 problem, not a 2019 problem — because the fines are now being issued against 2026 designs.
Third, integrate. The privacy team that does not have a working relationship with security, AI governance, marketing, product, and procurement is not going to be effective in the next decade. The GDPR put data protection in the boardroom; the regulations that have followed have put it on every other floor.
Bottom Line
The GDPR did not perfect data protection. It did something more important: it made data protection a normal, expected, internationally legible component of how digital businesses operate. Ten years on, it has problems, critics, and unfinished business — and it has also done more to shape the global handling of personal data than any other piece of legislation in the digital era. The question for the next decade is not whether the GDPR will survive in something like its current form. It will. The question is whether the institutions and the practitioners around it can keep up with a regulatory environment that the GDPR itself helped to produce.