The Seven Year Itch: On the GDPR’s Anniversary, A Look At Its History, Legacy, and Uncertain Future
June 4, 2025

It’s been seven years since the GDPR came into force, enshrining privacy rights for EU residents and changing the global privacy landscape. Throughout its history, the GDPR has been both lauded and criticized. It has inspired privacy regulations throughout the world and changed the way international companies do business, sometimes to their chagrin. With a seven-year view, we want to look back on the history and application of the GDPR and look forward to its legacy and ongoing challenges. Let’s dive in.
How did the GDPR come to be?
The EU’s General Data Protection Regulation (“GDPR”) was finalized in 2016, but Europe’s tradition of recognizing privacy as a strong, fundamental right dates back even further. The Data Protection Directive from 1995 defined the basic elements of data protection that member states transposed into national law. Each EU member managed regulating and enforcing data protection within its jurisdiction, and data protection commissioners from EU member states participated in a working group at the community level, pursuant to Article 29 of the Directive. In 2000, the European Charter of Fundamental Rights (“the Charter”) established explicit, fundamental privacy rights in two forms: the right to data protection and the respect of an individual’s private and family life, home, and communications. In 2009, the Treaty of Lisbon made the Charter a legally enforceable document, not only for the EU generally, but for its institutions and the member states as a constitution with supremacy over member state law. In 2011, the EU published a draft version of the GDPR, building on existing regulatory documents to revise the 1995 Data Protection Directive. Importantly, this new regulation would be a rights-based instrument grounded in the recognition of personal data protection as a fundamental right. After years of back and forth and movement through the EU’s notoriously bureaucratic legislative process (including some input from EPIC), the GDPR was finalized in 2016 and became enforceable on May 25, 2018.
The EU’s data protection regime serves as a comprehensive model for privacy legislation across the world. The core assumption of the GDPR is that it is illegal to process personal data unless there is a legitimate basis for doing so. The six recognized processing bases are listed in Article 6. “Processing” personal data is defined extremely broadly, including collecting, recording, organizing, structuring, storing, using, or erasing data. Nearly any collection and/or use of personal data in the EU implicates the GDPR. Another hugely important aspect of the GDPR is that it applies to all personal data of those based in the EU, regardless of the established nationality of the person whose data is being processed OR the entity doing the processing.
Seven years later, the GDPR is now the cornerstone of a first-of-its-kind technology and digital rights regulatory system. Some industries, such as the financial sector, have increased obligations with regard to data processing, but otherwise, the floor is the same regardless of who the data controller and processors are, with one important caveat. The GDPR does not apply to law enforcement’s processing of personal data—instead, the Law Enforcement Directive controls. The Law Enforcement Directive closely mirrors the GDPR as the two pieces of legislation were drafted in concert, but noticeably diverges as to the rights of data subjects and transparency requirements due to the EU’s self-imposed limitation in regulating national security measures.
Has the GDPR done anything?
Despite criticisms that GDPR enforcement is slower and more infrequent than it should be (which we will address in the next section), significant actions have been taken in the seven years since the GDPR went into effect: at least 2,632 violations have been subject to enforcement actions coming to a total of €6,195,900,683 in GDPR fines between May 2018 and May 2025. Though the companies penalized have been truly international, including many European companies, the largest fines have been issued to U.S. Big Tech companies and TikTok, as they process a much higher volume of personal data than most other entities.
One of the most consequential decisions under the GDPR not only resulted in the largest GDPR fine to date (€1.2 billion ultimately issued in May 2023 for continuing non-compliant data transfers), but completely invalidated Privacy Shield – the primary data transfer mechanism used between the EU and U.S. at the time. The court ultimately determined that Privacy Shield did not confer an adequate level of data protection to EU resident personal data because (1) it provided no protections or restrictions on U.S. surveillance programs that scan protected data in ways that are neither necessary nor proportional and (2) there was no structure allowing EU residents to receive meaningful judicial redress or remedy for those grave violations of GDPR rights.
In addition to that decision and its fines, the ten largest GDPR fines have all been issued to major tech companies. Six of the top ten largest GDPR fines have been issued to Meta and Meta-owned companies:
- €1.2 billion for improper data transfers (May 2023)
- €405 million for processing children’s personal data without a proper legal basis (September 2022)
- €390 million for forcing users to accept personalized ads in order to use Facebook (January 2023)
- €265 million for a massive data leak and insufficient security measures (November 2022)
- €251 million for an additional data breach and failure to document the breach and notify those affected (December 2024)
- €225 million to WhatsApp for violating GDPR transparency requirements (September 2021)
The other largest fines in the top 10 have been issued to:
- Amazon: €746 million for Amazon’s targeted advertising system operating without proper consent (July 2021)
- TikTok: €345 million for violations in data processing, transparency, and fairness in how it handled children’s personal data (September 2023)
- LinkedIn: €310 million for misusing user data for targeted advertising and behavioral analysis (October 2024)
- Uber: €290 million for improper data transfers of EU resident data to the U.S. (July 2024)
Overall, the violations drawing the most fines have been noncompliance with data processing principles (violations of transparency, fairness, etc.), insufficient or improper legal basis for data processing, insufficient security measures, insufficient disclosure and documentation, and insufficient data subject rights fulfilment.
The GDPR’s Legacy
Evaluations of the GDPR’s impact have been mixed, drawing both criticism and praise. This law has centered digital rights in the global economy, required companies to factor in digital rights as a critical part of business plans, and created a worldwide infrastructure to enforce those rights. However, the government bodies in charge of enforcing this law have been slow to act due to a combination of jurisdictional challenges, resource shortages, and political considerations. Even as privacy advocates and individuals have criticized enforcement for being lax, American companies like Meta and Apple have lambasted the EU for prioritizing human rights over industry bottom line.
The internet has created a deeply interconnected global economy and, due to the GDPR’s broad scoping that covers a robust population, the EU has forced the rest of the world to play by its rules. The regulation’s scoping is based not on where the entities processing personal data are located, but where the data subjects are located. Any entity that processes personal data of data subjects who are physically located in the EU is subject to the GDPR. For example, a German citizen located in Berlin scrolling on Instagram is protected by the GDPR. A Canadian citizen visiting Paris for vacation and looking up nearby restaurants on Google is protected by the GDPR. However, a Spanish citizen visiting the United States and pulling up a museum’s website to buy entry tickets would not be protected by the GDPR.
Any entity that wants to process protected data must guarantee GDPR rights, which leads to complex cross-border data transfer agreements among governments and commercial entities. The GDPR lists some acceptable methods of data transfer consistent with its rights-protection regime, including standard contractual clauses, binding corporate rules, or an inter-governmental mechanism that the GDPR calls an “adequacy decision.” If the EU determines that a country’s privacy laws provide comparable protections to its data subjects, then it can render an official adequacy decision and any entity based in that country can transfer protected data on the basis of that adequacy decision. However, these decisions are, in the case of the United States, unstable, leading to commercial uncertainty.
This scoping, along with copycat laws around the world, has resulted in a more unified baseline for privacy and data protection requirements that allows companies to streamline and simplify their compliance systems. The GDPR has set a standard for companies that requires them to understand what data they are collecting and how that data is being used, maintained, and deleted. Instead of having to adjust procedures for every jurisdiction, the GDPR provides a widely accepted standard that companies can use across data streams. Even if a country doesn’t require the same high standards as the GDPR, the data mapping and cataloguing of data processing necessary for GDPR compliance smooth the way for legal compliance and reporting elsewhere.
Importantly, the GDPR standard centers enforceable digital rights. Data subjects have several rights regarding their personal data, including the right to access personal data an entity may hold relating to them, the right to correct such data, and the right to have that data deleted in certain circumstances. These rights exist in addition to the data subject’s pre-existing fundamental rights under the EU Charter, including the rights to nondiscrimination, freedom of thought, freedom of expression, and freedom of assembly. In turn, entities processing personal data have obligations and responsibilities to ensure data subject rights. These rights are protected by a private right of action, which allows individuals to bring claims protecting their rights at greater speed than regulatory bodies are typically able. However, since government bodies must ultimately pursue, investigate, and enforce these claims, the private right of action is still somewhat dependent on the abilities, resources, and choices of government bodies.
One of the major criticisms of the GDPR is that its enforcement is slow and weak. Investigations into violations of the GDPR and enforcement actions are organized such that the default enforcement body for a violation will be located in the same jurisdiction as the violating entity’s agent or establishment. In the EU, this often means Ireland, as it has intentionally put a tax structure in place that incentivizes foreign entities to establish themselves there. This concentration leads to both bottlenecking and political concerns. In the first 6 months after the GDPR came into effect, Ireland alone received 1,928 complaints, but issued 0 penalties within that time period. In the past seven years, Ireland has faced a massive backlog in case resolution, and nearly 86% of Ireland’s cross-border complaints in 2021 ended in an “amicable resolution” rather than tangible consequences. Civil society and even the EU government itself have noted this uneven and slow enforcement of the GDPR. Monetary penalties are the best incentive for companies to comply with data protection laws, yet the data shows that as few as 1.3% of GDPR cases are resolved using fines.
The enforcement actions against American companies have led to complaints from both the companies and American politicians. Apple, for instance, tried to get the United States government to intervene on their behalf when Apple failed to pay major fines and taxes for violations. Mark Zuckerberg has also repeatedly and publicly lambasted the EU for “institutionalizing censorship” and for enforcing their own laws – a sharp shift from his initial praise of the GDPR. In just the past few months, the U.S. administration has accused EU regulators of treating U.S. Big Tech companies unfairly as well as complaining about social media censorship, antitrust regulation, and AI regulation. These baseless claims are a shameful pressure campaign to avoid basic data responsibilities and ignore both individual and collective privacy rights.
If these technology companies want access to the hundreds of millions of EU citizens, their personal data, and their wallets, tech companies must abide by the laws of the land. The regulators in Europe are not targeting American companies because of national origin or political bias—these American companies just happen to process personal data at incomparable volumes and repeatedly fail to meet basic data privacy and security standards, which leads to steep fines and repeat offenses. Unfortunately, the threats from Big Tech and the U.S. administration seem to be working, as various European leaders are now trying to gut major technology bills, including the GDPR.
What’s Next?
So where does the GDPR stand now? Since its adoption, several proposals have been floated to adapt the regulation to better address any sticking points that have arisen. For example, there was a multi-year process to harmonize some procedural portions of the GDPR that had varied a bit across state authorities (for example, handling complaints, cooperative actions, clarifying individual rights in complaints, etc.). Thus far, these actions have mainly focused on clarifying the original GDPR text rather than making substantive changes. However, that may change.
The GDPR, along with several other EU regulations, is coming under fire in a broad deregulatory movement within the EU called the “Omnibus Simplification Package.” Packaged by politicians as a way to “reduce administrative burdens,” the far-ranging proposals include modifications on reporting, audits, requirements on small to medium sized enterprises, and more. This package is a marked pivot from the EU’s traditional legislative process and looks likely to modify several of the most influential privacy and digital laws in the EU – reportedly, the GDPR, AI Act, ePrivacy Directive, DMA, and DSA may all be addressed in the Omnibus IV package, purported to reduce record-keeping requirements for small and medium sized organizations, among other goals. It is unclear how extensive the proposed changes will be.
This regulatory shift towards “reducing compliance burdens” stems from multiple sources. First, Big Tech (and, at times, U.S. administration members) have not slowed their constant (and spurious) argument that regulatory protections stifle innovation or are anti-competitive. Simultaneously, the EU has grown concerned about their dependency on American technology and companies, particularly in an uncertain political environment where they may at any point have access to that technology cut off. Some of these changes are an effort to create an environment friendly to new business and developing technology. It is unfortunate that European politicians appear to have accepted the argument that competition and innovation can only occur at the cost of basic data safety processes. If bare-bones consumer and human rights protections truly render companies unable to innovate, we would contend that these companies lack creativity. Civil society groups in the EU and the U.S., including EPIC, are highly engaged in this process to ensure that individual rights and privacy protections remain intact.
Conclusion
The GDPR has been one of, if not THE, most globally influential privacy regulations ever seen. Its tenets of accountability, data stewardship, individual rights, bases for data processing, division of responsibilities, and more have been the inspiration for similar requirements at local, state, and national levels far beyond the EU. In many ways, the GDPR has set a more consistent and uniform standard for data processing all over the world. Though no regulation is perfect – and the GDPR certainly can improve in its enforcement – it is a foundational piece of privacy legislation. We hope that remains the case.
