The European Union’s General Data Protection Regulation entered into force on 25 May 2018, replacing the 1995 Data Protection Directive. It promised to harmonise privacy law across the EU, give individuals new rights over their data, and impose meaningful penalties on organisations that mishandled personal information. Eight years in, the picture is mixed. The regulation has done more than any other privacy law to shift global practice, and at the same time it has produced unintended consequences and persistent enforcement gaps that nobody fully anticipated.
What GDPR actually requires
The core obligations, simplified:
Lawful basis for every processing activity. Six grounds: consent, contract, legal obligation, vital interests, public task, legitimate interests. Many organisations have spent years arguing that "legitimate interests" covers more than it does.
Data subject rights. Access (request a copy of your data), rectification, erasure (the "right to be forgotten"), portability (machine-readable export), restriction, objection, and rights related to automated decision-making.
Breach notification. Notification to supervisory authorities within 72 hours of becoming aware; notification to affected individuals "without undue delay" if there is high risk.
Privacy by design and by default. Privacy considerations baked into systems from the outset, not bolted on.
Data Protection Impact Assessments for high-risk processing.
Specific rules for transfers of personal data outside the EU/EEA.
Data Protection Officers for organisations that process certain categories of data at scale.
Penalties of up to €20 million or 4 percent of global annual turnover, whichever is greater.
The full regulation is at eur-lex.europa.eu/eli/reg/2016/679/oj. The European Data Protection Board’s guidelines, at edpb.europa.eu, interpret and operationalise it.
Enforcement, by the numbers
The European Data Protection Board’s annual report and the GDPR Enforcement Tracker at enforcementtracker.com maintain running totals. As of 2026, total cumulative GDPR fines exceed €5.5 billion across more than 2,500 published decisions.
The headline cases:
Meta / Facebook: cumulative GDPR fines exceeding €2.5 billion across multiple decisions, including a €1.2 billion fine in 2023 for transfers of EU user data to the US without adequate safeguards.
Amazon: €746 million in 2021 (Luxembourg) for advertising-related processing.
TikTok: €345 million for processing of children’s data; €530 million for transfers to China.
Google: multiple fines totalling over €100 million, the largest being €50 million for inadequate consent for personalised ads.
WhatsApp / Instagram: €225 million and €405 million respectively for transparency failures.
The pattern: fines are concentrated on a small number of US technology companies operating at scale, with proportionally fewer cases against European or non-tech organisations. The "one-stop-shop" mechanism, which routes cross-border cases through the lead supervisory authority (Ireland for many US tech firms), has been controversial because it concentrated enforcement decisions in jurisdictions perceived as friendlier to industry.
What changed in practice
Cookie banners everywhere. The single most visible consequence. The ePrivacy Directive (separate from GDPR but closely related) requires consent for non-essential cookies; GDPR’s standard for valid consent (freely given, specific, informed, unambiguous) raised the bar. The result has been the cookie-banner wave, often poorly implemented in ways that violate the spirit of the law. The "I have read and agree to all 487 partners’ use of my data" dark patterns are well-documented.
Privacy-by-design adoption. Larger organisations now have privacy review processes embedded in product development. Privacy engineering is a recognised discipline. Tools like consent management platforms (OneTrust, TrustArc, Cookiebot) form a billion-dollar market.
Brussels Effect on global law. GDPR has been the model for laws in California (CCPA / CPRA), Brazil (LGPD), India (DPDP Act), South Korea (PIPA reforms), Switzerland (revised FADP), the UK (UK GDPR), and dozens of others. Even US states without comprehensive laws have adopted breach-notification standards modelled on the regulation.
Operational data minimisation. The "do we actually need this data?" question is now asked seriously in many organisations. Retention schedules are shorter than they were a decade ago.
Data Subject Access Requests as routine. Requesting your own data, once a paper-based, multi-week process, is now an online form at most organisations of any size. Quality of responses varies wildly.
What did not change
Surveillance advertising survived. The advertising-technology ecosystem of bid streams, behavioural profiling, and real-time bidding (RTB) auctions has continued largely unchanged, with consent layers added on top. The ICO’s 2019 finding that the entire RTB ecosystem was unlawful under GDPR has not been enforced to its conclusion.
Government data collection. GDPR’s exemption for national security and law enforcement, expressed through the Law Enforcement Directive (Directive (EU) 2016/680), means that mass-surveillance practices are addressed by separate, weaker frameworks.
Data brokers in the US. The People-Search and data-broker industries operate largely outside any meaningful US privacy regime. GDPR has cleaned up some EU-facing practice; the US data-broker economy is intact.
Consent fatigue. The cumulative effect of cookie banners, privacy policy updates, and rights notifications has trained users to click through everything. Whether this is regulatory failure or human-nature failure is debated.
The Schrems II problem
The largest unresolved issue is international data transfers, particularly to the United States. The Court of Justice of the European Union’s Schrems II ruling in July 2020 invalidated the EU-US Privacy Shield because of US surveillance practices that fell short of GDPR’s "essentially equivalent" standard.
The replacement, the EU-US Data Privacy Framework signed in 2023, faces ongoing legal challenge; a Schrems III case is broadly expected. The practical consequence for organisations transferring data to the US has been years of uncertainty, expensive Standard Contractual Clauses paperwork, and the rise of European cloud alternatives.
Max Schrems, the lawyer behind both Schrems cases, runs the NGO NOYB at noyb.eu, which is the most prolific filer of GDPR complaints in Europe. Its docket is the closest thing to a leading indicator of where enforcement will move next.
What comes next
The European Commission has signalled that it will not reopen the GDPR text. The interpretive work, through EDPB guidelines, court cases, and supervisory authority decisions, continues. Adjacent regulations are filling specific gaps:
The Digital Services Act and Digital Markets Act, both effective in 2024, address platform-specific harms and gatekeeper power.
The AI Act, with provisions phasing in through 2026 and 2027, governs high-risk AI systems including those processing personal data.
The ePrivacy Regulation, perpetually delayed, would replace the 2002 ePrivacy Directive and modernise the rules for tracking, communications privacy, and direct marketing.
The Data Act and Data Governance Act regulate access to and reuse of industrial and government data.
Eight years on, GDPR has done less than its idealistic backers hoped and more than its sceptical critics expected. It is now the default reference point for any privacy regulation anywhere in the world. The next decade of privacy law will be written, on net, in the language GDPR established. Whether that language describes a privacy-respecting digital economy or a more compliant version of the same surveillance economy remains an open question.
