16. Modern Challenges and Final Reflections

Chapter outline

Without aiming to be exhaustive, this last chapter of the book provides a quick reflection on the way the data protection legal framework has operated thus far in the Union. Furthermore, it introduces current developments and challenges that the legal framework is facing due to data-driven innovation.

In 2016, when the new data protection package was introduced in the European Union, including the GDPR, LED, and other laws, it was a clear achievement in the field. While technology and digital services are advancing daily, clear data protection rules sent the message that technology should develop in compliance with legal rules to benefit the people and not vice versa. Controllers were presented with one set of harmonized rules for all their processing activities in the Union, and data subjects with a set of rights that were meant to give them back control over their data. The extraterritorial scope of application of the GDPR ensured that data subjects in the EU are protected independently of the location of the controllers and processors.

Big corporations in various sectors of the digital economy faced high fines, the highest thus far being the 1.2 billion Euro fine that Meta received in May 2023 for violating the rules on transfers of data to the US based on the appropriate standards of article 46 GDPR.

At the same time, the so-called Brussels effect motivated third countries, including China, to adopt national rules mirroring the GDPR provisions in order to help their businesses and digital corporations continue processing data from the EU. The GDPR rules are seen as the gold standard for the introduction of new data protection policies around the world.

However, almost 10 years after its adoption, the initial success story of the GDPR and the enthusiasm around it are showing some cracks. While Supervisory Authorities that follow the same rules and procedures have been created and operate in all the Member States, they have not been able to enforce the rules in a harmonized way. Each Member State of the Union has its own legal tradition and priorities. With regard to the GDPR, different approaches are seen in the way the law is enforced. Some countries, for example Spain, are focusing on small perpetrators; others, like the Netherlands, are focusing on serious infringements. Thus, the incentives for controllers to comply differ across Member States. The second report on the implementation of the GDPR shows that:

Data protection authorities have launched over 20 000 own-initiative investigations.

They collectively receive over 100 000 complaints per year.

The median time for data protection authorities to handle complaints (from receipt to closure of the case) ranges from 1 to 12 months, and is 3 months or less in five Member States (Denmark (1 month), Spain (1.5 months), Estonia (3 months), Greece (3 months) and Ireland (3 months)).

Over 20 000 complaints have been resolved through amicable settlement. It is most commonly used in Austria, Hungary, Luxembourg and Ireland.

In 2022, data protection authorities in Germany adopted the highest number of decisions imposing a corrective measure (3 261), followed by Spain (774), Lithuania (308) and Estonia (332). The lowest number of corrective measures was imposed in Liechtenstein (8), Czechia (8), Iceland (10), the Netherlands (17) and Luxembourg (22).

Data protection authorities have imposed over 6 680 fines amounting to around EUR 4.2 billion. The authority in Ireland has imposed the highest total amount of fines (EUR 2.8 billion) followed by Luxembourg (EUR 746 million), Italy (EUR 197 million) and France (EUR 131 million). Liechtenstein (EUR 9 600), Estonia (EUR 201 000) and Lithuania (EUR 435 000) have imposed the lowest amount of fines.

The high fines imposed on big tech companies show the seriousness of Supervisory Authorities with regard to GDPR infringements, but at the same time they have hardly had the desired deterrent effect. In the list of fines, companies like Meta appear to be repeat offenders. In other cases, as with the US company Clearview AI, the execution of multiple fines imposed by different Supervisory Authorities seems difficult to achieve due to the lack of any assets in the EU.

In the current data-driven economy, the original rights-based approach of the GDPR, focusing on the protection of the fundamental right to data protection as embedded in the EU Charter of Fundamental Rights, was seen as too restrictive. A risk-based approach was quickly supported. Other laws adopted in the European Union that are closely linked to the GDPR because they rely on personal data processing for various purposes, such as the Data Act, Data Governance Act, Digital Services Act and AI Act, as well as the creation of common European Data Spaces, focus mainly on the internal market and rely on this risk-based approach. Thus, the standards of data protection as a fundamental right are weakened in various ways.

In September 2024, a report outlining the barriers to growth that Europe currently faces was published. This report, by former European Central Bank President Mario Draghi, highlights the fact that Europe needs to refocus its energies if it wants to be a player in the global digital economy.

If Europe cannot become more productive, we will be forced to choose. We will not be able to become, at once, a leader in new technologies, a beacon of climate responsibility and an independent player on the world stage. We will not be able to finance our social model. We will have to scale back some, if not all, of our ambitions.

In this framework, the GDPR is seen as too restrictive, complicated and a heavy burden for small and medium-sized enterprises. The costs that SMEs face for compliance with the GDPR are calculated as extensive and prohibitive for innovation. Thus, the report advocates for regulatory light-handed rules to promote EU investment and innovation instead of stronger ex ante regulatory safeguards for fundamental rights and product safety.

Finally, while the ambitions of the EU’s GDPR and AI Act are commendable, their complexity and risk of overlaps and inconsistencies can undermine developments in the field of AI by EU industry actors. The differences among Member States in the implementation and enforcement of the GDPR (as detailed in the Governance Chapter), as well as overlaps and areas of potential inconsistency with the provisions of the AI Act create the risk of European companies being excluded from early AI innovations because of uncertainty of regulatory frameworks as well as higher burdens for EU researchers and innovators to develop homegrown AI. As in global AI competition ‘winner takes most’ dynamics are already prevailing, the EU faces now an unavoidable trade-off between stronger ex ante regulatory safeguards for fundamental rights and product safety, and more regulatory light-handed rules to promote EU investment and innovation, e.g. through sandboxing, without lowering consumer standards.

At the time of writing, a reform of the GDPR is being discussed. On one side, this reform, initiated in 2023, aims to simplify the work of Supervisory Authorities and to speed up disputes that have a cross-border dimension by introducing strict deadlines for each stage of the procedure before the Authorities.

On the other side, following the Draghi report, in May 2025 the Commission presented an additional proposal to cut €300 million in annual administrative costs for Small and Medium Enterprises (SMEs) and Small and Mid-Caps companies (SMCs). As a result, targeted changes to the rules on record-keeping for small and medium-sized companies and organisations under 750 employees are proposed. The proposal does not affect the rest of the provisions of the GDPR.

This is just a quick synopsis of the current state of affairs in European data protection law. As technology evolves, priorities in the field of data protection also change, making the right to data protection an ever complicated, dynamic and, why not… a fascinating one.

License

Texts and Materials in Data Protection and Digital Human Rights Copyright © by Mando Rachovitsa, Jonida Milaj is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
