Has Europe given up on GDPR?
Among IT professionals, it was said from the very first drafts that GDPR was nonsense – a bureaucratic creation by people who don’t understand the internet. And as it later turned out, they were right: GDPR significantly worsened the user experience, burdened small businesses, and overlooked those it was truly intended for.
The official goal? To protect personal data from leaking to the USA. The result? Data continues to flow – today, even to China.
While European bureaucrats complicated forms and regulations, Meta, TikTok, and others found loopholes, legal workarounds, and innovative interpretations. Meanwhile, the internet has already entered a new phase: artificial intelligence now extracts data “between the lines” – without anyone even realizing what they are giving away.
Today, all data proves that GDPR was a mistake:
- Those it was intended for remained untouched.
- Personal data still easily crosses borders.
- Big players quickly adapted, while small ones pay the price.
Negative consequences are borne primarily by smaller companies – and end-users, who got an internet full of cookie banners, conditional logins, and false consents.
The story is, in its essence, typically European. We would still understand design flaws. But what is truly worrying is that we persist in this mistake – as often happens. Until when?
GDPR as the great promised shield for the user
Initially, GDPR promised:
- greater transparency over how companies process data,
- greater user control over their own data,
- high penalties for infringers,
- and an extensive role for national supervisory authorities.
However, it quickly became apparent that companies, especially the largest ones (Google, Meta, TikTok), found ways around the regulations – either through complex terms of access, selective interpretation, or legal maneuvers.
For example, after GDPR came into force, Meta unilaterally changed its terms of use and justified the processing of personal data for advertising with so-called “contractual necessity” – meaning that personalized advertising is an essential part of their service. This allowed them to avoid obtaining explicit consent for targeted advertising, as the user was supposedly automatically agreeing to data processing upon registration. This interpretation was later exhaustively challenged by organizations such as NOYB, and it was only years later that it received condemnation from the EU Court of Justice and high penalties. In the meantime, the company continued to collect data almost unchanged with new forms and so-called “pseudo-consents.”
The regulation is not being enforced
The key problem remains the enforcement of the regulation. While individual advocacy groups (e.g., Max Schrems’s NOYB) fight against big players, the procedures are lengthy, often lasting several years. Penalties themselves are rare and often lower than expected (given the potential profit of infringers).
National authorities (e.g., Ireland as the main regulator for tech giants) are under scrutiny for slowness, compromises, and occasional passivity.
GDPR caused user desensitization
With a multitude of cookie notifications, automated “accept all” forms, and lengthy terms, most users have become desensitized. In the eyes of many, GDPR has become a bureaucratic obstacle, not an actual tool for protection.
Instead of transparency, we have digital fatigue. Companies, too, often focus solely on formal compliance, rather than actual ethical handling of user data.
AI, biometrics, and digital identity
GDPR was written before the boom of artificial intelligence. Today, however, we have:
- mass use of profiling algorithms,
- use of biometric data (e.g., in stores, at borders),
- and digital identities that will link even more personal data into a single profile.
In all these technologies, there is a silent shift from consent to systemic data processing without actual user choice.
For example, artificial intelligence today effortlessly categorizes individuals by gender, age, emotional state, location, and even socio-economic status – without the user even knowing it.
Biometric data (facial recognition, fingerprints) are often used for security purposes, but at the same time, they enable constant tracking and identification in real-time.
Digital identities (as developed by the EU and private platforms) promise to simplify identification, but at the same time, they combine health, tax, banking, and travel data into a single point, which represents an enormous security and ethical challenge. GDPR also covers these technologies, but its principles are often too broad, too general, or insufficiently focused on specific technological practices.
Legislation is not agile enough to adequately respond to these challenges. The European Commission is preparing the AI Act, Data Governance Act, and other supplementary regulations, but the question remains: will this be fast enough – and above all, decisive enough?
Is GDPR dead?
No. But its core is under question: can it ensure the protection of the digitally illiterate individual (for whom GDPR is actually intended in its idea) in the digital age?
Europe has not formally abandoned GDPR, but practice shows that there is a need for:
- thorough overhaul of implementation and supervision,
- harmonization of practices among countries,
- and strengthening user rights also in the context of new technologies.
Is it time for GDPR 2.0?
If Europe wants to remain a model in digital rights and a leader in hindering economic growth, it will have to find a way for legislation not to remain just a dead letter. We therefore need a more complicated GDPR system that will be impractical to implement, where compliance integration will be more expensive, especially for smaller companies, where reporting on obtained consents will be required, and at the same time, more inspectors who can check business compliance.
What is happening with GDPR in 2025?
1. Simplifications for Small and Medium-sized Enterprises (SMEs)
In May 2025, the European Commission presented a proposal to simplify certain GDPR obligations for SMEs. The goal is to reduce administrative burdens, especially regarding the keeping of data processing records, without compromising the fundamental rights of individuals. The proposal includes extending existing exemptions for companies with fewer than 250 employees to companies with up to 500 employees, with certain obligations being limited to high-risk cases, such as the processing of health data. euronews.com
2. Criticism regarding GDPR enforcement
Despite the existence of GDPR, criticism is emerging regarding its enforcement, especially in cases of cross-border infringements. Procedures are often lengthy and complex, which reduces the effectiveness of the legislation. The European Commission has therefore proposed a new regulation to improve GDPR enforcement procedures, but some critics have warned that the proposed changes could further complicate already complex procedures. euronews.com
3. Integration with other legislative frameworks
The EU is striving to align GDPR with other legislative initiatives, such as the AI Act and the DSA (Digital Services Act). The goal is to ensure a comprehensive and coordinated approach to regulating the digital environment, which will simultaneously protect individual rights and foster innovation.
Although GDPR faces challenges and the need for adaptations, there are no indications that the EU plans to abandon it. Instead, it focuses on reforms that would make the legislation more effective and adapted to modern technological challenges, while maintaining a high level of personal data protection.