10 years GDPR: A Decade of Europe's Top Privacy Law

The GDPR turns 10 in 2026. Over the past decade, EU data protection authorities have issued more than €8 billion in fines, and over 700,000 organisations have registered Data Protection Officers. Hundreds of court rulings have changed how we define personal data, who is considered a data controller, and when companies must pay compensation. What started as a compliance panic has become a working enforcement system.

This one regulation changed the rules for consent, made companies around the world rethink how they transfer data, and created the new role of Data Protection Officer. By 2025, it also became the legal foundation for regulating AI. When the European Parliament passed the GDPR on April 27, 2016, lead rapporteur Jan Philipp Albrecht said it would “change not only the European data protection laws but nothing less than the whole world as we know it.” Here’s what happened next.

The GDPR decade: The Timeline

2016: GDPR adopted April 27, enters into force May 24. EU-U.S. Privacy Shield adopted, replacing Safe Harbour.

2017: Germany becomes the first EU state to align national law with the GDPR. First CJEU judgment references the regulation.

2018: Fully enforceable from May 25. European Data Protection Board replaces Article 29 Working Party.

2019: Planet49 ruling confirms pre-ticked cookie boxes are invalid. EU-Japan mutual adequacy adopted.

2020: Schrems II invalidates Privacy Shield. COVID-19 data protection guidance issued. Brexit transition ends.

2021: New Standard Contractual Clauses published. Cookie banner task force launched. Fines cross €1 billion for the first time.

2022: First EU-wide decision on children’s data rights. Right to be forgotten strengthened.

2023: ChatGPT task force established. Over 700,000 DPOs registered across the EEA.

2024: DPA roles expanded under AI Act, Digital Markets Act and Digital Services Act.

2025: Omnibus reform proposals for SMEs tabled. Breach notifications exceed 400 per day.

2026: GDPR Procedural Regulation enters into force. Brazil adequacy adopted.

What were the most important GDPR court rulings?

Between 2017 and 2026, the CJEU made dozens of GDPR rulings. A few of these decisions had a big impact on how companies operate every day.

C-673/17 Planet49 (2019): Pre-ticked boxes don’t count as consent.

C-311/18 Schrems II (2020): The Privacy Shield is invalid.

C-460/20 Google (2022): The right to be forgotten was strengthened.

C-807/21 Deutsche Wohnen (2023): A company can be fined for a GDPR infringement without identifying the specific employee responsible.

Compensation cases used to be rare, but now they are common. In 2023, the C-300/21 Österreichische Post case clarified that people can claim compensation for nonmaterial damage. In 2024, C-507/23 confirmed that just losing control over your personal data is enough for a claim; you do not have to show financial loss. The C-590/22 PS case in 2024 said that even a temporary loss of control during a data breach can be compensated. By 2026, the C-526/24 Brillen Rottler case added a limit: a first access request can still be rejected as abusive in some situations.

Does GDPR apply to companies outside the EU?

Yes. The GDPR applies to any organisation that handles the personal data of people in the EU, regardless of where the organisation is located. This is why it became a global standard.

The adequacy framework extended the reach further. The EU struck a mutual adequacy arrangement with Japan in 2019. South Korea and the UK got adequacy decisions in 2021. The EU-U.S. Data Privacy Framework replaced the invalidated Privacy Shield in 2023. In 2024, the Commission renewed adequacy decisions for 11 countries, including Argentina, Canada, Israel, New Zealand and Switzerland. In 2025, the first adequacy decision was issued for an international organisation (the European Patent Office) rather than a country.

In 2026, mutual adequacy decisions with Brazil created what the Commission called the largest area of free and safe data flows in the world.

What does GDPR compliance actually require from organisations today?

By 2023, more than 700,000 organisations had registered Data Protection Officers across the European Economic Area. By 2024, the average organisation was handling close to 5,000 privacy compliance-related requests per year.

Building the compliance system took time, but it happened. Germany was the first EU country to update its national law for the GDPR in 2017. The Commission released new Standard Contractual Clauses for international data transfers in 2021. In 2024, DPA roles grew with the arrival of the Digital Markets Act, Digital Services Act, Data Governance Act, Data Act, and AI Act. Data protection authorities began handling enforcement and advisory functions beyond privacy, becoming part of a broader digital regulatory system.

The EDPB established a ChatGPT task force in 2023, which expanded in 2025 to examine broader AI enforcement. This meant that AI systems that use personal data were subject to direct review under the GDPR. In 2025, the EDPB also released guidance on pseudonymization, blockchain, and the connection between the Digital Services Act and the GDPR.

What is changing in GDPR right now?

The GDPR is being updated. In 2025, the Commission’s Omnibus IV proposal aimed to make recordkeeping easier for small and medium-sized businesses. The Digital Omnibus suggested specific changes to the GDPR text itself.

In 2026, the GDPR Procedural Regulation entered into force, giving the one-stop-shop mechanism clearer procedural rules for cross-border cases. The same year, the CJEU confirmed in C-97/23 WhatsApp Ireland v. EDPB that companies can directly challenge binding EDPB decisions before EU courts.

Cross-border enforcement also became much faster.

In 2018, there were 43 OSS procedures and only 2 decisions. By 2025, there were 1,299 procedures and 572 final decisions. The difference between cases started and cases finished is getting smaller.

What happened when GDPR first became enforceable in 2018?

The GDPR became fully enforceable on May 25, 2018. The first fine went to a betting shop owner in Austria, who had to pay €4,800 for a surveillance camera that recorded a public sidewalk. That year, EU data protection authorities gave out a total of €458,688 in fines. While that amount seems small now, the main point was not the size of the fines.

In 2018, the UK Information Commissioner’s Office got about 500 GDPR-related questions each week. Many companies reported even minor problems out of concern, showing that the regulation was taken seriously even before enforcement became routine.

The European Data Protection Board replaced the Article 29 Working Party in 2018. That year, it issued 26 consistency opinions to set rules for cross-border cases. In 2018, 255 cross-border cases were initiated, but only 2 resulted in final decisions.

How much did GDPR fines grow across the decade?

GDPR fines grew from €458,688 in 2018 to €1.97 billion in 2023 (the peak year), with Ireland accounting for €1.55 billion of that total and Germany issuing the most individual fines at 469. By 2025, EU authorities had issued over €8 billion in cumulative fines. The trajectory was not linear.

In 2019, fines went over €72 million for the first time. In 2020, they reached €171 million. By 2021, fines had jumped to €1.28 billion; in 2022, they were €842 million. Fines were lower in 2024 and 2025 compared to 2023, but Ireland still issued €530 million in 2025. These numbers show not just the number of violations, but also how long it took DPAs to build the teams and systems needed to handle complex cross-border cases.

What does a decade of GDPR tell us?

The first decade of the GDPR shows that the law has worked as intended, though progress has been slower than many expected in 2018. As Isabelle Falque-Pierrotin, former Chair of the Article 29 Working Party, said in 2018: “People now really want their data protected.” Over time, enforcement caught up with public expectations through court decisions, stronger DPAs, and an adequacy framework that spread the GDPR’s influence far beyond Europe.

By 2025, there were more than 400 breach notifications every day, and organisations were handling almost 5,000 compliance requests each year. The GDPR is not perfect; speed and consistency of enforcement still need improvement. Still, the data protection landscape in 2026 is clearly different from 2016. That’s the result of 10 years of real legal change.

About the Author

Zlatko Delev

Country Manager & Head of Commercial — GDPRLocal

Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.