Marking 7 years of the GDPR: reflecting on the past, shaping the future

25 May 2025 marks seven years since the General Data Protection Regulation (GDPR) came into effect on 25 May 2018, a landmark in global data privacy and a symbol of Europe’s commitment to protecting individuals’ personal data in the digital age.

Since its adoption, the GDPR has reshaped how organisations collect, process, and store personal data. It has empowered individuals with greater control over their data, fostered transparency, and strengthened accountability.

This anniversary is an opportunity to take a closer look at the key developments that have shaped the GDPR’s journey so far and to explore what lies ahead.

Looking back: Seven Years of Milestones and Evolution

1. Enforcement

Over the past seven years, data protection authorities across the EU have issued decisions that continue to clarify the practical application of the GDPR. While some cases have made headlines, enforcement trends show a steady, maturing approach focusing on both major players and sector-specific compliance.

2. EU-US Data Transfers

Transatlantic data transfers have long been a legal challenge. After the Court of Justice of the EU invalidated both Safe Harbor and the Privacy Shield, the European Commission adopted the EU–US Data Privacy Framework (DPF) in 2023 to re-establish a lawful basis for transfers to certified US companies.

The DPF aims to address earlier concerns by introducing safeguards such as limiting US government access to EU personal data and creating a new redress mechanism for EU individuals via the Data Protection Review Court.

Despite this, critics remain sceptical – arguing that the reforms do not go far enough to meet the standards set by the Schrems II ruling. Civil society groups and privacy advocates have questioned the independence and effectiveness of the redress mechanism, and a legal challenge is already pending before the CJEU.

In May 2024, the European Data Protection Board (EDPB) adopted its first report on the DPF. The report acknowledges improvements, particularly in redress mechanisms and oversight structures. However, it also highlights areas for continued monitoring, including transparency of US government access requests and the long-term effectiveness of the safeguards in practice.

3. A Growing EU Digital Legal Ecosystem

The GDPR now operates alongside a broader set of EU digital regulations designed to create a coherent framework for the data economy and platform governance. Notable examples include:

  • the AI Act, introducing requirements for AI systems, with strong links to GDPR principles such as data minimisation and transparency;
  • the Data Act (DA), aiming to regulate access to and sharing of non-personal and co-generated data, with implications for mixed datasets;
  • the Data Governance Act (DGA), designed to facilitate data sharing, particularly for altruistic purposes, and to create a trustworthy environment for data intermediaries; and
  • the Digital Services Act (DSA) and the Digital Markets Act (DMA), regulating online platforms and gatekeepers, including obligations around algorithmic transparency and systemic risk assessments.

Together, these instruments reflect the EU’s ambition to build a comprehensive legal framework for the digital world, reinforcing data protection as a foundational value.

Looking forward: What is next for the GDPR?

1. A New Regulation to Streamline Enforcement Procedures

Currently under negotiation, the proposal for a regulation laying down additional procedural rules for GDPR enforcement aims to improve cooperation and consistency among data protection supervisory authorities, especially in cross-border cases, and to address long-standing criticism of the GDPR's enforcement delays and fragmentation.

The proposal introduces procedural rules to:

  • clarify the rights of complainants and controllers/processors in cross-border procedures;
  • harmonise deadlines for procedural steps; and
  • improve coordination within the One-Stop-Shop mechanism.

2. Simplification of Article 30 Record-Keeping Obligations

On 21 May 2025, the European Commission published a proposal for a regulation aimed at simplifying the GDPR. The proposed changes touch only a few articles, among them Article 30(5) GDPR.

Under Article 30 GDPR, controllers and processors must maintain a Record of Processing Activities (RoPA), a key accountability tool.

There is an exemption for organisations with fewer than 250 employees. However, it only applies under strict conditions, namely that the processing is occasional, involves no sensitive data, and poses no risk to individuals. As a result, many SMEs must still comply with the full record-keeping requirements.

The new proposal aims to simplify and clarify this derogation by:

  • making record-keeping mandatory only when the processing is likely to result in a high risk to data subjects’ rights and freedoms;
  • broadening the scope of the exemption to cover:
    • small and micro-enterprises; and
    • organisations with fewer than 750 employees.

In a joint letter to the European Commission, the EDPB and EDPS have already expressed their support for the initiative.

3. The ‘Three-Layered’ GDPR Reform Proposal

A more ambitious reform has been floated by MEP Axel Voss, with support from Max Schrems. It proposes a three-layered revision of the GDPR, consisting of:

  • a “Mini-GDPR” layer, which would apply to around 90% of businesses. It would reduce documentation requirements, simplify transparency obligations, and remove the need to appoint a data protection officer;
  • a “Normal GDPR” layer, which would preserve most existing rules and apply to companies that process sensitive personal data or operate on a larger scale; and
  • a “GDPR Plus” layer, which would target very large online platforms and companies whose business model relies heavily on personal data processing, such as advertising firms. These entities would be subject to, among other measures, mandatory external audits.

While still at the concept stage, this proposal could significantly reshape how the GDPR is applied in practice, especially if political momentum builds.

4. EDPB Strategy 2024–2027

The EDPB recently published its strategic priorities for the next three years, signalling a focus on:

  • enhancing harmonisation and promoting compliance;
  • reinforcing a common enforcement culture and effective cooperation;
  • safeguarding data protection in the developing digital and cross-regulatory landscape; and
  • contributing to the global dialogue on data protection.

This strategy reinforces the EDPB’s leading role in steering the future of data protection in Europe and beyond.

5. Conclusion

The GDPR remains a living instrument, rooted in strong principles, but continuously evolving. As the regulatory landscape shifts and new expectations emerge, staying informed and adaptive will be more important than ever.

Authors

  • Olivia Santantonio, Partner
  • Ines Nibakuze, Associate