Ten Years of GDPR: Commission Reviews Data Protection Framework Amid AI Era

The European Commission has launched a comprehensive review of the General Data Protection Regulation as the landmark legislation marks its tenth anniversary, with officials pledging targeted reforms to address mounting challenges posed by generative artificial intelligence and persistent enforcement gaps across member states.

During commemorative events held between 22 and 24 May, Commission officials acknowledged that whilst the GDPR has established the EU as a global standard-bearer for data protection, the framework now requires recalibration to meet the demands of rapidly evolving technologies that were barely conceived when the regulation was drafted.

Enforcement Challenges Take Centre Stage

Justice Commissioner Michael McGrath confirmed that the Commission will present a targeted revision package by the fourth quarter of 2026, addressing several structural weaknesses that have emerged during the regulation’s implementation. Chief amongst these concerns is the so-called ‘one-stop-shop’ mechanism, designed to streamline cross-border enforcement but which has instead become a source of frustration for both complainants and regulators.

Under the current system, companies with operations across multiple EU countries are supervised primarily by the data protection authority in their main establishment. However, this arrangement has led to significant delays and coordination difficulties, particularly in high-profile cases involving major technology platforms.

„After ten years of implementation, we have identified clear areas where the framework needs strengthening,” McGrath stated during the anniversary proceedings. „The one-stop-shop mechanism requires refinement to ensure truly effective cross-border enforcement whilst maintaining the single market principles that underpin our approach.”

AI Training Data in Legal Grey Zone

The explosive growth of generative AI systems has thrust data protection law into uncharted territory, particularly regarding the legality of using vast datasets to train large language models and other AI systems. The Commission’s review will specifically examine how GDPR provisions apply to AI training practices, an issue that has generated considerable legal uncertainty for developers and rights-holders alike.

The intersection between the GDPR and the recently adopted AI Act represents another focal point for the upcoming revision. Whilst both frameworks address aspects of algorithmic systems and automated decision-making, questions remain about how their respective requirements should be harmonised to avoid regulatory overlap and conflicting obligations.

A Decade of Data Protection by Numbers

Since the GDPR’s application began in May 2018, national Data Protection Authorities across the EU have processed more than 350,000 complaints from individuals asserting their rights under the regulation. This substantial caseload reflects both growing public awareness of data protection rights and the increasingly complex digital ecosystem that citizens navigate daily.

The enforcement landscape has evolved considerably over this period, with authorities developing sophisticated approaches to investigating and sanctioning violations. High-profile penalties against major technology companies have demonstrated the regulation’s teeth, whilst smaller-scale enforcement actions have shaped business practices across sectors.

Global Influence and International Adequacy

Beyond the EU’s borders, the GDPR has exerted remarkable influence on data protection frameworks worldwide. Numerous jurisdictions have adopted GDPR-inspired legislation, creating a degree of global convergence around core principles such as consent, transparency, and individual rights.

The Commission’s adequacy decisions, which determine whether non-EU countries provide sufficient data protection to receive personal data from Europe, have become powerful diplomatic tools. These decisions will likely feature in the review process, particularly as geopolitical tensions increasingly intersect with questions of data governance and digital sovereignty.

Balancing Innovation and Protection

The revision process promises to reignite debates about the balance between protecting fundamental rights and enabling innovation. Industry representatives have long argued that certain GDPR requirements impose disproportionate compliance burdens, particularly on smaller enterprises, whilst civil society organisations maintain that enforcement remains inadequate given the scale of data protection violations.

The Commission faces the delicate task of addressing legitimate concerns about regulatory friction without undermining the core principles that have made the GDPR a landmark achievement in fundamental rights protection.

As the review process unfolds over the coming months, stakeholders across the digital economy will be watching closely to see how Brussels intends to future-proof its data protection architecture. With the 2026 revision deadline approaching, the Commission must navigate complex technical questions about AI, resolve persistent enforcement challenges, and maintain the EU’s position as the global leader in data protection standards—all whilst ensuring that reforms command the political support necessary for adoption by Parliament and member states in an increasingly fragmented political landscape.