GDPR at 10: A Look Back at the Past 10 Years
This resource provides an overview of developments over the past 10 years relating to the GDPR.
Contributors:
Laura Pliauškaitė
European Operations Coordinator
IAPP
This resource provides an illustrative, nonexhaustive overview of selected developments over the past 10 years relating to the EU General Data Protection Regulation.
This resource is based on information from publicly available sources.
Overview of GDPR developments, 2016–2026
- April 27: The GDPR was adopted.
- May 24: The GDPR entered into force.
- The European Commission adopted its adequacy decision for the EU-U.S. Privacy Shield, replacing the invalidated Safe Harbour agreement.
- Germany became the first EU member state to align its national law with the GDPR.
- The Article 29 Working Party published GDPR-related guidance, including on the appointment of data protection officers, identification of a lead supervisory authority, data portability and data protection impact assessments.
- One of the first Court of Justice of the European Union judgments references the GDPR. C-434/16 Nowak v. Data Protection Commissioner confirmed a broad interpretation of “personal data.”
- May 25: The GDPR entered into application, making it fully enforceable.
- In 2018 alone, there were 255 cross-border cases and 43 procedures initiated under the one-stop-shop mechanism, resulting in 2 final decisions.
- EU DPAs issued a total of 458,688 euros in fines.
- First GDPR enforcement. The U.K. Information Commissioner’s Office issued an enforcement notice against AggregateIQ, ordering it to cease data processing for analytics, political campaigning or other advertising.
- First GDPR monetary fine issued by Austria’s Data Protection Authority, which fined the owner of a betting shop 4,800 euros plus legal costs for a surveillance camera that captured a public sidewalk.
- Reports emerged that, out of fear of heavy fines, companies overreported minor GDPR issues. For example, the U.K. Information Commissioner’s Office received around 500 GDPR-related inquiries per week.
EDPB:
- The EDPB endorsed 16 GDPR-related guidelines of the Article 29 Working Party and adopted four more guidelines, including on the territorial scope of the GDPR.
- The EDPB adopted 26 consistency opinions.
- EU-Japan mutual adequacy decisions adopted.
- There were 585 cross-border cases and 142 procedures initiated under the OSS mechanism, resulting in 79 final decisions.
- The Netherlands’ Autoriteit Persoonsgegevens was the first DPA to issue a formal policy on setting administrative fines under the GDPR.
EDPB:
- The EDPB adopted seven guidelines on topics including privacy by design and default and the right to be forgotten.
- The EDPB adopted 16 consistency opinions, including on DPIAs and the interplay between the ePrivacy Directive and the GDPR.
CJEU judgments included:
- C‑136/17 GC and Others: The ruling addressed the territorial scope of the right to be forgotten.
- C-673/17 Planet49: The court concluded that consent must be active and informed and pre-ticked boxes for cookie consent are not valid.
- C-40/17 Fashion ID: The CJEU concluded that website operators using social plugins can be joint controllers with providers of those plugins.
- The Commission published its first review and evaluation report of the GDPR.
- The Brexit transition period ended. Although it preserved much of the GDPR in its law, the U.K. became a “third country” regarding EU data protection law.
- The Commission issued a toolbox for the development and use of GDPR-compliant COVID-19 contact tracing apps.
- There were 628 cross-border cases and 203 procedures initiated under the OSS mechanism, resulting in 93 final decisions.
- EU DPAs issued a total of 171,770,179 euros in fines.
EDPB:
- The EDPB adopted 12 guidelines and recommendations related to the data protection requirements concerning the COVID-19 pandemic, concept of consent, interplay between the revised Payment Services Directive and the GDPR, targeting social media users and international transfers.
- The EDPB adopted its first binding decision on the fine issued by the Data Protection Commission, Ireland’s DPA, for Twitter’s violation of GDPR data breach obligations.
- The EDPB adopted 32 consistency opinions, including on Binding Corporate Rules.
CJEU judgments included:
- C-623/17 Privacy International: The CJEU concluded that EU law prohibits national laws from requiring providers to transmit bulk personal data to public authorities for national security purposes.
- C-311/18 Facebook Ireland and Schrems: The ruling invalidated the EU adequacy decision for the EU-U.S.
- The Commission published new, modernized Standard Contractual Clauses for international data transfers.
- The EDPB established a cookie banner taskforce to coordinate actions against noncompliant banners across Europe.
- The Commission adopted adequacy decisions for South Korea and the U.K.
- There were 506 cross-border cases and 209 procedures initiated under the OSS mechanism, resulting in 141 final decisions.
- EU DPAs issued a total of 1,283,689,683 euros in fines.
EDPB:
- The EDPB adopted 14 guidelines and recommendations, including on breach notifications, codes of conduct, credit card data storing, virtual voice assistants and controller and processor concepts.
- The EDPB adopted one binding decision and its first urgent binding decision concluding that no final measures must be adopted at the time by Ireland’s DPA, but it must investigate Facebook’s role as a processor or (joint) controller concerning WhatsApp user data.
- The EDPB issued 35 consistency opinions, including on Standard Contractual Clauses.
- The EDPB adopted 15 consultations and statements on legislative developments.
CJEU judgments included:
- C-645/19 Facebook Ireland and Others: The court clarified the competence of a non-lead supervisory authority under the OSS mechanism.
- The EDPB launched its first coordinated enforcement action on the use of cloud-based services by the public sector.
- The EDPB launched the Support Pool of Experts program.
- There were 310 cross-border cases and 714 procedures initiated under the OSS mechanism, resulting in 330 final decisions.
- EU DPAs issued a total of 842,204,165 euros in fines.
EDPB:
- The EDPB adopted 12 guidelines and recommendations, including on breach notifications, codes of conduct, data subject rights, deceptive design patterns and administrative fines.
- The EDPB adopted five binding decisions, including the first EU-wide decision on children’s rights.
- The EDPB adopted 32 consistency opinions.
- The EDPB adopted eight documents on legislative developments.
CJEU judgments included:
- C-460/20 Google: The court strengthened the right to be forgotten under the GDPR.
- C-319/20 Meta Platforms Ireland: The ruling confirmed that consumer protection associations can bring representative actions for GDPR infringements.
- The Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework.
- More than 700,000 organizations reported to have registered DPOs across the European Economic Area under the GDPR.
- There were 366 cross-border cases and 1,023 procedures initiated under the OSS mechanism, resulting in 442 final decisions.
- EU DPAs issued a total of 1,973,832,107 euros in fines. Germany issued the greatest number of fines with 469. The largest total amount was issued in Ireland with 1,551,782,500 euros.
- The EDPB established a ChatGPT taskforce to coordinate enforcement across Europe.
EDPB:
- The EDPB adopted 12 general guidance and recommendations, including on deceptive design patterns in social media platform interfaces and the use of facial recognition technology in law enforcement.
- The EDPB adopted two binding decisions and one urgent binding decision.
- The EDPB adopted 37 consistency opinions.
- The EDPB adopted four opinions and contributions on legislative developments.
CJEU judgments included:
- C-60/22 Bundesrepublik Deutschland: The court concluded that not every violation of the GDPR renders all related processing unlawful.
- C-154/21 Österreichische Post: The CJEU clarified the right of access and that data subjects are entitled to information about the recipients of their personal data.
- C-300/21 Österreichische Post: The ruling clarified the right to compensation for nonmaterial damages.
- C-807/21 Deutsche Wohnen: The court established that companies may be fined for an infringement without identifying a specific individual.
- C-252/21 Meta Platforms and Others: The ruling addressed the interplay between competition authorities and data protection supervisory authorities and GDPR interpretation.
- C-307/22 FT v. DW: The CJEU stated that individuals have the right to a free initial copy of their personal data regardless of the purpose.
- The Commission published its second review and evaluation report of the GDPR.
- DPA roles were expanded due to emerging EU digital laws, including the Digital Markets Act, Digital Services Act, Data Governance Act, Data Act and Artificial Intelligence Act.
- There were 350 cross-border cases and 982 procedures initiated under the OSS mechanism, resulting in 485 final decisions.
- EU DPAs issued a total of 1,254,684,666 euros in fines. Germany issued the greatest number of fines with 416. The largest total amount was issued in Ireland with 652,029,500 euros.
- The Commission renewed 11 adequacy decisions for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
- On average, organizations were processing nearly 5,000 privacy compliance-related requests per year.
EDPB:
- The EDPB did not adopt any binding decisions for the first time since 2020.
- The EDPB adopted four guidelines, including on the scope of the ePrivacy Directive and the processing of personal data based on Article 6(1)(f) GDPR.
- The EDPB adopted 28 consistency opinions, including on consent or pay models, the processing of personal data in the context of AI models and the notion of “main establishment.”
- The EDPB adopted six statements on legislative developments, including on the DPA’s role in the AI Act framework.
CJEU judgments included:
- C-741/21 GP v. juris GmbH: The court confirmed that compensation requires actual damage and is not meant to be punitive.
- C-507/23 Patērētāju tiesību aizsardzības centrs: The CJEU confirmed that “loss of control” over data can be sufficient for nonmaterial damage compensation.
- C-768/21 Land Hessen: The ruling confirmed that DPAs are not required to use corrective powers if a breach is already resolved.
- C-21/23 Lindenapotheke: The court clarified the GDPR’s relationship with competition and consumer law when it comes to remedies.
- C-590/22 PS: The CJEU established that a temporary loss of control over personal data due to data breach can constitute compensable nonmaterial damage.
- The Commission tabled Omnibus IV, which proposed simplified recordkeeping requirements under the GDPR for small and medium-sized enterprises and small mid-cap companies, and the Digital Omnibus, which proposed targeted amendments to the GDPR.
- This year marked the first time since 2018 that the daily average of personal data breach notifications exceeded 400.
- The Commission adopted the first adequacy decision for an international organization rather than a country — the European Patent Office.
- There were 414 cross-border cases and 1,299 procedures initiated under the OSS mechanism, resulting in 572 final decisions.
- EU DPAs issued a total of 1,145,760,374 euros in fines. Slovakia issued the greatest number of fines with 542. The largest total amount was issued in Ireland with 530,773,000 euros.
- The EDPB extended the scope of its ChatGPT taskforce to broader AI enforcement across Europe.
- The Commission renewed its adequacy decision for the U.K.
EDPB:
- No binding decisions were adopted by the EDPB.
- The EDPB adopted six general guidance and recommendations, including on pseudonymization, blockchain technologies and the interplay between the DSA and the GDPR.
- The EDPB endorsed its first guidelines, jointly developed with the Commission, on the interplay between the DMA and GDPR.
- The EDPB adopted 29 consistency opinions.
- The EDPB adopted nine opinions and statements on legislative developments, including on age assurance.
- The EDPB published “Position paper on Interplay between data protection and competition law.”
CJEU judgments included:
- T-354/22 Bindl v. European Commission: The case highlighted that data subjects can be awarded nonmaterial damages for uncertainty concerning their personal data processing resulting from unlawful data transfers.
- C-492/23 Russmedia Digital and Inform Media Press: The ruling confirmed that online marketplace operators are data controllers for personal data in advertisements on their platforms.
- T-553/23 Latombe v. European Commission: The case concerned the validity of the EU-U.S. Data Privacy Framework.
- T-70/23 Data Protection Commission v. European Data Protection Board: The court clarified the competences of the EDPB.
- C-416/23 Österreichische Datenschutzbehörde: The ruling concluded that the number of requests by a data subject does not automatically make them manifestly excessive.
- The GDPR Procedural Regulation entered into force.
- Mutual adequacy decisions with Brazil adopted, creating the biggest area of free and safe data flows in the world.
CJEU judgments included:
- C-526/24 Brillen Rottler: The CJEU ruled that even a first request for access to personal data may be deemed abusive and rejected.
- C-97/23 WhatsApp Ireland v. EDPB: The court concluded that companies can directly challenge binding decisions of the EDPB before EU courts.
