A decade ago, a European law gave ordinary people the right to ask any company: what data do you hold on me? The GDPR became the world’s most influential data protection rule, with European authorities imposing more than €7bn in fines. Now, as it turns ten, it has narrowly avoided being weakened from within, but the fight is not over.

When the General Data Protection Regulation (GDPR) entered into force in May 2016, many dismissed it as bureaucratic box-ticking. Turning 10 this May, it finds itself in a very different climate. Europeans can now demand a copy of their data from any company, ask for it to be corrected or deleted, and expect regulators to act when companies refuse. The Irish Data Protection Commission alone has imposed a €1.2bn fine on Meta, the largest single penalty in GDPR’s history.

In 2025, European authorities averaged 443 data breach notifications per day, a 22 per cent increase on the year before. The cookie consent banners that clutter every website are an irritant, but they are proof that GDPR changed corporate behaviour. Companies that once harvested data without a second thought must now justify why they do so.

A threat from within

In November 2025, the European Commission published the Digital Omnibus, a sweeping package of amendments to the EU’s digital rulebook, including the GDPR. Framed as a simplification exercise to boost competitiveness, it contained one proposal that alarmed privacy experts: a new, narrower definition of personal data.

The idea was simple, and its implications significant. Under the Commission’s plan, whether your data counted as “personal” would depend on who was holding it. A company could argue that, because it could not identify you from the data it held, that data fell outside GDPR altogether. Critics said this would benefit companies working with large datasets, including those used to train artificial intelligence systems, at the expense of individuals’ rights.

Regulators pushed back hard. In February 2026, the European Data Protection Board and the European Data Protection Supervisor issued a joint opinion warning that the proposal went “far beyond a targeted or technical amendment” to the GDPR and would significantly narrow the concept of personal data.

Member states listened. A Council compromise text leaked in February dropped the proposed new definition entirely. It also removed related changes to automated decision-making rules and the Commission’s proposed powers over pseudonymised data. Member states had walked back the most contentious provisions.

The fight is not over

The broader Digital Omnibus package still contains proposals that privacy advocates consider risky. Changes to the right of access, new exemptions tied to company size, and rules on AI training all remain under negotiation. EDRi, the European digital rights network, described the Council’s retreat as “a step back from the brink” and warned that the risks are far from resolved.

The Digital Omnibus regulation is still moving through committee stage in the European Parliament and the Council. No provisional agreement has been reached, and trilogue negotiations lie ahead.

Simplification is essential to cut red tape and strengthen EU competitiveness — but not at the expense of fundamental rights.
— Anu Talus, Chair, European Data Protection Board

GDPR at 10 is neither a triumph nor a cautionary tale. It reshaped global data protection standards, gave individuals real rights, and forced the world’s most powerful companies to justify how they use personal data. EDPB Chair Anu Talus captured the moment: “Simplification is essential to cut red tape and strengthen EU competitiveness — but not at the expense of fundamental rights.” The question is whether the EU will use the Digital Omnibus to build on that legacy or quietly chip away at it.