Ireland: Reflections on the significance of the GDPR – 8 years on

Today, the 25th May 2026, marks 8 years since the GDPR came into effect. In this article we explore 8 significant developments since its inception and consider how this landmark piece of legislation has been interpreted, challenged and integrated into everyday life in Ireland, the EU and beyond.

1.      Increased Public Awareness and Understanding: Over the past 8 years, data protection has become increasingly embedded in the everyday experience of individuals across the EU. Citizens are now considerably more aware of their data protection rights, driven by guidance from regulatory bodies such as the DPC, privacy notices, cookie consent mechanisms, and the growing use of data subject access requests. 

2. Data Breaches and Cyber Attacks: The number of data breach notifications made to regulatory bodies across Europe has risen significantly since 2018. High-profile cyber-attacks on public bodies, such as the HSE, have led to an increase in data breach claims and heightened awareness of the security and technological standards required of IT systems when handling personal data.

3. Data Breach Litigation: Data-related litigation has increased considerably, particularly in respect of claims for damages arising from data breaches and unlawful processing. In the UI v Österreichische Post AG case, the CJEU provided clarity that mere infringement of GDPR does not automatically entitle a claimant to compensation, some demonstrable harm must be established before a claimant will be entitled to compensation.

4. The Evolving Role of the DPC: The DPC has been subject to significant scrutiny since its establishment as Ireland’s data protection authority under the GDPR. As the EU headquarters for many of the world’s leading technology companies, the DPC is in the position of lead supervisory authority for the majority of significant GDPR investigations and rulings since 2018. As a result, it is one of the most influential, and closely watched, data protection authorities in Europe.

5. Record Fines: Fines imposed under GDPR have reached considerable sums, demonstrating that failure to comply with data protection law carries significant financial consequence. In 2023 the DPC issued Meta with a record €1.2 billion fine for the unlawful transfer of personal data to the United States. Luxembourg’s CNPD issued a €746 million fine against Amazon in 2021, with the DPC’s €405 million fine against Meta in respect of Instagram also ranking among the largest penalties issued to date. Despite the scale of these penalties, their practical enforcement remains far from straightforward in circumstances where DPAs face considerable difficulty in recouping fines pending the outcome of appeal proceedings. 

6. Enforcement disparities: Perhaps one of the most persistent criticisms of the GDPR enforcement regime has been the significant inconsistency in how investigations are carried out and penalties imposed. Much of the criticism centres on claims that certain DPAs are not enforcing GDPR compliance on major tech companies to an appropriate level. Over the years, the EDPB has exercised its intervention powers with increasing frequency, most notably through the binding decision mechanism under Article 65 GDPR, directing lead supervisory authorities to revise draft decisions and, in several instances, to impose significantly higher sanctions than those initially proposed. However, there are signs that this inconsistency is improving, with a significant reduction in decisions and fines being challenged by DPAs. The European Commission has proposed a Digital Omnibus package which is expected to build on this progress by reducing delays in cross border investigations, encouraging cooperation between DPAs and harmonising enforcement procedures.

7. Artificial Intelligence: The rapid growth of AI has emerged as one of the most significant and complex challenges for the GDPR. Large language models and automated decision-making systems are at the forefront of these concerns, as data protection authorities grapple with how established GDPR principles apply to these evolving technologies. Considerable uncertainty remains for controllers seeking to deploy AI systems in a GDPR-compliant manner. The Digital Omnibus includes targeted clarifications aimed at reducing legal uncertainty for controllers deploying or developing AI systems, including clarifications on the definition of personal data in the context of AI model training.

8. Proposed Reforms: Following 8 years of observing how GDPR has been interpreted and enforced across the EU, certain challenges have been persistently identified, including consent fatigue and the administrative burden associated with data protection impact assessments. The cumulative weight of incoming EU digital regulation has placed a significant compliance burden on data controllers, particularly SMEs, which have often struggled with the cost and complexity of meeting all of their obligations. The Digital Omnibus is expected to clarify the definition of personal data, provide for the refusal of abusive data subject access requests, simplify and streamline breach reporting obligations, and introduce a harmonised DPIA template.

On balance, in a world where “data” is the new oil, the GDPR has ensured in so far as possible the protection of fundamental privacy rights; it is ever more relevant with technological advancements and the commercialisation of personal data. Although it can sometimes give rise to ambiguities, the principles it espouses are solid and worth defending. 

By Byrne Wallace Shields, Ireland, a Transatlantic Law International affiliated firm. 

For further information or for any assistance please contact ireland@transatlanticlaw.com.

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 84 Brook Street, London W1K 5EH, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.