Ten Years of GDPR: Commission Reviews Data Protection Framework Amid AI Era

The European Commission has launched a comprehensive review of the General Data Protection Regulation as the landmark legislation reaches its tenth anniversary, signalling potential reforms to address mounting challenges posed by artificial intelligence and persistent enforcement gaps across member states.

Justice Commissioner Michael McGrath announced during commemorative events held between 22-24 May that Brussels would table a targeted revision package by the fourth quarter of 2026, marking the most significant reassessment of the framework since its implementation transformed global data protection standards in 2018.

Decade of Implementation Reveals Enforcement Strains

National Data Protection Authorities across the EU have processed more than 350,000 complaints since the GDPR came into force, underscoring both the regulation’s sweeping reach and the considerable strain on enforcement mechanisms. The anniversary review comes as regulators confront an increasingly complex technological landscape that bears little resemblance to the digital environment the legislation was designed to govern.

The Commission’s assessment will focus particularly on so-called ‘one-stop-shop’ provisions, which were intended to streamline cross-border enforcement by designating a single lead authority for companies operating across multiple jurisdictions. These arrangements have faced criticism from consumer advocates and some national regulators for creating bottlenecks and enabling forum shopping by technology giants.

Generative AI Presents Novel Legal Questions

The explosive growth of generative artificial intelligence systems has emerged as a central challenge for the GDPR framework, with fundamental questions about the legality of training large language models on personal data remaining unresolved. The review will examine how existing provisions on data processing purposes, consent mechanisms, and automated decision-making apply to AI systems that can generate novel content based on vast datasets potentially containing personal information.

“We must ensure our data protection framework remains fit for purpose in an era where AI systems are trained on unprecedented volumes of information,” McGrath stated during the anniversary proceedings. “The GDPR’s principles remain sound, but we need targeted adjustments to provide clarity for innovators whilst maintaining robust protections for citizens.”

Harmonisation with AI Act Under Scrutiny

The planned revision package will also address coordination between the GDPR and the recently adopted AI Act, which establishes its own governance structures and compliance requirements. Legal experts have identified potential overlaps and contradictions between the two regulatory frameworks, particularly regarding requirements for transparency, human oversight, and data quality standards in high-risk AI applications.

The Commission faces a delicate balancing act in harmonising these instruments without undermining the distinct objectives of each regulation or creating additional compliance burdens that could disadvantage European companies competing with international rivals subject to lighter-touch regimes.

Cross-Border Enforcement Remains Contentious

The one-stop-shop mechanism, designed to reduce regulatory fragmentation, has become one of the most contentious aspects of GDPR implementation. Critics argue that concentrating lead authority status with regulators in countries like Ireland and Luxembourg—home to many technology companies’ European headquarters—has resulted in slower, more conservative enforcement compared to a distributed model.

Several member states have pushed for reforms that would expand the circumstances under which national authorities can take direct action against companies, even when another regulator serves as the lead authority. The Commission’s review will need to navigate these competing interests whilst preserving legal certainty for businesses operating across borders.

Global Standard-Setting Legacy at Stake

Beyond the EU’s borders, the GDPR has inspired similar legislation in jurisdictions from California to Brazil, establishing what observers have termed the ‘Brussels effect’ in global data protection standards. How the Commission approaches this review will likely influence regulatory developments worldwide, particularly regarding the intersection of privacy rights and artificial intelligence governance.

The revision process will include extensive consultations with national regulators, industry stakeholders, civil society organisations, and international partners, with preliminary proposals expected in the first half of 2026 ahead of the formal legislative package later that year. As generative AI continues its rapid evolution and cross-border data flows become ever more central to the digital economy, the stakes for getting this recalibration right extend far beyond Europe’s borders, potentially shaping the global governance framework for decades to come.