
May 2026
by Adela Nuță
“We have updated the terms and conditions.” “Your privacy matters to us.” This was the content of the emails received simultaneously, on 25 May 2018, by millions of people from companies they had forgotten for years. The GDPR had entered into force. Companies responded as they knew best to the new requirements imposed by the European Union: with a lot of text and little substance.
Eight years later, it is worth asking: did anything truly change?
The short answer is yes. The long answer is yes, but not as we would have expected.
What truly worked?
The GDPR produced something difficult to quantify — it exported a standard. Dozens of countries modelled their own legislation after it: Brazil, Japan, South Korea, India, etc. The right to erasure, the right of access, the obligation to notify breaches within 72 hours, all are now global concepts, not merely European ones. Even American companies with no establishment in the EU revised their internal policies to avoid friction with European customers.
Concretely, within technology companies, the GDPR created professions that did not previously exist: the Data Protection Officer became a mandatory function, Privacy by Design transitioned from theory into a legal requirement, and Data Protection Impact Assessments became an integral part of the standard development cycle of any product engaging with personal data. Prior to 2018, privacy was a footnote. Today, it is an architectural criterion.
The shift was equally felt at the level of the relationship between companies and users. Before the GDPR, the question companies posed to themselves was: “how do we collect as much data as possible?” Today, at least in Europe, that question has become: “do we genuinely need this data?” It is a shift in mindset that appears in no annual report, yet one that transformed the manner in which ordinary users began to ask, for the first time, what becomes of their information.
What has not worked?
The GDPR was, in practice, a regulation more readily observed by the large than by the small. Major corporations afforded themselves entire legal departments dedicated to compliance, Data Protection Officers, and automated consent management systems. For small and medium-sized enterprises, the costs of compliance were disproportionate to the actual risk they presented — a paradox for a regulation conceived to protect the citizen from the abuses of the powerful.
The second major failure is fragmentation. The GDPR injected an enormous degree of regulatory uncertainty: disagreements between national supervisory authorities created a state of disorder in which the same conduct was treated differently depending on the country in which the company held its European establishment. Companies swiftly learned to play this game, carefully selecting the jurisdiction that offered them the most lenient supervisory regime.
Perhaps the most profound limitation of the GDPR is that it was drafted in a world without ChatGPT. Large language models raise questions the 2018 regulation could not have answered: is data used for training “processed” within the meaning of the GDPR? Does the data subject retain a genuine right to erasure when their data has been ingested into a model comprising hundreds of billions of parameters? Data minimisation, purpose limitation, the right of access, all are principles conceived for classical databases, not for systems that absorb the entirety of the internet and whose “memories” cannot be extracted and erased on demand. This is the terrain upon which the GDPR enters its eighth year, without a clear answer.
What comes next?
The European Commission has acknowledged that the framework has become excessively cumbersome and has proposed, through the Digital Omnibus, the simplification of certain obligations that have stifled small companies without affording greater protection to users. This is not a retreat; it is a recalibration.
The next frontier is artificial intelligence. Joint guidelines on the intersection between the AI Act and the GDPR are anticipated throughout 2026, and their purpose is to clarify whether a regulation from 2018 can still govern a technology that no one had anticipated at the time.
Eight years after its entry into force, the GDPR remains the most ambitious experiment in digital regulation in history. It has not resolved everything. But it has demonstrated that regulation can matter, and that Europe is willing to use it. It remains to be seen whether it can also keep pace.
