Seven years in, GDPR faces growing challenges from AI and ‘consent or pay’ models

Europe’s pioneering data protection legislation turned seven years old in May, but the compliance and enforcement difficulties that have dogged the rules since they came into force look set to present both companies and data regulators with fresh headaches for some time to come. 

The EU-wide regulator of the General Data Protection Regulation (GDPR) has issued its latest annual report detailing some of the enforcement trends from 2024. And two of the European Data Protection Board’s (EDPB) key concerns still center on organizations’ level of GDPR compliance, and how national data protection authorities (DPAs) should foster better co-operation to achieve a more harmonised enforcement culture.

A look at the EDPB’s own list of each country’s total number of fines and their fine tallies shows the differences in enforcement approach: data regulators in Germany, Spain and Italy are the most likely to issue sanctions (issuing 416, 281, and 140 fines respectively), ranging from small to large penalties. A dozen other countries, including Belgium and Sweden, have issued fewer than 10 fines each in the past year. However, one of these—Ireland—accounts for the largest fine tally of any regulator at €652 million, thanks to its €310 million penalty against LinkedIn, and €251 million and €91 million penalties against Meta.
