Why the GDPR's Backstory Matters Today

If you work in the fields of data protection, compliance, or digital policy, you do not need reminding that the EU GDPR became fully applicable on 25 May 2018. What’s less spoken about is how it came to be: all the political back and forth, the judicial interventions, and the geopolitical influences that helped shape its 99 articles.
I’ve worked with governance, risk and compliance for over 20 years in global companies, managing projects and programmes, and heading up departments that included high-level data protection responsibilities, but I took a more dedicated data protection route in 2015 for a global emergency services company in Denmark. Legal was part of the team, not driving the team, and I think that mattered a great deal because it was clear that to succeed we needed to look beyond the legal text and focus very much on the HOW. This post isn’t just about legal history, and understanding why the articles and recitals exist does not require a law degree. It is about getting insight into why the regulation prioritises certain rights, includes strange compromises, and continues to evolve through enforcement, court rulings, and a number of reform proposals now reshaping its operation in 2026 and the years to come.
Key dates and what happened
Phase 1: Laying the groundwork (2009–2011)
1 December 2009 – The Treaty of Lisbon entered into force. This provided the Treaty basis for the GDPR project. Article 16 TFEU provided a clear Treaty basis across EU policies. Previously, rules were fragmented across different “pillars” of EU law. At the same time, the Charter of Fundamental Rights became legally binding, elevating data protection as a standalone fundamental right (Article 8) distinct from the right to privacy (Article 7).
4 November 2010 – The European Commission published its strategic communication, “A comprehensive approach on personal data protection in the European Union” (COM(2010) 609). It confirmed that the 1995 Data Protection Directive (95/46/EC) was obsolete in a globalised, digital economy and outlined core objectives: strengthening individual rights, reducing fragmentation, and simplifying rules for businesses. Think back to 2010 - Facebook and LinkedIn were already major platforms, while the broader social media boom was accelerating.
Phase 2: The proposal and early debates (2012–2013)
25 January 2012 – Commission Vice-President Viviane Reding (Commissioner for Justice, Fundamental Rights and Citizenship) unveiled the formal legislative package: the draft GDPR (to replace Directive 95/46/EC) and the draft Law Enforcement Directive (to replace Framework Decision 2008/977/JHA). A key point to note is that the Commission opted for a regulation (directly applicable) rather than a directive, seeking to end the patchwork of national implementations.
21 October 2013 – The LIBE Committee’s vote
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), led by rapporteur Jan Philipp Albrecht (Greens/EFA, Germany), adopted its compromise report. The committee’s version introduced a number of key concepts:
- Much higher administrative fines (up to 5% of global annual turnover or €100 million, whichever is higher; as we know, this was later reduced to 4% / €20 million in the final text)
- Extended territorial scope (Article 3) applying to non-EU entities targeting EU data subjects
- Mandatory DPOs under specific conditions
- Stronger consent requirements and data subject rights
The file attracted thousands of amendments and reflected strong lobbying and lots of political scrutiny.
Phase 3: The Trilogue negotiations (2014–2015)
12 March 2014 – The European Parliament adopted its first-reading position with a majority: 621 in favour, 10 against, 22 abstentions. Occurring just before European elections, this vote made the reform irreversible from a political perspective regardless of the incoming Parliament.
15 June 2015 – The Council of the EU (representing Member States) reached its “general approach”, enabling the start of formal trilogue negotiations between the Commission, Parliament, and Council.
15 December 2015 – The Political Agreement
After months of negotiations, the three institutions came to an informal agreement on the final GDPR text. The compromise was endorsed by the LIBE Committee on 17 December and by COREPER (Committee of Permanent Representatives) on 18 December.
Phase 4: Formal adoption and entry into force (2016)
- The Council and Parliament completed adoption in April 2016, and the Regulation was signed on 27 April 2016.
- 4 May 2016 – The final text was published in the Official Journal (OJ L 119, 4.5.2016, p. 1–88) in all 24 official EU languages as Regulation (EU) 2016/679.
- 24 May 2016 – The GDPR entered into force 20 days after publication, under Article 99(1), beginning a two-year implementation period.
Phase 5: Implementation and application (2017–2018)
During 2017–2018, EU member states enacted national legislation to exercise the numerous opening clauses allowing national specifications (e.g. setting the age of digital consent, employment data rules). The Article 29 Working Party (established under Article 29 of Directive 95/46/EC and predecessor to today’s EDPB) issued critical guidance on DPOs, DPIAs, the one-stop-shop mechanism, and breach notification.
25 May 2018 – The day remembered most
The GDPR became fully applicable across the EU/EEA. At the same time, the EDPB was established under Article 68 GDPR as an EU body, replacing the Article 29 Working Party and taking on the responsibility for consistent application.
What really shaped the GDPR (the hidden influences)
1. Judicial interventions that pre-legislated key provisions
Google Spain (C-131/12) – 13 May 2014
The CJEU’s landmark judgment arrived between the Parliament’s first reading and the Council’s general approach. Relying on Articles 12(b) and 14(a) of the 1995 Directive, the Court established a right to delisting against search engines. This supported the case for what would become Article 17 GDPR. It became very difficult for the Council to weaken erasure provisions during trilogues, because doing so would have meant offering less protection than the existing Directive.
Schrems I (C-362/14) – 6 October 2015
This judgment invalidating the EU-US Safe Harbor framework came during trilogue negotiations, and only two months before the final agreement. It validated the European Parliament’s stance on international data transfers and made it untenable for the Council to weaken Chapter V. The case also elevated Max Schrems (at the time an Austrian privacy activist running the Europe v Facebook initiative) into a prominent voice in the closing stages of the reform debate.
2. Geopolitical events that changed the political climate
Snowden helped intensify concerns that are reflected in Article 48, which provides that foreign court orders or administrative decisions are only recognised or enforceable if based on an international agreement such as an MLAT. They are not, on their own, a valid legal basis for transfer.
The Cambridge Analytica Scandal (March 2018), breaking just two months before GDPR application, transformed the regulation from a dry compliance exercise into a political and public vindication. Google searches for “GDPR” peaked globally on 25 May 2018, dramatically increasing boardroom awareness and budget allocation during the critical final weeks.
3. Lobbying
The GDPR is often described as “the most lobbied law in EU history.” LobbyPlag.eu, a transparency initiative launched by digital rights activists and journalists, publicly mapped MEPs’ amendments against industry and lobby documents. This revealed verbatim copy-pasting, and the backlash increased Parliament’s focus on profiling, consent, and DPIAs.
4. Constitutional traditions
German constitutional law was especially influential:
- The German Federal Constitutional Court’s 1983 Census Judgment established “informational self-determination” (informationelle Selbstbestimmung) as a fundamental right
- The 2008 IT-Grundrecht judgment on the confidentiality and integrity of IT systems influenced the regulation’s security obligations
- Germans in the process: Rapporteur Albrecht, the Federal Data Protection Commissioner, and the activist Länder DPAs all played large roles throughout
5. The digital single market
Under Commission Vice-President Andrus Ansip (Juncker Commission, 2014–2019), the GDPR was reframed from a fundamental rights measure (Reding’s framing) into a Digital Single Market instrument. This repositioning won over some sceptical EU member states. It also explains the internal market language throughout the regulation and the one-stop-shop mechanism – a single-market construct.
6. The one-stop-shop
Articles 60–67 resulted from a battle between:
- France and Germany, wanting strong local DPA powers
- Ireland and Luxembourg (hosting major tech HQs), favouring a single lead authority
The result was a political compromise which could be the reason for many of the cross-border enforcement delays seen since 2018, and potentially why the GDPR Procedural Regulation (Regulation (EU) 2025/2518) was eventually needed to fix them.
Post-application evolution
Schrems II (C-311/18) – 16 July 2020 – Invalidating the EU-US Privacy Shield, this judgment had a huge impact on international transfers, leading to:
- New Standard Contractual Clauses (Commission Implementing Decision 2021/914 of 4 June 2021)
- The EU-US Data Privacy Framework (adequacy decision of 10 July 2023), whose first periodic review took place in July 2024 and which is already subject to complaints by noyb and others (a potential “Schrems III”)
- Significant fines, including Meta’s €1.2 billion penalty (May 2023) for transfers to the US without adequate safeguards, which is still the largest GDPR fine to date
Meta Platforms Ireland v Bundeskartellamt (C-252/21) – 4 July 2023 – The CJEU clarified the relationship between competition and data protection law, confirming that antitrust authorities can consider GDPR violations when assessing abuse of dominance.
The EDPB’s expanding guidance covers breach notification, controller-processor relationships, data protection by design and by default, virtual voice assistants, connected vehicles, and more.
NOYB’s role – Max Schrems’ non-profit (launched 2018) has been behind a lot of the most consequential post-GDPR enforcement through strategic complaints.
GDPR reform
Since 2023, the EU has enacted – or proposed – a number of measures that adjust, clarify, or operationalise the GDPR framework. These reforms are targeted, addressing specific shortcomings identified since 2018.
1. GDPR Procedural Regulation – Regulation (EU) 2025/2518 (adopted)
The new procedural regulation was adopted to harmonise cross-border enforcement procedures.
- Harmonises procedural rules across EU member states for cross-border cases
- Sets binding timelines for cooperation and consistency procedures
- Enhances transparency and stakeholder (including complainant) participation
- Strengthens the EDPB’s role in dispute resolution
It entered into force on 1 January 2026 and will apply from 2 April 2027 to complaints lodged after that date. This is not an amendment to the GDPR’s rules, more of a regulation on how the rules are enforced.
2. Second GDPR Evaluation Report – published 25 July 2024
In line with Article 97 GDPR, the Commission published its second evaluation report (COM(2024) 357 final) on 25 July 2024. Key findings included:
- GDPR enforcement has matured but is still inconsistent across EU member states
- Cross-border cooperation is too slow (this justifies the Procedural Regulation)
- SMEs continue to face disproportionate compliance burdens, which directly triggered the Omnibus IV proposal
- There is no need for an immediate amendment of the GDPR, but rather for targeted simplification
3. Omnibus IV – simplification package (proposed 21 May 2025)
The Commission’s Omnibus IV simplification package proposes amendments to:
- Article 30 GDPR – raising the threshold for record-keeping exemptions to cover Small Mid-Caps (SMCs) and more SMEs
- Article 40 – adapting codes of conduct for smaller entities
- Article 42 – making certification more accessible to SMEs/SMCs
It is currently still under negotiation in Parliament and Council.
4. Digital Omnibus (proposed 19 November 2025)
A wider-reaching reform package was published on 19 November 2025, proposing changes across the EU’s digital rulebook such as targeted GDPR amendments, alignment with the Data Act, and streamlining of overlapping transparency and risk-assessment obligations across the DSA, DMA, AI Act, and GDPR. In my view, it is the largest overhaul of the EU’s digital rules since 2018 and is now under negotiation.
Purpose and Means works with organisations on data protection strategy, governance, and compliance — going beyond the legal text to focus on how things actually get done. If you’d like to discuss what this means for your organisation, book a call or explore our services.





