Why the GDPR's Backstory Matters Today

If you work in the fields of data protection, compliance, or digital policy, you do not need reminding that the EU GDPR became fully applicable on 25 May 2018. What’s less spoken about is how it came to be: all the political back and forth, the judicial interventions, and the geopolitical influences that helped shape its 99 articles.
I’ve worked with governance, risk and compliance for over 20 years in global companies, managing projects and programmes, and heading up departments that included high-level data protection responsibilities, but I took a more dedicated data protection route in 2015 for a global emergency service company in Denmark. Legal was part of the team, not driving the team, and I think that mattered a great deal because it was clear that to succeed we needed to look beyond the legal text and focus very much on the HOW. This post isn’t just about legal history. To understand why the articles and recitals exist does not require a law degree. It is about getting insight into why the regulation prioritises certain rights, includes strange compromises, and continues to evolve through enforcement, court rulings, and a number of reform proposals now reshaping its operation in 2026 and the years to come.
Key dates and what happened
Phase 1: Laying the groundwork (2009–2011)
1 December 2009 – The Treaty of Lisbon entered into force. This was the constitutional prerequisite for the entire GDPR project. Article 16 TFEU created, for the first time, a unified legal basis for data protection legislation across all EU policy areas. Previously, rules were fragmented across different “pillars” of EU law. At the same time, the Charter of Fundamental Rights became legally binding, elevating data protection as a standalone fundamental right (Article 8) distinct from the right to privacy (Article 7).
4 November 2010 – The European Commission published its strategic communication, “A comprehensive approach on personal data protection in the European Union” (COM(2010) 609). It confirmed that the 1995 Data Protection Directive (95/46/EC) was obsolete in a globalised, digital economy and outlined core objectives: strengthening individual rights, reducing fragmentation, and simplifying rules for businesses. Think back to 2010: Facebook, LinkedIn, Snapchat and Instagram were everywhere, and remember that Mark Zuckerberg was only 11 years old when the Data Protection Directive was adopted.
Phase 2: The proposal and early debates (2012–2013)
25 January 2012 – Commission Vice-President Viviane Reding (Commissioner for Justice, Fundamental Rights and Citizenship) unveiled the formal legislative package: the draft GDPR (to replace Directive 95/46/EC) and the draft Law Enforcement Directive (to replace Framework Decision 2008/977/JHA). A key point to note is that the Commission opted for a regulation (directly applicable) rather than a directive, seeking to end the patchwork of national implementations.
21 October 2013 – The LIBE Committee’s vote
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), led by rapporteur Jan Philipp Albrecht (Greens/EFA, Germany), adopted its compromise report. The committee’s version introduced a number of key concepts:
- Much higher administrative fines (up to 5% of global annual turnover or €100 million, whichever is higher; as we know, this was later reduced to 4% / €20 million in the final text)
- Extended territorial scope (Article 3) applying to non-EU entities targeting EU data subjects
- Mandatory DPOs under specific conditions
- Stronger consent requirements and data subject rights
The file attracted approximately 4,000 amendments. This was believed to be a record for a single EU legislative file at the time and reflected strong lobbying and lots of political scrutiny.
Phase 3: The Trilogue negotiations (2014–2015)
12 March 2014 – The European Parliament adopted its first-reading position with a majority: 621 in favour, 10 against, 22 abstentions. Occurring just before European elections, this vote made the reform irreversible from a political perspective regardless of the incoming Parliament.
15 June 2015 – The Council of the EU (representing Member States) reached its “general approach”, enabling the start of formal trilogue negotiations between the Commission, Parliament, and Council.
15 December 2015 – The Political Agreement
After months of negotiations, the three institutions came to an informal agreement on the final GDPR text. The compromise was endorsed by the LIBE Committee on 17 December and by COREPER (Committee of Permanent Representatives) on 18 December.
Phase 4: Formal adoption and entry into force (2016)
- 8 April 2016 – The Council adopted its position at first reading, formally approving the compromise text.
- 14 April 2016 – The European Parliament approved the Council’s first-reading position, completing the ordinary legislative procedure.
- 4 May 2016 – The final text was published in the Official Journal (OJ L 119, 4.5.2016, p. 1–88) in all 24 official EU languages as Regulation (EU) 2016/679.
- 24 May 2016 – The GDPR entered into force under Article 99(1), beginning a two-year implementation period.
Phase 5: Implementation and application (2017–2018)
During 2017–2018, EU member states enacted national legislation to exercise the roughly 60–70 “opening clauses” allowing national specifications (e.g. setting the age of digital consent, employment data rules). The Article 29 Working Party (established under Article 29 of Directive 95/46/EC and predecessor to today’s EDPB) issued critical guidance on DPOs, DPIAs, the one-stop-shop mechanism, and breach notification.
25 May 2018 – The day remembered most
The GDPR became fully applicable across the EU/EEA. At the same time, the EDPB was established under Article 68 GDPR as an EU body, replacing the Article 29 Working Party and taking on the responsibility for consistent application.
What really shaped the GDPR (the hidden influences)
1. Judicial interventions that pre-legislated key provisions
Google Spain (C-131/12) – 13 May 2014
The CJEU’s landmark judgment arrived between the Parliament’s first reading and the Council’s general approach. Relying on Articles 12(b) and 14(a) of the 1995 Directive, the Court established a right to delisting against search engines. This supported the case for what would become Article 17 GDPR. It became very difficult for the Council to weaken erasure provisions during trilogues, because doing so would have meant offering less protection than the existing Directive.
Schrems I (C-362/14) – 6 October 2015
This judgment, invalidating the EU-US Safe Harbor framework, came during trilogue negotiations, and only two months before the final agreement. It validated the European Parliament’s stance on international data transfers and made it untenable for the Council to weaken Chapter V. The case also elevated Max Schrems (at the time an Austrian privacy activist running the Europe v Facebook initiative) into a prominent voice in the closing stages of the reform debate.
2. Geopolitical events that changed the political climate
The Snowden Revelations (June 2013) influenced discussions around third-country access to EU data. They directly influenced Article 48 GDPR, which provides that foreign court orders or administrative decisions are only recognised or enforceable if based on an international agreement such as an MLAT. They are not, on their own, a valid legal basis for transfer.
The Cambridge Analytica Scandal (March 2018), breaking just two months before GDPR application, transformed the regulation from a dry compliance exercise into a political and public vindication. Google searches for “GDPR” peaked globally on 25 May 2018, dramatically increasing boardroom awareness and budget allocation during the critical final weeks.
3. Lobbying
The GDPR became known as “the most lobbied law in EU history.” LobbyPlag.eu, a transparency initiative launched by digital rights activists and journalists, publicly mapped MEPs’ amendments against industry and lobby documents. This revealed verbatim copy-pasting, and the backlash increased Parliament’s focus on profiling, consent, and DPIAs.
4. Constitutional traditions
German constitutional law was especially influential:
- The German Federal Constitutional Court’s 1983 Census Judgment established “informational self-determination” (informationelle Selbstbestimmung) as a fundamental right
- The 2008 IT-Grundrecht judgment on the confidentiality and integrity of IT systems influenced the regulation’s security obligations
- Germans in the process – Rapporteur Albrecht, the Federal Data Protection Commissioner, and the activist Länder DPAs – played large roles throughout
5. The digital single market
Under Commission Vice-President Andrus Ansip (Juncker Commission, 2014–2019), the GDPR was reframed from a fundamental rights measure (Reding’s framing) into a Digital Single Market instrument. This repositioning won over some sceptical EU member states. It also explains the internal market language throughout the regulation and the one-stop-shop mechanism – a single-market construct.
6. The one-stop-shop
Articles 60–67 resulted from a battle between:
- France and Germany, wanting strong local DPA powers
- Ireland and Luxembourg (hosting major tech HQs), favouring a single lead authority
The result was a political compromise which could be the reason for many of the cross-border enforcement delays seen since 2018, and potentially why the GDPR Procedural Regulation (Regulation (EU) 2025/2518) was eventually needed to fix them.
Post-application evolution
Schrems II (C-311/18) – 16 July 2020 – Invalidating the EU-US Privacy Shield, this judgment had huge impacts on international transfers, leading to:
- New Standard Contractual Clauses (Commission Implementing Decision 2021/914 of 4 June 2021)
- The EU-US Data Privacy Framework (adequacy decision of 10 July 2023), whose first periodic review took place in July 2024 and which is already subject to complaints by noyb and others (a potential “Schrems III”)
- Significant fines, including Meta’s €1.2 billion penalty (May 2023) for transfers to the US without adequate safeguards, which is still the largest GDPR fine to date
Meta Platforms Ireland v Bundeskartellamt (C-252/21) – 4 July 2023 – The CJEU clarified the relationship between competition and data protection law, confirming that antitrust authorities can consider GDPR violations when assessing abuse of dominance.
The EDPB’s expanding guidance covers breach notification, controller-processor relationships, data protection by design and by default, virtual voice assistants, connected vehicles, and more.
NOYB’s role – Max Schrems’ non-profit (launched 2018) has been behind a lot of the most consequential post-GDPR enforcement through strategic complaints.
GDPR reform
Since 2023, the EU has enacted – or proposed – a number of measures that adjust, clarify, or operationalise the GDPR framework. These reforms are targeted, addressing specific shortcomings identified since 2018.
1. GDPR Procedural Regulation – Regulation (EU) 2025/2518 (adopted)
Cross-border enforcement under the one-stop-shop mechanism has been criticised as slow, opaque, and inconsistent, with cases against large platforms often taking years to resolve.
After trilogue agreement in mid-2025, Regulation (EU) 2025/2518 was adopted by the Council on 17 November 2025. It:
- Harmonises procedural rules across EU member states for cross-border cases
- Sets binding timelines for cooperation and consistency procedures
- Enhances transparency and stakeholder (including complainant) participation
- Strengthens the EDPB’s role in dispute resolution
It entered into force on 1 January 2026 and will apply from 2 April 2027 to complaints lodged after that date. This is not an amendment to the GDPR’s rules, more of a regulation on how the rules are enforced.
2. Second GDPR Evaluation Report – published 25 July 2024
In line with Article 97 GDPR, the Commission published its second evaluation report (COM(2024) 357 final) on 25 July 2024. Key findings included:
- GDPR enforcement has matured but is still inconsistent across EU member states
- Cross-border cooperation is too slow (this justifies the Procedural Regulation)
- SMEs continue to face disproportionate compliance burdens, which directly triggered the Omnibus IV proposal
- There is no need for an immediate amendment of the GDPR, but rather for targeted simplification
3. Omnibus IV – simplification package (proposed 21 May 2025)
The Commission’s Omnibus IV simplification package proposes amendments to:
- Article 30 GDPR – raising the threshold for record-keeping exemptions to cover Small Mid-Caps (SMCs) and more SMEs
- Article 40 – adapting codes of conduct for smaller entities
- Article 42 – making certification more accessible to SMEs/SMCs
It is currently still under negotiation in Parliament and Council.
4. Digital Omnibus (proposed 19 November 2025)
A wider-reaching reform package was published on 19 November 2025, proposing changes across the EU’s digital rulebook such as targeted GDPR amendments, alignment with the Data Act, and streamlining of overlapping transparency and risk-assessment obligations across the DSA, DMA, AI Act, and GDPR. It is the largest overhaul of the EU’s digital rules since 2018 and is now under negotiation.
Purpose and Means works with organisations on data protection strategy, governance, and compliance — going beyond the legal text to focus on how things actually get done. If you’d like to discuss what this means for your organisation, book a call or explore our services.