GDPR at 10: Landmark data protections, increasing business burden

Ten years have passed since the General Data Protection Regulation (GDPR) came into force, and the results are mixed. While data protection has become more firmly established in European companies — and beyond — than ever before, the business world remains critical of the regulation due to increasing bureaucracy, legal uncertainty, and competitive disadvantages.

From a data protection perspective, this is a success story. According to a 2018 Bitkom study, shortly before GDPR came into effect that year, only 7% of German companies had fully or largely implemented the requirements. Six years later, 71% of German companies said they had done so.

Furthermore, GDPR has significantly increased awareness of the protection of personal data — both among companies and consumers. Customers are paying closer attention to transparency, consent, and data security. For many companies, data protection has now become a competitive factor in building customer trust.

At the same time, record fines against data giants such as Meta, TikTok, and Uber show that the GDPR is serious business, with the total amount of publicly known GDPR fines having exceeded €6 billion for the first time in March 2026. Still, just 60% of fines have been paid to date, with other fines having been annulled or remaining under appeal.

Also, according to law firm CMS, there has been a clear shift in focus for GDPR enforcement: Supervisory authorities are increasingly concentrating on practical compliance issues and less on isolated, high-profile cases. What began with landmark proceedings and record fines has now evolved into a routine, operational review of companies’ day-to-day data protection practices.

Companies complain of increasing burden

At the same time, dissatisfaction within the business community is increasing. What was originally intended to provide greater legal certainty and uniform rules across Europe is now perceived by many companies as a constant burden.

In a Bitkom survey from 2025, 81% of companies surveyed stated that the GDPR was making their business processes more complicated. In 2016, only 25% held this view. By 2025, 97% rated the effort required as high, with 44% rating it as very high.

There are many reasons for this discontent. Four out of five companies surveyed by Bitkom (82%) cited uncertainty regarding the precise data protection regulations as a challenge in 2025. At the same time, 86% believe that implementation is never truly complete because companies must continuously react to technical and legal developments. Data protection is thus perceived as a particularly challenging, ongoing compliance task.

AI: GDPR’s new test

Data-driven projects are particularly affected. In 2025, 59% of study participants reported that the development of data pools had failed or not even been initiated due to data protection regulations. The figures remain high for data analysis tools, AI applications, and the digitization of business processes as well. Data protection regulations are thus perceived as a hurdle primarily where — as is particularly the case with AI — innovations depend on large volumes of data.

The result: According to Bitkom, 59% of companies see European data protection as an advantage for AI development in Germany and Europe compared to other countries. In practice, however, they experience the opposite. For example, in 2025, 69% of respondents stated that data protection makes it difficult to train AI models with sufficient data.

“The reality is: AI is not being developed in Europe because of our data protection practices, but the models are still being used here,” commented Bitkom President Ralf Wintergerst on the findings. “This means nothing is gained for the protection of European citizens’ data, but much is lost for Europe as a business location.”

Bitkom is therefore calling for a reform that strengthens data protection where real risks to people arise — and relieves companies of the burden where formal obligations offer no additional protection. Specifically, this means a consistent risk-oriented approach to the GDPR and a unified understanding that the training and operation of AI systems must also be possible in Europe, says Wintergerst.

Whether the industry association’s demand for a relaxation of data protection standards in favor of technological competitiveness is also in the interest of consumers is another matter. What is certain is that the GDPR has not lost its relevance even 10 years after its entry into force (or eight years since its application).

Or, as lawyer Anna Lena Füllsack from CMS puts it: “The enforcement of the GDPR has outgrown its infancy and is now an integral part of the regular legal landscape throughout Europe. For companies, it will remain a key strategic issue in the coming years.”
