GDPR not useful for systemic issues – Dixon
Former data protection commissioner Helen Dixon
21 May 2026 data law Print

GDPR not useful for systemic issues – Dixon

Lawyers have heard that the GDPR has largely achieved its core objectives but, due to the lack of a detailed implementation plan, enforcement remains fragmented and some of the biggest cases remain unresolved.

Helen Dixon, former Data Protection Commissioner and currently global digital regulatory consultant at MHC, and Professor Herke Kranenborg of the European Commission Legal Service were speaking at the Irish Centre for European Law’s (ICEL) annual Privacy and Data Protection conference (15 May).

ICEL is an educational charity that seeks to promote knowledge, understanding, and the good practice of EU law and European human-rights law across the island of Ireland.

It is based at Trinity College Dublin and operates on a not-for-profit basis.

The event was themed Ten Years of GDPR: Reflections, Insights and Lessons, and the first panel Looking Forward, Looking Back was moderated by David Fennelly SC.

27 April marked ten years since the GDPR was first published. It became law in Ireland in May 2018.

The GDPR was built on a framework already established by the 1995 data-protection directive, Friday’s event heard.

Helen Dixon said that, despite the GDPR being one of the most lobbied-against laws in the EU at the time, she felt, from the perspective of the regulator’s office in 2016, that it was broadly welcomed.

Weak enforcement

“All of the [data protection] principles were there,” she said, “but there were definite issues of fragmentation and weak public and private enforcement,” to which it was hoped the GDPR would bring clarity.

Prof Kranenborg, who stressed that he was speaking on a personal level and not on behalf of the European Commission Legal Service, drew a contrast between the position of the GDPR at adoption and that of the AI Act today.

With the AI Act, there are no pre-existing rules, the technology being regulated is novel and evolving, and the guidance required must come not from a board such as the Article 29 Working Party, which guided the development of the GDPR, but from the commission itself.

That concentration of responsibility, he suggested, had generated pressure to deliver workable guidance before the act took full effect, and had contributed to the recent agreement to postpone elements of its application.

Where the GDPR implementation period was defined by compliance, the AI Act, in his view, remains "much more uncharted territory”.

Both speakers agreed that the GDPR had achieved its core objectives: closing the gap between law and practice, raising public awareness, and reducing fragmentation across member states.

Dixon noted the professionalisation of data-protection officers and the resolution of thousands of individual complaints as concrete successes.

Herke Kranenborg added that the GDPR had made individuals more aware of their rights, which in turn strengthened the rights of individuals.

Narrow band of cases

However, Dixon said that, although harmonisation was one of the GDPR's central ambitions, it had been achieved only for a narrow band of cases, leaving the bulk of enforcement as fragmented as it had been under the 1995 directive.

She identified several reasons:

  • The GDPR never laid down detailed procedures for cross-border cases, leaving national administrative law to fill the gap and producing disputes "at every single step" of the early cases, many of which remain unresolved,
  • National authorities had developed entrenched interpretations over years of practice, illustrated by the Dutch DPA's long-held position that commercial interests could ‘never be legitimate interests under the GDPR’,
  • Most complaints were handled at national level and never passed through the co-operation and consistency mechanism, meaning harmonisation engaged only a subset of cases,
  • Private enforcement through compensation claims before national courts fell entirely outside any harmonisation mechanism,
  • The One Stop Shop, while delivering "some of the strongest harmonised interpretations" through the dispute resolution mechanism, remained "at best a partial success".

Partial correction

Dixon welcomed the Procedural Regulation as a partial correction but noted that it addressed only cross-border cases, leaving admissibility and process questions at national level untouched.

Prof Kranenborg said that he could see the benefits of the One Stop Shop and the new Procedural Regulation.

However, he expressed agreement with the idea, which he said was not his own, “that the bigger cases, the cross-border cases, should go to the European level directly, instead of this very complicated, cumbersome system of One Stop Shop”.

Both speakers identified the breadth of the GDPR's scope as a concern.

Dixon said that the GDPR “hasn't, in my view, always been the most useful lens through which to look at some of the big systemic issues.”

Volume of complaints

She explained: “Not just the volume of complaints, but the type and nature of complaints that authorities are dealing with is just so incredibly broad.

“So, an awful lot of what are effectively employment-law disputes come as data-protection issues,” she said.

Dixon cited disputes between neighbours over CCTV cameras and members of golf clubs accessing CCTV in fights over scores as falling into the GDPR remit.

“And, because the GDPR doesn't set out any enforcement priorities, you end up as an authority dealing chronologically with this endless list of complaints that are of different severity in terms of any potential impact on fundamental rights, and it becomes a somewhat inefficient system in terms of tackling what are the big issues.”

CJEU expanding scope

Prof Kranenborg expressed the view that the EU Court of Justice, in consistently expanding that scope while ignoring the regulation's second objective – the free flow of data – risked undermining compliance.

He cited the recent Russ Media case in which the CJEU, faced with questions about the interplay between the GDPR and the liability exemption principles of the e-commerce and Digital Services Acts, addressed the GDPR questions in full while, in his view, leaving the DSA framework largely unresolved.

He described the CJEU's conclusion that the DSA applied only where personal data was not involved as difficult to square with the without-prejudice clause, warning that the relationship between the two regimes remained unsettled.

Omnibus process

He cautioned that the ongoing omnibus process, moving through the legislative machinery without impact assessment, carried a risk that political pressure would produce corrections to the CJEU's jurisprudence that went further than intended.

Dixon noted an unintended consequence of the GDPR's removal of the 1995 directive's registration requirement.

Designed to remove unnecessary red tape, it replaced registration with legal status – as controller, processor, or main establishment.

The GDPR made those designations subject to dispute, and they have in practice been contested "in almost every big case".

She suggested course correction would be needed, while acknowledging it was already underway.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland

Content related to data law

data lawtechnology
Social media trial: what California verdict means

Opinion: design-deficit claim an important distinction
data law
Caution urged on US stadium trend

FRT faces more scrutiny in Europe – Pinsent Masons

data law
GDPR not useful for systemic issues – Dixon

Bulk of enforcement ‘still fragmented’

data law
Box-tickers will find AI regime ‘challenging’

Chief executive for office to be named within weeks
Copyright © 2026 Law Society Gazette. The Law Society is not responsible for the content of external sites – see our Privacy Policy.