In recent weeks I have noticed a growing number of influential figures in the data protection world speaking out against a perceived lack of enforcement of the GDPR, the most influential data protection law known to date. Those in favor of revisiting the seminal law argue, for example, that the One-Stop-Shop mechanism is misguided or claim that the Irish and Luxembourgish Data Protection Authorities are allegedly unable or even unwilling to effectively exercise their powers against big tech.  

While surely there is room to improve enforcement of the GDPR and to fine-tune the functioning of the One-Stop-Shop, there is no doubt in my mind that the law has positively impacted the fundamental freedoms and rights of EU citizens. And that is something to be proud of. To date, more than 600 enforcement actions by EU supervisory authorities have attempted to protect the rights of data subjects/users/consumers. Three years on, citizens are more aware of their privacy and data protection rights than they were just a few years ago. Numerous national privacy regimes around the world have been inspired by the GDPR. Organizations are starting to realize that taking privacy, data protection, and data security seriously can have a positive impact on the sustainability of their business in the long-term. 

Rather than reform the GDPR while it is still so young and with so much potential, I invite our legislators to work to finalize the much-needed forthcoming ePrivacy Regulation which will effectively complete the modernized EU data protection legislative framework. Furthermore, let us not forget the potential of codes of conduct, which can also play a very important role in fostering privacy and a user-centric digital environment.