Written By: Jameson Pasek, Alexandra Pakzad, and Daniel O’Brien

As the General Data Protection Regulation (GDPR) enters its seventh year of application, European data protection law is undergoing another period of rapid evolution. Recent guidance from regulators, landmark judgments from the Court of Justice of the European Union, and high-profile enforcement actions reflect both the maturity of the GDPR framework and its continuing capacity to adapt to emerging challenges. Three issues in particular have stood out during 2024–2025: the legality of “consent or pay” models, the stability of international data transfer mechanisms, and the scope of compensation for damages. Together, they illustrate how the GDPR continues to shape the digital economy and fundamental rights discourse.

1. Consent or Pay Models

The legitimacy of “consent or pay” models has emerged as one of the most contested questions in GDPR application. These models, often used by large online platforms, require users to either agree to behavioral advertising or pay a subscription fee for access. In April 2024, the European Data Protection Board (EDPB) issued Opinion 08/2024, adopted under Article 64 GDPR, clarifying that such mechanisms are not prohibited in principle but face a high bar, and will only be valid where controllers can demonstrate that consent is freely given and users have a real choice.[1] The Board emphasized that consent must not be bundled with access to services in a way that pressures users into agreement, particularly when a platform provides essential or quasi-essential services. For consent to be valid, users must have a genuine equivalent alternative — typically a version of the service that does not rely on behavioral advertising. Any fee must not undermine users’ autonomy, and the design must avoid conditionality and nudging. Granularity also matters: controllers must provide purpose-specific consent choices, and users should be able to refuse individual purposes rather than accept a bundled set. This position underscores a broader regulatory concern about power imbalances in the digital economy and reflects a tightening interpretation of user autonomy under Article 7 GDPR.

The implications extend beyond advertising models. Any service that conditions participation on data processing for non-essential purposes risks falling afoul of the EDPB’s reasoning. Ongoing national enforcement will likely refine how this standard is applied in practice, but for now, “consent or pay” remains a legally fraught strategy for platforms seeking to monetize personal data. Controllers should look to document the appropriateness of any fee and their assessment of equivalence to evidence “freely given” consent.

2. International Data Transfers

Cross-border data flows continue to be at the center of EU privacy debates. The European Commission’s first annual review of the EU-U.S. Data Privacy Framework (DPF), published in October 2024, concluded that the adequacy decision remains effective and that U.S. safeguards are functioning as intended.[2] The EDPB’s own November 2024 report generally concurred but raised concerns about oversight of onward transfers and monitoring of compliance by U.S. entities.[3]

Meanwhile, enforcement action has intensified. On May 2, 2025, the Irish Data Protection Commission fined TikTok €530 million for transferring EEA user data to China in violation of GDPR (€485m for Article 46(1) on transfer safeguards; €45m for Article 13(1)(f) on transparency) and issued a corrective order requiring changes within six months.[4] The EDPB subsequently published a national news post (4 July 2025) summarizing the Irish SA’s decision.[5] Regulators also finalized Guidelines on Article 48 GDPR, clarifying how controllers should respond to foreign law enforcement requests that conflict with EU law.[6] Together, these developments highlight the fragility of international transfer mechanisms and the political sensitivity surrounding government access to personal data.

The convergence of adequacy reviews, enforcement, and interpretive guidance demonstrates that international transfers are no longer treated as a background compliance issue but as a frontline concern of data protection law. Controllers relying on the DPF or other transfer tools must monitor evolving oversight structures closely.

3. Compensation for Damages

The scope of compensation under Article 82 GDPR has been sharpened by recent rulings of the Court of Justice of the European Union (CJEU). In BL v. MediaMarktSaturn (C-687/21) and GP v. juris (C-741/21), the Court reiterated that three conditions must be met before damages can be awarded: (1) an infringement of the GDPR, (2) the existence of damage, and (3) a causal link between the two.[7] In doing so, the Court rejected both extremes — it refused to impose a de minimis threshold (which would bar small claims), but it also insisted that mere infringement of the GDPR is not enough to justify compensation. Claimants must demonstrate actual harm, whether material or non-material.

Significantly, the Court acknowledged that non-material damage, including “loss of control” over personal data, may qualify, provided the claimant can show they actually experienced such harm.[8] This balancing approach has broad implications: it prevents automatic liability for any GDPR breach while still recognizing the intangible harms that privacy violations can inflict.

National courts across the EU are now tasked with interpreting what constitutes sufficient evidence of non-material harm. Their rulings will shape the contours of GDPR damages in practice, potentially opening the door to wider class actions or, conversely, narrowing the scope of viable claims depending on evidentiary standards. For corporate defendants, this underscores the value of contemporaneous evidence of prompt remediation and effective technical/organizational measures when seeking to challenge causation and quantum.

Conclusion

These developments show that the GDPR remains both resilient and dynamic, continuing to evolve in response to new business models, geopolitical pressures, and judicial interpretation. The debates over “consent or pay,” the fragility of cross-border transfer frameworks, and the scope of damages for privacy harms all highlight the Regulation’s central role in shaping the digital economy and protecting fundamental rights. As enforcement intensifies and jurisprudence deepens, the coming years will test whether the GDPR can balance legal certainty for organizations with meaningful protection for individuals in an increasingly data-driven world. For private-equity-backed businesses, action points include: (i) reassessing monetization models against the EDPB’s “real choice” test (including fee and equivalence documentation), (ii) validating Chapter V transfer tooling and DPF reliance in light of the Commission/EDPB reviews, and (iii) strengthening incident response records to mitigate Article 82 exposure.


[1] European Data Protection Board, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms (Apr. 17, 2024).

[2] European Commission, Report on the First Periodic Review of the EU-US Data Privacy Framework, COM (2024) 451 final (Oct. 9, 2024).

[3] European Data Protection Board, Report on the First Review of the European Commission Implementing Decision on the EU-U.S. Data Privacy Framework (Nov. 4, 2024).

[4] Data Protection Commission (Ireland), Irish Data Protection Commission Fines TikTok €530 Million and Orders Corrective Measures (May 2, 2025).

[5] European Data Protection Board, Irish Supervisory Authority Fines TikTok €530 Million and Orders Corrective Measures Following Inquiry into Transfers of EEA User Data to China (July 4, 2025).

[6] European Data Protection Board, Guidelines on Article 48 GDPR (Final Version) (June 5, 2025).

[7] Case C-687/21, BL v. MediaMarktSaturn Hagen-Iserlohn GmbH, ECLI:EU:C:2024:72 (Jan. 25, 2024).

[8] Case C-741/21, GP v. juris GmbH, ECLI:EU:C:2024:288 (Apr. 11, 2024).