When data never dies: How better GDPR enforcement could minimise hate and harm

Lina’s story: GDPR’s promise of protection and its current reality

Imagine this. An activist, Lina*, applied for asylum in Europe years ago. Like everyone, she left behind a digital trail: biometric data from border controls, personal details submitted to social services, and traces of her online life. At the time, she had no reason to think that her data, protected under the General Data Protection Regulation (GDPR), would ever come back to haunt her. But that’s exactly what happened.

Years later, Lina was shocked to find her name and image circulating in far-right forums online. Posts falsely branding her a ‘security threat’ spread like wildfire, amplified by platform algorithms designed to fuel outrage. What she didn’t know was that much of her personal data had never truly disappeared. It remained in the hands of multiple entities—both public institutions and private companies—that had once collected it.

Under the GDPR, these entities, known as ‘controllers’, are responsible for deciding how and why personal data is used. Yet instead of deleting Lina’s information when it was no longer needed, as the law requires, they had stored, shared , and fed it into opaque profiling systems—precisely the kind of misuse the GDPR was meant to prevent.

Lina tried to exercise her rights. She filed a data deletion request, but the company refused to comply. Turning to her country’s Data Protection Authority (DPA) for help, she expected a clear path to justice. Instead, she found herself trapped in a bureaucratic maze. She felt her case was bounced between authorities, each deflecting responsibility, either unable or unwilling to cooperate, and her not being informed of almost anything.

The platform hosting the hateful content insisted it was simply ‘amplifying’ existing discussions, absolving itself of any duty to act. Meanwhile, the DPA responsible for overseeing the company – based in a different country, far from where Lina lived – was drowning in a years-long enforcement backlog. Her complaint stalled, justice delayed indefinitely.

Worse still, this was not the first time the system had failed her. On a previous occasion, the same DPA had dismissed her complaint without even hearing her side of the story, blindly accepting the company’s reassurances of compliance – despite clear evidence to the contrary. As the hate continued unchecked, Lina’s trust in the system collapsed. GDPR had promised protection, but in practice, it left her exposed.

GDPR: A Promise Unfulfilled?

Lina might be imaginary but real people are already being harmed by this. The GDPR was meant to give people control over their data and ensure companies could no longer hoard and exploit personal information with impunity. It promised a number of data subject rights for individuals to regain control, together with fundamental principles. It also promised transparency, and accountability. But for many people Lina, these promises remains unfulfilled because the enforcement system is broken.

Big Tech have mastered the art of delay and deflection. Under the GDPR’s ‘one-stop-shop’ mechanism, cases are often handled by regulators in the country where a company is based, rather than where harm occurs. This means that when someone in France, Poland, or Spain suffers from unlawful data misuse by a company based in Ireland or Luxembourg, their complaint can get stuck in an enforcement black hole.

Lina’s story is not unique. Across Europe, vulnerable communities—including migrants, activists, and marginalised groups—face the brunt of these enforcement failures. Their data is weaponised, their dignity compromised, and their access to justice denied.

A Crucial Moment: The GDPR Procedural Regulation

Right now, EU policymakers have a chance to fix this. The GDPR Procedural Regulation—currently in negotiations—could finally close these enforcement loopholes. It could ensure faster, more efficient investigations, remove barriers to redress, and empower DPAs to take meaningful action. The regulation is not just about bureaucratic processes; it is about making GDPR enforcement a reality, ensuring that cross-border cases are handled fairly and efficiently, rather than getting lost in the complexity of the one-stop-shop mechanism.

Yet, despite its significance, this file has not received the attention it deserves. Too often, procedural law is dismissed as ‘boring’ or ‘too technical’—just another set of legal rules that seem far removed from everyday life. But this perception is dangerously misguided. In reality, this regulation underpins the very foundation of human rights online. It determines whether people like Lina can seek justice when their data is misused, whether harmful algorithmic profiling can be stopped, and whether the EU’s much-celebrated digital rights framework has real teeth. Many of the harms EU institutions claim to be concerned about – from misinformation to AI-driven discrimination – are exacerbated by the enforcement failures this regulation seeks to address.

Data protection is not just about privacy—it’s about power, and about many other fundamental rights. If we allow enforcement failures to persist, we allow gigantic corporations and other bad actors to control, distort, and weaponise our identities and deepen vulnerabilities. The EU must act now to ensure that GDPR enforcement becomes a reality, not just a promise.

For people like Lina – and for all of us – data rights must mean something. The time to fix GDPR enforcement is now.

*Lina’s story is a fictional account that captures the real life experiences that many people have had with the current gaps in GDPR enforcement.