There are a lot of issues that have already been discussed elsewhere – too little enforcement (it must not be the responsibility of NGOs), too little guidance (most member states don’t have an equivalent of the ICO’s excellent explanations), still no ePrivacy reform, and so on.
What I find a bit dangerous is that the compliance effort can become wholly disproportionate. GDPR compliance can be overwhelming, so that some controllers might just not care. To my amazement, this didn’t seem to happen when the GDPR came into force. Everyone rushed to update their policies, motivated by uncertainty about how fines would be handed out.
But then the Schrems II judgement suddenly destroyed the foundation of modern globalized IT. The result is that everyone replaced the Privacy Shield with SCCs, usually in full knowledge that they are probably invalid as well. The proper compliance response – to stop using US-based services – would be more costly to many data controllers than potential fines. (Corona didn’t help, where the choice often boiled down to compliance vs being able to continue business operations).
Of course the Schrems II judgement was entirely correct, necessary, and unsurprising. I just wish this shock could have come a couple of years later, when industry as a whole would have become more accustomed to compliance issues. Hopefully, future enforcement on this issue will focus on international companies that offer insufficient controls to their customers, most importantly Google.
But overall, especially as a data subject, I’m still glad that the GDPR exists. I’m also very happy that cookie consent banners have become noticeably more navigable and transparent over time, except for their discovery that legitimate interest is a thing.