The GDPR is widely respected as a serious attempt to rebalance power around personal data, but it has also attracted substantive criticism from across the spectrum.
Some critiques come from civil society groups who want stronger enforcement, while others come from businesses and researchers who argue the rules are too complex or too blunt. Many of these criticisms can be true at once, because they target different failure modes of the same system (europarl.europa.eu).
A recurring criticism is that GDPR compliance costs favour incumbents. Large firms can absorb legal uncertainty, buy compliance tooling, and litigate regulators into exhaustion. Smaller organisations, civic projects, and startups often experience GDPR as a tax on experimentation, with disproportionate overhead for documentation, contracts, and risk management, even when they are acting in good faith (europarl.europa.eu, blogs.lse.ac.uk).
Another common critique is that the “notice and consent” model is structurally weak in real life. People routinely click through privacy notices without reading them, and even when they try, the texts are often too long or too complex to create meaningful informed consent. This can turn GDPR compliance into a ritual where the paperwork exists, but the power imbalance remains (sciencedirect.com, pmc.ncbi.nlm.nih.gov).
There is also a criticism that the GDPR places too much weight on individual rights as a remedy for systemic problems. Rights like access, deletion, and objection matter, but they rely on individuals having time, skill, confidence, and stamina, and they do not automatically fix structural incentives to over-collect and monetise data. Critics argue that relying on individuals to “self-defend” scales badly against industrial data processing.
A major civil-society criticism is the enforcement gap. The law can look strong on paper while feeling weak in practice if investigations move slowly, decisions get stuck in cross-border procedures, or outcomes vary sharply by regulator and country.
The “one-stop-shop” model for cross-border cases is often cited as a bottleneck, especially for large platforms headquartered in a small number of jurisdictions (iccl.ie, wired.com, csis.org).
Another criticism is legal uncertainty and fragmented interpretation. GDPR is principles-based, which is philosophically attractive, but it can produce inconsistent guidance and “compliance anxiety,” especially for organisations operating across borders. When the same concept is interpreted differently by different authorities, cautious actors may over-comply, while aggressive actors may exploit grey zones until they are challenged (blogs.lse.ac.uk, europarl.europa.eu).
Researchers and journalists often criticise GDPR for producing uncertainty and friction around public-interest work, especially where sensitive data is necessary to reveal harm or measure inequality. GDPR does include mechanisms and exemptions, but critics argue that real-world implementation can be patchy, and risk-averse institutions sometimes use “GDPR” as a rhetorical shield to block legitimate scrutiny, sharing, or archiving (pmc.ncbi.nlm.nih.gov, verfassungsblog.de, ico.org.uk).
Finally, there is the criticism of “cookie banner theatre” and dark-pattern consent UX. Even when GDPR pushes the web toward better practice, the day-to-day experience for users can become a fatigue machine, and some consent interfaces are designed to nudge acceptance rather than enable real choice. Critics argue this undermines trust and turns a rights regime into a click-through nuisance (pmc.ncbi.nlm.nih.gov, academic.oup.com).
In governance terms, the sharpest critique is that GDPR is trying to solve a power problem with a paperwork solution. When it works well, it sets strong norms like data minimisation and forces institutions to justify themselves. When it works poorly, it becomes performative compliance for the powerful, friction for the small, and an enforcement backlog that erodes public confidence.