As the first broad reform of the EU data protection legislation is being achieved, and notwithstanding EU institutions’ confident discourse, scepticism remains about the reform’s ability to safeguard the fundamental right to data protection in the face of evolving data processing techniques underlying so-called big data. Yet, one might wonder whether the cause of this difficulty should be ascribed mainly to technological progress that the law finds hard to deal with, or rather to the policy choices embedded in the legal reform itself. Indeed, a new data protection enforcement model is being adopted, which relies heavily on risk assessment and management by the data controllers themselves. Likewise, data protection authorities see their supervisory role significantly weakened. These developments and the underlying rationality are discussed. Given the limitations of the risk-based approach as currently devised, we suggest that it be reappraised in consideration of risk regulatory experiences in other domains.