Just before Christmas, the EU’s data protection authorities (DPAs)—working together as the EU Data Protection Board (EDPB)—issued the hotly anticipated Opinion on AI models and EU privacy law. As it turned out, the excitement about the Opinion was unjustified. The Opinion, in a classic EDPB style, gives a long list of things that AI developers and users can attempt to comply with the GDPR while giving no guarantees that all that effort will be seen as sufficient by all EU privacy enforcers. Given the very limited usefulness of the Opinion, I decided to focus on what I see as the real issue: the structural inadequacy of the GDPR enforcement mechanism. The political economy of GDPR enforcement has proven not suitable to deliver what Europe needs: the protection not just of one fundamental right, but a holistic approach that genuinely balances the vital interests.