The Irish DPC is deliberately dragging its feet on GDPR enforcement, which is a huge problem because the majors like Facebook or Google have their European headquarters there, not so coincidentally.
Because the EU is a union of sovereign states. The EU itself is not sovereign and cannot do anything at all without acting through its members. A member can simply decide not to carry out the EU's wishes. Sure there are penalties, but they take a long time to appear and are fairly minor.
GDPR has a section that defines a way for an EU institution to "grab" cases, but that's timely and not used much (or at all, I don't know about the numbers).
