
GDPR
EU data protection regulation that sets rights over personal data and imposes global compliance obligations.
Last refreshed: 17 May 2026 · Appears in 1 active topic
Is the GDPR strong enough to prevent US intelligence services accessing EU citizen data?
Timeline for GDPR
- France chairs G7 Digital Ministerial on 29 May (European Tech Sovereignty)
- Germany pays maintainers to staff IETF and W3C (European Tech Sovereignty)
- AI Omnibus deal splits enforcement into two speeds (European Tech Sovereignty)
- Mentioned in: Mistral ships Le Chat Enterprise and Medium 3.5 (European Tech Sovereignty)
- What is the GDPR and who does it apply to?
- The GDPR (General Data Protection Regulation) is the EU's data protection law. It applies to organisations established in the EU and, regardless of where they are based, to organisations that offer goods or services to, or monitor the behaviour of, people in the EU (Article 3). It grants data subjects rights including access, erasure, and portability, and supervisory authorities can fine organisations up to the greater of EUR 20m or 4% of global annual turnover. Source: EUR-Lex
- Why can't US cloud providers guarantee GDPR compliance under the CLOUD Act?
- The US CLOUD Act (2018) makes explicit that US legal process can compel a provider subject to US jurisdiction to produce data in its possession, custody or control regardless of where that data is stored, including in European data centres. GDPR Article 48 provides that a third-country court order or administrative decision is a recognised basis for transfer only where it rests on an international agreement such as a mutual legal assistance treaty. A US-headquartered provider can therefore be legally obliged to disclose EU personal data in circumstances the GDPR does not treat as a lawful transfer, which is why it is structurally unable to guarantee compliance for sensitive public-sector data, whatever region the data is hosted in.
- What is the difference between GDPR and UK GDPR?
- UK GDPR is the version of the regulation retained in UK domestic law after Brexit, read together with the Data Protection Act 2018. It is substantively identical to the EU GDPR but is enforced by the UK Information Commissioner's Office (ICO) rather than by EU member-state supervisory authorities, and the ICO no longer sits on the EDPB. The European Commission has granted the UK an adequacy decision, so personal data can flow from the EU to the UK without additional safeguards such as standard contractual clauses, but the decision is time-limited and subject to periodic review.
Background
The General Data Protection Regulation (Regulation (EU) 2016/679) is the European Union's foundational data protection law; it entered into force on 24 May 2016 and has applied since 25 May 2018. It establishes rights for data subjects, including access, erasure, portability and objection, and imposes obligations on controllers and processors established in the EU and on non-EU organisations that offer goods or services to, or monitor the behaviour of, people in the EU (Article 3). Maximum administrative fines are the greater of EUR 20m or 4% of global annual turnover. In 2026, the GDPR remained the primary legal instrument underpinning European cloud sovereignty decisions: the incompatibility of US CLOUD Act jurisdiction with the GDPR's transfer rules and data subject rights was the core legal argument behind France's migration of its Health Data Hub from Microsoft Azure to Scaleway, and the GDPR's restrictions on international transfers (Chapter V) drive the CAIDA procurement restriction that bars US-headquartered cloud providers from EU public-sector data contracts.
The GDPR replaced the 1995 Data Protection Directive (95/46/EC). It was adopted in April 2016 and gave organisations a two-year transition period before it applied. The regulation introduced data protection by design and by default (Article 25), mandatory notification of personal data breaches to the supervisory authority within 72 hours of the controller becoming aware of them, unless the breach is unlikely to result in a risk to individuals (Article 33), and data protection impact assessments (DPIAs) for high-risk processing (Article 35). Enforcement is decentralised: each member state has its own supervisory authority, for example CNIL in France, the DPC in Ireland, and in Germany the federal BfDI alongside the data protection authorities of the Länder, while the European Data Protection Board (EDPB) coordinates consistent application and resolves disputes between authorities. Because many large US technology firms have their EU main establishment in Ireland, the DPC acts as lead supervisory authority in the largest cross-border cases under the one-stop-shop mechanism. Enforcement has accelerated: Meta has accumulated over EUR 2bn in GDPR fines as of 2026.
The GDPR's influence extends beyond the EU: the UK retained its principles in UK GDPR after Brexit, and the regulation inspired data protection laws in Brazil (LGPD) and California (CCPA/CPRA) and shaped subsequent amendments to the data protection laws of Japan and South Korea. It remains the most consequential piece of data governance legislation enacted in the digital era, and its interaction with the AI Act, the Data Act and DORA forms the EU's layered data governance framework.