
GDPR
EU data protection regulation that sets rights over personal data and imposes global compliance obligations.
Last refreshed: 17 June 2026 · Appears in 1 active topic
Is the GDPR strong enough to prevent US intelligence services accessing EU citizen data?
Timeline for GDPR
Mentioned in: Brussels stalls its own AI-label code
Media's AI PivotMentioned in: California binds AI hiring, EU defers
AI: Jobs, Power & MoneyMentioned in: Brussels fixes AI Act job deadline
AI: Jobs, Power & MoneyMentioned in: Bruegel puts the cloud law at 86bn euros
European Tech SovereigntyMentioned in: EU finalises its AI content-marking Code
Media's AI PivotWhat is the GDPR and who does it apply to?
Why can't US cloud providers guarantee GDPR compliance under the CLOUD Act?
What is the difference between GDPR and UK GDPR?
Background
The General Data Protection Regulation (Regulation EU 2016/679) is the European Union's foundational data protection law, which came into full effect on 25 May 2018. It establishes rights for EU data subjects (including access, erasure, portability, and objection) and imposes obligations on any organisation that processes personal data of EU residents, regardless of where the organisation is located. Maximum fines are the greater of EUR 20m or 4% of global annual turnover. In 2026, GDPR remained the primary legal instrument underpinning European cloud sovereignty decisions: the incompatibility of US CLOUD Act jurisdiction with GDPR's data subject rights was the core legal argument behind France's migration of its Health Data Hub from Microsoft Azure to Scaleway , and GDPR data-residency requirements drive the CAIDA procurement restriction that bars US-headquartered cloud providers from EU public-sector data contracts .
GDPR replaced the 1995 Data Protection Directive and was adopted in April 2016, giving organisations a two-year transition period. The regulation introduced the concept of privacy by design, mandatory data breach notification within 72 hours, and requirements for data protection impact assessments (DPIAs) for high-risk processing. The European Data Protection Board (EDPB) coordinates enforcement across member states, while each member state has its own supervisory authority: CNIL in France, BfDI in Germany, DPC in Ireland (where most US tech firms are based in the EU). Enforcement has accelerated: Meta has accumulated over EUR 2bn in GDPR fines as of 2026, with Ireland's DPC handling the largest transborder cases.
GDPR's global influence extends beyond the EU: the UK retained GDPR principles in UK GDPR post-Brexit, and the regulation inspired data protection laws in Brazil (LGPD), California (CPRA), Japan, South Korea, and others. It remains the most consequential piece of data governance legislation enacted in the digital era, and its interaction with the AI Act, Data Act, and DORA creates the EU's layered data protection architecture.