Skip to content
— CH. 1 · LEGISLATIVE ORIGINS AND ADOPTION —

General Data Protection Regulation

~4 min read · Ch. 1 of 6
6 sections
  • The European Parliament and Council of the European Union adopted the General Data Protection Regulation on the 14th of April 2016. This regulation, designated as Regulation (EU) 2016/679, became effective two years later on the 25th of May 2018. Unlike previous directives that required transposition into national law, this regulation has direct legal effect across all member states. Austria was the only member state to vote against its adoption in April 2016, arguing that some data protection levels fell short compared to the 1995 directive. The regulation supersedes the Data Protection Directive 95/46/EC and simplifies terminology for international business operations. Recital 4 proclaims that processing personal data should be designed to serve mankind.

  • Article 5 sets out six principles relating to the lawfulness of processing personal data. These include requirements that data must be processed lawfully, fairly, and transparently. Article 6 specifies that personal data may not be processed unless there is at least one legal basis for doing so. Consent must be explicit, freely given, plainly worded, and unambiguous. An online form which has consent options structured as an opt-out selected by default violates these rules. Individuals can withdraw consent at any time, and the process must not be harder than opting in. Children under 16 require parental or custodian verification for consent, though member states may lower this age to 13. Article 17 provides a right to erasure on grounds including noncompliance with lawful processing conditions.

  • Data controllers must report breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy. Public authorities and businesses whose core activities involve regular monitoring of large-scale data must employ a Data Protection Officer. This role requires expert knowledge of data protection law and practices. The DPO maintains a living data inventory of all collected information and manages compliance with internal regulations. Article 30 mandates records of processing activities for organizations employing more than 250 people or handling special categories of data. Encryption and decryption operations must occur locally to ensure keys remain with the data owner. Pseudonymisation transforms personal data so it cannot be attributed to a specific subject without additional information kept separately.

  • Fines reach up to €20 million or 4% of annual worldwide turnover, whichever is greater, for serious infringements. In January 2025, Meta received a fine of €1.2 billion for unlawful data transfers between the EU and the US. The Irish Data Protection Commission imposed a €345 million fine on TikTok in early 2024 regarding children's data privacy. Google was fined €50 million by the French DPA on the 21st of January 2019 for insufficient control over behavioral advertising. British Airways faced an initial intention to fine £183 million before receiving a reduced penalty of £20 million. Over 160 million Euros in fines were imposed in 2020, rising to over one billion Euros in 2021. Supervisory authorities cooperate through mutual assistance and joint operations under the European Data Protection Board.

  • The regulation applies to organizations outside the EU if they offer goods or services to individuals located within the Union. It also covers monitoring behavior that takes place within the EU regardless of where processing occurs. Non-EU establishments must designate an EU Representative to serve as a point of contact for obligations. California passed the Consumer Privacy Act on the 28th of June 2018 with many similarities to GDPR standards. China adopted its Personal Information Protection Law in 2021 modeled after these regulations. Turkey enacted its Law on The Protection of Personal Data on the 24th of March 2016 in compliance with EU acquis. Switzerland will adopt new laws largely following EU guidelines while Caribbean regions consider GDPR rules due to lack of local legislation.

  • A 2018 Deloitte study found 92% of companies believed they could comply with GDPR business practices long-term. IT professionals expected GDPR-related spending to reach at least US$100,000 per organization. Total costs for EU companies were estimated at €200 billion while US company estimates reached $41.7 billion. Approximately 25% of software vulnerabilities have GDPR implications according to research findings. Some websites began blocking visitors from EU countries entirely including Instapaper and Tubi upon implementation. Online behavioral advertising placements fell between 25% and 40% on the 25th of May 2018. A 2024 study found GDPR reduced both EU user website page views and revenue by 12%. Mark Zuckerberg called it a very positive step for the Internet while Richard Stallman praised aspects but demanded additional safeguards against manufactured consent.

Common questions

When did the General Data Protection Regulation become effective?

The General Data Protection Regulation became effective on the 25th of May 2018. The European Parliament and Council adopted it on the 14th of April 2016, two years prior to its enforcement.

What are the fines for violating the General Data Protection Regulation?

Fines reach up to €20 million or 4% of annual worldwide turnover, whichever is greater, for serious infringements. In January 2025, Meta received a fine of €1.2 billion for unlawful data transfers between the EU and the US.

Who must appoint a Data Protection Officer under the General Data Protection Regulation?

Public authorities and businesses whose core activities involve regular monitoring of large-scale data must employ a Data Protection Officer. This role requires expert knowledge of data protection law and practices.

Does the General Data Protection Regulation apply to organizations outside the EU?

The regulation applies to organizations outside the EU if they offer goods or services to individuals located within the Union. Non-EU establishments must designate an EU Representative to serve as a point of contact for obligations.

How does the General Data Protection Regulation affect online behavioral advertising?

Online behavioral advertising placements fell between 25% and 40% on the 25th of May 2018 following implementation. A 2024 study found GDPR reduced both EU user website page views and revenue by 12%.

All sources

160 references cited across the entry

  1. 3webThe UK GDPR28 June 2021
  2. 11journalYour Data Is My Data: A Framework for Addressing Interdependent Privacy InfringementsBernadette Kamleitner et al. — 2019-10-01
  3. 13journalWhen data protection by design and data subject rights clashMichael Veale et al. — 2018
  4. 14journalSingling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new Data Protection RegulationFrederik J. Zuiderveen Borgesius — April 2016
  5. 15webThe Right to Be ForgottenTony Baldry et al. — 1 Essex Court — 15 May 2014
  6. 17webRight to object2019-08-30
  7. 29webreach of the GDPR: What is at stake?Piper-Meredith Jankowski — 21 June 2017
  8. 35webExemptions2020-07-20
  9. 36bookServices of General Economic Interest as a Constitutional Concept of EU LawCaroline Wehlander — TMC Asser Press — 2016
  10. 41webHow to transfer data to a 'third country' under the GDPRConor Donnelly — 18 January 2018
  11. 42webDigital Rights post-BrexitOpen Rights Group — 2 November 2022
  12. 44newsNew UK Data Protection Act not welcomed by allWarwick Ashford — 24 May 2018
  13. 46newsUK data protection 'adequacy' gets EU governments' sign-offKathryn Wynn — Pinsent Masons — 18 June 2021
  14. 47newsEU–UK adequacy decisions approved by the EDPB: EDPB calls for effective monitoringSheilah Mackie et al. — Womble Bond Dickinson — November 18, 2025
  15. 50newsFacebook urged to disable 'like' feature for child usersPatrick Greenfield — 15 April 2019
  16. 51webUK seeks divergence from GDPR to 'fuel growth'Keumars Afifi-Sabet — 12 March 2021
  17. 53webTop nine GDPR myths busted22 January 2019
  18. 54webFive GDPR myth-busters11 May 2023
  19. 57webThe High Costs of GDPR ComplianceChris Babel — UBM Technology Group — 11 July 2017
  20. 63newsNo one's ready for GDPRSarah Jeong — 22 May 2018
  21. 64newsNew rules on data protection pose compliance issues for firmsElaine Edwards — 22 February 2018
  22. 66journalThe impact of the EU general data protection regulation on scientific researchGauthier Chassang — 2017
  23. 71journalWhy a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection RegulationSandra Wachter et al. — 28 December 2016
  24. 75webWhat the GDPR means for Facebook, the EU and youJustin Jaffe et al. — 25 May 2018
  25. 77magazineEurope's new privacy law will change the web, and moreNitasha Tiku — 19 March 2018
  26. 79newsA radical proposal to keep your personal data safeRichard Stallman — 3 April 2018
  27. 80journalThe European Union general data protection regulation: what it is and what it meansChris Jay Hoofnagle et al. — 10 February 2019
  28. 84newsEU citizens being tracked on sensitive government websitesMadhumita Murgia — 18 March 2019
  29. 86newsHow Europe's GDPR Regulations Became a MemeAngela Watercutter — 25 May 2018
  30. 91webThe Data Protection Officer (DPO): Everything You Need to KnowDebra J. Farber — Cranium and HackerOne — 20 March 2018
  31. 92webWhat might bug bounty programs look like under the GDPR?Jennifer Baker — The International Association of Privacy Professionals (IAPP) — 27 March 2018
  32. 93journalDid App Privacy Improve After the GDPR?N. Momen et al. — November 2019
  33. 94citationA Multilateral Privacy Impact Analysis Method for Android AppsMajid Hatamian et al. — Springer International Publishing — 2019
  34. 103newsWhy Your Inbox Is Crammed Full of Privacy PoliciesNitasha Tiku — 24 May 2018
  35. 107bookThe impact of the GDPR on the online advertising marketBernd Skiera et al. — Bernd Skiera — 5 July 2022
  36. 115newsGoogle hit with £44m GDPR fineChris Fox — 21 January 2019
  37. 118newsEnglish Translation of the Letter from the Romanian Data Protection Authority to RISE ProjectGeorge Bălăiți — Organized Crime and Corruption Reporting Project — 9 November 2018
  38. 122newsBA faces £183m fine over passenger data breachMark Sweney — 8 July 2019
  39. 127bookProceedings of Mensch und Computer 2019Fatemeh Alizadeh et al. — ACM Press — 2019
  40. 131bookHuman Centred Intelligent SystemsSoheil Human et al. — Springer — 2021
  41. 137webThe GDPR Is in Effect: Should U.S. Companies Be Afraid?Jeff John Roberts — 25 May 2018
  42. 139newsCalifornia Unanimously Passes Historic Privacy BillIssie Lapowsky — 2018-06-28
  43. 141webVirginia passes the Consumer Data Protection ActSarah Rippy — 3 March 2021
  44. 142webColorado Privacy Act becomes lawSarah Rippy — 8 July 2021
  45. 144bookHigh Wire: How China Regulates Big Tech and Governs Its EconomyAngela Huyue Zhang — Oxford University Press — 2024
  46. 147webEDPB-EDPS Joint Response on the US Cloud ActEuropean Data Protection Supervisor — 10 July 2019
  47. 149webDon't Get Spooked by the CLOUD ActMartin Whitworth — International Data Corporation — 2018
  48. 150journalRegulating Privacy Online: An Economic Evaluation of the GDPRSamuel G. Goldberg et al. — 2024
  49. 158webGDPR – 20. juli er datoen!Kjetil Kolsrud — 10 July 2018