General Data Protection Regulation
The European Parliament and Council of the European Union adopted the General Data Protection Regulation on the 14th of April 2016. This regulation, designated as Regulation (EU) 2016/679, became effective two years later on the 25th of May 2018. Unlike previous directives that required transposition into national law, this regulation has direct legal effect across all member states. Austria was the only member state to vote against its adoption in April 2016, arguing that some data protection levels fell short compared to the 1995 directive. The regulation supersedes the Data Protection Directive 95/46/EC and simplifies terminology for international business operations. Recital 4 proclaims that processing personal data should be designed to serve mankind.
Article 5 sets out six principles relating to the lawfulness of processing personal data. These include requirements that data must be processed lawfully, fairly, and transparently. Article 6 specifies that personal data may not be processed unless there is at least one legal basis for doing so. Consent must be explicit, freely given, plainly worded, and unambiguous. An online form which has consent options structured as an opt-out selected by default violates these rules. Individuals can withdraw consent at any time, and the process must not be harder than opting in. Children under 16 require parental or custodian verification for consent, though member states may lower this age to 13. Article 17 provides a right to erasure on grounds including noncompliance with lawful processing conditions.
Data controllers must report breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy. Public authorities and businesses whose core activities involve regular monitoring of large-scale data must employ a Data Protection Officer. This role requires expert knowledge of data protection law and practices. The DPO maintains a living data inventory of all collected information and manages compliance with internal regulations. Article 30 mandates records of processing activities for organizations employing more than 250 people or handling special categories of data. Encryption and decryption operations must occur locally to ensure keys remain with the data owner. Pseudonymisation transforms personal data so it cannot be attributed to a specific subject without additional information kept separately.
Fines reach up to €20 million or 4% of annual worldwide turnover, whichever is greater, for serious infringements. In January 2025, Meta received a fine of €1.2 billion for unlawful data transfers between the EU and the US. The Irish Data Protection Commission imposed a €345 million fine on TikTok in early 2024 regarding children's data privacy. Google was fined €50 million by the French DPA on the 21st of January 2019 for insufficient control over behavioral advertising. British Airways faced an initial intention to fine £183 million before receiving a reduced penalty of £20 million. Over 160 million Euros in fines were imposed in 2020, rising to over one billion Euros in 2021. Supervisory authorities cooperate through mutual assistance and joint operations under the European Data Protection Board.
The regulation applies to organizations outside the EU if they offer goods or services to individuals located within the Union. It also covers monitoring behavior that takes place within the EU regardless of where processing occurs. Non-EU establishments must designate an EU Representative to serve as a point of contact for obligations. California passed the Consumer Privacy Act on the 28th of June 2018 with many similarities to GDPR standards. China adopted its Personal Information Protection Law in 2021 modeled after these regulations. Turkey enacted its Law on The Protection of Personal Data on the 24th of March 2016 in compliance with EU acquis. Switzerland will adopt new laws largely following EU guidelines while Caribbean regions consider GDPR rules due to lack of local legislation.
A 2018 Deloitte study found 92% of companies believed they could comply with GDPR business practices long-term. IT professionals expected GDPR-related spending to reach at least US$100,000 per organization. Total costs for EU companies were estimated at €200 billion while US company estimates reached $41.7 billion. Approximately 25% of software vulnerabilities have GDPR implications according to research findings. Some websites began blocking visitors from EU countries entirely including Instapaper and Tubi upon implementation. Online behavioral advertising placements fell between 25% and 40% on the 25th of May 2018. A 2024 study found GDPR reduced both EU user website page views and revenue by 12%. Mark Zuckerberg called it a very positive step for the Internet while Richard Stallman praised aspects but demanded additional safeguards against manufactured consent.
Up Next
Common questions
When did the General Data Protection Regulation become effective?
The General Data Protection Regulation became effective on the 25th of May 2018. The European Parliament and Council adopted it on the 14th of April 2016, two years prior to its enforcement.
What are the fines for violating the General Data Protection Regulation?
Fines reach up to €20 million or 4% of annual worldwide turnover, whichever is greater, for serious infringements. In January 2025, Meta received a fine of €1.2 billion for unlawful data transfers between the EU and the US.
Who must appoint a Data Protection Officer under the General Data Protection Regulation?
Public authorities and businesses whose core activities involve regular monitoring of large-scale data must employ a Data Protection Officer. This role requires expert knowledge of data protection law and practices.
Does the General Data Protection Regulation apply to organizations outside the EU?
The regulation applies to organizations outside the EU if they offer goods or services to individuals located within the Union. Non-EU establishments must designate an EU Representative to serve as a point of contact for obligations.
How does the General Data Protection Regulation affect online behavioral advertising?
Online behavioral advertising placements fell between 25% and 40% on the 25th of May 2018 following implementation. A 2024 study found GDPR reduced both EU user website page views and revenue by 12%.
All sources
160 references cited across the entry
- 2webWhat is the LGPD? Brazil’s version of the GDPRRichie Koch — 2019-07-31
- 3webThe UK GDPR28 June 2021
- 4newsGDPR vs CCPA: What are the main differences?Lucarini Francesca
- 5webGeneral Data Protection Regulation (GDPR) – Table of ContentsGDPR-info.eu
- 6webGDPR Recitals – Full listGDPR-info.eu
- 8webWhat is personal data?2019-04-24
- 11journalYour Data Is My Data: A Framework for Addressing Interdependent Privacy InfringementsBernadette Kamleitner et al. — 2019-10-01
- 13journalWhen data protection by design and data subject rights clashMichael Veale et al. — 2018
- 14journalSingling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new Data Protection RegulationFrederik J. Zuiderveen Borgesius — April 2016
- 15webThe Right to Be ForgottenTony Baldry et al. — 1 Essex Court — 15 May 2014
- 16webPractical Data Privacy Books by ThoughtworkersKatharine Jarmul
- 17webRight to object2019-08-30
- 18webUsing privacy laws to regulate automated decision makingBarry Sookman — 30 April 2021
- 20webWebsite maintenance
- 23webData science under GDPR with pseudonymization in the data pipelineJan Lindquist — 17 April 2018
- 25webData protection by design and default2023-07-01
- 27webExplaining GDPR Data Subject Requests – TrueVaultTrueVault
- 29webreach of the GDPR: What is at stake?Piper-Meredith Jankowski — 21 June 2017
- 35webExemptions2020-07-20
- 36bookServices of General Economic Interest as a Constitutional Concept of EU LawCaroline Wehlander — TMC Asser Press — 2016
- 38webExtraterritorial Scope of GDPR: Do Businesses Outside the EU Need to Comply?American Bar Association
- 39webUK: Understanding the full impact of Brexit on UK: EU data flowsDLA Piper — 23 September 2019
- 41webHow to transfer data to a 'third country' under the GDPRConor Donnelly — 18 January 2018
- 42webDigital Rights post-BrexitOpen Rights Group — 2 November 2022
- 44newsNew UK Data Protection Act not welcomed by allWarwick Ashford — 24 May 2018
- 45webGoogle shifts authority over UK user data to the US in wake of BrexitJon Porter — 20 February 2020
- 46newsUK data protection 'adequacy' gets EU governments' sign-offKathryn Wynn — Pinsent Masons — 18 June 2021
- 47newsEU–UK adequacy decisions approved by the EDPB: EDPB calls for effective monitoringSheilah Mackie et al. — Womble Bond Dickinson — November 18, 2025
- 49newsUnder-18s face 'like' and 'streaks' limits2019-04-19
- 50newsFacebook urged to disable 'like' feature for child usersPatrick Greenfield — 15 April 2019
- 51webUK seeks divergence from GDPR to 'fuel growth'Keumars Afifi-Sabet — 12 March 2021
- 52webData sharing myths busted19 May 2023
- 53webTop nine GDPR myths busted22 January 2019
- 54webFive GDPR myth-busters11 May 2023
- 55webA new era for privacy – GDPR six months onPeter Gooch — 2018
- 57webThe High Costs of GDPR ComplianceChris Babel — UBM Technology Group — 11 July 2017
- 58webPreparing for New Privacy Regimes: Privacy Professionals' Views on the General Data Protection Regulation and Privacy ShieldBaker & McKenzie — 4 May 2016
- 59webGDPR Compliance Cost CalculatorGeorgi Georgiev
- 60webHow Europe's 'breakthrough' privacy law takes on Facebook and GoogleOlivia Solon — 19 April 2018
- 61newsEurope’s new privacy rules are no silver bulletMark Scott — 2018-04-22
- 63newsNo one's ready for GDPRSarah Jeong — 22 May 2018
- 64newsNew rules on data protection pose compliance issues for firmsElaine Edwards — 22 February 2018
- 65webLooking to comply with GDPR? Here's a primer on anonymization and pseudonymizationMatt Wes — IAPP — 25 April 2017
- 66journalThe impact of the EU general data protection regulation on scientific researchGauthier Chassang — 2017
- 67webPseudonymisation of Personal Data According to the General Data Protection RegulationLaura Tarhonen — 2017
- 69newsAI watchdog needed to regulate automated decision-making, say expertsIan Sample — 27 January 2017
- 70webEU's Right to Explanation: A Harmful Restriction on Artificial IntelligenceNick Wallace — 25 January 2017
- 71journalWhy a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection RegulationSandra Wachter et al. — 28 December 2016
- 72journalSlave to the algorithm? Why a "right to an explanation" is probably not the remedy you are looking forLilian Edwards et al. — 2017
- 73webFive benefits GDPR compliance will bring to your businessMichael Frimin — 29 March 2018
- 74webEurope's tough new digital privacy law should be a model for US policymakersTrevor Butterworth — Vox — 23 May 2018
- 75webWhat the GDPR means for Facebook, the EU and youJustin Jaffe et al. — 25 May 2018
- 76newsZuckerberg says he wants strict European-style privacy laws — but some experts question his motivesElizabeth Schulze — 2019-04-01
- 77magazineEurope's new privacy law will change the web, and moreNitasha Tiku — 19 March 2018
- 78newsToday, a new E.U. law transforms privacy rights for everyone. Without Edward Snowden, it might never have happened.Nikhil Kalyanpur et al. — 25 May 2018
- 79newsA radical proposal to keep your personal data safeRichard Stallman — 3 April 2018
- 80journalThe European Union general data protection regulation: what it is and what it meansChris Jay Hoofnagle et al. — 10 February 2019
- 81newsScammers are using GDPR email alerts to conduct phishing attacksKeumars Afifi-Sabet — 3 May 2018
- 82webMost GDPR emails unnecessary and some illegal, say expertsAlex Hern — 21 May 2018
- 83webEU gov't and public health sites are lousy with adtech, study findsNatasha Lomas — 18 March 2019
- 84newsEU citizens being tracked on sensitive government websitesMadhumita Murgia — 18 March 2019
- 85newsFall asleep in seconds by listening to a soothing voice read the EU's new GDPR legislationJames Vincent — 3 June 2018
- 86newsHow Europe's GDPR Regulations Became a MemeAngela Watercutter — 25 May 2018
- 87newsThe Internet Created a GDPR-Inspired Meme Using Privacy PoliciesAnn-Marie Alcántara — 31 May 2018
- 88newsHelp, my lightbulbs are dead! How GDPR became bigger than BeyonceMatt Burgess
- 89newsHere Are Some of the Worst Attempts At Complying with GDPRKaleigh Rogers — 25 May 2018
- 90webWhat Percentage of Your Software Vulnerabilities Have GDPR Implications?HackerOne — 16 January 2018
- 91webThe Data Protection Officer (DPO): Everything You Need to KnowDebra J. Farber — Cranium and HackerOne — 20 March 2018
- 92webWhat might bug bounty programs look like under the GDPR?Jennifer Baker — The International Association of Privacy Professionals (IAPP) — 27 March 2018
- 93journalDid App Privacy Improve After the GDPR?N. Momen et al. — November 2019
- 94citationA Multilateral Privacy Impact Analysis Method for Android AppsMajid Hatamian et al. — Springer International Publishing — 2019
- 96newsInstapaper is temporarily shutting off access for European users due to GDPRNick Statt — 23 May 2018
- 97webUnroll.me to close to EU users saying it can't comply with GDPRNatasha Lomas — 5 May 2018
- 98newsHow GDPR, ad fatigue and content costs are complicating the now-global streaming warsAndrew Blustein — September 4, 2019
- 99newsSites block users, shut down activities and flood inboxes as GDPR rules loomAlex Hern et al. — 24 May 2018
- 100newsBlocking 500 Million Users Is Easier Than Complying With Europe's New RulesBloomberg L.P. — 25 May 2018
- 101newsU.S. News Outlets Block European Readers Over New Privacy RulesAdam Satariano — 25 May 2018
- 103newsWhy Your Inbox Is Crammed Full of Privacy PoliciesNitasha Tiku — 24 May 2018
- 104newsGetting a Flood of G.D.P.R.-Related Privacy Policy Updates? Read ThemBrian X. Chen — 23 May 2018
- 106newsGDPR mayhem: Programmatic ad buying plummets in Europe25 May 2018
- 107bookThe impact of the GDPR on the online advertising marketBernd Skiera et al. — Bernd Skiera — 5 July 2022
- 108webPress corner
- 110webGDPR: noyb.eu filed four complaints over 'forced consent' against Google, Instagram, WhatsApp and FacebookNOYB.eu — 25 May 2018
- 113webFacebook, Google face first GDPR complaints over 'forced consent'25 May 2018
- 114newsGoogle, Facebook hit with serious GDPR complaints: Others will be soonDavid Meyer
- 115newsGoogle hit with £44m GDPR fineChris Fox — 21 January 2019
- 116webGoogle fined €50 million for GDPR violation in FranceJon Porter — 21 January 2019
- 117newsYet Another GDPR Disaster: Journalists Ordered To Hand Over Secret Sources Under 'Data Protection' LawMike Masnick — 19 November 2018
- 118newsEnglish Translation of the Letter from the Romanian Data Protection Authority to RISE ProjectGeorge Bălăiți — Organized Crime and Corruption Reporting Project — 9 November 2018
- 120newsBritish Airways breach caused by credit card skimming malware, researchers sayZack Whittaker — 11 September 2018
- 121newsBritish Airways boss apologises for 'malicious' data breach7 September 2018
- 122newsBA faces £183m fine over passenger data breachMark Sweney — 8 July 2019
- 123newsBritish Airways faces record £183m fine for data breach8 July 2019
- 124webICO fines British Airways £20m for data breach affecting more than 400,000 customers16 October 2020
- 125web'We have a huge problem': European regulator despairs over lack of enforcementNicholas Vinocur — 27 December 2019
- 126newsEurope-wide overhaul of GDPR monitoring triggered by ICCLJohnny Ryan — 2023-01-31
- 127bookProceedings of Mensch und Computer 2019Fatemeh Alizadeh et al. — ACM Press — 2019
- 128journalGDPR Reality Check–Claiming and Investigating Personally Identifiable Data from CompaniesFatemeh Alizadeh et al. — 2020
- 129journalUnderstanding challenges of GDPR implementation in business enterprises: a systematic literature reviewYelena Smirnova et al. — 2024-04-04
- 130webDPO.VN – Chuyên gia bảo vệ dữ liệu cá nhân2025-04-21
- 131bookHuman Centred Intelligent SystemsSoheil Human et al. — Springer — 2021
- 132newsHow Europe's Intelligence Services Aim to Avoid the EU's Highest Court—and What It Means for the United StatesTheodore and Kenneth Christakis and Propp — March 8, 2021
- 133newsFines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the bruntRyan Browne — 2022-01-18
- 134webTikTok fined €345 million for GDPR violations on children's privacy15 September 2024
- 135webMeta hit with record €1.2 billion GDPR fine over US data transfers10 January 2025
- 136newsEU ditches plans to regulate tech patents, AI liability, online privacyFoo Yun Chee — 12 February 2025
- 137webThe GDPR Is in Effect: Should U.S. Companies Be Afraid?Jeff John Roberts — 25 May 2018
- 138newsCommentary: California’s New Data Privacy Law Could Begin a Regulatory DisasterDanny Allan — 2018-10-23
- 139newsCalifornia Unanimously Passes Historic Privacy BillIssie Lapowsky — 2018-06-28
- 140newsMarketers and tech companies confront California's version of GDPRGeorge P. Slefo — 2018-06-29
- 141webVirginia passes the Consumer Data Protection ActSarah Rippy — 3 March 2021
- 142webColorado Privacy Act becomes lawSarah Rippy — 8 July 2021
- 144bookHigh Wire: How China Regulates Big Tech and Governs Its EconomyAngela Huyue Zhang — Oxford University Press — 2024
- 145webNew Federal Act on Data Protection (nFADP)S. M. E. Portal
- 146webThe European Union (EU) General Data Protection Regulation (GDPR) in the Caribbean ContextStaff writer — 23 January 2020
- 147webEDPB-EDPS Joint Response on the US Cloud ActEuropean Data Protection Supervisor — 10 July 2019
- 148web21 Thoughts and Questions about the UK-US CLOUD Act Agreement: (and an Explanation of How it Works – with Charts)Theodore Christakis — October 17, 2019
- 149webDon't Get Spooked by the CLOUD ActMartin Whitworth — International Data Corporation — 2018
- 150journalRegulating Privacy Online: An Economic Evaluation of the GDPRSamuel G. Goldberg et al. — 2024
- 153webWritten Procedure
- 157webGeneral Data Protection Regulation (GDPR) entered into force in the EEA20 July 2018
- 158webGDPR – 20. juli er datoen!Kjetil Kolsrud — 10 July 2018
- 159webDigital Single Market