The General Data Protection Regulation became effective on the 25th of May 2018. The European Parliament and Council adopted it on the 14th of April 2016, two years prior to its enforcement.
Fines reach up to €20 million or 4% of annual worldwide turnover, whichever is greater, for serious infringements. In January 2025, Meta received a fine of €1.2 billion for unlawful data transfers between the EU and the US.
Public authorities and businesses whose core activities involve regular monitoring of large-scale data must employ a Data Protection Officer. This role requires expert knowledge of data protection law and practices.
The regulation applies to organizations outside the EU if they offer goods or services to individuals located within the Union. Non-EU establishments must designate an EU Representative to serve as a point of contact for obligations.
Online behavioral advertising placements fell between 25% and 40% on the 25th of May 2018 following implementation. A 2024 study found GDPR reduced both EU user website page views and revenue by 12%.