
The European Union’s General Data Protection Regulation (GDPR) is a law on data protection and privacy that applies to all individuals within the EU and the European Economic Area (EEA), including both citizens and residents. It aims to simplify the regulatory environment for international business by unifying data protection regulation across the EU. Passed in 2016, GDPR went into effect on 25 May 2018 and brought with it a host of new measures that give citizens and residents control over their personal data; it also governs the export of personal data outside the EU. GDPR has set an international standard for the kinds of protections and rights it grants to citizens, and it requires private sector companies and other entities operating within the EU to provide data protection even if their headquarters are outside the EU (referred to as extraterritorial applicability). If an organization or company fails to comply with GDPR rules, it can be fined up to 4% of annual global turnover or €20 million (whichever is greater).

GDPR codifies certain policies and privacy standards into law, such as but not limited to:

  • The need for clear consent and easily accessible terms and conditions.

  • Notification of privacy breaches or when data has been compromised.

  • The right of consumers (data subjects) to access and download their personal data, free of charge.

  • The right to data erasure (also known as the right to be forgotten).

  • Data portability, which is the right for a consumer to freely transfer their data from one service to another without penalty.

  • The right to privacy by design, which means that services handling personal data must be built from the outset to incorporate privacy principles and to provide safeguards that protect the data.

Additional resources:

  • Two Years Under the EU GDPR: An Implementation Progress Report (Access Now)