
What is General Data Protection Regulation (“GDPR”)?

by John DiGiacomo

Partner

Internet Law

The General Data Protection Regulation (“GDPR”) is a set of regulations issued by the European Union (“EU”) that provides legal protection for consumer personal data. The GDPR applies to all countries that are part of the EU and to the European Economic Area countries (Iceland, Liechtenstein, and Norway). This includes nearly every country in Europe and several nearby countries.

The GDPR is the forerunner of the many consumer data protection statutes that have been — and are being — enacted in the United States. The GDPR went into effect in 2018 and was the basis/template for the first U.S. personal data protection statute enacted by California. The California statute went into effect in 2020, and since then, more than twenty U.S. States have enacted their own versions of consumer data protection statutes. Already in 2024, more than half a dozen U.S. States have enacted consumer data protection statutes, and more are expected to enact similar legislation by the end of the year.

When promulgated, the GDPR was considered a robust and data-protective set of regulations. This remains true today, and indeed, the GDPR remains the strongest and most stringent data protection regulatory regime in the world (much stronger than any American version). As just a couple of examples, the GDPR applies to any person or entity that processes personal data and targets EU residents by either offering goods or services or monitoring the online behaviors of EU residents. By contrast, similar U.S. statutes have various thresholds for applicability. The recently enacted Kentucky Consumer Data Protection Act (“KCDPA”) applies as follows:

  • To any person or entity that conducts business in Kentucky OR who produces products or services that target Kentucky residents AND
    • Controls or processes data of at least 100,000 Kentucky consumers OR
    • Controls and processes data for at least 25,000 Kentucky consumers AND derives over 50% of gross revenue from the sale of personal data

As another couple of examples, the GDPR does NOT exempt non-profit organizations or employment-related data from coverage. By contrast, most similar U.S. statutes do exempt non-profit organizations and exclude employee-related data. As a final example, the GDPR imposes very significant fines for violations that can be as high as 20 million Euros (about 21 million in USD) or up to 4% of a company’s global revenue, whichever is higher. Fines under similar U.S. statutes can best be described as “mild” (typically $7,500 per violation). So, as stated, these and many other examples make it clear that the GDPR remains the strongest and most stringent data protection regulatory regime in the world.

As noted, the GDPR provided the template for similar statutes in the United States. Thus, there is a large overlap in the structure and legal frameworks. The GDPR and the U.S. equivalents provide a set of data rights for consumers and impose a set of legal obligations on controllers and processors of consumer data. As a quick example, the GDPR provides the following consumer rights:

  • Right to be fully informed about the collection and use of their data
  • Right to view what personal data is collected from them
  • Right to a copy of the data collected (also called the right of portability)
  • Right to know why the data was collected
  • Right to know with whom the data was shared
  • Right to correct
  • Right to delete
  • Right to object to automated data processing if such has “significant legal effects” like an impact on obtaining credit
  • Right to restrict or limit data processing and object to certain types of processing like processing for targeted advertising

These are similar to the consumer rights granted by similar data protection statutes enacted in the United States.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
