The General Data Protection Regulation (“GDPR”) is a European Union (“EU”) regulation that provides legal protection for the personal data of individuals. The GDPR applies in every EU member state and, through the European Economic Area (“EEA”) agreement, in Iceland, Liechtenstein, and Norway. Together, this covers nearly every country in Europe and several nearby countries.
The GDPR is the forerunner of the many consumer data protection statutes that have been, and are being, enacted in the United States. The GDPR took effect in May 2018 and served as the basis and template for the first U.S. consumer data protection statute, the California Consumer Privacy Act, which took effect in 2020. Since then, more than twenty U.S. states have enacted their own versions of consumer data protection statutes. In 2024 alone, more than half a dozen states have enacted such statutes, and more are expected to follow by the end of the year.
When promulgated, the GDPR was considered a robust and data-protective set of regulations. This remains true today, and the GDPR remains the strongest and most stringent data protection regulatory regime in the world (much stronger than any American version). As one example, the GDPR has no size or revenue threshold: it applies to any person or entity established in the EU that processes personal data, and to any person or entity outside the EU that offers goods or services to individuals in the EU or monitors their behavior. By contrast, similar U.S. statutes have various thresholds for applicability. The recently enacted Kentucky Consumer Data Protection Act (“KCDPA”) applies only to a person or entity that meets both of the following conditions:
- Conducts business in Kentucky OR produces products or services that target Kentucky residents; AND
- During a calendar year, either controls or processes the personal data of at least 100,000 Kentucky consumers, OR controls or processes the personal data of at least 25,000 Kentucky consumers AND derives over 50% of gross revenue from the sale of personal data
As two further examples, the GDPR does NOT exempt non-profit organizations or employment-related data from coverage. By contrast, most similar U.S. statutes exempt non-profit organizations and exclude employee-related data. As a final example, the GDPR imposes very significant fines for violations: under Article 83, the upper tier of fines can reach 20 million Euros (about 21 million in USD) or 4% of a company’s worldwide annual turnover for the preceding financial year, whichever is higher. Fines under similar U.S. statutes can be best described as “mild” (typically up to $7,500 per violation). From these and many other examples, it is clear that the GDPR remains the strongest and most stringent data protection regulatory regime in the world.
As noted, the GDPR provided the template for similar statutes in the United States. Thus, there is a large overlap in the structure and legal frameworks. The GDPR and the U.S. equivalents provide a set of data rights for consumers and impose a set of legal obligations on controllers and processors of consumer data. As a quick example, the GDPR provides the following consumer rights:
- Right to be fully informed about the collection and use of their data, including why the data is collected and with whom it is shared (Articles 13 and 14)
- Right of access: to confirm whether personal data about them is being processed, to view that data, and to obtain a copy of it (Article 15)
- Right to data portability: to receive the data they provided in a structured, commonly used, machine-readable format and to have it transmitted to another controller (Article 20)
- Right to correct inaccurate or incomplete data (Article 16)
- Right to delete (the “right to erasure” or “right to be forgotten,” Article 17)
- Right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects or similarly significant effects, such as an impact on obtaining credit (Article 22)
- Right to restrict processing (Article 18) and to object to certain types of processing, including processing for direct marketing and processing based on legitimate interests (Article 21)
These are similar to the consumer rights granted by similar data protection statutes enacted in the United States.
GDPR’s Legal Bases for Data Processing
One of the most critical distinctions between the GDPR and most U.S. state privacy laws is the concept of a legal basis for processing personal data. Under the GDPR, every instance of personal data processing must be justified by at least one of six legally recognized bases. Unlike U.S. law, which generally allows data processing unless it is specifically prohibited, the GDPR requires a positive justification for each processing activity, and the controller must be able to identify that justification before the processing begins.
The six lawful bases under GDPR Article 6(1) are: (a) the data subject has given consent to the processing for one or more specific purposes; (b) processing is necessary to perform a contract with the data subject, or to take steps at the data subject’s request before entering into a contract; (c) processing is necessary to comply with a legal obligation to which the controller is subject; (d) processing is necessary to protect the vital interests of the data subject or another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject (the legitimate interests basis).
The legitimate interests basis is the most nuanced and most frequently disputed. Controllers that rely on it must conduct and document a three-part legitimate interests assessment: the purpose test (identify the legitimate interest being pursued), the necessity test (confirm that the processing is necessary for that purpose and that a less intrusive means would not suffice), and the balancing test (weigh the interest against the rights, interests, and reasonable expectations of the data subject). Behavioral advertising and profiling are particularly fraught under this basis; several EU data protection authorities have found that the commercial interests of advertisers do not outweigh individuals’ privacy interests, so that such processing requires explicit consent instead.
GDPR Enforcement: Major Fines and Their Lessons
GDPR enforcement has produced some of the largest data protection fines in history, providing concrete guidance on what practices regulators consider most serious:
- Meta (€1.2 billion, 2023) — the Irish Data Protection Commission (DPC) fined Meta for unlawfully transferring EU personal data to the United States in reliance on standard contractual clauses (SCCs) after the Schrems II decision invalidated the EU-U.S. Privacy Shield; the DPC also ordered Meta to suspend the transfers. This remains the largest GDPR fine to date.
- Amazon (€746 million, 2021) — Luxembourg’s data protection authority fined Amazon for using personal data to serve targeted advertising without a valid legal basis under the GDPR
- WhatsApp (€225 million, 2021) — the Irish DPC fined WhatsApp for GDPR transparency violations, specifically failing to provide adequate information about how user data was shared between WhatsApp and Meta’s other services
- Google (€50 million, 2019) — France’s CNIL fined Google for failing to provide transparent and easily accessible information about its data processing practices and for failing to obtain valid consent for personalized advertising
These cases illustrate that regulators prioritize transparency failures, invalid consent, and unlawful cross-border transfers as enforcement priorities. Businesses that collect EU personal data should audit their privacy notices, consent mechanisms, and data transfer procedures against GDPR standards.
GDPR’s Extraterritorial Reach: U.S. Businesses Are Not Exempt
Many U.S. businesses assume that the GDPR does not apply to them because they are not located in the EU. This assumption is incorrect. GDPR Article 3(2) establishes extraterritorial jurisdiction over businesses outside the EU if they offer goods or services to individuals who are in the EU (whether or not payment is required) or monitor the behavior of individuals in the EU, for example through website analytics, cookies, or behavioral tracking. The test turns on where the individual is, not on nationality or formal residence.
A U.S.-based e-commerce company that ships products to EU customers, a U.S.-based app that tracks EU users’ location, and a U.S.-based analytics company that processes behavioral data from EU websites are all potentially subject to the GDPR. A business subject to the GDPR under Article 3(2) that has no establishment in the EU must designate an EU-based representative under GDPR Article 27, a person or entity located in one of the member states where the affected individuals are, who acts on the business’s behalf with EU supervisory authorities and data subjects. Article 27(2) exempts only processing that is occasional, does not include large-scale processing of special categories of data or criminal-conviction data, and is unlikely to result in a risk to individuals; most commercial tracking and profiling will not qualify for this exemption.
Practically, U.S. businesses that process EU personal data should assess their GDPR exposure, implement a GDPR-compliant privacy program if required, and document their compliance efforts. The cost of GDPR compliance is substantially less than the cost of a significant enforcement action.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.