The GDPR: Exploring Europe’s Response to 21st Century Data Privacy Concerns
By Wyatt Smith ‘26
In the 21st century, it can often feel like “privacy” is a thing of the past. Online, where the average internet user spends six-and-a-half hours a day, personal data is constantly being collected and processed. Every time you click a link, visit a new site, make a search with your browser, or purchase an item at a grocery store, records of those interactions are being made and warehoused by potentially dozens of parties. Their purposes for doing so can be as benign as determining what language to show on their website, or as controversial as an insurance provider using data on whether you buy whole or skim milk from a grocery store to determine your risk profile, and by extension, your insurance premium. According to Whotracks.me, the world's largest open-source database of known trackers, an eye-opening 74% of all web traffic is tracked by Google alone. Volumes of books could be written on the ethical and legal concerns stemming from online tracking and data collection, but this article will focus on one legislative solution: The European Union’s General Data Protection Regulation, or GDPR.
The GDPR is currently the world’s most comprehensive single regulation on data processing. The legislation was passed by the European Parliament in 2016, and went into effect in May of 2018. Its protections apply to all 448 million inhabitants of the EU. Conversely, its restrictions apply to any company’s business operations within EU borders. Countries processing data on EU citizens must conform to GDPR regulations, and the EU will not transfer data to any nation that will not afford a similar level of protection.
The goal of the GDPR is to give some power back to the consumer when it comes to the processing, use, and storage of their personal data. It accomplishes this through a set of principles that “data controllers” (any party processing personal data) must adhere to, and a set of legally enforceable rights granted to EU citizens. Let’s start with the principles.
Principles of the GDPR
There are seven key principles outlined in this landmark legislation, to which all data controllers operating within EU borders must adhere:
Personal data must be processed lawfully, transparently, and fairly. Data collection requires informed consent in most cases, unless the collector has a “legitimate interest” in collecting the data.
Personal data must be used for specified, explicit purposes. The person must also be notified what those purposes are.
Personal data must be adequate, relevant, and limited only to what is necessary.
Personal data must be accurate and kept up to date.
Personal data must be kept for no longer than necessary to fulfill the stated task. Once that task is accomplished, all stored data must be deleted.
Personal data must be kept secure.
Personal data controllers must be accountable for complying with these principles. Typically, that means complying with EU probes, and having dedicated employees on board to ensure GDPR compliance.
In the EU, any entity handling personal data is responsible for upholding these seven principles. Any violation of these principles can result in fines of up to 4% of global daily revenue per infraction; for Amazon in 2024, for example, this could amount to nearly $70,000,000, an extremely substantial fine.
Rights granted by the GDPR
There are eight legally enforceable rights afforded to every EU citizen under the General Data Protection Regulation:
Right to be informed exactly how your data is used and collected.
Right of access. EU citizens can request a copy of their personal data, as well as all inferences made using their data. The company must then comply with the request in a timely manner, usually in under a month.
Right to have mistakes in personal data corrected.
Right to be forgotten. Any EU citizen can request that all non-essential data relating to them be deleted, no questions asked. Essential data qualifies as data used to carry out a contract or legal obligation, for a vital interest (such as a medical procedure), a public interest, or a legitimate interest (more on this later).
Right to stop or restrict collection of personal data. Under the GDPR, consent can be withdrawn at any time.
Right to data portability. An EU citizen can request that their data be moved.
Right to a non-automated decision in most cases.
Right to object to how your data is being processed.
Impacts of the GDPR
How has the GDPR held up in the last few years, and what impacts has it had? For one, the rate at which data breaches are reported in Europe has gone up substantially. With data controllers now held liable for breaches, there is a serious legal incentive to report, and this has greatly aided transparency in the EU surrounding cybercrime. Additionally, the rights of access, portability, and to be forgotten have had a massive positive impact on transparency in data use. Nowhere in the world is it easier to know exactly what data companies have on you and how they are using it than in the EU. As a consequence, nowhere in the world is it easier to hold data controllers accountable for potential misdeeds. Speaking of accountability, violators have faced serious financial consequences under the GDPR, with Meta alone having sustained more than €1,600,000,000 in fines, and companies like Amazon and Marriott sustaining hundreds of millions more. The GDPR has made waves around the globe too, with many nations (not including the US) adopting similar data protection regulations.
But what about some challenges faced by the GDPR? One challenge, and a potential loophole, is what constitutes a “legitimate interest” when it comes to lawfully collecting data without consent. The GDPR holds that data may be collected without the informed consent of the data subject if the collector has a legitimate interest in collecting the data that outweighs the subject’s right to data privacy. As with many laws, this is very much open to interpretation. Some argue that a for-profit company trying to better its bottom line has a legitimate interest in collecting personal data; others opt for a stricter interpretation. Additionally, many data collectors have found ways to avoid the need for informed consent by writing long and confusing terms and conditions, or by throttling the performance of their service for those who did not consent.
While the EU enjoys one comprehensive data privacy law, in the US, legislation varies from piecemeal to nearly nonexistent. The California Consumer Privacy Act provides Californians with some level of legal protection, but it is still far less comprehensive than the GDPR. As of the writing of this article, 18 out of 50 US states have passed some form of consumer data protection law, with many more having laws in committee. North Carolina has yet to see any such law proposed.
Wyatt Smith is a junior majoring in international business.
Sources
Amazon.com announces Fourth Quarter Results. (2018, February 6). Amazon Inc. https://ir.aboutamazon.com/news-release/news-release-details/2025/Amazon.com-Announces-Fourth-Quarter-Results/
California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100–1798.199 (2018).
20 Biggest GDPR Fines So Far. (2025, March 3). Data Privacy Manager. Retrieved March 18, 2025, from https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/
European Parliament & Council of the European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Official Journal of the European Union, L 119, 1–88. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
Pelchen, L. (2024, December 9). Internet usage statistics in 2025. Forbes. https://www.forbes.com/home-improvement/internet/internet-statistics/
GDPR Data Breach Survey: January 2020. (2020, January 20). DLA Piper. https://norway.dlapiper.com/en/publication/gdpr-data-breach-survey-january-2020
Jacobson, J. (2025, February 18). How grocery data can transform retention for banks and insurers. Forbes. https://www.forbes.com/councils/forbestechcouncil/2025/02/18/how-grocery-data-can-transform-growth-and-retention-for-banks-and-insurers/
Kibby, C., Noordyke, M., Rippy, S., Lively, T. K., Desai, A., & Folks, A. (2025, March 10). US State Privacy Legislation Tracker. IAPP. Retrieved March 18, 2025, from https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
Whotracks.me. (n.d.). Ghostery. https://www.ghostery.com/whotracksme