INTRODUCTION
The European Union’s General Data Protection Regulation (GDPR) is recognised globally as a landmark in data protection legislation. It governs the processing of personal data of individuals within the EU and EEA. The GDPR’s widespread impact stems not only from its binding nature across member states but also from its extraterritorial reach, compelling organisations worldwide to adhere to its standards when handling personal information of EU data subjects.[1] It marks a major shift toward transparency, accountability, and individual empowerment in digital privacy.
HISTORICAL BACKGROUND
The European approach to privacy protection is deeply rooted. Article 8 of the European Convention on Human Rights (1950) established a right to respect for private and family life, which influenced subsequent data protection policy.[2] The first comprehensive data protection instrument, Convention 108, was signed by the Council of Europe in 1981, which set up principles for the automatic processing of personal data.[3]
By the mid-1990s, divergent national laws and the rise of cross-border data flows prompted the adoption of Directive 95/46/EC (the “Data Protection Directive”), aimed at harmonising standards for data processing and transfer.[4] However, the directive proved largely inflexible in nature; national implementation was uneven, which produced inconsistencies and undermined the effectiveness of its regulatory measures.[5] Technological advancements, increasing risks to privacy, and growing consumer expectations of control over their data strengthened the case for a regulation such as GDPR.
The European Commission prepared and published a draft regulation in 2012, which, after years of negotiation and refinement, was adopted as Regulation (EU) 2016/679 in 2016 and took effect on 25 May 2018.[6] GDPR replaced the previous directive, ensuring uniformity through direct applicability rather than national transposition.
AIM AND SIGNIFICANT PROVISIONS OF GDPR
The aim of GDPR is the protection of fundamental rights and freedoms with respect to personal data and to ensure the free movement of such data.[7] Some of the major provisions include:
Extraterritorial Reach: It applies to data controllers and processors both inside and outside the EU if they are targeting or monitoring EU residents.[8]
Lawful Bases and Consent: The processing of any form of data requires a lawful basis—consent, contract, legal obligation, vital interests, public task, or legitimate interests. The consent must be informed, specific, unambiguous, and withdrawable.[9]
Data Subject Rights: It confers various rights, such as the right to access, correct, erase (“right to be forgotten”), restrict processing, data portability, and object.[10]
Transparency and Accountability: It enhances disclosure, privacy-notice, and record-keeping obligations.[11]
Data Protection Officers: It mandates the appointment of DPOs in public bodies and certain private organisations.[12]
Security and Breach Notification: It lays down obligations for technical/organisational measures and notification of personal data breaches within 72 hours.[13]
Enforcement: Fines of up to €20 million or 4% of global annual turnover, whichever is greater, can be imposed on organisations.[14]
FAMOUS CASES RELATED TO GDPR
Judicial interpretation has further refined GDPR’s evolution and application.
Google Spain SL v Agencia Española de Protección de Datos (2014, C-131/12): Before GDPR’s implementation, the CJEU established the “right to be forgotten,” allowing individuals to seek removal of search results linking to their personal information if outdated or irrelevant.[15] This principle is now codified in Article 17 of GDPR.
Schrems I & II (C-362/14, C-311/18): Max Schrems, an Austrian activist, challenged the adequacy of EU-US data transfer mechanisms. The CJEU invalidated the Safe Harbour (2015) and Privacy Shield (2020) frameworks, citing inadequate US safeguards and government surveillance practices. The decisions reinforced strict standards for third-country transfers and the need for robust mechanisms such as Standard Contractual Clauses and, in some cases, additional measures.[16]
ENFORCEMENT OF GDPR
The enforcement of GDPR has resulted in the imposition of significant fines across the EU, reinforcing its seriousness.
- In 2021, Amazon Europe received a record €746 million fine for breaching consent requirements when processing personal data for advertising.[17]
- Meta Platforms Ireland was fined €405 million for mishandling children’s data on Instagram, and €390 million for improper legal bases regarding targeted ads on Facebook and Instagram.[18]
- Deutsche Wohnen SE was fined €14.5 million for unlawful retention of tenant data beyond necessary periods, demonstrating GDPR’s reach beyond tech giants.[19]
LEGAL CHALLENGES FACED BY GDPR
GDPR’s wide scope has led to several compliance and interpretation issues.
Operational Difficulties: Organisations, especially SMEs, struggle with mapping data flows, managing consents, and fulfilling data subject requests within short deadlines.[20]
Vague Definitions and Discretion: Terms like “legitimate interests” and “undue delay” are open to interpretation, which creates uncertainties and difficulties in national enforcement.[21]
Cross-Border Data Transfers: After Schrems II, companies must ensure that third-country transfers have “essentially equivalent” safeguards to the EU, which raises costs and regulatory uncertainty for international businesses.[22]
Balancing Rights and Innovation: The right to erasure can conflict with information rights and freedom of expression. Data portability and access rights can be challenging for organisations with complex systems.[23]
CONCLUSION
The GDPR symbolises Europe’s commitment to privacy as a fundamental right, shaping global standards and offering individuals control over personal data. Judgments and fines imposed on big companies demonstrate GDPR’s intent to enforce strict standards for consent, security, and transparency. Yet, significant compliance challenges remain, especially as technology, business models, and cross-border data flows continue to evolve.
The regulation’s effectiveness will depend on continued judicial interpretation, responsive regulatory guidance, and innovative compliance solutions that balance privacy protection with economic and technological progress. GDPR sets a model for data protection, but its complexities require vigilance, caution, adaptability, and ongoing dialogue among stakeholders.
Author’s Name: Priyam Pratik (Allahabad University, Prayagraj)
[1] GDPR.eu, ‘What is GDPR, the EU’s new data protection law?’ (2025) https://gdpr.eu/what-is-gdpr/.
[2] Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, as amended).
[3] Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No 108, 1981).
[4] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.
[5] O Lynskey, ‘Complete and Effective Data Protection’, Oxford Academic (2023) https://academic.oup.com/clp/article/76/1/297/7304257.
[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
[7] Art 1, Regulation (EU) 2016/679.
[8] Art 3, Regulation (EU) 2016/679.
[9] Art 6, 7, Regulation (EU) 2016/679.
[10] Art 12-20, Regulation (EU) 2016/679.
[11] Art 5, Regulation (EU) 2016/679.
[12] Art 37-39, Regulation (EU) 2016/679.
[13] Art 32, 33, Regulation (EU) 2016/679.
[14] Art 83, Regulation (EU) 2016/679.
[15] Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (2014) ECLI:EU:C:2014:317.
[16] Case C-362/14 Schrems v Data Protection Commissioner (2015) ECLI:EU:C:2015:650; Case C-311/18 Data Protection Commissioner v Facebook Ireland and Schrems (2020) ECLI:EU:C:2020:559.
[17] Data Privacy Manager, ‘20 biggest GDPR fines so far’ (2025) https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/.
[18] Ibid.
[19] SCB, ‘Look at 6 EU cases that violate privacy laws’ (2020) https://www.scb.co.th/en/personal-banking/stories/tips-for-you/eu-gdpr.
[20] CookieYes, ‘GDPR Compliance Challenges & Their Practical Solutions’ (2025) https://www.cookieyes.com/blog/gdpr-compliance-challenges/.
[21] Ibid.
[22] ActiveMind Legal, ‘Judgments on the GDPR and national data protection law’ (2023) https://www.activemind.legal/rulings/.
[23] Europarl, ‘The impact of the General Data Protection Regulation (GDPR …)’ (2020) https://www.europarl.europa.eu/RegData/etudes/STUD/2020/641530/EPRS_STU(2020)641530_EN.pdf.