EU Data Privacy Laws: GDPR, AI Act & the 2025-2026 Digital Reforms

Regulation (EU) 2016/679, the GDPR, sets a single data protection standard across all 27 EU member states and binds any organization worldwide that processes personal data of individuals located in the EU. Violations carry fines up to EUR 20 million or 4% of global annual turnover under Article 83.
The European Union has built the world's most comprehensive data protection framework. At its core sits the General Data Protection Regulation (GDPR), a single set of rules that applies in every EU country. Layered around it are sectoral laws covering electronic communications, artificial intelligence, data markets, online platforms, and algorithmic gatekeepers.
This page is the hub for EU data privacy law. It explains how the framework fits together, covers the major legal instruments and their current status, and links to detailed guides for each EU member state and each GDPR sub-topic.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for guidance specific to your situation.
Quick Answer
The GDPR is EU law that protects personal data. It applies to any organization, anywhere in the world, that processes the personal data of individuals located in the EU. Penalties reach up to EUR 20 million or 4% of global annual turnover. Every EU member state enforces it through its own data protection authority (DPA), coordinated by the European Data Protection Board (EDPB).
The GDPR is not the only EU data law. The ePrivacy Directive governs cookies and electronic communications. The EU AI Act governs artificial-intelligence systems. The Data Act, Data Governance Act, Digital Services Act, and Digital Markets Act together form a broader digital rulebook. The 2025 GDPR Procedural Regulation streamlines cross-border enforcement, and the 2025 Digital Omnibus proposal is currently simplifying several of these instruments at once.
The GDPR: Core EU Data Protection Law
The General Data Protection Regulation -- Regulation (EU) 2016/679 -- was adopted on 14 April 2016 and took effect on 25 May 2018. It replaced the 1995 Data Protection Directive (Directive 95/46/EC), which had produced a patchwork of inconsistent national laws.
Because the GDPR is a regulation rather than a directive, it is directly applicable in all member states without requiring national transposition of its core provisions. Where the GDPR reserves discretion to member states -- on the age of consent for children's data, additional conditions for employment data, or specific exemptions -- national implementing laws fill those gaps.

Territorial Scope (Article 3)
The GDPR applies in three situations. First, to any organization with an establishment in the EU that processes personal data in the context of that establishment, regardless of where the processing physically occurs. Second, to any organization outside the EU that offers goods or services to individuals in the EU. Third, to any organization outside the EU that monitors the behavior of individuals in the EU.
This broad extraterritorial reach means a company in the United States, India, or Australia must comply with the GDPR if it targets EU customers or tracks their behavior online. The EDPB Guidelines 3/2018 on territorial scope interpret Article 3 in detail.
The Seven Principles (Article 5)
Every processing activity must comply with seven principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. The accountability principle requires organizations to demonstrate compliance, not merely assert it.
Six Legal Bases for Processing (Article 6)
Processing is lawful only if it rests on one of six legal bases: consent, contract performance, legal obligation, vital interests, public interest or official authority, or legitimate interests. Organizations must identify and document their legal basis before processing begins and cannot change it retroactively.
Consent must be freely given, specific, informed, and unambiguous. It must be as easy to withdraw as to give. Pre-ticked boxes and bundled consent do not satisfy the GDPR's consent standard.
Data Subject Rights (Articles 15-22)
The GDPR grants individuals eight enforceable rights: access, rectification, erasure (the "right to be forgotten"), restriction of processing, data portability, objection, and rights related to automated decision-making including profiling. Organizations must respond within one calendar month, extendable by two months in complex cases.
Controller and Processor Obligations
Data controllers determine the purposes and means of processing. Data processors act on instructions from controllers. Written contracts must govern every controller-processor relationship. Controllers must appoint a Data Protection Officer (DPO) in prescribed circumstances, conduct Data Protection Impact Assessments (DPIAs) before high-risk processing, and maintain records of processing activities.
Breach Notification (Articles 33-34)
Controllers must notify their supervisory authority within 72 hours of becoming aware of a personal data breach. If the breach poses a high risk to individuals, the controller must also notify affected individuals without undue delay.
Penalties (Article 83)
The GDPR's two-tier penalty structure provides fines up to EUR 10 million or 2% of global annual turnover (lower tier) and up to EUR 20 million or 4% of global annual turnover (upper tier), whichever is higher in each case. Since May 2018, EU DPAs have issued over EUR 6.8 billion in fines across more than 2,700 enforcement actions.
For detailed coverage of each topic, see the GDPR sub-pages listed below.
GDPR Across 27 Member States
The GDPR is the same law in every EU country, but national implementing legislation, national DPAs, and national court decisions shape how it operates in practice.

National implementing laws address the topics where the GDPR reserves discretion to member states. Germany's Federal Data Protection Act (BDSG) sets strict rules on employee monitoring and works councils. France's loi Informatique et Libertés has been in force since 1978 and was updated to harmonize with the GDPR. Ireland's Data Protection Act 2018 sets the minimum age for children's consent at 16. Every member state has its own supplementary rules.
National DPAs investigate complaints, conduct audits, and issue fines. The Irish Data Protection Commission (DPC) is the lead DPA for most major US technology companies because those companies have their EU headquarters in Ireland. Ireland's DPC has issued approximately EUR 4 billion in total GDPR fines through the one-stop-shop mechanism -- the largest national share by value.
The one-stop-shop mechanism allows organizations with establishments across multiple member states to deal with a single lead DPA for cross-border processing. Concerned DPAs in other member states can raise objections, and disputes escalate to the EDPB for a binding decision. The GDPR Procedural Regulation (discussed below) strengthens this mechanism with binding deadlines from April 2027.
The member-state guide section below links to every EU country's implementing law and DPA page on this site.
ePrivacy Directive and the Withdrawn ePrivacy Regulation
The ePrivacy Directive (Directive 2002/58/EC) governs privacy in electronic communications. It is the source of EU cookie consent rules. Article 5(3) of the Directive requires consent before storing or accessing information on a user's device -- the rule behind the cookie banners on virtually every European website.
The ePrivacy Directive is a directive, not a regulation, so each member state has transposed it into national law differently. Germany, France, Spain, and others have reached different conclusions on what counts as valid cookie consent under their national transpositions.
The ePrivacy Regulation proposal was introduced in January 2017. It was intended to replace the ePrivacy Directive with a directly applicable regulation and to bring cookie and communications-privacy rules into closer alignment with the GDPR. The proposal stalled in the Council for years, unable to reach agreement on data retention and legitimate-interest processing.
On 11 February 2025, the European Commission formally withdrew the ePrivacy Regulation proposal in its 2025 Work Programme. The Commission cited lack of expected agreement from the co-legislators and obsolescence in light of subsequent legislation. The current ePrivacy Directive and national transpositions therefore remain in force indefinitely.
The November 2025 Digital Omnibus proposal picks up some of this unfinished business by proposing to move cookie consent rules from the ePrivacy Directive into the GDPR and expand the list of processing activities that can proceed without consent. For detailed coverage of the current rules, see our ePrivacy Directive explainer.
EU AI Act (Regulation (EU) 2024/1689)
The EU AI Act is the world's first comprehensive regulatory framework for artificial intelligence. It was published in the Official Journal of the EU on 12 July 2024 and entered into force on 1 August 2024.
The AI Act takes a risk-based approach, dividing AI systems into four tiers: unacceptable risk (prohibited outright), high risk (strict compliance obligations), limited risk (transparency requirements), and minimal risk (no mandatory obligations). AI systems that process personal data are often subject to both the AI Act and the GDPR simultaneously.

Phased Implementation Timeline
The AI Act applies in phases:
- 2 February 2025 -- Prohibited AI practices and AI literacy obligations became applicable. Systems using subliminal manipulation, social scoring by public authorities, and most real-time biometric identification in public spaces are banned from this date.
- 2 August 2025 -- Obligations for providers of general-purpose AI (GPAI) models became applicable. Member states must designate national competent authorities and adopt national penalty laws. EU-level governance (the AI Board, Scientific Panel, and Advisory Forum) is operational.
- 2 December 2026 -- Transparency and AI-generated content labelling obligations apply (date extended from 2 August 2026 by the May 2026 Digital Omnibus political agreement). A new prohibition on AI systems generating non-consensual intimate imagery also applies from this date.
- 2 December 2027 -- Compliance deadline for stand-alone high-risk AI systems listed in Annex III (extended by the Digital Omnibus political agreement from 2 August 2026).
- 2 August 2028 -- Compliance deadline for high-risk AI embedded in regulated products listed in Annex I.
Digital Omnibus AI Act Simplification (May 2026)
On 7 May 2026, the European Parliament and Council reached a provisional political agreement under the Digital Omnibus to amend the AI Act. In addition to the timeline changes above, the agreement extends regulatory exemptions available to SMEs to small mid-caps, narrows certain high-risk categorizations, and reinforces the AI Office's supervisory powers. Formal adoption is expected before 2 August 2026.
GDPR Procedural Regulation (Regulation (EU) 2025/2518)
For years, the GDPR's one-stop-shop mechanism suffered from procedural inconsistency: DPAs applied different admissibility standards, investigations ran for years without binding deadlines, and complainants in smaller member states had limited visibility into their cross-border cases.
The GDPR Procedural Regulation -- Regulation (EU) 2025/2518 -- was adopted in 2025 to fix these problems. It came into force on 1 January 2026 and will apply from 2 April 2027.
Key provisions include:
- Unified admissibility standards: the same criteria apply when deciding whether a complaint is admissible, regardless of which member state it is filed in.
- Binding 15-month investigation deadline: the lead DPA must complete its investigation within 15 months, with a possible 12-month extension in particularly complex cases.
- Early resolution mechanism: lead DPAs can resolve complaints before formal cooperation procedures begin, reducing administrative burden and accelerating outcomes.
- Enhanced procedural rights: both investigated parties and complainants have the right to access and comment on preliminary findings before a final decision is issued.
The November 2025 Digital Omnibus Proposal
On 19 November 2025, the European Commission published the Digital Omnibus as part of a Digital Package alongside the Data Union Strategy and European Business Wallets. The Digital Omnibus is a single legislative proposal seeking to simplify and amend multiple existing digital laws: the GDPR, the AI Act, the ePrivacy Directive, the Data Act, the Cybersecurity Act, and others.
Key GDPR-related proposals include:
- Cookie consent simplification: cookie consent rules would move from the ePrivacy Directive into the GDPR, with an expanded list of activities exempt from consent, one-click consent preferences valid for six months, and browser- or device-level saved consent.
- Harmonized DPIA lists: the EDPB would compile EU-wide lists of processing activities that do or do not require a DPIA. Commission-approved lists would supersede conflicting national lists.
- Single incident reporting point: a unified mechanism for reporting cybersecurity incidents and personal data breaches under the GDPR, NIS2 Directive, and other instruments.
The Digital Omnibus is in trilogue negotiations between the Commission, Parliament, and Council as of mid-2026. If adopted, the GDPR amendments would formally update Regulation (EU) 2016/679.
The EDPB and the Consistency Mechanism
The European Data Protection Board (EDPB) is the independent EU body responsible for consistent application of the GDPR across all member states. It is composed of the heads of each national DPA and the European Data Protection Supervisor (EDPS).
Its main functions include issuing guidelines, recommendations, and best practices; issuing binding decisions in disputes under the one-stop-shop mechanism; and conducting coordinated enforcement actions under the Coordinated Enforcement Framework (CEF).
The EDPS supervises the EU's own institutions in their handling of personal data and advises on EU legislation with a data protection dimension.
Consistency mechanism: when a national DPA adopts a measure that could affect data subjects in other member states, it must submit a draft decision to the EDPB. If a concerned DPA raises a relevant and reasoned objection that the lead DPA declines to follow, the EDPB issues a binding decision. This mechanism produced the EUR 1.2 billion fine against Meta in 2023 -- the largest GDPR fine to date -- when the EDPB overruled the Irish DPC's lower proposed fine.
2026 coordinated enforcement: the EDPB's 2026 CEF action focuses on GDPR transparency and information obligations. All national DPAs are conducting parallel investigations on the same topic. In 2025, the CEF focused on the right to erasure.
The Wider EU Digital Rulebook
The GDPR is the foundation, but EU data law extends well beyond it. Several complementary instruments address specific sectors or types of data activity.
Data Governance Act (DGA) -- Regulation (EU) 2022/868, applicable since September 2023. The DGA establishes trust frameworks for voluntary data sharing between companies and between the public and private sectors. It creates recognized data intermediaries and authorizes data altruism organizations. Where it involves personal data, the GDPR applies alongside it.
Data Act -- Regulation (EU) 2023/2854, applicable since 12 September 2025. The Data Act gives users of connected products (smart devices, industrial machinery, vehicles) the right to access and share the data generated by their use of those products. It governs business-to-business and business-to-government data sharing. Where personal data is involved, the GDPR applies concurrently.
Digital Services Act (DSA) -- Regulation (EU) 2022/2065. The DSA governs online intermediaries and platforms, with obligations on content moderation, transparency, and researcher data access. Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) face additional obligations. On 2 July 2025, the Commission published a delegated act enabling qualified researchers to access VLOP internal data to study systemic risks.
Digital Markets Act (DMA) -- Regulation (EU) 2022/1925. The DMA targets "gatekeeper" platforms (Google, Meta, Apple, Amazon, Microsoft, ByteDance) with interoperability, data portability, and consent obligations. In April 2025, the Commission issued its first non-compliance decisions: Apple received EUR 500 million for App Store steering restrictions and Meta received EUR 200 million for failing to offer users a less data-intensive service.
NIS2 Directive -- Directive (EU) 2022/2555. NIS2 imposes cybersecurity and incident reporting obligations on operators of essential services and digital providers. Data breaches that are also cybersecurity incidents may trigger both GDPR and NIS2 notification duties -- a complexity the Digital Omnibus single-reporting-point proposal is designed to resolve.
Adequacy Decisions and International Transfers
Transfers of personal data from the EU to third countries are governed by Chapter V of the GDPR. An adequacy decision by the European Commission permits free data flows to a destination without additional safeguards.
As of May 2026, adequacy decisions cover: Andorra, Argentina, Brazil (2026), Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, United States (for organizations certified under the EU-US Data Privacy Framework), Uruguay, and the European Patent Organisation (2025).
EU-US Data Privacy Framework (DPF): The Commission adopted the DPF adequacy decision on 10 July 2023, replacing the invalidated Privacy Shield. The framework relies on US executive commitments limiting intelligence-agency access and on the Data Protection Review Court (DPRC) as a redress mechanism. Over 2,800 organizations held active DPF certifications as of early 2026. The EU General Court dismissed a legal challenge on 3 September 2025 (Case T-553/23), but a further appeal before the CJEU (Case C-703/25 P, filed 31 October 2025) remains pending.
Where no adequacy decision exists, transfers may use Standard Contractual Clauses (SCCs, updated June 2021), Binding Corporate Rules (BCRs), or specific derogations. Organizations using SCCs must also conduct a transfer impact assessment (TIA).
GDPR Sub-Pages on This Site
These pages cover each major GDPR topic in depth:
- What Is GDPR? Complete Guide to EU Data Protection
- GDPR Consent Requirements: What Counts as Valid Consent
- GDPR Data Subject Rights: Access, Erasure and Portability
- GDPR Breach Notification: The 72-Hour Rule Explained
- GDPR Fines and Penalties: Complete List and Guide
- GDPR Compliance Checklist for Businesses
- GDPR for Small Businesses: Simplified Compliance Guide
- EU Cookie Law (ePrivacy Directive) Explained
EU Member-State Guides
Every EU member state has its own national implementing law and independent DPA. These pages explain how the GDPR applies in each country, what the national law adds, and how the local DPA enforces it:
- Austria Data Privacy Laws (DSG)
- Belgium Data Privacy Laws
- Bulgaria Data Privacy Laws
- Croatia Data Privacy Laws
- Cyprus Data Privacy Laws
- Czech Republic Data Privacy Laws
- Denmark Data Privacy Laws
- Estonia Data Privacy Laws
- Finland Data Privacy Laws
- France Data Privacy Laws (CNIL)
- Germany Data Privacy Laws (BDSG)
- Greece Data Privacy Laws (HDPA)
- Hungary Data Privacy Laws (NAIH)
- Ireland Data Privacy Laws (DPC)
- Italy Data Privacy Laws (Garante)
- Latvia Data Privacy Laws
- Lithuania Data Privacy Laws (VDAI)
- Luxembourg Data Privacy Laws (CNPD)
- Malta Data Privacy Laws
- Netherlands Data Privacy Laws (AP)
- Poland Data Privacy Laws (UODO)
- Portugal Data Privacy Laws (CNPD)
- Romania Data Privacy Laws (ANSPDCP)
- Slovakia Data Privacy Laws
- Slovenia Data Privacy Laws
- Spain Data Privacy Laws (AEPD / LOPDGDD)
- Sweden Data Privacy Laws (IMY)
Frequently Asked Questions
Does the GDPR apply to companies outside the European Union?
Yes. The GDPR applies to any organization worldwide that offers goods or services to individuals in the EU or monitors the behavior of people located in the EU. A company does not need a physical presence in Europe to fall under the GDPR. Article 3 establishes this broad territorial scope, and the EDPB's Guidelines 3/2018 on Territorial Scope clarify how it applies to non-EU organizations.
What is the maximum fine under the GDPR?
The maximum fine is EUR 20 million or 4% of the organization's total worldwide annual turnover from the preceding financial year, whichever is higher. This upper-tier penalty applies to violations of core processing principles, data subject rights, and international transfer rules. The largest individual fine to date is EUR 1.2 billion, issued to Meta in 2023 by Ireland's Data Protection Commission for unlawful transfers of EU user data to the United States.
Is the ePrivacy Regulation still coming?
No. The European Commission formally withdrew the ePrivacy Regulation proposal in February 2025 as part of its 2025 Work Programme. The proposal had been stalled since 2017. The existing ePrivacy Directive (2002/58/EC) and its national transpositions remain in force. Some ePrivacy issues are being addressed through the November 2025 Digital Omnibus proposal, which proposes moving cookie consent rules into the GDPR framework.
What is the GDPR Procedural Regulation?
Regulation (EU) 2025/2518 is a new EU regulation that streamlines cross-border GDPR enforcement under the one-stop-shop mechanism. It came into force on 1 January 2026 and will apply from 2 April 2027. It introduces binding 15-month investigation deadlines, unified admissibility standards for complaints across all member states, an early resolution mechanism, and enhanced procedural rights for parties and complainants.
What is the EU Digital Omnibus and how does it affect the GDPR?
The Digital Omnibus is a European Commission proposal published on 19 November 2025 as part of a Digital Package. For the GDPR, key proposals include moving cookie consent rules from the ePrivacy Directive into the GDPR, harmonizing DPIA requirement lists at EU level, and creating a single reporting point for data breaches and cybersecurity incidents. The Omnibus also proposes AI Act timeline extensions and simplifications for SMEs and small mid-caps. It is in trilogue negotiations as of mid-2026.
What countries can receive EU personal data without additional safeguards?
As of May 2026, the European Commission has granted adequacy decisions to the following destinations: Andorra, Argentina, Brazil, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, United States (for organizations certified under the EU-US Data Privacy Framework), Uruguay, and the European Patent Organisation. Personal data can flow to these destinations without Standard Contractual Clauses or other additional mechanisms.
How does the EU AI Act interact with the GDPR?
The EU AI Act and the GDPR apply simultaneously to AI systems that process personal data. The AI Act imposes risk classification, transparency, logging, and conformity assessment obligations on AI providers and deployers. Where an AI system processes personal data, GDPR requirements including legal basis, data minimization, purpose limitation, and DPIAs for high-risk processing also apply. The EDPB and Commission are developing joint guidelines on the interplay between the two instruments for adoption in 2026.
Sources and References
- GDPR Full Text - Regulation (EU) 2016/679 (eur-lex.europa.eu)
- European Commission - Data Protection in the EU (commission.europa.eu)
- EDPB Guidelines 3/2018 on Territorial Scope (Article 3) (edpb.europa.eu)
- EDPB Guidelines 1/2024 on Legitimate Interest (edpb.europa.eu)
- European Commission - Adequacy Decisions for International Data Transfers (commission.europa.eu)
- EU-US Data Privacy Framework Adequacy Decision (July 2023) (ec.europa.eu)
- European Data Protection Board (EDPB) (edpb.europa.eu)
- EDPB - 1.2 Billion Euro Fine for Facebook (Binding Decision) (edpb.europa.eu)
- EDPB CEF 2026 - Coordinated Enforcement on Transparency (edpb.europa.eu)
- GDPR Enforcement Tracker - Fines and Penalties Database (enforcementtracker.com)
- ePrivacy Directive 2002/58/EC - Full Text (eur-lex.europa.eu)
- EU AI Act - Regulation (EU) 2024/1689 Full Text (eur-lex.europa.eu)
- EU AI Act - European Commission Digital Strategy (digital-strategy.ec.europa.eu)
- Council of the EU - AI Act Simplification Political Agreement (May 2026) (consilium.europa.eu)
- EU Digital Package - Commission Overview (digital-strategy.ec.europa.eu)
- EU Data Act - Regulation (EU) 2023/2854 (digital-strategy.ec.europa.eu)
- Data Governance Act - Regulation (EU) 2022/868 (digital-strategy.ec.europa.eu)
- Digital Services Act - European Commission (commission.europa.eu)
- Digital Markets Act - European Commission (commission.europa.eu)