EU GDPR regime

Copyright © 2025 LexisNexis

The General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) regime became applicable across the EEA (which at the time included the UK) on 25 May 2018. The EU GDPR ceased to apply to the UK on 31 December 2020 at 11 pm.

This subtopic addresses key features of the EU GDPR at a supranational (ie EEA) level. Individual EEA states may exercise a number of national derogations and other discretions to put in place various additional or alternative data protection laws and the various supervisory authorities in each state may adopt different interpretation or approaches in practice. This topic does not consider the position under the laws of specific EEA states or the guidance of specific EEA supervisory authorities. You should refer to guidance from the relevant national supervisory authorities and national law regarding

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Information Law News

Dutch SA fines Netflix €4.75m for EU GDPR violations

The Dutch Supervisory Authority (SA) has imposed a €4.75m fine on Netflix for failing to adequately inform customers about its data processing practices in its privacy statement, violating several General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), provisions, particularly those under Articles 5, 12, 13, and 15. The decision, made on 26 November 2024, followed an investigation initiated by complaints from an Austrian NGO. The Dutch SA found that Netflix's privacy statement lacked clarity regarding the purposes and the legal basis for data collection and use, the extent of data sharing with third parties, data retention periods, and safeguards for international data transfers. The matter was handled as a cross-border case under the One-Stop-Shop procedure.

Libel—serious harm and bad reputation (Bates v Rubython and BusinessF1 Magazine)

TMT analysis: In this libel case, the defendants offered no substantive defences and instead sought to demonstrate that the claimant had not suffered serious harm to his reputation caused by their publication (as required by section 1 of the Defamation Act 2013 (DA 2013)). The claim succeeded with damages, an injunction and an order under DA 2013, s 12 granted. The case contains valuable discussion of the requirements of pleading pre-existing bad reputation as a counter to a plea of serious harm. It also exemplifies a successful plea of serious harm to reputation in circumstances where the claimant relied entirely on inference to make out his case. The judgment ends with useful application of the principles relating to damages and other remedies in defamation claims. A very substantial award of £150,000 was made in this case. Hector Penny is a barrister at 5RB Chambers.

Restrictions on the use of personal data by social networks for direct marketing (Schrems v Meta Platforms Ireland)

EU Law analysis: Privacy activist Maximilian Schrems brought a claim against Meta Platforms Ireland (Meta) before the Austrian courts, alleging that Meta was unlawfully processing his personal data. Meta had directed targeted advertising at Schrems that reflected his interests as perceived by Meta, including his sexual orientation. The Austrian Supreme Court referred two questions to the Court of Justice. In its judgment, the Court of Justice held that principle of data minimisation prevents unrestricted aggregation, analysis and processing of personal data obtained by a data controller from data subjects or third parties for the purposes of targeted advertising. The Court of Justice also held that data concerning sexual orientation that are manifestly made public by an individual may be processed–but that this does not amount to the individual’s consent to the processing of other data relating to their sexual orientation, obtained using partner third-party websites, for the purposes of enabling personalised advertising. Written by Rohan Massey, partner, and Cameron Grabowski, trainee solicitor, at Ropes & Gray International LLP.

ICO responds to government's call for economic growth proposals

The Information Commissioner's Office (ICO) has responded to a government request for proposals to boost economic growth and improve the investment climate. The ICO has emphasized the importance of data protection and information rights as fundamental to innovation and economic growth, fostering public trust and consumer confidence. The organisation has committed to developing ambitious, measurable plans focused on practical benefits for businesses and investors. The ICO aims to position itself as a pragmatic, business-friendly regulator, creating an attractive landscape for UK investment while building upon its existing efforts to promote responsible innovation and sustainable economic growth.

View Information Law by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Profiling and automated decision-making

Profiling and automated decision-makingSTOP PRESS—Impact of the Retained EU Law (Revocation and Reform) Act 2023: This document contains references to retained EU law (REUL) and associated terms introduced by the European Union (Withdrawal) Act 2018 in connection with Brexit. From 1 January 2024,

TikTok sues European Data Protection Board at EU General Court

MLex: TikTok has sued the European Data Protection Board (EDPB) at the EU General Court, not long after it was fined €345m in a case involving the board. The EDPB, which is the umbrella body of EU data protection watchdogs, played a role in the case because it went through the EU General Data

The UK General Data Protection Regulation (UK GDPR)

The UK General Data Protection Regulation (UK GDPR)STOP PRESS—Impact of the Retained EU Law (Revocation and Reform) Act 2023: This document contains references to retained EU law (REUL) and associated terms introduced by the European Union (Withdrawal) Act 2018 in connection with Brexit. From 1

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a
Profiling and automated decision-making

Profiling and automated decision-making

Profiling and automated decision-makingSTOP PRESS—Impact of the Retained EU Law (Revocation and Reform) Act 2023: This document contains references to retained EU law (REUL) and associated terms introduced by the European Union (Withdrawal) Act 2018 in connection with Brexit. From 1 January 2024,

TikTok sues European Data Protection Board at EU General Court

TikTok sues European Data Protection Board at EU General Court

MLex: TikTok has sued the European Data Protection Board (EDPB) at the EU General Court, not long after it was fined €345m in a case involving the board. The EDPB, which is the umbrella body of EU data protection watchdogs, played a role in the case because it went through the EU General Data

The UK General Data Protection Regulation (UK GDPR)

The UK General Data Protection Regulation (UK GDPR)

The UK General Data Protection Regulation (UK GDPR)STOP PRESS—Impact of the Retained EU Law (Revocation and Reform) Act 2023: This document contains references to retained EU law (REUL) and associated terms introduced by the European Union (Withdrawal) Act 2018 in connection with Brexit. From 1

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a