The General Data Protection Regulation (GDPR) is arguably the most advanced data protection law in the world and means consumers  over what happens to their data. All companies which process personal data of citizens in the EU must comply with it no matter where the companies are based.

Why it’s important

People in the EU enjoyed a right to personal data protection long before 2018, but data protection rules had become outdated in the new data-driven economy and the absence of deterrent sanctions for breaking the law limited their effectiveness.

The adoption of the GDPR was a landmark victory to raise the standard of data protection in the EU and ensure there were now real sanctions for breaking the rules.

What did BEUC do

BEUC made the case that consumers cared about the issue and wanted a greater say about what happens to their data. We argued that consumers should be given meaningful choices which are easy to exercise.

In time, the EU recognised existing data protection laws were ill-adapted to reality and required both an update and harmonisation.

Naturally, parts of industry led lobbying efforts against this reform because it would require them to change many of their business practices and mean getting tougher enforcement against their already illegal practices. BEUC campaigned hard to show that the nascent

GDPR would help consumers have a greater protection and say about what happens to their data and could also bring more harmonization of rules for businesses at the same time.

Among the changes the GDPR introduced were a requirement to have data protection by design and by default.

Although the GDPR is currently hampered by poor and slow cross-border enforcement, there is without doubt a pre-GDPR era and a post-GDPR one, with numerous countries around the world also considering passing similar laws.