European Union (GDPR)
Comprehensive | General Data Protection Regulation (GDPR)
Authority: European Data Protection Board (EDPB) + National DPAs | Enforcement: Active | Enacted: May 2018
Overview
The GDPR is the gold standard of global data protection law, applicable across all 27 EU member states plus EEA countries. It grants extensive rights to data subjects, imposes strict obligations on controllers and processors, and features significant penalties of up to 4% of global annual turnover or EUR 20 million. The GDPR has influenced data protection legislation worldwide, including India's DPDPA.
14-Topic Coverage
Data Protection Authority
Fully Addressed: Each member state has a supervisory authority (DPA). The EDPB coordinates cross-border enforcement. The one-stop-shop mechanism allows companies to deal primarily with one lead DPA.
Major DPAs include CNIL (France), BfDI (Germany), ICO (UK, pre-Brexit), DPC (Ireland — handles most Big Tech cases), and Garante (Italy). The EDPB issues guidelines and binding decisions on cross-border cases.
Consent Requirements
Fully Addressed: Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes are invalid. Consent is one of six lawful bases; legitimate interests is another.
Article 6 provides six lawful bases: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interests. Processing of special category data requires explicit consent under Article 9. The burden of proof is on the controller.
Data Subject Rights
Fully Addressed: Comprehensive rights: access, rectification, erasure (right to be forgotten), restriction, data portability, objection, and rights related to automated decision-making.
Eight specific rights under Articles 12-22. The right to data portability (Article 20) requires data in structured, machine-readable format. Right to object to profiling (Article 21). Right not to be subject to automated decisions with legal effects (Article 22).
Cross-Border Transfer
Fully Addressed: Transfers outside the EEA require adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other approved mechanisms. Schrems II invalidated Privacy Shield.
The EU-US Data Privacy Framework was adopted in July 2023 as a new adequacy mechanism. SCCs remain the most common transfer tool. Transfer Impact Assessments are required, and supplementary measures may be needed for certain countries.
Breach Notification
Fully Addressed: Notification to the supervisory authority within 72 hours for breaches likely to result in a risk; notification to data subjects without undue delay if the risk is high.
Article 33 requires notification to the DPA within 72 hours of the controller becoming aware of the breach. Article 34 requires communication to data subjects where there is a high risk to their rights and freedoms. Processors must notify the controller without undue delay.
DPO Requirements
Fully Addressed: Mandatory DPO for public authorities, organisations whose core activities involve large-scale systematic monitoring, or large-scale processing of special categories.
The DPO must be appointed on the basis of professional qualities and expert knowledge. The DPO has protected status and cannot be dismissed for performing their duties. The role can be internal or external. Contact details must be published and communicated to the DPA.
Children's Data
Fully Addressed: Parental consent required for children under 16 (member states may lower this to 13). Information society services must verify age and obtain parental consent.
Article 8 sets 16 as the default age, with member state discretion to lower it to 13. Most states have set an age between 13 and 16. The controller must make reasonable efforts to verify parental consent using available technology.
Penalties & Enforcement
Fully Addressed: Two-tier penalty structure: up to EUR 10M or 2% of turnover for administrative violations, up to EUR 20M or 4% of turnover for substantive violations. Active enforcement since 2018.
Over EUR 4 billion in fines imposed since 2018. Major fines: Meta (EUR 1.2B), Amazon (EUR 746M), WhatsApp (EUR 225M). DPAs can also issue warnings, reprimands, orders, and processing bans.
Sector-Specific Rules
Fully Addressed: ePrivacy Directive for electronic communications, plus additional rules for health data, financial services, and employment. The AI Act adds AI-specific requirements.
The ePrivacy Directive (2002/58/EC) governs cookies, direct marketing, and confidentiality of communications. The ePrivacy Regulation (pending) will replace it. Sectoral rules in the telecom, health, and financial sectors supplement the GDPR.
Cookie/Tracking
Fully Addressed: The ePrivacy Directive requires consent for non-essential cookies. Most EU websites use cookie consent banners. CNIL and other DPAs actively enforce cookie rules.
Strictly necessary cookies are exempt from consent; all other cookies require prior informed consent. Cookie walls are generally prohibited. CNIL has fined Google and Facebook for cookie violations. The Planet49 CJEU ruling confirmed that pre-ticked boxes are invalid.
AI & Automated Decisions
Fully Addressed: Article 22 provides the right not to be subject to solely automated decisions with legal effects. The AI Act (2024) adds a comprehensive AI governance framework.
GDPR Article 22 restricts automated individual decision-making with legal or similarly significant effects. Exceptions: contract performance, EU or member state law, and explicit consent. Data subjects have the right to obtain human intervention, express their point of view, and contest the decision. The EU AI Act classifies AI systems by risk level.
Data Localisation
Not Addressed: No general data localisation requirement within the EU. Free flow of data within the EEA. Restrictions apply only to transfers to third countries without adequate protection.
Significant Data Fiduciary
Partially Addressed: No direct equivalent of India's SDF concept. However, DPO requirements and DPIA obligations apply based on the scale and risk of processing, and large-scale processing triggers additional obligations.
Government Data
Fully Addressed: Member states may restrict certain rights for national security, defence, and public security. Law enforcement processing is governed by the separate Law Enforcement Directive (LED).
Article 23 allows restrictions for national security, defence, public security, and the prevention of criminal offences. The Law Enforcement Directive (2016/680) governs police and criminal justice processing. Member states have implemented national security exemptions differently.
Key Statistics
- Maximum Penalty: EUR 20 million or 4% of global turnover
- Sections in Law: 99
- Authority: EDPB + 27 National DPAs