Overview of Data Privacy Laws in Europe: Updated for 2024

In today’s digital age, the importance of understanding and complying with data privacy laws cannot be overstated. Europe, in particular, has been at the forefront of championing the rights of its citizens when it comes to online data protection.

Not sure if this concerns you? Well, if you have European customers, visitors, or even just a single transaction originating from Europe, you’re already in the spotlight.

In this article, I’ll give you a clear picture of the data privacy laws in Europe, ensuring that you’re not only informed but also prepared. Because, in the end, being knowledgeable is the best defense against potential pitfalls.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive regulation established by the European Union (EU) to protect the privacy and personal data of its citizens. Effective since May 2018, it has reshaped the way data is handled across every sector.

One of its standout features is its territorial scope. Even if your business isn’t based in the EU, as long as you’re processing data from EU residents, the GDPR applies.

This means you need to ensure that the personal data you collect is obtained legally and under strict conditions. Moreover, those who collect and manage it will be obliged to protect it from misuse and respect the rights of the data owners.

Businesses face significant fines if they don’t comply. This global reach, coupled with hefty penalties, makes GDPR a critical consideration for businesses everywhere. I’d argue that understanding and adhering to these regulations isn’t just about avoiding fines, but also about building trust with your users.

Key Principles and Consumer Rights:

  • Lawfulness, Fairness, and Transparency: Data collection should be legal, just, and open. You must make clear why you’re collecting data and how you’ll use it.
  • Purpose Limitation: Only collect data for specific, explicit, and legitimate reasons. Once collected, don’t use it for unrelated purposes.
  • Data Minimization: Collect only what’s necessary. It’s not a “grab all you can” scenario; if you don’t need it, don’t take it.
  • Accuracy: Keep the data you’ve gathered correct and up to date. If it’s outdated or wrong, you’re obligated to correct it.
  • Storage Limitation: Don’t store personal data longer than necessary. Once you’ve achieved your data collection purpose, either delete or anonymize the data.
  • Integrity and Confidentiality: Ensure data is secure. Protecting it from unauthorized access or breaches is a top priority.
  • Accountability: You’re responsible for any data you collect. You should be able to demonstrate your compliance with all these principles.
  • Right to Access: Individuals can ask to see their personal data. You have to provide a copy when requested, showing what you have and how you’re using it.
  • Right to Rectification: If someone’s data is incorrect or incomplete, they can request an update. It’s on you to make sure it’s right.
  • Right to Erasure (‘Right to be Forgotten’): Under certain conditions, people can ask you to delete their data. If it’s not necessary anymore or it was unlawfully processed, it has to go.
  • Right to Restriction of Processing: Individuals can limit how their data is used. This isn’t a full-stop on use, but a pause, often while verifying accuracy or purpose.
  • Right to Data Portability: People can request their data in a usable format to transfer to another service. This means that if they want to switch to a competitor, they can bring their data with them.
  • Right to Object: If individuals don’t like how their data is being used, they can voice it. Particularly in cases of direct marketing, they can ask you to stop.
  • Rights in Relation to Automated Decision-Making and Profiling: Individuals have the right not to be subject to decisions based solely on automated processing. They can request human intervention.

Digital Services Act (DSA)

The European Digital Services Act (DSA) is a significant piece of legislation that came into the spotlight in December 2020. It’s meant to revamp the online regulatory environment in the EU, coming years after the introduction of another pivotal regulation, the General Data Protection Regulation (GDPR) in 2018.

While both the DSA and GDPR are landmark regulations, they target different aspects of the online world.

The GDPR focuses on personal data protection and privacy, dictating how businesses should collect, process, and store user data. On the other hand, the DSA primarily addresses online platform responsibilities, especially concerning content moderation and transparency.

Platforms are classified in the DSA as mere conduits, caching services, or hosting services. Depending on their category, obligations differ, which is a clear and systematic approach to platform regulation.

A new feature in the DSA is its requirement for platforms to disclose content ranking and ad placement algorithms. It’s a step towards understanding content visibility decisions.

The DSA’s emphasis on illegal content requires swift removal actions from platforms. This positions the act as a tool to make online environments safer.

Interestingly, while the GDPR empowered individuals over their data, the DSA furthers user rights in the digital space, allowing users to challenge platform decisions on their content.

For me, it’s evident that the EU is steadily enhancing its digital regulatory framework, first with the GDPR’s data-centric approach and now with the DSA’s user and content-focused lens.

Key Principles and Consumer Rights:

  • Transparency Requirements: The DSA mandates platforms to disclose their content-ranking and ad-placement algorithms. This ensures users understand how content is prioritized and displayed to them.
  • Clear Classification of Providers: The act classifies digital service providers into categories like mere conduits, caching services, or hosting services. Each classification has tailored obligations, making regulations more specific.
  • Quick Action on Illegal Content: Platforms have an obligation to act swiftly against illegal content. By doing so, the DSA aims to make digital spaces safer and more reliable for users.
  • Rights of Users to Contest Decisions: If a platform removes or flags content, users have the right to challenge this decision. This provision offers a sense of fairness and control to users.
  • Protection against Malicious Activities: The DSA requires platforms to establish mechanisms to counter fraudulent services or products. This ensures that you offer only legitimate services or items to your users.
  • Dispute Resolution Mechanisms: Platforms are expected to have in place a system for out-of-court settlements. This eases the process of addressing user or trader complaints without diving into lengthy court battles.
  • Vetting of Third-party Suppliers: Before integrating third-party services, platforms need to ensure these services respect the DSA. It’s a move to keep the entire digital ecosystem compliant and trustworthy.
  • Accountability and Oversight: Larger platforms are required to undergo audits, ensuring they adhere to the provisions of the DSA. It’s a way to keep big players in check, ensuring they don’t misuse their dominance.
  • User Safety Protocols: Platforms must have clear measures to protect users, especially minors, from harmful content. This principle underlines the act’s commitment to maintaining the well-being of all digital participants.

Digital Markets Act (DMA)

The European Digital Markets Act (DMA), proposed in December 2020, is a legislative initiative by the European Union to regulate the conduct of major online platforms that hold substantial market power. Unlike the General Data Protection Regulation (GDPR), which mainly focuses on safeguarding individuals’ personal data, the DMA primarily targets the business practices of dominant digital players.

While the GDPR centers on data protection and privacy, the DMA addresses competition issues in the digital realm. It seeks to curb anti-competitive behaviors by gatekeeper platforms, promoting fair competition, innovation, and consumer protection.

The DMA introduces obligations for these platforms to ensure they don’t abuse their dominance, such as prohibiting unfair self-preferencing and requiring data portability.

Compared to the GDPR, which is applicable to virtually all businesses that process personal data within the EU, the DMA’s scope is narrower.

It targets specifically identified gatekeeper platforms, which are determined based on criteria like user base and market capitalization. This means that not all online businesses will fall under the DMA’s control.

Key Principles and Consumer Rights:

  • Transparency: Platforms must clearly explain how they rank products and services, providing users with insight into algorithms and data usage.
  • Fair Practices: Gatekeepers are prohibited from giving their own services an unfair advantage over competitors on their platforms.
  • Data Portability: Users have the right to move their data from one platform to another, encouraging healthy competition and user choice.
  • Interoperability: Platforms are required to allow seamless interaction with other services, reducing dependency on single providers.
  • Access to Data: Businesses gain access to data generated by their activities on platforms, helping them make informed decisions.
  • Prohibition of Unfair Practices: Practices that hinder users from switching platforms or using different services are not allowed.
  • Consumer Rights Protection: Users are safeguarded from unfair terms and conditions and have the right to access third-party software stores.
  • Market Investigation Powers: Authorities can investigate and address anti-competitive behaviors to ensure a level playing field.
  • Non-Discrimination: Equal treatment for similar services and products is enforced, preventing unfair exclusion.
  • Business User Protection: Ensures businesses are treated fairly by gatekeeper platforms, preventing abusive practices.
  • Safeguarding Innovation: Encourages innovation by ensuring smaller businesses have opportunities to grow and compete.

United Kingdom Data Protection Act (UK DPA)

The United Kingdom Data Protection Act (UK DPA) is the UK’s primary legislation designed to protect the privacy and personal data of its citizens. Enacted in 2018, it ensures that personal data is processed in a way that respects the rights of the individuals it concerns.

While many people initially think of the EU’s General Data Protection Regulation (GDPR) when discussing data privacy, the UK DPA is separate, though it incorporates many elements of the GDPR. This means that if you’re handling data belonging to UK residents, it’s the UK DPA you need to be particularly mindful of.

What does this mean for you? First, you’re required to process personal data fairly, lawfully, and transparently. There must be a legitimate reason to collect it and, once collected, it should be accurate, updated when necessary, and not retained for longer than needed. Data breaches, if they occur, must be reported promptly.

Additionally, individuals have a set of rights under the UK DPA. They can access their data, rectify errors, and even request its deletion in certain scenarios. There’s also a stress on making data processing transparent to the individuals concerned.

Key Principles and Consumer Rights:

Many principles and rights under the UK Data Protection Act (UK DPA) mirror those found in the General Data Protection Regulation (GDPR). Here are some of the differences you should be aware of:

  • Geographic Scope: While GDPR is designed for the European Union, the UK DPA is tailored for the United Kingdom. After Brexit, the UK decided to adopt its own legislation, though much is based on the GDPR framework.
  • National Security Exemptions: The UK DPA introduces certain exemptions related to immigration and national security that aren’t present in the GDPR.
  • Age of Consent: Under GDPR, the age of digital consent is set at 16, but member states can adjust this. The UK DPA sets it at 13, permitting young teenagers more autonomy in their digital decisions.
  • Representation: While GDPR requires non-EU entities to appoint a representative within the EU if they process EU citizens’ data, the UK DPA mandates that non-UK entities designate a UK representative when processing UK residents’ data.
  • Data Processing Fees: The UK DPA retains a system of fees for data controllers, which the Information Commissioner’s Office (ICO) administers. This fee structure doesn’t exist in the GDPR.
  • Penalties: Both the UK DPA and GDPR have strong penalty structures for violations, but the specifics of the actual fines can differ based on the discretion of the regulatory body involved – the ICO for the UK and various Data Protection Authorities for EU states.
  • Law Enforcement: The UK DPA integrates the EU’s Law Enforcement Directive (LED), which covers the processing of personal data by law enforcement agencies. GDPR doesn’t incorporate this since it’s a separate directive in the EU.
Andreea Mare
CIPP/E, CIPM, FIP, ECPC-B, LLM
Andreea is a data protection and privacy specialist with many years of education and expertise in this area of law. She helps clients by ensuring compliance is reached on all levels while taking into account the legal requirements and their business needs.