Abstract
The GDPR establishes strict requirements for processing personal data of EU residents. It requires a lawful basis for all processing, grants individuals rights to access, correct, delete and port their data, and imposes significant penalties of up to 4% of global turnover for violations.
Summary
The GDPR is the world’s most influential data protection regulation. It applies to any organization processing personal data of EU residents, regardless of where the organization is located. Key requirements include obtaining a lawful basis before processing (consent, contract, legal obligation, vital interests, public task, or legitimate interests), implementing data protection by design, appointing Data Protection Officers for large-scale processing, conducting impact assessments for high-risk activities, and reporting breaches within 72 hours. The regulation creates direct tension with US surveillance laws such as the CLOUD Act, FISA 702, and EO 12333, which can compel disclosure of data that the GDPR protects.