GDPR Explained: Why the World’s Strongest Privacy Law Was Born in Europe

Every time you click “Accept cookies” on a website, you are feeling the effects of a law born in Europe. GDPR changed the internet for every person on the planet, yet most people have only the vaguest idea of what it actually is or why it exists. Here is the full story, told plainly.


What Is GDPR and Where Did It Come From?

GDPR stands for General Data Protection Regulation. It is a European Union law that came into full effect on 25 May 2018, and it governs how organisations collect, store, use, and share the personal data of EU citizens. Personal data means any information that can identify you, including your name, email address, location, IP address, browsing history, health records, and even your political opinions.

The regulation did not appear out of nowhere. Europe has a long and specific history of taking privacy seriously, rooted in the painful lessons of the twentieth century. Countries like Germany and France lived through regimes that used personal information as a tool of oppression and control. That historical memory is woven into European political culture in a way that simply does not exist in the same form in the United States or most of Asia. Privacy in Europe is not just a consumer preference. It is treated as a fundamental human right.

Before GDPR, the EU had a patchwork of national data protection laws that varied widely from country to country. A company operating across Germany, Poland, and Sweden might face three completely different sets of rules. GDPR replaced that fragmented system with a single, powerful, enforceable standard that applies across all 27 EU member states.


The Six Rights GDPR Gives You as a Citizen

Understanding GDPR becomes much easier when you focus on what it actually gives you as an individual. The regulation hands EU citizens a set of specific, legally enforceable rights over their own personal data.

You have the right to know what data a company holds about you and why it is being collected. You have the right to access a full copy of that data at any time. You have the right to correct inaccurate information. You have the right to be forgotten, which means you can request that a company delete your data entirely in many circumstances. You have the right to object to your data being used for targeted advertising or automated decision-making. And you have the right to data portability, which means you can ask for your data in a format that allows you to move it to a different service.

These rights sound technical but their implications are very practical. If you have ever emailed a company asking them to delete your account and all associated data, and actually received confirmation that it was done, that is GDPR working for you. If you have ever received a clear, readable explanation of how a website uses your information, that is GDPR at work.


Three Moments When GDPR Changed the Game

The Facebook Fine That Sent a Message Across the Atlantic

In January 2023, Ireland’s Data Protection Commission issued Meta, the parent company of Facebook and Instagram, a record fine of 1.2 billion euros for illegally transferring the personal data of European users to servers in the United States without adequate privacy protections in place. It was the largest GDPR fine ever issued at that point, and it sent an unmistakable message to every technology company in the world: the EU is serious, it has teeth, and it will use them.

Ireland acts as the GDPR regulator for many large American tech companies because they have their European headquarters in Dublin. The fine demonstrated that even the most powerful companies on earth are not above EU privacy law when they handle European citizens’ data.

Estonia Builds Privacy Into Its Digital State

Estonia is often cited as the world’s most digitally advanced nation, with nearly all government services available online, from voting to healthcare to business registration. What is less widely known is how deeply privacy protection is embedded into the architecture of that digital state.

Estonian citizens can log in to a government portal and see exactly which government officials have accessed their personal data, when they did it, and for what reason. If a doctor looks at your health record without a valid reason, you will know. This kind of radical transparency goes beyond what GDPR strictly requires, but it embodies the regulation’s underlying spirit perfectly. Estonia shows that digital convenience and strong privacy protection are not opposites. They can be designed to work together.

Max Schrems, the Austrian Who Took On Facebook Twice

Max Schrems is an Austrian privacy activist and lawyer who has arguably done more to shape the practical reality of GDPR than almost any politician or regulator. Starting in 2013, Schrems began filing complaints against Facebook’s data practices in Ireland, triggering legal battles that eventually reached the highest courts in Europe.

His cases led to the striking down of two major international data transfer agreements between the EU and the United States, Privacy Shield in 2020 and the earlier Safe Harbor framework in 2015. Both were found to offer insufficient protection for European citizens’ data because US surveillance laws allowed American intelligence agencies too much access. Schrems showed that individual citizens, equipped with GDPR rights and persistence, could hold global corporations and even international agreements to account.


Europe vs. the US: A Fundamental Difference in How Privacy Is Treated

The contrast between the European and American approach to personal data is one of the defining differences between the two technology cultures. In the United States, data privacy is treated primarily as a consumer protection issue, something to be managed through market competition and voluntary corporate policies, with limited federal legislation and a patchwork of state-level laws.

In Europe, privacy is treated as a fundamental right equivalent in status to freedom of speech or the right to a fair trial. This philosophical difference has enormous practical consequences. American companies are generally free to collect and monetise user data unless specifically prohibited. European companies must have a clear, specific, and legitimate reason for every piece of data they collect, and that reason must be documented and defensible.

The result is that European citizens have far stronger tools to control their own digital lives than most Americans do. It also means that European tech companies, particularly in fast-growing sectors like fintech, healthtech, and govtech across the Baltic states, must build privacy into their products from the very first day rather than bolting it on later.


What GDPR Means for Businesses in Latvia, Lithuania, and Beyond

For businesses across the Baltic states and Central Europe, GDPR is both a compliance obligation and a genuine opportunity. Companies in Riga, Vilnius, and Tallinn that handle data well and can demonstrate it are increasingly attractive partners for clients across Western Europe and internationally.

The Baltic region has developed a strong reputation for digital competence, and GDPR compliance is part of that reputation. A Latvian software company pitching to a German healthcare client, or a Lithuanian fintech firm approaching a French bank, arrives at that conversation with a shared regulatory framework and a shared understanding of what responsible data handling looks like. That shared standard removes friction and builds trust faster than any sales pitch.

Small and medium businesses do face real costs in achieving and maintaining GDPR compliance. Data protection officers, privacy impact assessments, and documentation requirements all take time and money. But the alternative, building a business on shaky data practices and hoping regulators do not notice, carries far greater risks as enforcement activity across Europe continues to increase year by year.


The Regulation That Changed the World Without Most People Noticing

GDPR turned six years old in 2024, and its influence has spread far beyond Europe’s borders. Brazil’s LGPD, South Korea’s PIPA, and California’s CCPA were all directly shaped by the GDPR framework. Even companies with no European operations have often adopted GDPR-standard privacy practices globally simply because it is easier to apply one high standard everywhere than to maintain different approaches for different markets.

This is the quiet superpower of European regulation. By setting a high standard and enforcing it seriously, the EU effectively exports its values into the global technology industry. No vote was ever taken in Washington or Beijing about whether to adopt European privacy standards. It happened anyway, driven by market realities and the sheer weight of the EU as the world’s largest single consumer market.

GDPR is not perfect. It is complex, sometimes inconsistently enforced, and its cookie consent system has produced a user experience that frustrates almost everyone. But its core achievement, establishing that ordinary citizens have real, enforceable rights over their own personal data, remains one of the most significant acts of digital governance in history.

Here is the question worth thinking about: Six years on from GDPR, do you actually feel more in control of your personal data online, or do you just click through cookie banners without reading them and hope for the best? And if most people are not using their GDPR rights, whose responsibility is that? Tell us in the comments.

