The EU's privacy framework gives you real rights over your data. But enforcement depends entirely on which country's regulator is in charge.
GDPR gives everyone in the EU/EEA the right to know what data companies hold on them, demand its deletion, refuse tracking, and claim compensation for damage, backed by administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Right of access: see everything a company holds on you. Right to erasure: demand deletion. Right to portability: take your data to a competitor in a machine-readable format. Right to object: refuse processing such as direct marketing and profiling, and not be subject to decisions based solely on automated processing that have legal or similarly significant effects. Right to rectification: correct inaccurate data. These aren't suggestions; they're legally enforceable. Companies must respond within one month (extendable by up to two further months for complex or numerous requests) or face regulatory action.
Each EU member state has a Data Protection Authority (DPA). Under the 'one-stop-shop' rule, a company processing data across borders is led by the DPA of the member state where its main EU establishment sits. This is why enforcement varies so much: Apple, Google, Meta, Microsoft, and TikTok all have their EU headquarters in Ireland, so their lead regulator is the Irish DPC, widely criticised by peer regulators and privacy groups as among the slowest and most lenient in Europe.
CNIL (France): fined Google €150M and Criteo €40M, and in 2022 issued formal notices declaring Google Analytics transfers to the US unlawful, forcing French sites to drop it. Among the most aggressive enforcers in Europe.
DPC (Ireland): fined Meta €1.2B only after the European Data Protection Board's binding dispute-resolution decision forced it to; the DPC's own draft had proposed no fine, a decade after Max Schrems' original 2013 complaint. It approved Meta's transfer mechanism for years while other regulators objected. NOYB (Schrems' organisation) has filed over 800 complaints and has repeatedly forced Ireland's hand at EU level.
Germany: 18 authorities (the federal BfDI plus the 16 states, with Bavaria splitting public- and private-sector oversight into two bodies), the strictest on consent. The BfDI ordered the federal government's press office to shut down its Facebook page because page operators are jointly responsible for Meta's processing.
AP (Netherlands): fined its own tax authority for discriminatory fraud-detection algorithms.
IMY (Sweden): in 2023 fined companies including Tele2 for continuing to use Google Analytics, following the Austrian and French rulings under Schrems II.
In July 2020, the Court of Justice of the EU struck down the EU-US Privacy Shield (the Schrems II judgment), leaving transfers of EU personal data to the US without a valid legal basis. The court found that US surveillance law (FISA Section 702 and Executive Order 12333) and the absence of effective judicial redress for EU residents meant US protection was not 'essentially equivalent' to the EU's. A replacement, the EU-US Data Privacy Framework, was adopted in July 2023, but Max Schrems' noyb has said it will challenge it. Austrian and French regulators ruled Google Analytics unlawful because it transferred EU visitor data to the US. Companies relying on US cloud providers face ongoing legal uncertainty.
National security is outside GDPR entirely, because it falls outside EU competence. Intelligence agencies and military data processing are therefore beyond its reach, and police processing for criminal-law purposes is governed by the separate, weaker Law Enforcement Directive (2016/680). Each country's intelligence oversight is national (and usually weaker still). GDPR also doesn't apply to purely personal or household activities. And enforcement requires a regulator willing to act, which, in Ireland's case, has been the system's biggest weakness.
Meta: €1.2B (2023, Ireland: transfers to the US)
Amazon: €746M (2021, Luxembourg: ad targeting)
TikTok: €530M (2025, Ireland: transfers to China)
WhatsApp: €225M (2021, Ireland: transparency)
Google: €150M (2022, France: making cookie refusal harder than acceptance)
H&M: €35M (2020, Hamburg, Germany: employee surveillance)
These sound large but amount to days or weeks of revenue for the companies involved, and whether GDPR fines actually change behaviour is debated.