GDPR
Regulation (EU) 2016/679 (General Data Protection Regulation)
Foundational EU data protection law with direct AI enforcement precedent. Article 22 restricts automated decision-making; Article 9 classifies mental health data as special category requiring explicit consent; Article 8 sets children's consent thresholds (13-16 by member state).
Jurisdiction
European Union
EU
Enacted
Apr 27, 2016
Effective
May 25, 2018
Enforcement
EU/EEA Data Protection Authorities + EDPB coordination
What It Requires
Who Must Comply
This law applies to:
- Controllers/processors handling EU personal data
- Non-EU entities processing EU residents' data (extraterritorial)
Safety Provisions
- Article 22: Right not to be subject to decisions based solely on automated processing with legal/significant effects
- Article 9: Mental health data is "special category" requiring explicit consent
- Article 8: Children's consent threshold 13-16 years (varies by member state); parental consent below
- Articles 13/14: Transparency about automated decision-making logic, significance, consequences
- Article 35: DPIA required for high-risk processing (health data, systematic monitoring)
- Data protection by design and by default
- Data subject rights (access, deletion, objection, portability)
- Security + 72-hour breach notification
Enforcement
Enforced by
EU/EEA Data Protection Authorities + EDPB coordination
Penalties
Up to €20M or 4% of global annual turnover (whichever is higher).
Private Right of Action
Individuals can sue directly without waiting for regulatory action. This significantly increases liability exposure.
Quick Facts
- Binding: Yes
- Mental Health Focus: Yes
- Child Safety Focus: Yes
- Algorithmic Scope: Yes
- Private Action: Yes
Why It Matters
The Replika enforcement (€5M, May 2025) establishes that companion AI processes special category health data. The Italian DPA found that "confidant, therapist, romantic partner" positioning requires enhanced protections. This reasoning applies EU-wide.
Recent Developments
Italy's Garante fined OpenAI €15M (Dec 20, 2024). Garante fined Replika €5M (decision Apr 10, 2025; announced May 19, 2025), among the first major companion AI enforcement actions. EDPB Opinion 28/2024 addresses AI model training.
What You Need to Comply
You need: lawful basis (explicit consent for mental health data under Art. 9); DPIA for high-risk features; data minimization + retention deletion; user rights workflows; Art. 22 posture for significant automated decisions; age verification/parental consent for children.
Cite This
APA
European Union. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). Retrieved from https://nope.net/regs/eu-gdpr
BibTeX
@misc{eu_gdpr,
title = {Regulation (EU) 2016/679 (General Data Protection Regulation)},
author = {European Union},
year = {2016},
url = {https://nope.net/regs/eu-gdpr}
}
Related Regulations
EU PLD
Modernized product liability framework explicitly covering AI systems and software as products. Shifts burden of proof in complex AI cases, allows disclosure orders for technical documentation, and addresses liability for AI-caused harm including through software updates.
EU AI Act
World's first comprehensive risk-based regulatory framework for AI systems. Classifies AI by risk level with escalating requirements from prohibited practices to high-risk obligations.
Switzerland FADP
Switzerland's revised data protection law with Article 21 automated decision transparency requirements, human review rights, and fines up to CHF 250,000.
Portugal Digital Rights Charter
Portugal's Charter of Digital Rights with Article 9 requiring AI to respect fundamental rights and establishing algorithmic auditability principles.
Serbia PDP Law
Serbia's GDPR-aligned data protection law with profiling safeguards and DPIA requirements.
Digital Austria 2.0
Austria's digital sovereignty framework establishing Sovereignty Compass for AI audits and mandatory Digi-Check for all legislation.