ThinkableWhat is this?

Data & Privacy — GDPR

The Law That Made Silicon Valley Flinch

When a single piece of European legislation forced every major tech company on Earth to rewrite its privacy policies overnight, it wasn't because the EU got lucky — it was because they understood something about power that the industry had spent a decade hoping nobody would notice.

The Idea

The General Data Protection Regulation, which came into force in May 2018, is often described as a privacy law — but that framing undersells it. It is more accurately a property rights law. What GDPR did, in structural terms, was reassert that personal data belongs to the person it describes, not to whoever happens to have collected it. This sounds obvious until you realise that the entire business model of the attention economy was built on the opposite assumption. The regulation introduced several hard-edged rights: the right to know what data is held about you, the right to have it deleted, the right to object to it being processed, and — most disruptively — the requirement that companies obtain meaningful consent before collecting it in the first place. 'Meaningful' is doing enormous work in that sentence. Pre-ticked boxes, buried opt-outs, and consent-as-a-condition-of-service were all ruled out. The enforcement mechanism is what gave it real teeth. Fines can reach four percent of a company's global annual turnover — not revenue from Europe, but global turnover. For a company the size of Meta, that is a number that gets board-level attention. The law also applies to any company that handles data about EU residents, regardless of where the company itself is headquartered. That extraterritorial reach is why it reshaped practices in California, Singapore, and São Paulo, not just in Brussels.

In the World

In January 2023, Ireland's Data Protection Commission fined Meta a sum equivalent to roughly a month's worth of the company's global advertising revenue — the largest GDPR fine ever issued at that point — for transferring European users' data to servers in the United States without adequate legal safeguards. The fine itself was significant, but the more consequential outcome was the underlying ruling: Meta could not simply route data across the Atlantic under the frameworks it had been relying on for years. This was the culmination of a legal campaign that had begun with a single complaint filed in 2013 by an Austrian law student named Max Schrems on the day the GDPR's predecessor directive was being weakened. Schrems had argued that the legal mechanism allowing EU-US data transfers — a framework called Safe Harbour — was meaningless after Edward Snowden's revelations about NSA surveillance. He was right. The Court of Justice of the EU agreed, struck down Safe Harbour in 2015, then struck down its replacement, Privacy Shield, in 2020. What's striking about this story is the asymmetry: one person with a law degree and a legitimate grievance was able to force a trillion-dollar company into a decade-long legal battle that reshaped international data flows. GDPR created the architecture that made that leverage possible.

Why It Matters

Most people encounter GDPR as a nuisance — those cookie consent banners that appear on every website, designed to comply with the letter of the law while undermining its spirit as thoroughly as possible. That frustration is legitimate, but it's worth separating the regulation from the implementation choices companies made in response to it. The underlying question GDPR forces into the open is one worth carrying around: who benefits from the data trail you leave behind, and do you have any meaningful say in it? Before 2018, the honest answer for most people was 'someone else' and 'no'. The regulation didn't fully fix that, but it created a legal basis for individuals to push back — and it established a global precedent that other jurisdictions, from Brazil to South Korea to California, have since followed. Understanding GDPR also sharpens your ability to read the fine print on any digital service you use. When a company asks for your consent, are they offering a genuine choice, or engineering one? The law gives you a framework for asking that question — and occasionally, the right to demand a real answer.

A Question to Ponder

If your personal data is genuinely yours, what would it mean to treat it the way you treat other things you own — and how would that change the digital services you're willing to use?

Get a new one of these every morning.

Start learning with Thinkable
One topic like this, every day.Start free