EU GDPR Regulatory Apparatus (2018–ongoing)

Class card for the EU General Data Protection Regulation apparatus, the world's most consequential data-rights regulatory machine. Regulation (EU) 2016/679 was adopted April 27 2016, replacing Data Protection Directive 95/46/EC (1995), and entered force May 25 2018. The machine's telos: protect EU citizen data rights and force global digital platforms to internalize data protection as the cost of EU market access. The regulatory architecture: seven lawful-basis categories (consent, contract, legal obligation, vital interest, public task, legitimate interest); eight data-subject rights (access, rectification, erasure/"right to be forgotten", portability, restriction, objection, automated-decision, profiling); enforcement via 27 national Data Protection Authorities (DPAs) coordinated through the European Data Protection Board (EDPB); fines up to €20M or 4% of global annual turnover (whichever higher). Major enforcement: Meta €1.2B (May 22 2023, Ireland DPC — EU-US data transfer); Amazon €746M (Jul 30 2021, Luxembourg DPA — consent); Google €50M (Jan 21 2019, CNIL France — consent transparency). CJEU pivots: Schrems I (Oct 6 2015) invalidated US-EU Safe Harbor; Schrems II (Jul 16 2020) invalidated Privacy Shield; EU-US Data Privacy Framework (Jul 2023, third attempt) currently operative but litigation-pending. The Brussels Effect: 50+ countries adopted GDPR-equivalent frameworks — Brazil LGPD (Aug 2018), China PIPL (Nov 2021), India DPDP (Aug 2023). The machine exports its regulatory template through market-access pressure, not treaty or military power — the definitive positive-DM-Day case of divergentism (capacity HIGH, narrative coherent, capture_resistance HIGH, fragmentation LOW per atlas DM-33 w0). Extension wave (2022–2024): EU Digital Markets Act (DMA, adopted Sep 14 2022; force May 2 2023) targets gatekeeper platforms; EU Digital Services Act (DSA, force Feb 17 2024) governs illegal content and systemic risk; EU AI Act (adopted May 21 2024; force Aug 1 2024) extends the regulatory envelope to foundation models. GDPR, DMA, DSA, and AI Act together constitute a coherent "Brussels regulatory stack" — the GDPR is the first layer. V0.2 GAP: no schema field for multi-jurisdiction enforcement coordination at class level; captured via jurisdiction_splits. The machine is incorporeal (statutory framework) but has corporeal enforcement teeth via national DPAs with staff + budget. Sources: Bradford, The Brussels Effect (2020); Schwartz + Solove, Privacy Law Fundamentals (2021); Lynskey, The Foundations of EU Data Protection Law (2015); EDPB Annual Reports 2019–2024; CJEU Grand Chamber judgments (Schrems I, Schrems II).