A survey conducted in April and May 2023 revealed that around ** percent of the companies that do business in the European Union (EU) and the United Kingdom (UK) found it challenging to adapt to new or changing requirements of the General Data Protection Regulation (GDPR) or Data Protection Act 2018 (DPA). A further ** percent of the survey respondents said it was challenging to increase the budget because of the changes in the data privacy laws.

As of January 2025, The European Union (EU) had three fully operating and one upcoming law regarding online privacy and the usage of digital technologies. The first one, the General Data Protection Regulation (GDPR), was enacted in May 2018. The second law became effective on February 17, 2024, and is called the Digital Services Act (DSA). In March 2024, another law protecting consumer privacy, the Digital Markets Act, was enacted. The latest regulation adopted by the European Union (EU) is called the Cyber Resilience Act (CRA), which became active in December 2024.

The European Union implemented data privacy laws in mid-2018 and the state of California enacted a similar law several weeks later. These regulations affect medical data collection and analysis. It is unclear if they achieve this goal in the realm of clinical trials. Here we investigate the effect of these laws on clinical trials through analysis of clinical trials recorded on the US's ClinicalTrials.gov, the World Health Organization's International Clinical Trials Registry Platform and scientific papers describing clinical trials. Our findings show that the number of phase 1 and 2 trials in countries not adhering to these data privacy laws rose significantly after implementation of these laws. The largest rise occurred in countries which are less free, as indicated by the negative correlation (−0.48, p = 0.008) between the civil liberties freedom score of countries and the increase in the number of trials. This trend was not observed in countries adhering to data privacy laws nor in the paper publication record. The rise was larger (and statistically significant) among industry funded trials and interventional trials. Thus, the implementation of data privacy laws is associated a change in the location of clinical trials, which are currently executed more often in countries where people have fewer protections for their data.

One out of two surveyed respondents representing Danish organizations stated in a survey that the new General Data Protection Regulations (GDPR) had been a burden on their business as of 2019. That was a drastic increase from the year before, when just one out of three respondents stated so.

As of February 2025, 19 U.S. states had consumer privacy laws signed. California was the first state to develop a privacy bill in 2018. Since then, more states have come up with state-level laws dedicated to the protection of consumer data. A few of the signed laws are yet to become effective in 2025 or in 2026.

Since the entry into force of the General Data Protection Regulation (GDPR), on 25 May 2018, only digital processing of the most sensitive personal data must be subject to prior formalities with the CNIL.

These formalities may take the form of simplified declarations (declarations of conformity with a reference framework proposed by the CNIL), requests for an opinion (for the sovereign activities of the State) or applications for authorisation (in the field of health). To find out more: cnil.fr.

In accordance with the amended Data Protection Act (Article 36), the CNIL keeps available to the public the list of these formalities in an open and easily reusable format, known as “List article 36”.

** Warnings:**

1/The published data are the result of the prior formalities completed, since May 25, 2018, by the controllers of personal data processing at the CNIL, via its dedicated teleservices. The CNIL cannot be held responsible for their content.

2/The processing carried out on behalf of the State may not appear in the dataset, the formalities having been completed in the form of requests for an opinion on a draft regulatory act (decree or decree) not submitted via the teleservices mentioned. The information relating to these treatments is available on Legifrance, the opinion of the CNIL being published with the act authorising the treatment (to access the deliberations of the CNIL: https://www.legifrance.gouv.fr/initRechExpCnil.do). In addition, some important treatments are subject to fiches on the CNIL website.

3/Exceptionally exempted from the publication of the regulatory act authorising them (decree or decree) are not included in the published data set, in accordance with article 36 of the amended Data Protection Act. The treatments referred to in Article 30 I and II may be exempted, by decree in the Council of State, from the publication of the regulatory act which authorises them. These treatments are mentioned in Decree n°2007-914 of 15 May 2007.

Introduction

GDPR Statistics: ​In 2024, enforcement of the General Data Protection Regulation (GDPR) intensified across Europe, resulting in significant financial penalties for non-compliance. The Irish Data Protection Commission (DPC) imposed a €310 million fine on LinkedIn for processing personal data without a proper legal basis.

Similarly, Uber faced a €290 million penalty from the Dutch Data Protection Authority for unlawfully transferring European drivers' personal data to the United States. Meta Platforms Ireland Limited was fined €251 million by the Irish DPC due to a 2018 data breach affecting millions of user accounts. Collectively, GDPR fines in 2024 totaled approximately €1.2 billion, marking a 33% decrease from the previous year.

Since the regulation's inception in 2018, cumulative fines have reached €5.88 billion. These figures underscore the ongoing commitment of European authorities to uphold data privacy standards and the substantial financial risks organizations face for non-compliance.

As of February 2025, 19 states in the U.S. had state-level privacy laws signed. All signed laws protect the right of a consumer to access personal information collected by companies and shared with third parties. The first state-level privacy law proposed in California in 2018 had gaps, as it did not reference the consumer's right to request a correction of incorrect or outdated personal information and other rights. However, the second privacy law developed afterward in the state, the California Privacy Rights Act, was more comprehensive. Other consumer rights, such as the consumer's right to opt out of specific processing and the right to opt in for sensitive data processing, were rarely protected, too. Additionally, only one of the signed laws covered the consumer's private right of action, with certain limitations.

List of personal data processing activities of the Government of Aragon that comply with data protection regulations (General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC and Royal Decree-Law 5/2018 of 27 July 2018 on urgent measures for the adaptation of Spanish law to European Union legislation on data protection).

The goal of this study was to measure the attitudes towards data sharing and data-collecting organizations before and after the introduction of the EU General Data Protection regulations (GDPR) among people in Germany. The data come from a three-wave split-panel web survey among people 18 years and older in Germany who were recruited from a German nonprobability online panel. In April 2018 (before the GDPR came into effect), 2,095 participants completed the Wave 1 questionnaire on device ownership, social media use, trust in different data collecting organizations, willingness to share data, general trust, awareness of and knowledge about the GDPR, and privacy concerns. In July and in October 2018 (after the GDPR came into effect), respondents from the earlier waves were invited to participate in a second and a third web survey that repeated most of the questions from the first wave. In addition to participants from the earlier waves, fresh respondents were also invited to Waves 2 and 3. A total of 2,046 (Wave 2) and 2,117 (Wave 3) respondents completed the questionnaire in the subsequent waves. 1,269 participated in all three waves.

Topics:

Wave 1

Possession of smartphone, mobile phone, PC, tablet and/or e-book reader; social media use: account with user name and password at selected providers (Google, Facebook, Twitter, LinkedIn, Xing); trust in institutions (Google, Facebook, Bundesamt für Statistik, Universitätsforscher) with regard to the protection of personal data and reasons for this assessment; probability scale with regard to the protection of personal data at the above-mentioned institutions and reasons for this assessment; agreement with the import of personal data of the social insurance institutions to the survey data; general personal trust; awareness of the EU General Data Protection regulations (GDPR) ; knowledge test: goals of the GDPR (open); feeling of invaded privacy by the following institutions: Google, Facebook, government agencies, university researchers; general privacy concerns.

Wave 2

Possession of smartphone, mobile phone, PC, tablet and/or e-book reader; social media use: account with user name and password with selected providers (Google, Facebook, Twitter, LinkedIn, Xing); trust in institutions (Google, Facebook, Federal Statistical Office, university researchers) with regard to the protection of personal data; general personal trust; awareness of the EU General Data Protection regulations (GDPR); knowledge test: goals of the GDPR (open); consent to the storage of various personal data by Facebook or Google (name, e-mail address, home address, date of birth, telephone number, income, marital status, number of children, current location, Internet browser history, account names from other social media and data received from third parties); feeling of invasion of privacy by the following institutions: Google, Facebook, government agencies, university researchers; general privacy concerns.

Wave 3

Possession of smartphone, mobile phone, PC, tablet and/or e-book reader; social media use: account with user name and password at selected providers (Google, Facebook, Twitter, LinkedIn, Xing); trust in institutions (Google, Facebook, Federal Statistical Office, university researchers) with regard to the protection of personal data; general personal trust; awareness of the EU General Data Protection regulations (GDPR); knowledge test: goals of the GDPR (open); concerns about privacy in general; comprehensibility of excerpts of the contents of the EU General Data Protection regulations (GDPR) (resp. on passenger rights in the event of denied boarding and flight delays); estimated popularity of smartphones (proportion of smartphone owners per 100 adult Germans); repetition of the question on trust data collecting organisations (Google, Facebook) with regard to the protection of personal data and general personal trust; readiness for data exchange by Google (or Facebook or the Federal Statistical Office) for research purposes (or for commercial purposes).

Demography: sex; age (year of birth); federal state; school education; professional qualification.

Additionally coded was: running number; respondent ID; experimental groups GDPR Info; duration (reaction time in seconds); used device type to complete the questionnaire.

The questionnaire also included two experiments, one on the effect of GDPR-related information on trust in data collecting organisations and one on the comfort of data shar...

This study is to understand how perceptions and the organization of school safety and security are associated with the level and type of law enforcement engagement in rural schools. A triangulation mixed methods design was used to collect and examine individual, school, and community level quantitative and qualitative data. The social-ecological theory of violence prevention guides the research by predicting that an interplay of factors at multiple levels influences the type and level of law enforcement engagement in rural schools. Specifically, it was predicted that the more organized and coordinated a school is in the area of safety and security, the more likely it is to be formally engaged with law enforcement. Formal engagement is defined as use of some version of the school resource officer (SRO) model or defined roles and responsibilities for law enforcement in schools that are articulated in documents such as a memorandum of agreement or understanding.

Snapshot img

Data Protection As A Service Market Size 2024-2028

The data protection as a service (DPaaS) market size is forecast to increase by USD 87.57 billion at a CAGR of 46.02% between 2023 and 2028.

The market is experiencing significant growth due to the rising adoption of this solution among various industries in the US. The exponential growth in the volume of data being generated and collected by enterprises necessitates strong data protection measures. Deployment modes like hosted services and hybrid cloud have made DPaaS more accessible and cost-effective for businesses. In-house security teams are increasingly turning to DPaaS to enhance their data security capabilities.
Disaster recovery is another key area where DPaaS is gaining traction, providing businesses with a reliable and efficient backup and recovery solution. Despite its benefits, the high cost of DPaaS remains a challenge for some enterprises. Overall, the DPaaS market is poised for continued growth as more organizations recognize the importance of securing their data in the digital age.

What will be the Data Protection As A Service Market Size During the Forecast Period?

Request Free Sample

The market refers to the provision of managed data security services through cloud-based solutions. These services enable organizations to safeguard their data from cyberattacks and data breaches, ensuring business continuity and compliance with data protection regulations. In the US, the adoption of DPaaS is on the rise as businesses seek to enhance their IT infrastructure's security and scalability. DPaaS offers several benefits to organizations, including scalability, management, and recovery options. Scalability allows businesses to easily expand their data protection capabilities as they grow, while management simplifies the process of securing data through centralized control. Recovery options ensure that data can be quickly restored in the event of a cyberattack or data loss. Cloud storage is a critical component of DPaaS, providing organizations with secure, offsite data storage. DPaaS providers offer advanced security features, such as encryption, access controls, and intrusion detection, to protect data in the cloud. Data breaches and cyberattacks pose significant risks to organizations, leading to financial losses, reputational damage, and legal consequences.
Moreover, DPaaS helps mitigate these risks by providing strong security measures and real-time threat detection and response. DPaaS can be deployed in various modes, including public, private, and hybrid clouds. The choice of deployment mode depends on the organization's size and specific security requirements. Small and medium-sized businesses may prefer public cloud solutions, while larger enterprises may opt for private or hybrid clouds for enhanced security and control. DPaaS is applicable to various industry verticals, including healthcare, finance, retail, and education. These industries handle sensitive data and are subject to stringent data protection regulations. DPaaS providers offer paid databases with threat intelligence and compliance information to help organizations stay informed and comply with regulatory requirements. Next-Generation Technologies: DPaaS solutions leverage next-generation technologies, such as artificial intelligence (AI) and machine learning (ML), to provide advanced threat detection and response capabilities.
Additionally, these technologies enable DPaaS providers to quickly identify and respond to emerging threats, ensuring that organizations' data remains secure. IT Infrastructure Industry: The IT infrastructure industry is a significant contributor to the growth of the DPaaS market. DPaaS solutions offer businesses a cost-effective and efficient way to enhance their data security capabilities without the need for extensive IT resources or expertise. DPaaS is an essential solution for businesses looking to enhance their data security and ensure business continuity in the face of cyberattacks and data breaches. With its scalability, management, and recovery options, DPaaS offers organizations the flexibility and control they need to protect their data in the cloud. As data security becomes increasingly critical, the adoption of DPaaS is expected to continue growing in the US and beyond.

How is this market segmented and which is the largest segment?

The market research report provides comprehensive data (region-wise segment analysis), with forecasts and estimates in 'USD billion' for the period 2024-2028, as well as historical data from 2018-2022 for the following segments.

Application

  STaaS
  BaaS
  DRaaS


Business Segment

  Large
  Small and medium


Geography

  North America

    US


  Europe

    Germany
    UK


  APAC

    China
    Japan


  South America



  Middle East and Africa

By Application Insights

The STaaS segment is est

Collection of definitions of terms in English, French, German, Italian and Spanish extracted from the following data-related European laws:

Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (INSPIRE)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

Commission Recommendation (EU) 2018/790 of 25 April 2018 on access to and preservation of scientific information

Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (Text with EEA relevance)

Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (Text with EEA relevance)

Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (recast) (Open Data Directive)

Regulation (EU) 2021/695 of the European Parliament and of the Council of 28 April 2021 establishing Horizon Europe – the Framework Programme for Research and Innovation, laying down its rules for participation and dissemination, and repealing Regulations (EU) No 1290/2013 and (EU) No 1291/2013 (Text with EEA relevance)

Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (Text with EEA relevance)

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance)

Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance)

Commission Implementing Regulation (EU) 2023/138 of 21 December 2022 laying down a list of specific high-value datasets and the arrangements for their publication and re-use (Text with EEA relevance)

Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)

Regulation (EU) 2024/903 of the European Parliament and of the Council of 13 March 2024 laying down measures for a high level of public sector interoperability across the Union (Interoperable Europe Act)

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) Text with EEA relevance.

Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)

Dataset on commits (and repositories) on GitHub making reference to data privacy legislation (covering laws: GDPR, CCPA, CPRA, UK DPA).

The dataset contains:
+ all_commits_info_merged-v2-SHA.csv : commits information as collected from various GitHub REST API calls (all data merged together).
+ repos_info_merged_USED-v2_with_loc.csv: repository information with some calculated data.
+ top-70-repos-commits-for-manual-check_commits-2coders.xlsx: results of the manual coding of the commits of the 70 most popular repositories in dataset.
+ user-rights-ω3.csv: different terms for user rights teriminology in legislation.
+ github_commits_analysis_replication.r: main analysis pipeline covering all RQs in the R programming language.

In order to perform also the initial data collection, the GitHub REST API can be used, collecting data using time intervals, for instance:
https://api.github.com/search/commits?q=%22GDPR%22+committer-date:2018-05-25..2018-05-30&sort=committer-date&order=asc&per_page=100&page=1

This dataset accompanies the following publication, so please cite it accordingly:

Georgia M. Kapitsaki, Maria Papoutsoglou, Evolution of repositories and privacy laws: commit activities in the GDPR and CCPA era, accepted for publication at Elsevier Journal of Systems & Software, 2025.

Any person or association can submit a complaint to the CNIL for non-compliance with the Data Protection Act and, since May 25, 2018, for non-compliance with the General Data Protection Regulation (GDPR). The CNIL can then contact the person in charge of the file to check its compliance with the law and request corrective actions if necessary. At the end, the complainant is informed of the actions taken. This dataset presents the number of complaints received since 1981. Disclaimer: for any questions about the operation of a file and the help that the CNIL can provide you, please do not use the "Discussions" below, which are visible to all and reserved for exchanges on published datasets; use the Need help service (https://www.cnil.fr/en/cnil-direct) or contact the CNIL on 01 53 73 22 22.

Whilst this some of the requested information is held by the NHSBSA, we have exempted some of the figures under section 40(2) subsections 2 and 3(a) of the FOIA because it is personal data of applicants to the VDPS. This is because it would breach the first data protection principle as: a - it is not fair to disclose individual’s personal details to the world and is likely to cause damage or distress. b - these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the individual. https://www.legislation.gov.uk/ukpga/2000/36/section/40 Information Commissioner Office (ICO) Guidance is that information is personal data if it ‘relates to’ an ‘identifiable individual’ regulated by the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018. The information relates to personal data of the VDPS claimants and is special category data in the form of health information. As a result, the claimants could be identified, when combined with other information that may be in the public domain or reasonably available. Online communities exist for those adversely affected by vaccines they have received. This further increases the likelihood that those may be identified by disclosure of this information. Section 40(2) is an absolute, prejudice-based exemption and therefore is exempt if disclosure would contravene any of the data protection principles. To comply with the lawfulness, fairness, and transparency data protection principle, we either need the consent of the data subject(s) or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet the legitimate interest and finally, the disclosure must not cause unwarranted harm. The NHSBSA has considered this and does not have the consent of the data subjects to release this information and believes that it would not be possible to obtain consent that meets the threshold in Article 7 of the UK GDPR. The NHSBSA acknowledges that you have a legitimate interest in disclosure of the information to provide the full picture of data held by the NHSBSA; however, we have concluded that disclosure of the requested information would cause unwarranted harm and therefore, section 40(2) is engaged. This is because there is a reasonable expectation that patient data processed by the NHSBSA remains confidential, especially special category data. There are no reasonable alternative measures that could meet the legitimate aim. As the information is highly confidential and sensitive, it outweighs the legitimate interest in the information. Section 41 FOIA This information is also exempt under section 41 of the FOIA (information provided in confidence). This is because the requested information was provided to the NHSBSA in confidence by a third party - another individual, company, public authority or any other type of legal entity. In this instance, details have been provided by the claimants. For Section 41 to be engaged, the following criteria must be fulfilled:

A data protection impact assessment (DPIA) is a process to identify privacy risks to individuals in the collection, use, storing, and disclosure of information. This allows Camden to identify problems so that risks can be removed or reduced to acceptable levels. It also reduces privacy breaches and complaints which can damage the Council’s reputation or enforcement action against it by the Information Commissioner (the regulator). We publish these as a dataset in accordance with the Council's Data Charter and also the GDPR/Data Protection Act 2018.

🇬🇧 영국 English This report contains all Right of Access (Data Protection Act 2018) requests received by the Metropolitan Police Service and logged on our corporate logging system since May 2018. In addition, there is information on Subject Access Requests (Data Protection Act 1998) received after 01/01/2015 up to the introduction of the 2018 Act. There is also information on Appeals and complaints from January 2015 onwards covering both the 1998 and 2018 legislation. The Information Commissioners Office (ICO) recommend that organisations publish their own performance in answering Subject Access/Right of Access Requests on a quarterly basis. This report is our response to that recommendation. Counting Rules One submission from a member of the public will count as one request. Multiple submissions from the same person on different dates for different data will be counted as multiple requests. The data used in the MPS Right of Access Performance Dashboard is available here Right of access performance dashboard | Metropolitan Police , along with the related data definitions. Please note that, this data set running quarterly behind with quarterly update. Due to an internal IT deployment, from 27th February these datasets may be temporarily disrupted. Work is ongoing to rebuild these datasets.

Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, Ireland has reported the highest amount of fines issued for violation of the regulation, over **** billion euros. Luxembourg ranked second, with around *** million euros, while France followed, issuing ****** million euros of fines for GDPR violations.

I can confirm that we do hold the requested information however, we consider the name and General Medical Council (GMC) number to be personal data under section 3(2) of the Data Protection Act 2018. Disclosure of the medical assessor’s name or GMC number would result in the identification of the medical assessor when entered into the GMC public register. As the requested information would allow a medical assessor to be identified, I consider this information is exempt under section 40(2) and 40(3A)(a) of the FOIA (personal information). This is because it would breach the first data protection principle as: a) it is not fair to disclose medical assessors’ personal details to the world and is likely to cause damage or distress. b) these details are not of sufficient interest to the public to warrant an intrusion into the privacy of the medical assessor. For disclosure to comply with the lawfulness, fairness, and transparency principle, we either need the consent of the medical assessor or there must be a legitimate interest in disclosure. In addition, the disclosure must be necessary to meet that interest and finally, the disclosure must not cause unwarranted harm. In this case we do not have the consent of the medical assessor to disclose their personal information. This means that the NHSBSA is therefore required to conduct a balancing exercise between the legitimate interest in disclosing the information against the rights and freedoms of the medical assessor. Having reviewed the information you have provided I acknowledge that you have a legitimate interest in disclosure of the information. However, I agree with the previous decision that disclosure of the requested information would cause unwarranted harm. Whilst I acknowledge your comments on this, disclosure under FOIA is to the world and therefore the NHSBSA has to consider the overall impact of the disclosure and its duty of care. The expectation of the medical assessors is that they will remain anonymous and will therefore not be subject to contact or pressure from claimants or campaigning groups. Given the certainty that the name and/or GMC number will identify the medical assessor there is a reasonable expectation that this information would not be disclosed under the FOIA. Disclosing this information would be unfair and as such this would breach the UK General Data Protection Regulation first data protection principle. Please see the following link to view the section 40 exemption in full - https://www.legislation.gov.uk/ukpga/2000/36/section/40