Home
About
Open source Mobile apps Frequently asked questions Migrating from Google Photos About us
Pricing Blog
Help Center
Account Immich Migrating Other Contact support
Login Sign up
Privacy

What is GDPR, and does it actually protect you?

Odin from PixelUnion
4 min read
#GDPR #Privacy #Data Protection #Digital Rights #Europe
What is GDPR, and does it actually protect you?

Let me guess. You have clicked “Accept all cookies” more times than you can count, and somewhere in the back of your mind you know it has something to do with GDPR. But if someone asked you to explain what GDPR actually is, you would probably change the subject.

No judgement. I would have done the same a few years ago.

If you have ever wondered what is actually behind that acronym, and whether it does anything useful for you, this one is for you.

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a European law that came into effect in 2018, and it sets the rules for how companies are allowed to collect, store, and use your personal data.

Personal data is a broad term. It includes your name and email address, but also your location, your photos, your browsing history, your IP address, and anything else that can be used to identify you as a person.

The regulation applies to any company that processes the data of people living in the EU. That includes American companies like Google and Meta. If they want to operate in Europe, they have to play by European rules.

What rights does it actually give you?

This is where it gets interesting. GDPR is not just a policy document for companies to ignore. It gives you real, enforceable rights.

The right to know. You can ask any company what data they hold about you. They are legally required to tell you within one month.

The right to access. You can request a full copy of your data. Google, Meta, Apple: all of them have tools for this. It is often a humbling experience.

The right to be forgotten. You can ask a company to delete your data. They have to comply, unless they have a legitimate reason to keep it, such as an ongoing contract or a legal obligation.

The right to portability. You can ask for your data in a format that lets you take it somewhere else. Your photos, your messages, your history. It should be yours to move.

The right to object. If a company is using your data for advertising, you can tell them to stop. This one is more complicated in practice, but the right exists.

These are not small things. Before GDPR, most of this was left entirely to the goodwill of the companies involved.

So why does it still feel like nothing has changed?

Because enforcement is slow, and fines are often delayed by years. The companies with the most data also have the most lawyers.

Meta was fined €1.2 billion under GDPR in 2023. It sounds enormous. It was roughly four days of revenue. Google has faced similar fines. They pay, they appeal, and in the meantime, they continue.

GDPR has teeth. But it bites slowly.

What GDPR does not protect you from

This is the part most people do not know.

GDPR governs what companies can do with your data on their own initiative. It does not protect you from government requests.

Under the US CLOUD Act, American authorities can demand access to data held by American companies, even if that data is stored in Europe, and even if you are a European citizen. The company can be legally required to hand it over without telling you.

GDPR says: companies cannot misuse your data on their own. The CLOUD Act says: the US government can still ask for it anyway. These two laws are in direct conflict.

My colleague already wrote a deeper dive on exactly how the CLOUD Act works and what it means for your photos.

Does it matter where a company is based?

Yes. Significantly.

If your data is stored with a company that is headquartered in the EU, incorporated under EU law, and has no US parent company, the CLOUD Act does not apply. A European court order under European law is a very different thing from a US government request.

That is not a technicality. It is the whole point.

At PixelUnion, we store your photos under European law. Not because we had to, but because it is the only way to make the protection real. Stored in the EU, operated under EU law, no American parent company, no unclear data pipeline.

GDPR is a solid foundation. But it only works fully when the company holding your data is genuinely subject to it.

Curious what else you can do to take back control? Our colleague has put together a practical guide on switching away from Big Tech entirely — with concrete alternatives for every service.