The European Union General Data Protection Regulation (GDPR), entered into force in 2018, considerably expands the scope of EU privacy rules. In addition to companies established in the EU, the Regulation applies extraterritorially to companies offering goods or services to data subjects in the EU and companies that monitor the behavior of EU citizens (Art. 3). In addition, there is complementary legislation such as Directive (EU) 2016/680, on the protection of natural persons regarding processing of personal data connected with criminal offences or the execution of criminal penalties, and on the free movement of such data.

The EU's General Data Protection Regulation (GDPR) considerably expands the scope of EU privacy rules. In addition to companies established in the EU, the Regulation applies extraterritorially to companies offering goods or services to data subjects in the EU and companies that monitor the behavior of EU citizens (Art. 3).
The Regulation mandates that data is allowed to flow freely outside the European Economic Area (EEA) only in certain circumstances listed in Chapter 5 of the Regulation. The main conditions for such a transfer are the following: the recipient jurisdiction has an adequate level of data protection; the controller ensures adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or, the transfer is necessary for the performance of a contract between the data subject and the controller.
The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay as providing adequate protection. In addition, the EU-US Data Privacy Framework acts as a self-certification system open to certain US companies for data protection compliance since July 2023.

The European Union has joined ond agreement with binding commitments to open transfers of data across borders: the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the One Part, and the United Kingdom of Great Britain and Northern Ireland, of the Other Part (Art. 201).

The EU has attached the WTO Telecom Reference Paper to its schedule of commitments.

Art. 3[2] of the Directive 2014/61/EU establishes that Member States shall ensure that, upon written request of an undertaking providing or authorised to provide public communications networks, any network operator has the obligation to meet all reasonable requests for access to its physical infrastructure under fair and reasonable terms and conditions, including price, with a view to deploying elements of high-speed electronic communications networks. Such written request shall specify the elements of the project for which the access is requested, including a specific time frame.

The Directive on the protection of undisclosed know-how and business information (trade secrets) is key in harmonising national laws concerning trade secrets by:
- ensuring an equivalent level of protection of trade secrets throughout the Union
- introducing a uniform definition of the term "trade secret"
- providing common measures against the unlawful acquisition, use, and disclosure of trade secrets.
At the same time, the Directive contains several exceptions to the protection of trade secrets, e.g. to the advantage of those who reveal misconducts, wrongdoing, or illegal activity if a disclosure of a trade secret serves the public interest.

The Digital Services Act (DSA) envisages research access to data under confidentiality obligations, as well as access to algorithms and explanations by regulators. It is reported that certain requirements in the DSA create uncertainty in relation to trade secret protection as very large online platforms can be under an obligation to open access to their (confidential) data. Article 25 defines very large online platforms as those platforms which reach a number of average monthly active recipients of the service in the Union equal to or higher than 45 million.
Art. 31 of the DSA provides a framework for compelling access to data from very large online platforms to competent national authorities (“Digital Services Coordinators”) to monitor and assess compliance with the Regulation. The Digital Services Coordinator may also request large online platforms to provide access to data to vetted researchers for researching and identifying systemic risks as set out in Art. 26(1). Such a requirement may include, for example, data on the accuracy, functioning and testing of algorithmic systems for content moderation. All requirements for access to data under the framework should be proportionate and appropriately protect the rights and legitimate interests, including trade secrets and other confidential information.
Moreover, according to Art. 31(6) a platform may apply to amend the data request if it will lead to “significant vulnerabilities for the protection of confidential information.”

Regulation EU 2019/1150 on promoting fairness and transparency for business users of online intermediation services (the Platform to Business Regulation) requires the disclosure of certain features of algorithms, which may constitute trade secrets. Article 5 stipulates that online intermediation services must disclose the main ranking parameters and their relative importance to business users through terms of service, while online search engines need to make similar disclosures publicly. The Commission's December 2020 guidance on ranking (§82) argues that providers cannot refuse to disclose the main parameters based on the sole argument that these constitute a trade secret.

The EU signed the WIPO Performances and Phonograms Treaty in 1996 and ratified the treaty in 2009. The treaty entered into force in 2010.

The Trade Secrets Directive (EU) 2016/943 protects trade secrets, while also allowing for disclosure of trade secrets for reasons of public interest, either to the public or to public authorities in the performance of their duties. Art. 1.2 states that "this Directive shall not affect: [..] (b) the application of Union or national rules requiring trade secret holders to disclose, for reasons of public interest, information, including trade secrets, to the public or to administrative or judicial authorities for the performance of the duties of those authorities."
Moreover, Art. 5 stipulates that Member States shall ensure that an application for the measures, procedures and remedies provided for in this Directive is dismissed where the alleged acquisition, use or disclosure of the trade secret was carried out in any of the following cases for revealing misconduct, wrongdoing or illegal activity, provided that the respondent acted for the purpose of protecting the general public interest.

The EU signed the WIPO Copyright Treaty in 1996 and ratified the treaty in 2009. The treaty entered into force in 2010.

Contrary to several intellectual property rights in existence (trademarks, design, new varieties of plants), copyright within the EU is still not a unitary right, but a bundle of national laws, though much harmonized by EU Directives. There is no general principle for the use of copyright protected material comparable to the fair use/fair dealing principles. Directive 2001/29/EC defines an exhaustive set of limitations from the author´s exclusive rights under the control of the “three-step test” in line with the Berne Convention that establishes three cumulative conditions to the limitations and exceptions of a copyright holder’s rights. The Directive has been transposed by Member States with some freedom left to them.
The list of copyright exceptions and limitations provided by EU law is exhaustive. However, these may be optional for Member States, as is the case for those provided by the Directive 2001/29/EC (the InfoSoc Directive), or mandatory, as is the case for those provided by Directive 2019/790 on Copyright in the Digital Single Market (DSM Directive).

Under the Regulation 2019/452, Member States may maintain their existing investments screening mechanisms (21 Member States currently do), adopt new ones or remain without such national mechanisms. The Commission keeps an up-to-date list of screening laws in the EU. Member States must notify the Commission who may issue an opinion when an investment threatens the security or public order of more than one Member State, or when an investment could undermine a strategic project or programme of interest to the whole EU, such as Horizon 2020 or Galileo. The final decision remains with the Member State.
The regulation introduces some key requirements for national screening mechanisms, whether existing or envisaged:
- transparency of rules and procedures;
- non-discrimination among foreign investors;
- confidentiality of information exchanged;
- the possibility of recourse against screening decisions, and;
- measures to identify and prevent circumvention by foreign investors.
Screening considerations related to digital trade include the potential effect of the investment (1) on critical infrastructure, whether physical or virtual, including communications, media, data processing or storage, or (2) on critical technologies including artificial intelligence, robotics, semiconductors & cybersecurity or (3) on access to sensitive information, including personal data, or the ability to control such information or (4) on the freedom and pluralism of the media (Art. 4).

Although the European Union is a signatory to the WTO Government Procurement Agreement (GPA), its coverage schedules do not include "telecommunications related services" (CPC 754), which is an important sector for digital trade.

Art. 85 of the Utilities Directive (2014/25/EU) contains provisions allowing contracting public entities to reject foreign goods not covered by any EU international commitments from its tender procedures. In these cases, a tender submitted for the award of a supply contract may be rejected where the proportion of the products originating in third countries exceeds 50% of the total value of the products constituting the tender (Art. 85.2). Additionally, in cases of equivalent offers, the provisions provide for a preference for European tenders and tenders covered by EU's international obligations. In practice, this possibility has rarely been used.