
Talk:General Data Protection Regulation

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Dsprc (talk | contribs) at 11:52, 7 October 2023 (Reverted good faith edits by 103.150.214.146 (talk): Please use the WP:SANDBOX). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Summary needs work

The current summary (shown below) does not seem appropriate.

"The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover."

While it may seem like a general description of the regulation it is in fact a description from 2012 which was referenced in this article. Please update the summary to reflect the regulation as it was passed. — Preceding unsigned comment added by 149.161.197.247 (talk) 16:21, 23 October 2017 (UTC)[reply]

Note that the regulation does not discuss residence in the EU at all. While processors and data controllers have interpreted the regulation as being limited to those residing in the EU, it is not apparent that it excludes EU citizens residing abroad. 65.198.98.16 (talk) 16:42, 28 April 2021 (UTC)Arch[reply]


Right to Rectification

The entire section of law relating to right of rectification is missing from the article.

UK Legislation mentioned in summary

I am removing the following text, which is not appropriate to the summary section of an article on the EU GDPR (Even if it might make sense in a section on effects of Brexit on the GDPR, or in an article on English, Scottish or Northern Irish Data Protection law, it's not particularly relevant to the GDPR itself).

The UK Data Protection Bill will update data protection laws for the digital age and was introduced to the House of Lords on 13 September 2017. Until then the UK will be subject to the GDPR. The Data Protection Bill is primarily based on the GDPR.

Also, it's not true - at least not as currently written (I believe intermediate edits have mangled the sense somewhat). The UK will presumably be subject to the GDPR, along with the rest of EU law, until 2 years after the UK's Article 50 notice to leave the EU (possibly longer depending on the nature of any regulatory equivalence which may be negotiated). - Paul (talk) 17:10, 8 December 2017 (UTC)[reply]


'Personally Identifiable Information (PII)' vs. 'Personal data'

In the summary ...

[...] the regulation contains provisions and requirements pertaining to the processing of personally identifiable information (personal data) of individuals (formally called data subjects in the GDPR) inside the European Union[...]

To some, "personally identifiable information" (PII) will have a specific meaning, particularly with regard to the US legal definition. Reading the personally identifiable information page itself makes this distinction a bit clearer. The GDPR definition of "personal data" is broader in scope than that of PII.

While the term is sometimes used ubiquitously to refer to a broad range of personal information (granted that a search on Wiki for "personal data" will redirect to the PII page) I think in this context it is better sense to refer solely to "personal data", here in the summary and anywhere else on the page — in particular because the scope of the GDPR does have an impact on firms in the US who might have EU customers. Views?

+1, and very much so. The PII page itself states multiple times that "personal data" is (substantially) wider than PII; hence, the two cannot and should never be used as meaning the same thing. --User:Haraldmmueller 10:34, 11 September 2018 (UTC)[reply]
Very true, Haraldmmueller. ♫ RichardWeiss talk contribs 12:23, 11 September 2018 (UTC)[reply]
Ok, I have made that change. Different.joy (talk) 11:04, 12 September 2018 (UTC)[reply]

Section: "Restrictions" (Disputed)

Section Restrictions currently states: "The following cases are not covered by the regulation: ... Statistical and scientific analysis"

This is untrue. The exceptions are limited: an exemption to Article 9(1) by Article 9(2)(j), and a provision that Member States can "provide exemptions, derogations, conditions or rules in relation to specific processing activities".

Article 89, Recital 156, and Recital 159 refer explicitly to the way statistical and scientific analysis is regulated.

Additionally, with the only citation being marked Page Needed, I'm doubtful about the rest of that section.

I am going to mark the section Disputed. Please indicate so that we can reach consensus as editors and seek to rewrite it or remove.

Golightlys (talk) 18:59, 26 May 2018 (UTC)[reply]

Over a year later, and this needs action. Claims that science isn't covered are clearly false: "(156) The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. [...] (159) Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing." All this can be verified on https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679 and it would be nice if this section were accurate. Certainly a researcher wanting a quick overview of this huge regulation would likely come to Wikipedia first. 174.52.240.90 (talk) 16:34, 13 February 2020 (UTC)[reply]

Abuse of GDPR / What GDPR is NOT !

Isn't there a list of examples where GDPR was misused? --SvenAERTS (talk) 03:21, 4 December 2020 (UTC)[reply]

Granting of the Royal Assent (UK)

The article currently has : "The United Kingdom granted royal assent to ...".

The United Kingdom does not do that. Royal Assent is granted by the Reigning Monarch (except when some form of proxy or deputy, such as I suppose the Prince Regent [1811-1820], has of necessity been formally appointed). 94.30.84.71 (talk) 17:10, 6 January 2021 (UTC)[reply]

Principles section should Cover Article 5 more than Article 6

When the EU describes the GDPR (https://gdpr.eu/what-is-gdpr/), they list seven principles that form the basis:

Data protection principles. 
If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:
Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

The current section on "principles" pulls from Article 6, which is framed by the EU as being about "Lawfulness of processing". I think the principles section should cover Article 5, and don't know how important it is to cover Article 6. ★NealMcB★ (talk) 21:29, 29 September 2021 (UTC)[reply]

Regulation "Chatcontrol"

In July 2021 the EU Parliament approved Chatcontrol, a regulation that allowed Internet Service Providers, for the following three years, to scan the e-mail of their private users extensively in order to prevent child abuse. They don't need any specific authorization. The regulation derogates from the GDPR (sources: [1], [2]). — Preceding unsigned comment added by 151.82.218.171 (talk) 15:13, 8 October 2021 (UTC)[reply]

Claim Doesn't Seem to be Supported by Reference

At the beginning of the article it says: "The regulation became a model for many national laws outside the EU, including United Kingdom, Turkey, Mauritius, Chile, Japan, Brazil, South Korea, Argentina and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR." The reference for that is number 2, which is an article on the site advisera.com titled "The differences between the California Consumer Privacy Act and the GDPR" about the CCPA, but as far as I could see it doesn't mention any other nations. Did I miss something in that article or is there another source to support this claim? I believe it is true but would like to see a solid reference for it. --MadScientistX11 (talk) 23:16, 15 October 2021 (UTC)[reply]

Content imported from another Wikipedia page

Content at General Data Protection Regulation#Risk-based approach has been imported from Draft:Risk-based approach in the GDPR by an inexperienced editor without any annotation in the edit summary. Advice has been left at User talk:Elena2341#Marking edits as minor, and a new section at Draft talk:Risk-based approach in the GDPR.--Rocknrollmancer (talk) 21:42, 5 May 2022 (UTC)[reply]

Privacy of someone else's files opened. What are the laws on data protection actions by a court employee? Just to look at her husband's mistress's background of any court appearances?

Privacy of someone else's files opened. What are the laws on data protection actions by a court employee? Just to look at her husband's mistress's background of any court appearances? 82.132.214.147 (talk) 21:16, 24 August 2022 (UTC)[reply]

Mad_girl14

Spanish 2600:6C40:1900:B1:CBA:4A62:C3FE:A20E (talk) 19:30, 28 August 2022 (UTC)[reply]

"Risk Based Approach"

Industry lawyers have for a long time advocated that the GDPR has a "risk based approach". This is not correct: while some articles of the GDPR do refer to risk (e.g. Article 32 GDPR on security), the notion that the entire law should only be complied with if there is a "risk" is not correct. The relevant section of the Wikipedia article is only referring to one (!) source, not to any element of the law. It should be deleted. Maxschrems (talk) 19:11, 21 January 2023 (UTC)[reply]

Privacy and data protection

The terms "privacy" and "data protection" are currently used synonymously in this article, but it may be helpful to mention that data protection and the right to privacy are considered distinct concepts in EU law. The GDPR is largely concerned with protecting individuals from the potential harms arising from the automated processing of personal data relating to them, i.e., ensuring that personal data used in decisions affecting individuals is "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (Jon Bing calls this a "decision-oriented view of data protection"). This departs from the traditional notion of privacy, which focuses primarily on keeping private, personal matters out of the public eye. Any personal data, whether publicly available or not, can be processed to infer characteristics of specific identifiable individuals and used to make decisions that affect those individuals, and is therefore subject to data protection under the GDPR.

It is also problematic that there is currently almost no mention of the principles of adequacy and relevancy set out in Article 5(1)(c), and how these principles relate to the protection of individuals from unfair automated decisions under various circumstances. First Comet (talk) 10:16, 20 August 2023 (UTC)[reply]