Talk:General Data Protection Regulation: Difference between revisions

	; Archives (Index) ;
	2015; 2017; 2018; 2019; 2020; 2021;
	This page is archived by ClueBot III.

Browse history interactively

← Previous edit Next edit →

Content deleted Content added

VisualWikitext

Inline

Revision as of 14:18, 24 June 2019

This is the talk page for discussing improvements to the General Data Protection Regulation article.
This is not a forum for general discussion of the article's subject.

Put new text under old text. Click here to start a new topic.
New to Wikipedia? Welcome! Learn to edit; get help.

Article policies

Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL

A news item involving General Data Protection Regulation was featured on Wikipedia's Main Page in the In the news section on 26 May 2018.

Wikipedia

Articles for creation C‑class

	This article was reviewed by member(s) of WikiProject Articles for creation. The project works to allow users to contribute quality articles and media files to the encyclopedia and track their progress as they are developed. To participate, please visit the project page for more information.Articles for creationWikipedia:WikiProject Articles for creationTemplate:WikiProject Articles for creationAfC articles
C	This article has been rated as C-class on Wikipedia's content assessment scale.
	This article was accepted on 8 January 2013 by reviewer Andrewman327 (talk · contribs).

Business C‑class Low‑importance

	Business portal This article is within the scope of WikiProject Business, a collaborative effort to improve the coverage of business articles on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.BusinessWikipedia:WikiProject BusinessTemplate:WikiProject BusinessWikiProject Business articles
C	This article has been rated as C-class on Wikipedia's content assessment scale.
Low	This article has been rated as Low-importance on the project's importance scale.

Computing C‑class Low‑importance

	This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing articles
C	This article has been rated as C-class on Wikipedia's content assessment scale.
Low	This article has been rated as Low-importance on the project's importance scale.

European Union C‑class Mid‑importance

	European Union portal This article is within the scope of WikiProject European Union, a collaborative effort to improve the coverage of the European Union on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.European UnionWikipedia:WikiProject European UnionTemplate:WikiProject European UnionEuropean Union articles
C	This article has been rated as C-class on Wikipedia's content assessment scale.
Mid	This article has been rated as Mid-importance on the project's importance scale.

Internet C‑class Mid‑importance

	Internet portal This article is within the scope of WikiProject Internet, a collaborative effort to improve the coverage of the Internet on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.InternetWikipedia:WikiProject InternetTemplate:WikiProject InternetInternet articles
C	This article has been rated as C-class on Wikipedia's content assessment scale.
Mid	This article has been rated as Mid-importance on the project's importance scale.

Law C‑class Mid‑importance

	Law portal This article is within the scope of WikiProject Law, an attempt at providing a comprehensive, standardised, pan-jurisdictional and up-to-date resource for the legal field and the subjects encompassed by it.LawWikipedia:WikiProject LawTemplate:WikiProject Lawlaw articles
C	This article has been rated as C-class on Wikipedia's content assessment scale.
Mid	This article has been rated as Mid-importance on the project's importance scale.

Mass surveillance C‑class Low‑importance

	General Data Protection Regulation is within the scope of WikiProject Mass surveillance, which aims to improve Wikipedia's coverage of mass surveillance and mass surveillance-related topics. If you would like to participate, visit the project page, or contribute to the discussion.Mass surveillanceWikipedia:WikiProject Mass surveillanceTemplate:WikiProject Mass surveillanceMass surveillance articles
C	This article has been rated as C-class on Wikipedia's content assessment scale.
Low	This article has been rated as Low-importance on the project's importance scale.

Daily pageviews of this article

A graph should have been displayed here but graphs are temporarily disabled. Until they are enabled again, visit the interactive graph at pageviews.wmcloud.org

This article is written in British English, which has its own spelling conventions (colour, travelled, centre, defence, artefact, analyse) and some terms that are used in it may be different or absent from other varieties of English. According to the relevant style guide, this should not be changed without broad consensus.

"Came into force" is wrong

It says in the infobox "25 May 2018", but actually, it came into force on 24 May 2016! - it is only to be applied beginning 25 May 2018, as it says itself in its last article (and it must be in force to be able to say so!). This "legalese" distinction between "in force" and "to be applied" is certainly confusing ... Does the infobox for EU regulations have a field where it can be stated from when on the regulation is to be applied? --User:Haraldmmueller 12:10, 16 January 2017 (UTC)[reply]

Data Protection Officer

I have removed this sentence: "Monitoring of DPOs will be the responsibility of the Regulator rather than the Board of Directors of the organisation that employs the DPO."

There is no mention of 'the Regulator' in the article, the DPO Guidance document cited for this section nor in the Regulations themselves so I cannot understand the basis on which this statement has been made.

If someone can provide a citation for this specific statement then happy for it to be reintroduced, but in which case 'the Regulator' needs to somehow be both introduced and defined. Tedmarynicz (talk) 18:31, 19 March 2017 (UTC)[reply]

Data breach notification

I'm do not have a legal background. However, I think i detected a small mistake:

"The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours of the data breach (Article 33). "

=> Notification should happen 72 hours after having become aware of it

Summary needs work

The current summary (shown below) does not seem appropriate.

"The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover."

While it may seem like a general description of the regulation it is in fact a description from 2012 which was referenced in this article. Please update the summary to reflect the regulation as it was passed. — Preceding unsigned comment added by 149.161.197.247 (talk) 16:21, 23 October 2017 (UTC)[reply]

Right to Rectification

The entire section of law relating to right of rectification is missing from the article.

UK Legislation mentioned in summary

I am removing the following text, which is not appropriate to the summary section of an article on the EU GDPR (Even if it might make sense in a section on effects of Brexit on the GDPR, or in an article on English, Scottish or Northern Irish Data Protection law, it's not particularly relevant to the GDPR itself).

The UK Data Protection Bill will update data protection laws for the digital age and was introduced to the House of Lords on 13 September 2017. Until then the UK will be subject to the GDPR. The Data Protection Bill is primarily based on the GDPR.

Also, it's not true - at least not as currently written (I believe intermediate edits have mangled the sense somewhat). The UK will presumably be subject to the GDPR, along with the rest of EU law, until 2 years after the UK's Article 50 notice to leave the EU (possibly longer depending on the nature of any regulatory equivalence which may be negotiated). - Paul (talk) 17:10, 8 December 2017 (UTC)[reply]

'Personally Identifiable Information (PII)' vs. 'Personal data'

In the summary ...

[...] the regulation contains provisions and requirements pertaining to the processing of personally identifiable information (personal data) of individuals (formally called data subjects in the GDPR) inside the European Union[...]

To some, "personally identifiable information" (PII) will have a specific meaning, particularly with regard to the US legal definition. Reading the personally identifiable information page itself makes this distinction a bit clearer. The GDPR definition of "personal data" is broader in scope than that of PII.

While the term is sometimes used ubiquitously to refer to a broad range of personal information (granted that a search on Wiki for "personal data" will redirect to the PII page) I think in this context it is better sense to refer solely to "personal data", here in the summary and anywhere else on the page — in particular because the scope of the GDPR does have an impact on firms in the US who might have EU customers. Views?

+1, and very much so. The PII page itself states multiple times that "personal data" is (substantially) wider than PII; hence, the two cannot and should never be used as meaning the same thing. --User:Haraldmmueller 10:34, 11 September 2018 (UTC)[reply]

Very true, Haraldmmueller. ♫ RichardWeiss talk contribs 12:23, 11 September 2018 (UTC)[reply]

Ok, I have made that change. Different.joy (talk) 11:04, 12 September 2018 (UTC)[reply]

general viewpoint : transitional?

In many places the article seems to be not describing the Regulation per se, but how it evolved from and is different to its predecessor. However, it's not explicit when it does this. For example the sentence. “The notice requirements remain and are expanded. ” Without re-reading the introduction and making a guess, this sentence doesn't help the general reader. I suggest drafting to say what the Regulation does, and only then draw comparisons. --Matt Whyndham (talk) 10:43, 21 November 2017 (UTC)[reply]

No longer a proposal

The section "Content" starts with "The proposal for the European Data Protection ..." But for 18 months, this has not been a proposal, but a regulation (or "law", if you want). So this should be changed, shouldn't it? --User:Haraldmmueller 13:38, 25 November 2017 (UTC)[reply]

Done This is indeed the case^[1], therefore I will change it. Droogstoppel (talk) 20:55, 12 December 2017 (UTC)[reply]

References

^ http://europa.eu/rapid/press-release_STATEMENT-16-1403_en.htm

Summary section: Direct quotation is unsupported by citation of source

Extended quotation in Summary section is unsupported by citation of source in a footnote. — Preceding unsigned comment added by 2601:154:4000:742E:DDDB:F1E2:4530:B40B (talk) 12:31, 4 January 2018 (UTC)[reply]

Wrong quoting of quoted source

The key definition for this article, of personal information, may appear as if erronously copied from its source. This quote, is simply not a copy of its original verbatim form from its mentioned source:

"personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."[7]

I'm new here, but I find this somewhat disturbing for the reliability of this Wikipedia page and similar ones. Maybe there have been multiple versions of the quoted source? anyway, a bit concerning.

Data is plural

The word data is the plural of datum. Throughout this article data has been used as a singular noun. However the English version of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, i.e. the General Data Protection Regulation, to which the article refers, correctly differentiates singular from plural. FussyBSM (talk) 03:24, 31 January 2018 (UTC) http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN[reply]

Umm, no. See Data (word) - data in this sense is an uncountable mass noun. It is perfectly proper to write "data is available" and not the awkward-sounding "data are available". Wikipedia does not duplicate the writing style of EU regulations, but writes encyclopedia articles. Mauls (talk) 19:25, 25 February 2018 (UTC)[reply]

One of the signs of a word being fully assimilated - people argue over whether it should comply with source language usage, formal English or colloquial English. Jackiespeel (talk) 15:52, 16 May 2018 (UTC)[reply]

"Data are available" sounds perfectly normal to me. "Data is available" seems like a reference to the Star Trek character or merchandise thereof ("Data is available as either a 6 inch or 12 inch action figure.") --Khajidha (talk) 15:53, 26 May 2018 (UTC)[reply]

Data is plural. ♫ RichardWeiss talk contribs 05:21, 14 June 2018 (UTC)[reply]

You can unscramble the hashes of humanity's 5 billion email addresses in ten milliseconds for $0.0069

Given that many companies are using hashed emails as a way to comply with GDPR, this seems important to point out

https://boingboing.net/2018/04/09/over-the-rainbow-table.html

Thanks

John Cummings (talk) 07:43, 10 April 2018 (UTC)[reply]

Could companies not salt the hashes? Jasperwillem (talk) 06:34, 13 April 2018 (UTC)[reply]

This problem can solved easily by adding a secret 256-bit salt, this can prevent unhash and rainbow table lookup, which make you unscramble one email address from one millisecond to a billions of year, even use a supercomputer. — Preceding unsigned comment added by 45.64.240.140 (talk) 03:05, 7 November 2018 (UTC)[reply]

Outside influence

Dear all,

Hereby I wanted to point your editors to the following piece; https://epic.org/2018/04/zuckerberg-confirms-global-com.html, where the reach of GDPR is wider as just European consumers. Other topics on the internet already suggested that this framework could be a referral piece of legislation for other law making entities. Since I am no expert in this topic I wanted to point this out for people known with the subject who could place it justly in the articles scope.

Greatings

Jasperwillem (talk) 06:32, 13 April 2018 (UTC)[reply]

I have added a link to the Brussels effect. Implementation of GDPR outside the EU jurisdiction is an example of the Brussels effect and that entry mentions the GDPR as one of the examples. LeoVeo (talk) 18:26, 25 May 2018 (UTC)[reply]

"B2B Marketing" original research?

Someone added that section - with only links to GDPR articles, but no secondary source. This alone is not really ok. However, "B2B" implies that both (or all) involved parties are not persons, but "businesses" - so prima facie, the GDPR should not at all be relevant for B2B. So why would one claim this, and support it with paragraphs from the GDPR, which only refer to "natural persons"? I argue that this section should be removed, unless some proff can be given that GDPR professionals (lawyers) regards B2B in the context of the GDPR. --User:Haraldmmueller 10:00, 18 May 2018 (UTC)[reply]

Criticism

I am surprised there is no chapter on critisim - after all, there are plenty... — Preceding unsigned comment added by 185.220.70.134 (talk) 20:03, 23 May 2018 (UTC)[reply]

Just research and add it ... BTW, in the German WP, we had the opposite problem: The whole article contained essentially only critical information, but nothing whatsoever about the GDPR's contents; so I rewrote it ... --User:Haraldmmueller 20:24, 23 May 2018 (UTC)[reply]

It's clearly there, and the topic is big enough that criticism should not be given undue weight. Much of it comes from US services and companies, which is already somewhat undue. Prinsgezinde (talk) 22:49, 13 June 2018 (UTC)[reply]

Section: "Restrictions" (Disputed)

Section Restrictions currently states: "The following cases are not covered by the regulation: ... Statistical and scientific analysis"

This is untrue. The exceptions are limited: an exemption to Article 9(1) by Article 9(2)(j), and a provision that Member States can "provide exemptions, derogations, conditions or rules in relation to specific processing activities".

Article 89, Recital 156, and Recital 159 refer explicitly to the way statistical and scientific analysis is regulated.

Additionally with the only citation being marked Page Needed, I'm doubtful about the rest of that section.

I am going to mark the section Disputed. Please indicate so that we can reach consensus as editors and seek to rewrite it or remove.

Golightlys (talk) 18:59, 26 May 2018 (UTC)[reply]

Reference broken

The following reference, #14 at the moment, is broken and provides no PDF document: Reference "Data protection" (PDF). European Commission – European Commission. — Preceding unsigned comment added by Ignacio.Agulló (talk • contribs) 22:54, 28 May 2018 (UTC)[reply]

Semi-protected edit request on 2 June 2018

This edit request has been answered. Set the |answered= or |ans= parameter to no to reactivate your request.

197.156.115.253 (talk) 00:22, 2 June 2018 (UTC)[reply]

Not done: it's not clear what changes you want to be made. Please mention the specific changes in a "change X to Y" format and provide a reliable source if appropriate. LittlePuppers (talk) 06:34, 2 June 2018 (UTC)[reply]

Hey guys,

The largest change in the data privacy regulation law is GDPR. WP GDPR compliance require that you as a website owner, must take care of all PII - Personal Identifiable Information, in order to support the compliance of the citizens rights. See here

Best regards, gdpr-system

Dubious

Re "As the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.[dubious – discuss]": This sentence is actually misleading. The GDPR actually is directly binding and applicable - this is true. However, it has a number of "open areas" where members states need to pass legislation to define more narrowly these open areas. I do not know whether a member state must pass such additional legislation - would Malta or Cyprus actually do this? Anyone has any information how many member states actually did pass such supportive laws, like Germany's "Bundesdatenschutzgesetz (neu)" or Austria's "Datenschutz-Anpassungsgesetz 2018"? --User:Haraldmmueller 07:41, 5 October 2018 (UTC)[reply]

Can I link to 'List of fines ...' from the Sanctions section?

I've started contributing to the List of fines issued under the General Data Protection Regulation page. Would it be appropriate to add a link to this page under the Sanctions section? And if so, what would be the appropriate text for such a reference?

[1] ttp://europa.eu/rapid/press-release_STATEMENT-16-1403_en.htm

[1]

@@ Line 175: / Line 175: @@
 Re "As the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.[dubious – discuss]": This sentence is actually misleading. The GDPR actually is directly binding and applicable - this is true. However, it has a number of "open areas" where members states need to pass legislation to define more narrowly these open areas. I do not know whether a member state ''must'' pass such additional legislation - would Malta or Cyprus actually do this? Anyone has any information how many member states actually ''did'' pass such supportive laws, like Germany's "Bundesdatenschutzgesetz (neu)" or Austria's "Datenschutz-Anpassungsgesetz 2018"? --[[User:Haraldmmueller]] 07:41, 5 October 2018 (UTC)
+== Can I link to 'List of fines ...' from the Sanctions section? ==
+I've started contributing to the [[List of fines issued under the General Data Protection Regulation]] page.
+Would it be appropriate to add a link to this page under the Sanctions section?
+And if so, what would be the appropriate text for such a reference?