General Data Protection Regulation: Difference between revisions

ArchieTom (talk | contribs)
m No edit summary
(Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0.9.5)
 
(40 intermediate revisions by 30 users not shown)
Line 1:
{{Short description|EU regulation on theinformation processing of personal dataprivacy}}
{{Redirect|GDPR|the economics term|Gross domestic product of region}}
{{Use dmy dates|date=October 2020}}
Line 20:
}}
 
The '''General Data Protection Regulation''' (Regulation (EU) 2016/679),<ref name="32016R0679">{{CELEX|02016R0679-20160504|format=PDF|text=Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)}}</ref> abbreviated '''GDPR''', or '''RGPD''' (French for '''Règlement général sur la protection des données''', Italian for '''Regolamento generale sulla protezione dei dati''' and Romanian for '''Regulamentul general privind protecția datelor''') is a [[regulation (European Union)|European Union regulation]] on [[information privacy]] in the [[European Union]] (EU) and the [[European Economic Area]] (EEA). The GDPR is an important component of EU [[privacy law]] and [[human rights law]], in particular Article 8(1) of the [[Charter of Fundamental Rights of the European Union]]. It also governs the transfer of [[personal data]] outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for [[international business]].<ref>{{cite web|url=http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf|title=Presidency of the Council: 'Compromise text. Several partial general approaches have been instrumental in converging views in Council on the proposal for a General Data Protection Regulation in its entirety. The text on the Regulation which the Presidency submits for approval as a General Approach appears in annex,' 201 pages, 11 June 2015, PDF|access-date=30 December 2015|archive-url=https://web.archive.org/web/20151225181657/http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf|archive-date=25 December 2015|url-status=live}}</ref> It supersedes the [[Data Protection Directive]] 95/46/EC and, among other things, simplifies the terminology.
 
The [[European Parliament]] and [[Council of the European Union]] adopted the GDPR on 14 April 2016, to become effective on 25 May 2018. As an [[Regulation (European Union)|EU regulation]] (instead of a [[Directive (European Union)|directive]]), the GDPR ishas directlydirect applicablelegal witheffect forceand ofdoes lawnot on its own without the need ofrequire [[Transposition (law)|transposition]] into national law. However, it also provides flexibility for individual member states to modify (derogate from) some of its provisions.
 
As an example of the [[Brussels effect]], the regulation became a model for many other laws around the world, including in Brazil, Japan, Singapore, South Africa, South Korea, Sri Lanka, and Thailand.{{Citation needed|date=September 2024}}<ref>Ryngaert, C & Taylor, M 2020, ‘The GDPR as Global Data Protection Regulation?’, ''AJIL unbound'', vol. 114, pp. 5–9.</ref> After [[Brexit|leaving the European Union]] the United Kingdom enacted its "UK GDPR", identical to the GDPR.<ref name=UKGD_1>{{cite web| title=The UK GDPR| url=https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr| website=[[Information Commissioner's Office]] ico.| date=28 June 2021| access-date=3 May 2024}}</ref> The [[California Consumer Privacy Act]] (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.<ref>Francesca Lucarini, [https://advisera.com/eugdpracademy/blog/2020/04/13/gdpr-vs-ccpa-what-are-the-main-differences/ "The differences between the California Consumer Privacy Act and the GDPR"] {{Webarchive|url=https://web.archive.org/web/20200712060310/https://advisera.com/eugdpracademy/blog/2020/04/13/gdpr-vs-ccpa-what-are-the-main-differences/ |date=12 July 2020 }}, ''Adviser''</ref>
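Review bot: In the Brussels-effect paragraph the `{{Citation needed|date=September 2024}}` tag sits directly in front of a `<ref>` citing Ryngaert & Taylor (2020) for the same sentence, so the two contradict each other. If that reference supports the list of countries (Brazil, Japan, Singapore, South Africa, South Korea, Sri Lanka, Thailand), drop the tag; if it only supports the general "model for many other laws" claim, keep the tag but place it after the country list, or cite a source per country. Also in this hunk: the sentence rewritten to say the regulation applies without transposition into national law is immediately followed by "it also provides flexibility for individual member states to modify (derogate from) some of its provisions"; a short clause saying that such derogations are made through national law (the Data Protection Act 2018 passage later on the page is an example) would remove the apparent tension between the two sentences.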
Line 28:
==Contents==
 
The GDPR 2016 has eleven chapters, concerning general provisions, principles, rights of the data subject, duties of data controllers or processors, transfers of personal data to third countries, supervisory authorities, cooperation among member states, remedies, liability or penalties for breach of rights, provisions related to specific processing situations, and miscellaneous final provisions. Recital 4 proclaims that ‘processing of personal data should be designed to serve mankind’.
 
===General provisions===
Line 55:
If informed ''consent''<ref name="32016R0679"/>{{rp|Art. 4(11)}} is used as the lawful basis for processing, consent must have been explicit for data collected and each purpose data is used for.<ref name="32016R0679"/>{{rp|Art. 7}} Consent must be a specific, freely given, plainly worded, and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user. In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely given. (Recital 32).
 
Data subjects must be allowed to withdraw this consent at any time, and the process of doing so must not be harder than it was to opt in.<ref name="32016R0679"/>{{rp|Art. 7(3)}} A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service.<ref name="32016R0679"/>{{rp|Art. 8}} Consent for children, defined in the regulation as being less than 16 years old (although with the option for member states to individually make it as low as 13 years old), must be given by the child's parent or custodian, and verifiable.<ref>{{Cite web|url=https://iapp.org/resources/article/age-of-consent-in-the-gdpr-updated-mapping/|title=Age of consent in the GDPR: updated mapping|website=iapp.org|access-date=26 May 2018|archive-url=https://web.archive.org/web/20180527023437/https://iapp.org/resources/article/age-of-consent-in-the-gdpr-updated-mapping/|archive-date=27 May 2018|url-status=dead}}</ref><ref name="privacy association">[https://www.privacyassociation.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf "How the Proposed EU Data Protection Regulation Is Creating a Ripple Effect Worldwide"] {{Webarchive|url=https://web.archive.org/web/20210217012511/https://iapp.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf |date=17 February 2021 }}. Judy Schmitt, Florian Stahl. 11 October 2012. Retrieved 3 January 2013.</ref>
 
If consent to processing was already provided under the Data Protection Directive, a data controller does not have to re-obtain consent if the processing is documented and obtained in compliance with the GDPR's requirements (Recital 171).<ref name="guardian-unneeded"/><ref>{{Cite journal|last1=Kamleitner|first1=Bernadette|last2=Mitchell|first2=Vince|date=2019-10-01|title=Your Data Is My Data: A Framework for Addressing Interdependent Privacy Infringements|journal=Journal of Public Policy & Marketing|language=en|volume=38|issue=4|pages=433–450|doi=10.1177/0743915619858924|s2cid=201343307|issn=0743-9156|doi-access=free}}</ref>
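Review bot: The pin cite `{{rp|Art. 8}}` is attached to "A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service", but Article 8 is the children's-consent provision that the next sentence describes; the rule on making a service conditional on unnecessary consent is Article 7(4). Suggest `{{rp|Art. 7(4)}}` on the refusal-of-service sentence and `{{rp|Art. 8}}` on the children's-consent sentence, which currently carries no article reference at all. Minor: "(Recital 32)." at the end of the first paragraph hangs after the full stop; fold it into the sentence as "... the individual permissions are not freely given (Recital 32)."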
Line 160:
 
* National certification schemes, whose application is limited to a single [[European Union|EU]]/[[European Economic Area|EEA]] country;
* European Data Protection Seals, which are recognized by all EU and EEA jurisdictions.
 
According to Art. 42 GDPR, the purpose of this certification is to demonstrate “compliance with the GDPR of processing operations by controllers and processors”.<ref name=":0">{{Cite web |title=Art. 42 GDPR – Certification |url=https://gdpr-info.eu/art-42-gdpr/ |access-date=2024-10-30 |website=General Data Protection Regulation (GDPR) |language=en-US}}</ref> There are over 70 references to certification in the GDPR, encompassing various obligations such as:<ref name=":0" />
Line 169:
* International data transfers.
 
The GDPR certification also contributes to reduce the legal and financial risks of applicants, as well as of data controllers using certified data processing services.<ref>{{Cite web |date=2022-10-17 |title=Europrivacy: the first certification mechanism to ensure compliance with GDPR {{!}} Shaping Europe’sEurope's digital future |url=https://digital-strategy.ec.europa.eu/en/news/europrivacy-first-certification-mechanism-ensure-compliance-gdpr |access-date=2024-10-30 |website=digital-strategy.ec.europa.eu |language=en}}</ref>
 
The adoption of the European Data Protection Seals is under the responsibility of the [[European Data Protection Board]] (EDPB) and is recognized across all EU and EEA [[Member state of the European Union|Member States]].<ref>{{Cite web |title=EDPB document on the procedure for the approval of certification criteria by the EDPB resulting in a common certification, the European Data Protection Seal {{!}} European Data Protection Board |url=https://www.edpb.europa.eu/our-work-tools/our-documents/procedure/edpb-document-procedure-approval-certification-criteria-edpb_en |access-date=2024-11-03 |website=www.edpb.europa.eu}}</ref>
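Review bot: "contributes to reduce the legal and financial risks" is ungrammatical; use "helps reduce" or "contributes to reducing". The only change recorded in this hunk is the apostrophe in the cite title "Shaping Europe's digital future" (curly to straight), which is fine, but the sentence itself should be fixed while the line is being touched.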
Line 224:
 
== Applicability outside of the European Union ==
The GDPR also applies to data controllers and processors outside of the [[European Economic Area]] (EEA) if they are engaged in the "offering of goods or services" (regardless of whether a payment is required) to data subjects within the EEA, or are monitoring the behaviour of data subjects within the EEA (Article 3(2)). The regulation applies regardless of where the processing takes place.<ref>{{Cite web|url=https://www.fasken.com/en/knowledge/2019/11/the-extra-territorial-scope-of-the-gdpr/|title=The (Extra) Territorial Scope of the GDPR: The Right to Be Forgotten|website=Fasken.com|date=28 November 2019 |language=en|access-date=21 February 2020|archive-date=21 February 2020|archive-url=https://web.archive.org/web/20200221171716/https://www.fasken.com/en/knowledge/2019/11/the-extra-territorial-scope-of-the-gdpr/|url-status=live}}</ref> This has been interpreted as intentionally giving GDPR [[extraterritorial jurisdiction]] for non-EU establishments if they are doing business with people located in the EU. It is questionable whether the EU or its member states will in practice be able to enforce GDPR against organisations which have no establishment in the EU.<ref>{{Cite web|url=https://www.americanbar.org/groups/business_law/publications/blt/2018/04/01_speirs/|title=Extraterritorial Scope of GDPR: Do Businesses Outside the EU Need to Comply?|publisher=American Bar Association|language=en|access-date=21 February 2020|archive-date=21 February 2020|archive-url=https://web.archive.org/web/20200221171715/https://www.americanbar.org/groups/business_law/publications/blt/2018/04/01_speirs/|url-status=dead}}</ref>
 
=== EU Representative ===
Line 239:
[[File:EU-UK GDPR divergence.webm|thumb|Explanation of the possible results from UK's divergence from the European GDPR<ref>{{cite web |title=Digital Rights post-Brexit |url=https://www.youtube.com/watch?v=efz4utnzjjI |website=Youtube | date=2 November 2022 |publisher=[[Open Rights Group]] |access-date=27 November 2022 |archive-date=22 November 2022 |archive-url=https://web.archive.org/web/20221122202536/https://www.youtube.com/watch?v=efz4utnzjjI&gl=US&hl=en |url-status=live }} Video from Open Rights Group developed as an explainer of the UK's proposals</ref>]] The applicability of GDPR in the United Kingdom is affected by [[Brexit]]. Although the United Kingdom formally withdrew from the European Union on 31 January 2020, it remained subject to EU law, including GDPR, until the end of the transition period on 31 December 2020.<ref name=":5" /> The United Kingdom granted [[royal assent]] to the [[Data Protection Act 2018]] on 23 May 2018, which augmented the GDPR, including aspects of the regulation that are to be determined by national law, and criminal offences for knowingly or recklessly obtaining, redistributing, or retaining personal data without the consent of the data controller.<ref>{{Cite web|url=https://www.out-law.com/en/articles/2018/may/new-data-protection-act-finalised-uk/|title=New Data Protection Act finalised in the UK|website=Out-Law.com|url-status=live|archive-url=https://web.archive.org/web/20180525120311/https://www.out-law.com/en/articles/2018/may/new-data-protection-act-finalised-uk/|archive-date=25 May 2018|access-date=25 May 2018}}</ref><ref>{{Cite news|url=https://www.computerweekly.com/news/252441814/New-UK-Data-Protection-Act-not-welcomed-by-all|title=New UK Data Protection Act not welcomed by all|work=Computer Weekly|first=Warwick|last=Ashford|date=24 May 2018|access-date=25 May 
2018|url-status=live|archive-url=https://web.archive.org/web/20180524143548/https://www.computerweekly.com/news/252441814/New-UK-Data-Protection-Act-not-welcomed-by-all|archive-date=24 May 2018}}</ref>
 
Under the [[European Union (Withdrawal) Act 2018]], existing and relevant EU law was transposed into localUK law upon completion of the transition, and the GDPR was amended by [[Statutory instrument (UK)|statutory instrument]] to remove certain provisions no longer needed due to the UK's non-membership in the EU. Thereafter, the regulation will be referred to as "UK GDPR".<ref>{{Cite web|url=https://www.theverge.com/2020/2/20/21145180/google-uk-user-data-processing-ireland-usa-authorities-data-protection-gdpr-cloud-act|title=Google shifts authority over UK user data to the US in wake of Brexit|last=Porter|first=Jon|date=20 February 2020|website=The Verge|language=en|access-date=20 February 2020|archive-date=20 February 2020|archive-url=https://web.archive.org/web/20200220164636/https://www.theverge.com/2020/2/20/21145180/google-uk-user-data-processing-ireland-usa-authorities-data-protection-gdpr-cloud-act|url-status=live}}</ref><ref name=":6" /><ref name=":5" /> The UK will not restrict the transfer of personal data to countries within the EEA under UK GDPR. However, the UK will become a ''third country'' under the EU GDPR, meaning that personal data may not be transferred to the country unless appropriate safeguards are imposed, or the European Commission performs an adequacy decision on the suitability of British data protection legislation (Chapter V). As part of the [[Brexit withdrawal agreement|withdrawal agreement]], the European Commission committed to perform an adequacy assessment.<ref name=":5" /><ref name=":6" />
 
In April 2019, the UK [[Information Commissioner's Office]] (ICO) issued a [[Children's Code|children's code of practice]] for social networking services when used by minors, enforceable under GDPR, which also includes restrictions on "[[Like button|like]]" and "streak" mechanisms in order to discourage [[social media addiction]] and on the use of this data for processing interests.<ref>{{Cite news|url=https://www.bbc.com/news/technology-47933521|title=Under-18s face 'like' and 'streaks' limits|date=15 April 2019|work=BBC News|access-date=15 April 2019|archive-date=15 April 2019|archive-url=https://web.archive.org/web/20190415172531/https://www.bbc.com/news/technology-47933521|url-status=live}}</ref><ref>{{Cite news|last=Greenfield|first=Patrick|url=https://www.theguardian.com/technology/2019/apr/15/facebook-urged-to-ditch-like-feature-in-uk-online-child-safety-drive|title=Facebook urged to disable 'like' feature for child users|date=15 April 2019|work=The Guardian|access-date=15 April 2019|issn=0261-3077|archive-date=15 April 2019|archive-url=https://web.archive.org/web/20190415085023/https://www.theguardian.com/technology/2019/apr/15/facebook-urged-to-ditch-like-feature-in-uk-online-child-safety-drive|url-status=live}}</ref>
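Review bot: Tense is inconsistent in the Withdrawal Act paragraph. The preceding paragraph states that the transition period ended on 31 December 2020, and the lead says the United Kingdom "enacted its UK GDPR", yet this paragraph still says the regulation "will be referred to as UK GDPR", "The UK will not restrict the transfer" and "the UK will become a third country". Rewrite in the present or past tense ("is referred to as", "does not restrict", "became a third country") and check whether the adequacy assessment the last sentence describes as a commitment has since concluded, updating the sentence and its citations accordingly. The "local" to "UK law" change in this hunk is the only substantive edit and reads correctly.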
Line 262:
Companies operating outside of the EU have invested heavily to align their business practices with GDPR. The area of GDPR consent has a number of implications for businesses who record calls as a matter of practice. A typical disclaimer is not considered sufficient to gain assumed consent to record calls. Additionally, when recording has commenced, should the caller withdraw their consent, then the agent receiving the call must be able to stop a previously started recording and ensure the recording does not get stored.<ref>{{Cite web|url=https://www.xewave.io/how-smart-businesses-can-avoid-gdpr-penalties-when-recording-calls/|title=How Smart Businesses Can Avoid GDPR Penalties When Recording Calls|website=xewave.io|access-date=13 April 2018|archive-url=https://web.archive.org/web/20180414011044/https://www.xewave.io/how-smart-businesses-can-avoid-gdpr-penalties-when-recording-calls/|archive-date=14 April 2018|url-status=dead}}</ref>
 
IT professionals expect that compliance with the GDPR will require additional investment overall: over 80 percent of those surveyed expected GDPR-related spending to be at least US$ 100,000.<ref name="Babel, 7/11/2017 High Cost of GDPR">{{cite web|last1=Babel|first1=Chris|title=The High Costs of GDPR Compliance|url=https://www.darkreading.com/endpoint/the-high-costs-of-gdpr-compliance/a/d-id/1329263?|website=InformationWeek|publisher=UBM Technology Group|access-date=4 October 2017|date=11 July 2017|archive-url=https://web.archive.org/web/20171005051046/https://www.darkreading.com/endpoint/the-high-costs-of-gdpr-compliance/a/d-id/1329263|archive-date=5 October 2017|url-status=live}}</ref> The concerns were echoed in a report commissioned by the law firm [[Baker & McKenzie]] that found that "around 70 percent of respondents believe that organizations will need to invest additional budget/effort to comply with the consent, data mapping and cross-border data transfer requirements under the GDPR."<ref>{{cite web |title=Preparing for New Privacy Regimes: Privacy Professionals' Views on the General Data Protection Regulation and Privacy Shield |url=http://f.datasrvr.com/fr1/416/76165/IAPP_GDPR_and_Privacy_Shield_Survey_Report.pdf |website=bakermckenzie.com |publisher=Baker & McKenzie |access-date=4 October 2017 |date=4 May 2016 |archive-url=https://web.archive.org/web/20180831164743/http://f.datasrvr.com/fr1/416/76165/IAPP_GDPR_and_Privacy_Shield_Survey_Report.pdf |archive-date=31 August 2018 |url-status=live }}</ref> The total cost for EU companies is estimated at €200 billion while for US companies the estimate is for $41.7 billion.<ref>{{Cite web|url=https://www.gigacalculator.com/calculators/gdpr-compliance-cost-calculator.php|title=GDPR Compliance Cost Calculator|last=Georgiev|first=Georgi|website=GIGAcalculator.com|url-status=live|access-date=16 May 
2018|archive-url=https://web.archive.org/web/20180516224335/https://www.gigacalculator.com/calculators/gdpr-compliance-cost-calculator.php|archive-date=16 May 2018}}</ref> It has been argued that smaller businesses and [[startup companies]] might not have the financial resources to adequately comply with the GDPR, unlike the larger international technology firms (such as [[Facebook]] and [[Google]]) that the regulation is ostensibly meant to target first and foremost.<ref>{{Cite web|url=https://www.theguardian.com/technology/2018/apr/19/gdpr-facebook-google-amazon-data-privacy-regulation|title=How Europe's 'breakthrough' privacy law takes on Facebook and Google|last=Solon|first=Olivia|date=19 April 2018|website=The Guardian|access-date=25 May 2018|archive-url=https://web.archive.org/web/20180526112914/https://www.theguardian.com/technology/2018/apr/19/gdpr-facebook-google-amazon-data-privacy-regulation|archive-date=26 May 2018|url-status=live}}</ref><ref>{{Cite news|url=https://www.politico.eu/article/gdpr-rules-europe-facebook-data-protection-privacy-general-data-protection-regulation-cambridge-analytica/|title=Europe's new privacy rules are no silver bullet|date=22 April 2018|work=Politico.eu|access-date=25 May 2018|archive-url=https://web.archive.org/web/20180526041653/https://www.politico.eu/article/gdpr-rules-europe-facebook-data-protection-privacy-general-data-protection-regulation-cambridge-analytica/|archive-date=26 May 2018|url-status=live}}</ref> A lack of knowledge and understanding of the regulations has also been a concern in the lead-up to its adoption.<ref>{{Cite news|url=https://www.computerweekly.com/microscope/news/2240234469/Lack-of-GDPR-knowledge-is-a-danger-and-an-opportunity|title=Lack of GDPR knowledge is a danger and an opportunity|work=MicroscopeUK|access-date=25 May 
2018|archive-url=https://web.archive.org/web/20180526041200/https://www.computerweekly.com/microscope/news/2240234469/Lack-of-GDPR-knowledge-is-a-danger-and-an-opportunity|archive-date=26 May 2018|url-status=live}}</ref> A counter-argument to this has been that companies were made aware of these changes two years prior to them coming into effect and should have had enough time to prepare.<ref>{{Cite news|url=https://www.theverge.com/2018/5/22/17378688/gdpr-general-data-protection-regulation-eu|title=No one's ready for GDPR|first=Sarah|last=Jeong|work=The Verge|date=22 May 2018|access-date=1 June 2018|archive-url=https://web.archive.org/web/20180528022510/https://www.theverge.com/2018/5/22/17378688/gdpr-general-data-protection-regulation-eu|archive-date=28 May 2018|url-status=live}}</ref>
 
The regulations, including whether an enterprise must have a data protection officer, have been criticized for potential administrative burden and unclear compliance requirements.<ref>{{Cite news|url=https://www.irishtimes.com/business/technology/new-rules-on-data-protection-pose-compliance-issues-for-firms-1.3397742|title=New rules on data protection pose compliance issues for firms|first=Elaine|last= Edwards|newspaper=The Irish Times|date=22 February 2018|access-date=25 May 2018|archive-url=https://web.archive.org/web/20180526041717/https://www.irishtimes.com/business/technology/new-rules-on-data-protection-pose-compliance-issues-for-firms-1.3397742|archive-date=26 May 2018|url-status=live}}</ref> Although data minimisation is a requirement, with [[pseudonymization|pseudonymisation]] being one of the possible means, the regulation provides no guidance on how or what constitutes an effective data de-identification scheme, with a grey area on what would be considered as inadequate pseudonymisation subject to Section 5 enforcement actions.<ref name="looking-to">{{cite web |publisher=IAPP |first=Matt |last=Wes |date=25 April 2017 |url=https://iapp.org/news/a/looking-to-comply-with-gdpr-heres-a-primer-on-anonymization-and-pseudonymization/ |title=Looking to comply with GDPR? 
Here's a primer on anonymization and pseudonymization |access-date=19 February 2018 |archive-url=https://web.archive.org/web/20180219150511/https://iapp.org/news/a/looking-to-comply-with-gdpr-heres-a-primer-on-anonymization-and-pseudonymization/ |archive-date=19 February 2018 |url-status=live }}</ref><ref>{{Cite journal |last=Chassang |first=Gauthier |date=2017 |title=The impact of the EU general data protection regulation on scientific research |journal=ecancermedicalscience |volume=11 |pages=709 |doi=10.3332/ecancer.2017.709 |issn=1754-6605 |pmc=5243137 |pmid=28144283}}</ref><ref>{{cite web |last=Tarhonen |first=Laura |year=2017 |url=https://www.edilex.fi/viestintaoikeus/18073 |title=Pseudonymisation of Personal Data According to the General Data Protection Regulation |access-date=19 February 2018 |archive-url=https://web.archive.org/web/20180219150702/https://www.edilex.fi/viestintaoikeus/18073 |archive-date=19 February 2018 |url-status=live }}</ref> There is also concern regarding the implementation of the GDPR in [[blockchain]] systems, as the transparent and fixed record of blockchain transactions contradicts the very nature of the GDPR.<ref>{{Cite web|url=https://www.siliconrepublic.com/enterprise/blockchain-gdpr-report-bai|title=A recent report issued by the Blockchain Association of Ireland has found there are many more questions than answers when it comes to GDPR|website=siliconrepublic.com|date=23 November 2017 |access-date=5 March 2018|archive-url=https://web.archive.org/web/20180305202537/https://www.siliconrepublic.com/enterprise/blockchain-gdpr-report-bai|archive-date=5 March 2018|url-status=live}}</ref> Many media outlets have commented on the introduction of a "[[right to explanation]]" of algorithmic decisions,<ref>{{Cite news|url=https://www.theguardian.com/technology/2017/jan/27/ai-artificial-intelligence-watchdog-needed-to-prevent-discriminatory-automated-decisions|title=AI watchdog needed to regulate automated decision-making, say 
experts|last=Sample|first=Ian|date=27 January 2017|work=The Guardian|access-date=15 July 2017|issn=0261-3077|archive-url=https://web.archive.org/web/20170618031432/https://www.theguardian.com/technology/2017/jan/27/ai-artificial-intelligence-watchdog-needed-to-prevent-discriminatory-automated-decisions|archive-date=18 June 2017|url-status=live}}</ref><ref>{{Cite web|url=http://www.techzone360.com/topics/techzone/articles/2017/01/25/429101-eus-right-explanation-harmful-restriction-artificial-intelligence.htm|title=EU's Right to Explanation: A Harmful Restriction on Artificial Intelligence|website=techzone360.com|access-date=15 July 2017|archive-url=https://web.archive.org/web/20170804005751/http://www.techzone360.com/topics/techzone/articles/2017/01/25/429101-eus-right-explanation-harmful-restriction-artificial-intelligence.htm|archive-date=4 August 2017|url-status=live}}</ref> but legal scholars have since argued that the existence of such a right is highly unclear without judicial tests and is limited at best.<ref>{{Cite journal|last1=Wachter|first1=Sandra|last2=Mittelstadt|first2=Brent|last3=Floridi|first3=Luciano|date=28 December 2016|title=Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation|ssrn=2903469|journal=International Data Privacy Law}}</ref><ref name=":3">{{Cite journal|last1=Edwards|first1=Lilian|last2=Veale|first2=Michael|year=2017|title=Slave to the algorithm? Why a "right to an explanation" is probably not the remedy you are looking for|url=https://ssrn.com/abstract=2972855|journal=Duke Law and Technology Review|doi=10.2139/ssrn.2972855|ssrn=2972855|url-access=subscription}}</ref>
 
The GDPR has garnered support from businesses who regard it as an opportunity to improve their data management.<ref>{{cite web|url=https://www.forbes.com/sites/forbestechcouncil/2018/03/29/five-benefits-gdpr-compliance-will-bring-to-your-business/#3c8e415f482f|title=Five benefits GDPR compliance will bring to your business|first=Michael|last=Frimin|work=Forbes|date=29 March 2018|access-date=11 September 2018|archive-url=https://web.archive.org/web/20180912054700/https://www.forbes.com/sites/forbestechcouncil/2018/03/29/five-benefits-gdpr-compliance-will-bring-to-your-business/#3c8e415f482f|archive-date=12 September 2018|url-status=live}}</ref><ref>{{cite web|url=https://www.vox.com/the-big-idea/2018/3/26/17164022/gdpr-europe-privacy-rules-facebook-data-protection-eu-cambridge|title=Europe's tough new digital privacy law should be a model for US policymakers|first=Trevor|last=Butterworth|publisher=Vox|date=23 May 2018|access-date=11 September 2018|archive-url=https://web.archive.org/web/20180912054623/https://www.vox.com/the-big-idea/2018/3/26/17164022/gdpr-europe-privacy-rules-facebook-data-protection-eu-cambridge|archive-date=12 September 2018|url-status=live}}</ref> [[Mark Zuckerberg]] has also called it a "very positive step for the [[Internet]]",<ref>{{cite web|url=https://www.cnet.com/how-to/what-gdpr-means-for-facebook-google-the-eu-us-and-you/|title=What the GDPR means for Facebook, the EU and you|first1=Justin|last1=Jaffe|first2=Laura|last2=Hautala|website=CNET|date=25 May 2018|access-date=11 September 2018|archive-url=https://web.archive.org/web/20180912091915/https://www.cnet.com/how-to/what-gdpr-means-for-facebook-google-the-eu-us-and-you/|archive-date=12 September 2018|url-status=live}}</ref> and has called for GDPR-style laws to be adopted in the US.<ref>{{Cite web|url=https://www.cnbc.com/2019/04/01/facebook-ceo-zuckerbergs-call-for-gdpr-privacy-laws-raises-questions.html|title=Facebook CEO Zuckerberg's Call for GDPR Privacy Laws Raises 
Questions|website=www.cnbc.com|date=April 2019|access-date=8 April 2019|archive-date=4 April 2019|archive-url=https://web.archive.org/web/20190404041806/https://www.cnbc.com/2019/04/01/facebook-ceo-zuckerbergs-call-for-gdpr-privacy-laws-raises-questions.html|url-status=live}}</ref> Consumer rights groups such as [[The European Consumer Organisation]] are among the most vocal proponents of the legislation.<ref>{{cite magazine|url=https://www.wired.com/story/europes-new-privacy-law-will-change-the-web-and-more/|title=Europe's new privacy law will change the web, and more|first=Nitasha|last=Tiku|magazine=Wired|date=19 March 2018|access-date=11 September 2018|archive-url=https://web.archive.org/web/20181015205629/https://www.wired.com/story/europes-new-privacy-law-will-change-the-web-and-more/|archive-date=15 October 2018|url-status=live}}</ref> Other supporters have attributed its passage to the whistleblower [[Edward Snowden]].<ref>{{cite news|url=https://www.washingtonpost.com/news/monkey-cage/wp/2018/05/25/today-a-new-eu-law-transforms-privacy-rights-for-everyone-without-edward-snowden-it-might-never-have-happened/?|title=Today, a new E.U. law transforms privacy rights for everyone. 
Without Edward Snowden, it might never have happened.|first1=Nikhil|last1=Kalyanpur|first2=Abraham|last2=Newman|newspaper=The Washington Post|date=25 May 2018|access-date=11 September 2018|archive-url=https://web.archive.org/web/20181011173700/https://www.washingtonpost.com/news/monkey-cage/wp/2018/05/25/today-a-new-eu-law-transforms-privacy-rights-for-everyone-without-edward-snowden-it-might-never-have-happened/|archive-date=11 October 2018|url-status=live}}</ref> Free software advocate [[Richard Stallman]] has praised some aspects of the GDPR but called for additional safeguards to prevent technology companies from "manufacturing consent".<ref>{{cite news|url=https://www.theguardian.com/commentisfree/2018/apr/03/facebook-abusing-data-law-privacy-big-tech-surveillance|title=A radical proposal to keep your personal data safe|first=Richard|last=Stallman|newspaper=The Guardian|date=3 April 2018|access-date=11 September 2018|archive-url=https://web.archive.org/web/20180912091923/https://www.theguardian.com/commentisfree/2018/apr/03/facebook-abusing-data-law-privacy-big-tech-surveillance|archive-date=12 September 2018|url-status=live}}</ref>
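Review bot: "subject to Section 5 enforcement actions" in the pseudonymisation sentence is ambiguous: the regulation is organised into chapters and articles, as the Contents section above notes, and there is no top-level "Section 5". Replace it with the provision actually meant, for example the data-minimisation principle in Article 5 or the remedies and penalties chapter (Chapter VIII), with a citation that supports the claim. Minor: "US$ 100,000" should be written "US$100,000" to match the page's other figures ("$41.7 billion", "€200 billion").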
Line 273:
Despite having had at least two years to prepare and do so, many companies and websites changed their privacy policies and features worldwide directly prior to GDPR's implementation, and customarily provided email and other notifications discussing these changes. This was criticised for resulting in a fatiguing number of communications, while experts noted that some reminder emails incorrectly asserted that new consent for data processing had to be obtained for when the GDPR took effect (any previously obtained consent to processing is valid as long as it met the regulation's requirements). [[Phishing]] scams also emerged using falsified versions of GDPR-related emails, and it was also argued that some GDPR notice emails may have actually been sent in violation of anti-spam laws.<ref>{{Cite news|url=http://www.itpro.co.uk/general-data-protection-regulation-gdpr/31058/scammers-are-using-gdpr-email-alerts-to-conduct|title=Scammers are using GDPR email alerts to conduct phishing attacks|last=Afifi-Sabet|first=Keumars|date=3 May 2018|work=IT PRO|access-date=25 May 2018|archive-url=https://web.archive.org/web/20180526041641/http://www.itpro.co.uk/general-data-protection-regulation-gdpr/31058/scammers-are-using-gdpr-email-alerts-to-conduct|archive-date=26 May 2018|url-status=live}}</ref><ref name="guardian-unneeded">{{Cite web|url=https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts|title=Most GDPR emails unnecessary and some illegal, say experts|last=Hern|first=Alex|date=21 May 2018|website=The Guardian|access-date=28 May 2018|archive-url=https://web.archive.org/web/20180528054755/https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts|archive-date=28 May 2018|url-status=live}}</ref> In March 2019, a provider of compliance software found that many websites operated by EU member state governments contained embedded tracking from ad technology 
providers.<ref>{{Cite web |date=18 March 2019 |title=EU gov't and public health sites are lousy with adtech, study finds |url=https://techcrunch.com/2019/03/18/eu-govt-and-public-health-sites-lousy-with-adtech-study-finds/ |archive-url=https://web.archive.org/web/20210410233414/https://techcrunch.com/2019/03/18/eu-govt-and-public-health-sites-lousy-with-adtech-study-finds/ |archive-date=2021-04-10 |access-date=18 March 2019 |url-status=live |website=TechCrunch}}</ref><ref>{{Cite news|url=https://www.ft.com/content/6dbacf74-471b-11e9-b168-96a37d002cd3|title=EU citizens being tracked on sensitive government websites|website=Financial Times|date=18 March 2019|access-date=18 March 2019|archive-date=19 March 2019|archive-url=https://web.archive.org/web/20190319130253/https://www.ft.com/content/6dbacf74-471b-11e9-b168-96a37d002cd3|url-status=live}}</ref>
 
The deluge of GDPR-related notices also inspired [[internet meme|memes]], including those surrounding privacy policy notices being delivered by atypical means (such as a [[Ouija]] board or [[Star Wars opening crawl|''Star Wars'' opening crawl]]), suggesting that [[Santa Claus]]'s "naughty or nice" list was a violation, and a recording of excerpts from the regulation by a former [[BBC Radio 4]] [[Shipping Forecast]] announcer. A blog, ''GDPR Hall of Shame'', was also created to showcase unusual delivery of GDPR notices, and attempts at compliance that contained egregious violations of the regulation's requirements. Its author remarked that the regulation "has a lot of nitty gritty, in-the-weeds details, but not a lot of information about how to comply", but also acknowledged that businesses had two years to comply, making some of its responses unjustified.<ref>{{Cite news|url=https://www.theverge.com/2018/6/3/17413390/gdpr-legislation-asleep-in-seconds-listening-meditation-app-peter-jefferson|title=Fall asleep in seconds by listening to a soothing voice read the EU's new GDPR legislation|work=The Verge|access-date=16 June 2018|archive-url=https://web.archive.org/web/20180617015346/https://www.theverge.com/2018/6/3/17413390/gdpr-legislation-asleep-in-seconds-listening-meditation-app-peter-jefferson|archive-date=17 June 2018|url-status=live}}</ref><ref>{{Cite news|url=https://www.wired.com/story/gdpr-memes/|title=How Europe's GDPR Regulations Became a Meme|magazine=Wired|access-date=17 June 2018|archive-url=https://web.archive.org/web/20180618002541/https://www.wired.com/story/gdpr-memes/|archive-date=18 June 2018|url-status=live}}</ref><ref>{{Cite news|url=https://www.adweek.com/digital/the-internet-created-a-gdpr-inspired-meme-using-privacy-policies/|title=The Internet Created a GDPR-Inspired Meme Using Privacy Policies|work=Adweek|access-date=17 June 
2018|archive-url=https://web.archive.org/web/20180617221720/https://www.adweek.com/digital/the-internet-created-a-gdpr-inspired-meme-using-privacy-policies/|archive-date=17 June 2018|url-status=live}}</ref><ref>{{Cite news|url=https://www.wired.co.uk/article/happy-gdpr-day-gdpr-hall-of-shame|title=Help, my lightbulbs are dead! How GDPR became bigger than Beyonce|work=Wired.co.uk|last=Burgess|first=Matt|access-date=17 June 2018|archive-url=https://web.archive.org/web/20180619193137/https://www.wired.co.uk/article/happy-gdpr-day-gdpr-hall-of-shame|archive-date=19 June 2018|url-status=live}}</ref><ref>{{Cite news|url=https://www.vice.com/en/article/qvnv9x/gdpr-compliance-companies-different-rules/|title=Here Are Some of the Worst Attempts At Complying with GDPR|date=25 May 2018|work=Motherboard|access-date=17 June 2018|archive-url=https://web.archive.org/web/20180618002725/https://motherboard.vice.com/en_us/article/qvnv9x/gdpr-compliance-companies-different-rules|archive-date=18 June 2018|url-status=live}}</ref>
 
Research indicates that approximately 25% of software vulnerabilities have GDPR implications.<ref>{{cite web|url=https://www.hackerone.com/sites/default/files/2018-01/GDPR%20Implications-ebook.pdf|title=What Percentage of Your Software Vulnerabilities Have GDPR Implications?|date=16 January 2018|publisher=HackerOne|access-date=6 July 2018|archive-url=https://web.archive.org/web/20180706162027/https://www.hackerone.com/sites/default/files/2018-01/GDPR%20Implications-ebook.pdf|archive-date=6 July 2018|url-status=live}}</ref> Since Article 33 (breach notification) concerns breaches rather than bugs, security experts advise companies to invest in processes and capabilities to identify vulnerabilities before they can be exploited, including [[Application security#Coordinated vulnerability disclosure|coordinated vulnerability disclosure processes]].<ref>{{cite web|url=https://www.slideshare.net/hacker0x01/everything-you-need-to-know-about-the-data-protection-officer-role|title=The Data Protection Officer (DPO): Everything You Need to Know|date=20 March 2018|publisher=Cranium and HackerOne|access-date=6 July 2018|archive-url=https://web.archive.org/web/20180831165003/https://www.slideshare.net/hacker0x01/everything-you-need-to-know-about-the-data-protection-officer-role|archive-date=31 August 2018|url-status=live}}</ref><ref>{{cite web|url=https://iapp.org/news/a/what-might-bug-bounty-programs-look-like-under-the-gdpr/|title=What might bug bounty programs look like under the GDPR?|date=27 March 2018|publisher=The International Association of Privacy Professionals (IAPP)|access-date=6 July 2018|archive-url=https://web.archive.org/web/20180706165037/https://iapp.org/news/a/what-might-bug-bounty-programs-look-like-under-the-gdpr/|archive-date=6 July 2018|url-status=live}}</ref> An investigation of Android apps' privacy policies, data access capabilities, and data access behaviour has shown that numerous apps display somewhat more privacy-friendly behaviour since the GDPR was implemented, although they 
still retain most of their data access privileges in their code.<ref>{{Cite journal|last1=Momen|first1=N.|last2=Hatamian|first2=M.|last3=Fritsch|first3=L.|date=November 2019|title=Did App Privacy Improve After the GDPR?|journal=IEEE Security & Privacy|volume=17|issue=6|pages=10–20|doi=10.1109/MSEC.2019.2938445|s2cid=203699369|issn=1558-4046|url=http://urn.kb.se/resolve?urn=urn:nbn:se:kau:diva-75508}}</ref><ref>{{Citation|last1=Hatamian|first1=Majid|title=A Multilateral Privacy Impact Analysis Method for Android Apps|date=2019|work=Privacy Technologies and Policy|volume=11498|pages=87–106|editor-last=Naldi|editor-first=Maurizio|publisher=Springer International Publishing|doi=10.1007/978-3-030-21752-5_7|isbn=978-3-030-21751-8|last2=Momen|first2=Nurul|last3=Fritsch|first3=Lothar|last4=Rannenberg|first4=Kai|series=Lecture Notes in Computer Science |s2cid=184483219|url=https://zenodo.org/record/3248889|editor2-last=Italiano|editor2-first=Giuseppe F.|editor3-last=Rannenberg|editor3-first=Kai|editor4-last=Medina|editor4-first=Manel|access-date=3 June 2020|archive-date=12 July 2020|archive-url=https://web.archive.org/web/20200712060716/https://zenodo.org/record/3248889|url-status=live}}</ref> An investigation of the [[Norwegian Consumer Council]] into the post-GDPR data subject dashboards on social media platforms (such as [[Google Dashboard|Google dashboard]]) has concluded that large social media firms deploy deceptive tactics in order to discourage their customers from sharpening their privacy settings.<ref>Moen, Gro Mette, Ailo Krogh Ravna, and Finn Myrstad. [https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf "Deceived by design - How tech companies use dark patterns to discourage us from exercising our rights to privacy"] {{Webarchive|url=https://web.archive.org/web/20191220000426/https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf |date=20 December 2019 }}. 2018. 
Report by the Norwegian Consumer Council.</ref>
 
On the effective date, some websites began to block visitors from EU countries entirely (including [[Instapaper]],<ref>{{Cite news|url=https://www.theverge.com/2018/5/23/17387146/instapaper-gdpr-europe-access-shut-down-privacy-changes|title=Instapaper is temporarily shutting off access for European users due to GDPR|work=The Verge|access-date=24 May 2018|archive-url=https://web.archive.org/web/20180524013709/https://www.theverge.com/2018/5/23/17387146/instapaper-gdpr-europe-access-shut-down-privacy-changes|archive-date=24 May 2018|url-status=live}}</ref> Unroll.me,<ref>{{Cite web|url=https://techcrunch.com/2018/05/05/unroll-me-to-close-to-eu-users-saying-it-cant-comply-with-gdpr/|title=Unroll.me to close to EU users saying it can't comply with GDPR|website=TechCrunch|date=5 May 2018 |access-date=29 May 2018|archive-url=https://web.archive.org/web/20180530035124/https://techcrunch.com/2018/05/05/unroll-me-to-close-to-eu-users-saying-it-cant-comply-with-gdpr/|archive-date=30 May 2018|url-status=live}}</ref> and [[Tribune Publishing]]-owned newspapers, such as the ''[[Chicago Tribune]]'' and the ''[[Los Angeles Times]]'') or redirect them to stripped-down versions of their services (in the case of [[National Public Radio]] and ''[[USA Today]]'') with limited functionality and/or no advertising so that they will not be liable.<ref>{{Cite news|url=https://www.theguardian.com/technology/2018/may/24/sites-block-eu-users-before-gdpr-takes-effect|title=Sites block users, shut down activities and flood inboxes as GDPR rules loom|last1=Hern|first1=Alex|date=24 May 2018|work=The Guardian|access-date=25 May 2018|last2=Waterson|first2=Jim|archive-url=https://web.archive.org/web/20180524222426/https://www.theguardian.com/technology/2018/may/24/sites-block-eu-users-before-gdpr-takes-effect|archive-date=24 May 2018|url-status=live}}</ref><ref>{{Cite 
news|url=https://www.bloomberg.com/news/articles/2018-05-25/blocking-500-million-users-is-easier-than-complying-with-gdpr|title=Blocking 500 Million Users Is Easier Than Complying With Europe's New Rules|date=25 May 2018|publisher=Bloomberg L.P.|access-date=26 May 2018|archive-url=https://web.archive.org/web/20180525235055/https://www.bloomberg.com/news/articles/2018-05-25/blocking-500-million-users-is-easier-than-complying-with-gdpr|archive-date=25 May 2018|url-status=live}}</ref><ref>{{Cite news|url=https://www.nytimes.com/2018/05/25/business/media/europe-privacy-gdpr-us.html|title=U.S. News Outlets Block European Readers Over New Privacy Rules|date=25 May 2018|work=The New York Times|access-date=26 May 2018|issn=0362-4331|archive-url=https://web.archive.org/web/20180526025851/https://www.nytimes.com/2018/05/25/business/media/europe-privacy-gdpr-us.html|archive-date=26 May 2018|url-status=live}}</ref><ref>{{Cite news|url=http://adage.com/article/digital/eu-citizens-gdpr-day/313655/|title=Look: Here's what EU citizens see now that GDPR has landed|work=Advertising Age|access-date=26 May 2018|archive-url=https://web.archive.org/web/20180525220203/http://adage.com/article/digital/eu-citizens-gdpr-day/313655/|archive-date=25 May 2018|url-status=live}}</ref> Some companies, such as [[Klout]], and several online video games, ceased operations entirely to coincide with its implementation, citing the GDPR as a burden on their continued operations, especially due to the business model of the former.<ref>{{Cite news|url=https://www.wired.com/story/how-a-new-era-of-privacy-took-over-your-email-inbox/|title=Why Your Inbox Is Crammed Full of Privacy Policies|last=Tiku|first=Nitasha|date=24 May 2018|magazine=Wired|access-date=25 May 2018|archive-url=https://web.archive.org/web/20180524214938/https://www.wired.com/story/how-a-new-era-of-privacy-took-over-your-email-inbox/|archive-date=24 May 2018|url-status=live}}</ref><ref>{{Cite 
news|url=https://www.nytimes.com/2018/05/23/technology/personaltech/what-you-should-look-for-europe-data-law.html|title=Getting a Flood of G.D.P.R.-Related Privacy Policy Updates? Read Them|last=Chen|first=Brian X.|date=23 May 2018|work=The New York Times|access-date=25 May 2018|issn=0362-4331|archive-url=https://web.archive.org/web/20180524194430/https://www.nytimes.com/2018/05/23/technology/personaltech/what-you-should-look-for-europe-data-law.html|archive-date=24 May 2018|url-status=live}}</ref><ref>{{Cite news|url=https://www.bloomberg.com/news/articles/2018-05-25/blocking-500-million-users-is-easier-than-complying-with-gdpr|title=Blocking 500 Million Users Is Easier Than Complying With Europe's New Rules|last=Lanxon|first=Nate|date=25 May 2018|work=Bloomberg|access-date=25 May 2018|archive-url=https://web.archive.org/web/20180525125509/https://www.bloomberg.com/news/articles/2018-05-25/blocking-500-million-users-is-easier-than-complying-with-gdpr|archive-date=25 May 2018|url-status=live}}</ref> The volume of online [[behavioural advertising]] placements in Europe fell 25–40% on 25 May 2018.<ref>{{Cite news|url=https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying-plummets-europe/|title=GDPR mayhem: Programmatic ad buying plummets in Europe|date=25 May 2018|work=[[Digiday]]|access-date=26 May 2018|archive-url=https://web.archive.org/web/20180525213159/https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying-plummets-europe/|archive-date=25 May 2018|url-status=live}}</ref><ref>{{Cite book|last1=Skiera|first1=Bernd|last2= Miller|first2=Klaus Matthias|last3=Jin|first3=Yuxi|last4=Kraft|first4=Lennart|last5=Laub|first5=René|last6=Schmitt|first6=Julia|date=5 July 2022|url=https://www.worldcat.org/oclc/1322186902|title=The impact of the GDPR on the online advertising market|publisher=Bernd Skiera|___location=Frankfurt am Main|isbn=978-3-9824173-0-1|oclc=1322186902}}</ref>
 
In 2020, two years after the GDPR came into force, the European Commission assessed that users across the EU had increased their knowledge about their rights, stating that "69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people heard about their national data protection authority."<ref name=":9">{{Cite web|title=Press corner|url=https://ec.europa.eu/commission/presscorner/home/en|access-date=18 September 2020|website=European Commission - European Commission|language=en|archive-date=27 December 2020|archive-url=https://web.archive.org/web/20201227193856/https://ec.europa.eu/commission/presscorner/home/en|url-status=live}}</ref><ref>{{Cite web|date=12 June 2020|title=Your rights matter: Data protection and privacy - Fundamental Rights Survey|url=https://fra.europa.eu/en/publication/2020/fundamental-rights-survey-data-protection|access-date=18 September 2020|website=European Union Agency for Fundamental Rights|language=en|archive-date=25 September 2020|archive-url=https://web.archive.org/web/20200925141211/https://fra.europa.eu/en/publication/2020/fundamental-rights-survey-data-protection|url-status=live}}</ref> The Commission also found that privacy has become a competitive quality for companies, one which consumers take into account in their decision-making.<ref name=":9" />
In November 2021, the Irish Council for Civil Liberties (ICCL) lodged a formal complaint against the Commission, alleging that it was in breach of its obligation under EU law to carefully monitor how Ireland applies the GDPR.<ref name=":10">{{Cite web |last=Ryan |first=Johnny |date=2023-01-31 |title=Europe-wide overhaul of GDPR monitoring triggered by ICCL |url=https://www.iccl.ie/digital-data/europe-wide-overhaul-of-gdpr-monitoring-triggered-by-iccl/ |access-date=2023-04-08 |website=Irish Council for Civil Liberties |language=en-GB |archive-date=6 April 2023 |archive-url=https://web.archive.org/web/20230406075809/https://www.iccl.ie/digital-data/europe-wide-overhaul-of-gdpr-monitoring-triggered-by-iccl/ |url-status=live }}</ref> In January 2023, the Commission published a new commitment in response to the ICCL complaint.<ref name=":10" />
 
While companies are now subject to legal obligations, there are still various inconsistencies in the practical and technical implementation of the GDPR.<ref>{{Cite book|last1=Alizadeh|first1=Fatemeh|last2=Jakobi|first2=Timo|last3=Boldt|first3=Jens|last4=Stevens|first4=Gunnar|title=Proceedings of Mensch und Computer 2019 |chapter=GDPR-Reality Check on the Right to Access Data |date=2019|pages=811–814|___location=New York|publisher=ACM Press|doi=10.1145/3340764.3344913|isbn=978-1-4503-7198-8|s2cid=202159324}}</ref> As an example, under the GDPR's right of access, companies are obliged to provide data subjects with the data they gather about them. However, in a study on loyalty cards in Germany, companies did not provide data subjects with exact information about the articles they had purchased.<ref name=":7">{{Cite journal|last1=Alizadeh|first1=Fatemeh|last2=Jakobi|first2=Timo|last3=Boden|first3=Alexander|last4=Stevens|first4=Gunnar|last5=Boldt|first5=Jens|date=2020|title=GDPR Reality Check–Claiming and Investigating Personally Identifiable Data from Companies|url=https://eusec20.cs.uchicago.edu/eusec20-Alizadeh.pdf|journal=EuroUSEC|access-date=17 June 2020|archive-date=17 June 2020|archive-url=https://web.archive.org/web/20200617145507/https://eusec20.cs.uchicago.edu/eusec20-Alizadeh.pdf|url-status=live}}</ref> One might argue that such companies simply do not collect information about the purchased articles, but that would not be consistent with their business models, so data subjects tend to see the omission as a GDPR violation. As a result, studies have called for stronger oversight by the supervisory authorities.<ref>{{Cite journal |last1=Smirnova |first1=Yelena |last2=Travieso-Morales |first2=Victoriano |date=2024-04-04 |title=Understanding challenges of GDPR implementation in business enterprises: a systematic literature review |url=https://www.emerald.com/insight/content/doi/10.1108/IJLMA-08-2023-0170/full/html |journal=International Journal of Law and Management |language=en |volume=66 |issue=3 |pages=326–344 |doi=10.1108/IJLMA-08-2023-0170 |issn=1754-243X|url-access=subscription }}</ref><ref name=":7" />
 
According to the GDPR, end-users' [[consent]] should be valid, freely given, specific, informed and active.<ref name=":8">{{Cite book|last1=Human|first1=Soheil|last2=Cech|first2=Florian|title=Human Centred Intelligent Systems |chapter=A Human-Centric Perspective on Digital Consenting: The Case of GAFAM |date=2021|editor-last=Zimmermann|editor-first=Alfred|editor2-last=Howlett|editor2-first=Robert J.|editor3-last=Jain|editor3-first=Lakhmi C.|series=Smart Innovation, Systems and Technologies|volume=189|language=en|___location=Singapore|publisher=Springer|pages=139–159|doi=10.1007/978-981-15-5784-2_12|isbn=978-981-15-5784-2|s2cid=214699040|chapter-url=https://epub.wu.ac.at/7523/1/HCIS2020_A%20Human-centric%20Perspective%20on%20Digital%20Consenting_The%20Case%20of%20GAFAM_Soheil%20Human_Florian%20Cech.pdf|access-date=23 August 2020|archive-date=14 April 2021|archive-url=https://web.archive.org/web/20210414233129/https://epub.wu.ac.at/7523/1/HCIS2020_A%20Human-centric%20Perspective%20on%20Digital%20Consenting_The%20Case%20of%20GAFAM_Soheil%20Human_Florian%20Cech.pdf|url-status=live}}</ref> However, enforcing the requirement to obtain lawful consent has proved challenging. As an example, a 2020 study showed that the [[Big Tech]] companies, i.e. [[Google]], [[Amazon (company)|Amazon]], [[Facebook]], [[Apple Inc.|Apple]], and [[Microsoft]] (GAFAM), use [[dark pattern]]s in their consent-obtaining mechanisms, which raises doubts about the lawfulness of the consent acquired.<ref name=":8" />
 
After around €160 million in GDPR fines were imposed in 2020, the total had already exceeded €1 billion in 2021.<ref>{{Cite web|last=Browne|first=Ryan|date=2022-01-18|title=Fines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the brunt|url=https://www.cnbc.com/2022/01/18/fines-for-breaches-of-eu-gdpr-privacy-law-spike-sevenfold.html|access-date=2022-02-09|website=CNBC|language=en|archive-date=9 February 2022|archive-url=https://web.archive.org/web/20220209162741/https://www.cnbc.com/2022/01/18/fines-for-breaches-of-eu-gdpr-privacy-law-spike-sevenfold.html|url-status=live}}</ref>
 
In 2024 and early 2025, GDPR enforcement actions intensified. The Irish Data Protection Commission (DPC) imposed a €345 million fine on TikTok for violations related to children's data privacy and insufficient safeguards for young users.<ref>{{Cite web |title= TikTok fined €345 million for GDPR violations on children's privacy |url=https://www.bbc.com/news/technology-66830288 |website=BBC News |date=15 September 2024 |access-date=20 February 2025}}</ref> In January 2025, Meta was fined €1.2 billion for unlawful data transfers between the EU and the US, marking one of the largest GDPR fines to date.<ref>{{Cite web |title=Meta hit with record €1.2 billion GDPR fine over US data transfers |url=https://www.theverge.com/2025/01/10/meta-gdpr-fine-1-2-billion |website=The Verge |date=10 January 2025 |access-date=20 February 2025}}</ref>
 
On 12 February 2025, the European Commission abandoned proposed regulations on technology patents, AI liability, and privacy for messaging apps, citing strong lobbying and a lack of consensus among EU lawmakers, with major tech firms opposing the changes.<ref>{{cite news|last=Chee Foo|first=Yun|title=EU ditches plans to regulate tech patents, AI liability, online privacy|date=12 February 2025|work=Reuters|url= https://www.reuters.com/technology/eu-ditches-plans-regulate-tech-patents-ai-liability-online-privacy-2025-02-12/|access-date=13 February 2025}}</ref>
 
=== Influence on foreign laws ===
 
Switzerland will also adopt a new data protection law that largely follows the EU's GDPR.<ref>{{Cite web |last=Portal |first=S. M. E. |title=New Federal Act on Data Protection (nFADP) |url=https://www.kmu.admin.ch/kmu/en/home/fakten-und-trends/digitalisierung/datenschutz/neues-datenschutzgesetz-revdsg.html |access-date=2023-03-25 |website=www.kmu.admin.ch |language=en |archive-date=25 March 2023 |archive-url=https://web.archive.org/web/20230325204902/https://www.kmu.admin.ch/kmu/en/home/fakten-und-trends/digitalisierung/datenschutz/neues-datenschutzgesetz-revdsg.html |url-status=live }}</ref>
 
As overseas regions of the European Union have joined non-governmental organisation (NGO) bodies in the Caribbean region such as the [[Organisation of Eastern Caribbean States]], the GDPR rules have become necessary to consider there, given the lack of any current legislation in the region concerning privacy rights and the need to maintain compliance with the laws of those outer regions.<ref>{{cite web |author=Staff writer |date=23 January 2020 |title=The European Union (EU) General Data Protection Regulation (GDPR) in the Caribbean Context |url=https://www.carib-export.com/news/the-european-union-eu-general-data-protection-regulation-gdpr-in-the-caribbean-context/ |website=www.carib-export.com |type=Press Release |agency=Carib-Export |access-date=12 January 2025}}</ref>
 
The [[CLOUD Act]], enacted in 2018, is seen by the [[European Data Protection Supervisor]] (EDPS) as a law in possible conflict with the GDPR.<ref>{{cite web |author=European Data Protection Supervisor |date=10 July 2019 |title=EDPB-EDPS Joint Response on the US Cloud Act |url=https://edps.europa.eu/sites/edp/files/publication/19-07-10_edpb_edps_cloudact_annex_en.pdf}}</ref><ref name=":02">{{cite web |last=Christakis |first=Theodore |date=17 October 2019 |title=21 Thoughts and Questions about the UK-US CLOUD Act Agreement: (and an Explanation of How it Works – with Charts) |url=https://europeanlawblog.eu/2019/10/17/21-thoughts-and-questions-about-the-uk-us-cloud-act-agreement-and-an-explanation-of-how-it-works-with-charts/ |access-date=20 July 2020 |work=blog |archive-date=21 July 2020 |archive-url=https://web.archive.org/web/20200721122020/https://europeanlawblog.eu/2019/10/17/21-thoughts-and-questions-about-the-uk-us-cloud-act-agreement-and-an-explanation-of-how-it-works-with-charts/ |url-status=dead }}</ref><ref>{{Cite web |last=Whitworth |first=Martin |date=2018 |title=Don't Get Spooked by the CLOUD Act |url=https://d1.awsstatic.com/whitepapers/compliance/IDC_Cloud_Act_Analysis.pdf |publisher=International Data Corporation}}</ref>
 
=== Website views and revenue ===
A 2024 study found that GDPR reduced both EU user website page views and website revenue by 12%.<ref>{{Cite journal |last1=Goldberg |first1=Samuel G. |last2=Johnson |first2=Garrett A. |last3=Shriver |first3=Scott K. |date=2024 |title=Regulating Privacy Online: An Economic Evaluation of the GDPR |url=https://www.aeaweb.org/articles?id=10.1257/pol.20210309 |journal=American Economic Journal: Economic Policy |language=en |volume=16 |issue=1 |pages=325–358 |doi=10.1257/pol.20210309 |issn=1945-7731|url-access=subscription }}</ref>
 
== Timeline ==
* [[Children's Online Privacy Protection Act]] (COPPA) (USA)
* [[Personal Information Protection Law of the People's Republic of China|Personal Information Protection Law]] (PIPL) (China)
* [[Nigeria Data Protection Act, 2023]] (NDP Act) (Nigeria)
* [[Personal Data Protection Act 2012]] (PDPA) (Singapore)
* [[Protection of Personal Information Act, 2013|Protection of Personal Information Act]] (PoPIA) (South Africa)
* [[European Health Data Space]]
* [[Privacy and Electronic Communications Directive 2002]] (ePrivacy Directive, ePD)
* [[Transparency and targeting of political advertising]]
Related concepts:
* [[Budapest Convention on Cybercrime]]
* [[Data portability]]
* [[Do Not Track legislation]]