m Open access bot: url-access=subscription updated in citation with #oabot. |
Citation bot (talk | contribs) Altered title. Add: authors 1-1. Removed URL that duplicated identifier. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | #UCB_CommandLine |
Line 169:
* International data transfers.
The GDPR certification also contributes to reduce the legal and financial risks of applicants, as well as of data controllers using certified data processing services.<ref>{{Cite web |date=2022-10-17 |title=Europrivacy: the first certification mechanism to ensure compliance with GDPR {{!}} Shaping
The adoption of the European Data Protection Seals is under the responsibility of the [[European Data Protection Board]] (EDPB) and is recognized across all EU and EEA [[Member state of the European Union|Member States]].<ref>{{Cite web |title=EDPB document on the procedure for the approval of certification criteria by the EDPB resulting in a common certification, the European Data Protection Seal {{!}} European Data Protection Board |url=https://www.edpb.europa.eu/our-work-tools/our-documents/procedure/edpb-document-procedure-approval-certification-criteria-edpb_en |access-date=2024-11-03 |website=www.edpb.europa.eu}}</ref>
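Review bot: In the EDPB citation at the end of this hunk, the title still carries the site-name suffix `{{!}} European Data Protection Board`, and `website=` is the bare hostname `www.edpb.europa.eu`. Suggest ending the title at "the European Data Protection Seal" and setting `website=European Data Protection Board`, so the publisher name appears once and in the right field. The Europrivacy citation on the preceding line has the same `{{!}}` pattern in its title and would benefit from the same cleanup.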
Line 277:
Research indicates that approximately 25% of software vulnerabilities have GDPR implications.<ref>{{cite web|url=https://www.hackerone.com/sites/default/files/2018-01/GDPR%20Implications-ebook.pdf|title=What Percentage of Your Software Vulnerabilities Have GDPR Implications?|date=16 January 2018|publisher=HackerOne|access-date=6 July 2018|archive-url=https://web.archive.org/web/20180706162027/https://www.hackerone.com/sites/default/files/2018-01/GDPR%20Implications-ebook.pdf|archive-date=6 July 2018|url-status=live}}</ref> Since Article 33 emphasizes breaches, not bugs, security experts advise companies to invest in processes and capabilities to identify vulnerabilities before they can be exploited, including [[Application security#Coordinated vulnerability disclosure|coordinated vulnerability disclosure processes]].<ref>{{cite web|url=https://www.slideshare.net/hacker0x01/everything-you-need-to-know-about-the-data-protection-officer-role|title=The Data Protection Officer (DPO): Everything You Need to Know|date=20 March 2018|publisher=Cranium and HackerOne|access-date=6 July 2018|archive-url=https://web.archive.org/web/20180831165003/https://www.slideshare.net/hacker0x01/everything-you-need-to-know-about-the-data-protection-officer-role|archive-date=31 August 2018|url-status=live}}</ref><ref>{{cite web|url=https://iapp.org/news/a/what-might-bug-bounty-programs-look-like-under-the-gdpr/|title=What might bug bounty programs look like under the GDPR?|date=27 March 2018|publisher=The International Association of Privacy Professionals (IAPP)|access-date=6 July 2018|archive-url=https://web.archive.org/web/20180706165037/https://iapp.org/news/a/what-might-bug-bounty-programs-look-like-under-the-gdpr/|archive-date=6 July 2018|url-status=live}}</ref> An investigation of Android apps' privacy policies, data access capabilities, and data access behaviour has shown that numerous apps display a somewhat privacy-friendlier behaviour since the GDPR was implemented, although they 
still retain most of their data access privileges in their code.<ref>{{Cite journal|last1=Momen|first1=N.|last2=Hatamian|first2=M.|last3=Fritsch|first3=L.|date=November 2019|title=Did App Privacy Improve After the GDPR?|journal=IEEE Security Privacy|volume=17|issue=6|pages=10–20|doi=10.1109/MSEC.2019.2938445|s2cid=203699369|issn=1558-4046|url=http://urn.kb.se/resolve?urn=urn:nbn:se:kau:diva-75508}}</ref><ref>{{Citation|last1=Hatamian|first1=Majid|title=A Multilateral Privacy Impact Analysis Method for Android Apps|date=2019|work=Privacy Technologies and Policy|volume=11498|pages=87–106|editor-last=Naldi|editor-first=Maurizio|publisher=Springer International Publishing|doi=10.1007/978-3-030-21752-5_7|isbn=978-3-030-21751-8|last2=Momen|first2=Nurul|last3=Fritsch|first3=Lothar|last4=Rannenberg|first4=Kai|series=Lecture Notes in Computer Science |s2cid=184483219|url=https://zenodo.org/record/3248889|editor2-last=Italiano|editor2-first=Giuseppe F.|editor3-last=Rannenberg|editor3-first=Kai|editor4-last=Medina|editor4-first=Manel|access-date=3 June 2020|archive-date=12 July 2020|archive-url=https://web.archive.org/web/20200712060716/https://zenodo.org/record/3248889|url-status=live}}</ref> An investigation of the [[Norwegian Consumer Council]] into the post-GDPR data subject dashboards on social media platforms (such as [[Google Dashboard|Google dashboard]]) has concluded that large social media firms deploy deceptive tactics in order to discourage their customers from sharpening their privacy settings.<ref>Moen, Gro Mette, Ailo Krogh Ravna, and Finn Myrstad. [https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf "Deceived by design - How tech companies use dark patterns to discourage us from exercising our rights to privacy"] {{Webarchive|url=https://web.archive.org/web/20191220000426/https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf |date=20 December 2019 }}. 2018. 
Report by the Norwegian Consumer Council.</ref>
On the effective date, some websites began to block visitors from EU countries entirely (including [[Instapaper]],<ref>{{Cite news|url=https://www.theverge.com/2018/5/23/17387146/instapaper-gdpr-europe-access-shut-down-privacy-changes|title=Instapaper is temporarily shutting off access for European users due to GDPR|work=The Verge|access-date=24 May 2018|archive-url=https://web.archive.org/web/20180524013709/https://www.theverge.com/2018/5/23/17387146/instapaper-gdpr-europe-access-shut-down-privacy-changes|archive-date=24 May 2018|url-status=live}}</ref> Unroll.me,<ref>{{Cite web|url=https://techcrunch.com/2018/05/05/unroll-me-to-close-to-eu-users-saying-it-cant-comply-with-gdpr/|title=Unroll.me to close to EU users saying it can't comply with GDPR|website=TechCrunch|date=5 May 2018 |access-date=29 May 2018|archive-url=https://web.archive.org/web/20180530035124/https://techcrunch.com/2018/05/05/unroll-me-to-close-to-eu-users-saying-it-cant-comply-with-gdpr/|archive-date=30 May 2018|url-status=live}}</ref> and [[Tribune Publishing]]-owned newspapers, such as the ''[[Chicago Tribune]]'' and the ''[[Los Angeles Times]]'') or redirect them to stripped-down versions of their services (in the case of [[National Public Radio]] and ''[[USA Today]]'') with limited functionality and/or no advertising so that they will not be liable.<ref>{{Cite news|url=https://www.theguardian.com/technology/2018/may/24/sites-block-eu-users-before-gdpr-takes-effect|title=Sites block users, shut down activities and flood inboxes as GDPR rules loom|last1=Hern|first1=Alex|date=24 May 2018|work=The Guardian|access-date=25 May 2018|last2=Waterson|first2=Jim|archive-url=https://web.archive.org/web/20180524222426/https://www.theguardian.com/technology/2018/may/24/sites-block-eu-users-before-gdpr-takes-effect|archive-date=24 May 2018|url-status=live}}</ref><ref>{{Cite 
news|url=https://www.bloomberg.com/news/articles/2018-05-25/blocking-500-million-users-is-easier-than-complying-with-gdpr|title=Blocking 500 Million Users Is Easier Than Complying With Europe's New Rules|date=25 May 2018|publisher=Bloomberg L.P.|access-date=26 May 2018|archive-url=https://web.archive.org/web/20180525235055/https://www.bloomberg.com/news/articles/2018-05-25/blocking-500-million-users-is-easier-than-complying-with-gdpr|archive-date=25 May 2018|url-status=live}}</ref><ref>{{Cite news|url=https://www.nytimes.com/2018/05/25/business/media/europe-privacy-gdpr-us.html|title=U.S. News Outlets Block European Readers Over New Privacy Rules|date=25 May 2018|work=The New York Times|access-date=26 May 2018|issn=0362-4331|archive-url=https://web.archive.org/web/20180526025851/https://www.nytimes.com/2018/05/25/business/media/europe-privacy-gdpr-us.html|archive-date=26 May 2018|url-status=live}}</ref><ref>{{Cite news|url=http://adage.com/article/digital/eu-citizens-gdpr-day/313655/|title=Look: Here's what EU citizens see now that GDPR has landed|work=Advertising Age|access-date=26 May 2018|archive-url=https://web.archive.org/web/20180525220203/http://adage.com/article/digital/eu-citizens-gdpr-day/313655/|archive-date=25 May 2018|url-status=live}}</ref> Some companies, such as [[Klout]], and several online video games, ceased operations entirely to coincide with its implementation, citing the GDPR as a burden on their continued operations, especially due to the business model of the former.<ref>{{Cite news|url=https://www.wired.com/story/how-a-new-era-of-privacy-took-over-your-email-inbox/|title=Why Your Inbox Is Crammed Full of Privacy Policies|last=Tiku|first=Nitasha|date=24 May 2018|magazine=Wired|access-date=25 May 2018|archive-url=https://web.archive.org/web/20180524214938/https://www.wired.com/story/how-a-new-era-of-privacy-took-over-your-email-inbox/|archive-date=24 May 2018|url-status=live}}</ref><ref>{{Cite 
news|url=https://www.nytimes.com/2018/05/23/technology/personaltech/what-you-should-look-for-europe-data-law.html|title=Getting a Flood of G.D.P.R.-Related Privacy Policy Updates? Read Them|last=Chen|first=Brian X.|date=23 May 2018|work=The New York Times|access-date=25 May 2018|issn=0362-4331|archive-url=https://web.archive.org/web/20180524194430/https://www.nytimes.com/2018/05/23/technology/personaltech/what-you-should-look-for-europe-data-law.html|archive-date=24 May 2018|url-status=live}}</ref><ref>{{Cite news|url=https://www.bloomberg.com/news/articles/2018-05-25/blocking-500-million-users-is-easier-than-complying-with-gdpr|title=Blocking 500 Million Users Is Easier Than Complying With Europe's New Rules|last=Lanxon|first=Nate|date=25 May 2018|work=Bloomberg|access-date=25 May 2018|archive-url=https://web.archive.org/web/20180525125509/https://www.bloomberg.com/news/articles/2018-05-25/blocking-500-million-users-is-easier-than-complying-with-gdpr|archive-date=25 May 2018|url-status=live}}</ref> The volume of online [[behavioural advertising]] placements in Europe fell 25–40% on 25 May 2018.<ref>{{Cite news|url=https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying-plummets-europe/|title=GDPR mayhem: Programmatic ad buying plummets in Europe|date=25 May 2018|work=[[Digiday]]|access-date=26 May 2018|archive-url=https://web.archive.org/web/20180525213159/https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying-plummets-europe/|archive-date=25 May 2018|url-status=live}}</ref><ref>{{Cite book|last1=Skiera|first1=Bernd|last2= Miller|first2=Klaus Matthias|last3=Jin|first3=Yuxi|last4=Kraft|first4=Lennart|last5=Laub|first5=René|last6=Schmitt|first6=Julia|date=5 July 2022
In 2020, two years after the GDPR began its implementation, the European Commission assessed that users across the EU had increased their knowledge about their rights, stating that "69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people heard about their national data protection authority."<ref name=":9">{{Cite web|title=Press corner|url=https://ec.europa.eu/commission/presscorner/home/en|access-date=18 September 2020|website=European Commission - European Commission|language=en|archive-date=27 December 2020|archive-url=https://web.archive.org/web/20201227193856/https://ec.europa.eu/commission/presscorner/home/en|url-status=live}}</ref><ref>{{Cite web|date=12 June 2020|title=Your rights matter: Data protection and privacy - Fundamental Rights Survey|url=https://fra.europa.eu/en/publication/2020/fundamental-rights-survey-data-protection|access-date=18 September 2020|website=European Union Agency for Fundamental Rights|language=en|archive-date=25 September 2020|archive-url=https://web.archive.org/web/20200925141211/https://fra.europa.eu/en/publication/2020/fundamental-rights-survey-data-protection|url-status=live}}</ref> The commission also found that privacy has become a competitive quality for companies which consumers are taking into account in their decisionmaking processes.<ref name=":9" />
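Review bot: The Bloomberg article "Blocking 500 Million Users Is Easier Than Complying With Europe's New Rules" is cited twice in this hunk as two separate full citations with the same `url=`: once with `publisher=Bloomberg L.P.` and no author, and once with `last=Lanxon|first=Nate` and `work=Bloomberg`, each with a different `archive-url`. Suggest keeping the version with the author, giving it a `name=`, and reusing it at the first position. Separately, the `:9` reference behind the quoted 69% and 71% figures is titled "Press corner" and points at the press corner home page rather than a specific release, so the quote cannot be verified from the link as given.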
Line 291:
In November 2021, Irish Council for Civil Liberties lodged a formal complaint of the Commission that it is in breach of its obligation under EU Law to carefully monitor how Ireland applies the GDPR.<ref name=":10">{{Cite web |last=Ryan |first=Johnny |date=2023-01-31 |title=Europe-wide overhaul of GDPR monitoring triggered by ICCL |url=https://www.iccl.ie/digital-data/europe-wide-overhaul-of-gdpr-monitoring-triggered-by-iccl/ |access-date=2023-04-08 |website=Irish Council for Civil Liberties |language=en-GB |archive-date=6 April 2023 |archive-url=https://web.archive.org/web/20230406075809/https://www.iccl.ie/digital-data/europe-wide-overhaul-of-gdpr-monitoring-triggered-by-iccl/ |url-status=live }}</ref> Until January 2023, the Commission published a new commitment based on the complaint of ICCL.<ref name=":10" />
While companies are now subject to legal obligations, there are still various inconsistencies in the practical and technical implementation of GDPR.<ref>{{Cite book|last1=Alizadeh|first1=Fatemeh|last2=Jakobi|first2=Timo|last3=Boldt|first3=Jens|last4=Stevens|first4=Gunnar|title=Proceedings of Mensch und Computer 2019 |chapter=GDPR-Reality Check on the Right to Access Data |date=2019|pages=811–814|___location=New York|publisher=ACM Press|doi=10.1145/3340764.3344913|isbn=978-1-4503-7198-8|s2cid=202159324}}</ref> As an example, according to the GDPR's right to access, the companies are obliged to provide data subjects with the data they gather about them. However, in a study on loyalty cards in Germany, companies did not provide the data subjects with the exact information of the purchased articles.<ref name=":7">{{Cite journal|last1=Alizadeh|first1=Fatemeh|last2=Jakobi|first2=Timo|last3=Boden|first3=Alexander|last4=Stevens|first4=Gunnar|last5=Boldt|first5=Jens|date=2020|title=GDPR Reality Check–Claiming and Investigating Personally Identifiable Data from Companies|url=https://eusec20.cs.uchicago.edu/eusec20-Alizadeh.pdf|journal=EuroUSEC|access-date=17 June 2020|archive-date=17 June 2020|archive-url=https://web.archive.org/web/20200617145507/https://eusec20.cs.uchicago.edu/eusec20-Alizadeh.pdf|url-status=live}}</ref> One might argue that such companies do not collect the information of the purchased articles, which does not conform with their business models. Therefore, data subjects tend to see that as a GDPR violation. As a result, studies have suggested for a better control through authorities<ref>{{Cite journal |
According to the GDPR, end-users' [[consent]] should be valid, freely given, specific, informed and active.<ref name=":8">{{Cite book|last1=Human|first1=Soheil|last2=Cech|first2=Florian|title=Human Centred Intelligent Systems |chapter=A Human-Centric Perspective on Digital Consenting: The Case of GAFAM |date=2021|editor-last=Zimmermann|editor-first=Alfred|editor2-last=Howlett|editor2-first=Robert J.|editor3-last=Jain|editor3-first=Lakhmi C.|series=Smart Innovation, Systems and Technologies|volume=189|language=en|___location=Singapore|publisher=Springer|pages=139–159|doi=10.1007/978-981-15-5784-2_12|isbn=978-981-15-5784-2|s2cid=214699040|chapter-url=https://epub.wu.ac.at/7523/1/HCIS2020_A%20Human-centric%20Perspective%20on%20Digital%20Consenting_The%20Case%20of%20GAFAM_Soheil%20Human_Florian%20Cech.pdf|access-date=23 August 2020|archive-date=14 April 2021|archive-url=https://web.archive.org/web/20210414233129/https://epub.wu.ac.at/7523/1/HCIS2020_A%20Human-centric%20Perspective%20on%20Digital%20Consenting_The%20Case%20of%20GAFAM_Soheil%20Human_Florian%20Cech.pdf|url-status=live}}</ref> However, the lack of enforceability regarding obtaining lawful consents has been a challenge. As an example, a 2020 study, showed that the [[Big Tech]], i.e. [[Google]], [[Amazon (company)|Amazon]], [[Facebook]], [[Apple Inc.|Apple]], and [[Microsoft]] (GAFAM), use [[dark pattern]]s in their consent obtaining mechanisms, which raises doubts regarding the lawfulness of the acquired consent.<ref name=":8" />
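Review bot: Both book citations in this hunk write the place of publication as `|___location=` (`|___location=New York` in the Alizadeh et al. citation, `|___location=Singapore` in the Human and Cech citation). The citation templates expect `location=`, so the place will not be rendered as written; suggest renaming the parameter in both. In the first paragraph of the hunk, "Until January 2023, the Commission published a new commitment" does not parse with "Until" and needs rewording against the cited ICCL source.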
Line 314:
Switzerland will also adopt a new data protection law that largely follows EU's GDPR.<ref>{{Cite web |last=Portal |first=S. M. E. |title=New Federal Act on Data Protection (nFADP) |url=https://www.kmu.admin.ch/kmu/en/home/fakten-und-trends/digitalisierung/datenschutz/neues-datenschutzgesetz-revdsg.html |access-date=2023-03-25 |website=www.kmu.admin.ch |language=en |archive-date=25 March 2023 |archive-url=https://web.archive.org/web/20230325204902/https://www.kmu.admin.ch/kmu/en/home/fakten-und-trends/digitalisierung/datenschutz/neues-datenschutzgesetz-revdsg.html |url-status=live }}</ref>
With the addition of overseas regions of the European Union joining non-governmental organsational (NGO) bodies in the Caribbean region such as the [[Organisation of Eastern Caribbean States]], the GDPR rules have become necessary to consider in the lack of any current legislation found in the region concerning privacy rights and maintaining compliance of the laws of those outer regions.<ref>{{cite web |author=Staff writer |author-link1= |date=23 January 2020 |___location= |title=The European Union (EU) General Data Protection Regulation (GDPR) in the Caribbean Context |script-title= |title-link= |url=https://www.carib-export.com/news/the-european-union-eu-general-data-protection-regulation-gdpr-in-the-caribbean-context/ |url-access= |trans-title= |format= |department= |website=www.carib-export.com |script-website= |trans-website= |type=Press Release |language= |edition= |agency=Carib-Export |arxiv= |asin= |asin-tld= |bibcode= |bibcode-access= |biorxiv= |citeseerx= |doi= |doi-access
The [[CLOUD Act]], enacted in 2018, is seen by the [[European Data Protection Supervisor]] (EDPS) as a law in possible conflict with the GDPR.<ref>{{cite web |author=European Data Protection Supervisor |date=10 July 2019 |title=EDPB-EDPS Joint Response on the US Cloud Act |url=https://edps.europa.eu/sites/edp/files/publication/19-07-10_edpb_edps_cloudact_annex_en.pdf}}</ref><ref name=":02">{{cite web |last=Christakis |first=Theodore |date=October 17, 2019 |title=21 Thoughts and Questions about the UK-US CLOUD Act Agreement: (and an Explanation of How it Works – with Charts) |url=https://europeanlawblog.eu/2019/10/17/21-thoughts-and-questions-about-the-uk-us-cloud-act-agreement-and-an-explanation-of-how-it-works-with-charts/ |accessdate=July 20, 2020 |work=blog}}</ref><ref>{{Cite web |last=Whitworth |first=Martin |date=2018 |title=Don't Get Spooked by the CLOUD Act |url=https://d1.awsstatic.com/whitepapers/compliance/IDC_Cloud_Act_Analysis.pdf |publisher=International Data Corporation}}</ref>
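Review bot: In the Swiss nFADP citation, `|last=Portal |first=S. M. E.` reads like the site name "SME Portal" split into a surname and initials rather than a person's name. Suggest dropping the author fields and putting the site name in `website=`, which currently holds the bare hostname `www.kmu.admin.ch`. The Carib-Export citation in the next paragraph carries a long run of empty parameters (`|author-link1= |___location= |script-title= |title-link=` and onward) that can be deleted, and the Christakis citation uses `accessdate=` and `work=blog` where the other citations in this hunk use `access-date=` and a real site name.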