Talk:General Data Protection Regulation

Principles section should Cover Article 5 more than Article 6
When the EU describes the GDPR (https://gdpr.eu/what-is-gdpr/), they list seven principles that form the basis:

Data protection principles. If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:

Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified. Accuracy — You must keep personal data accurate and up to date. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption). Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

The current section on "principles" pulls from Article 6, which is framed by the EU as being about "Lawfulness of processing". I think the prinicples section should cover Article 5, and don't know how important it is to cover Article 6. ★NealMcB★ (talk) 21:29, 29 September 2021 (UTC)

Regulation "Chatcontrol"
In July 2021 the Eu Parliament approved Chatcontrol, a regulation that allowed for the following three years Internet Service Providers to scan extensively the e-mail of their private users in order to prevent child abuses. They don't need of any specific authorization. The regulation derogates GDPR (sources:, ). — Preceding unsigned comment added by 151.82.218.171 (talk) 15:13, 8 October 2021 (UTC)

Claim Doesn't Seem to be Supported by Reference
At the beginning of the article it says: "The regulation became a model for many national laws outside the EU, including United Kingdom, Turkey, Mauritius, Chile, Japan, Brazil, South Korea, Argentina and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR." the reference for that is number 2 which is an article on the sites advisera.com titled "The differences between the California Consumer Privacy Act and the GDPR" about the CCPA but as far as I could see doesn't mention any other nations. Did I miss something in that article or is there another source to support this claim? I believe it is true but would like to see a solid reference for it. --MadScientistX11 (talk) 23:16, 15 October 2021 (UTC)


 * I think this is an attempt to promote some of the other laws. Are any of these places publicly stating they are 'going to seek GDPR as a basis for their privacy law', or be 'on par' with it, or 'GPDR style compliance etc'. CaribDigita (talk) 23:15, 2 March 2024 (UTC)

Content imported from another Wikipedia page
Content at General Data Protection Regulation has been imported from Draft:Risk-based approach in the GDPR by an inexperienced editor without any annotation in the edit summary. Advice has been left at User talk:Elena2341, and a new section at Draft talk:Risk-based approach in the GDPR.--Rocknrollmancer (talk) 21:42, 5 May 2022 (UTC)

"Risk Based Approach"
Industry lawyers have for a long term advocated that the GDPR would have a "risk based approach". This is not correct, while some articles of the GDPR do refer to risk (e.g. Article 32 GDPR on security), the notion that the entire law should only be complied with if there is a "risk", is not correct. The relevant section of the Wikipedia article is only referring to one (!) source, not the any element of the law. It should be deleted. Maxschrems (talk) 19:11, 21 January 2023 (UTC)

Privacy and data protection
The terms "privacy" and "data protection" are currently used synonymously in this article, but it may be helpful to mention that data protection and the right to privacy are considered distinct concepts in EU law. The GDPR is largely concerned with protecting individuals from the potential harms arising from the automated processing of personal data relating to them, i.e., ensuring that personal data used in decisions affecting individuals is "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (Jon Bing calls this a "decision-oriented view of data protection"). This departs from the traditional notion of privacy, which focuses primarily on keeping private, personal matters out of the public eye. Any personal data, whether publicly available or not, can be processed to infer characteristics of specific identifiable individuals and used to make decisions that affect those individuals, and is therefore subject to data protection under the GDPR.

It is also problematic that there is currently almost no mention of the principles of adequacy and relevancy set out in Article 5(1)(c), and how these principles relate to the protection of individuals from unfair automated decisions under various circumstances. First Comet (talk) 10:16, 20 August 2023 (UTC)

Wiki Education assignment: Cybersecurity Policy
— Assignment last updated by MrLavoie (talk) 00:46, 20 February 2024 (UTC)

Is it wrong to list Facebook as an example company that's been found in breach of this law?
In 2023. Facebook (owned by Meta) was issued a record breaking fine by the European Union regarding this law. I included it as part of Timeline indicating how this law has made history, but another editor said company names shouldn't be listed. I contend is it wrong to list company names for having breached this law? CaribDigita (talk) 23:08, 2 March 2024 (UTC)


 * I guess this is about significance. There are thousands of companies that are fined under GDPR, but a "record breaking" fine representing an egregious abuse of the law would be significant. I can't see a reason for not naming the company as such.
 * I would add that GDPR's enforcement strategy is deliberately aggressive and attempts to create consistency, but there have also been well known issues with getting this in place regarding Ireland's DP authority, where many international tech businesses operate their EU personal data processing from. Depending on whether authors have time to expand the article around GDPR's development post implementation, this would also be significant information that would require mention of Facebook / Meta as a major data processor that has been held to shield under Ireland's lax or slow enforcement of GDPR.
 * (Post script: I went back to the article and this is covered pretty well, some direct criticisms of the Irish DPA may be missed but most of the information is there). Jim Killock (talk) 09:08, 4 March 2024 (UTC)