LLMpedia: The first transparent, open encyclopedia generated by LLMs

General Data Protection Regulation

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: General Data Protection Regulation
Enacted by: European Parliament and Council of the European Union
Date enacted: 27 April 2016
Date commenced: 25 May 2018
Status: in force

The General Data Protection Regulation is a comprehensive data protection law enacted by the European Parliament and the Council of the European Union to harmonize data protection rules across the European Union and reshape relations with the United States and other jurisdictions on data flows. The Regulation replaced the Data Protection Directive and established rights, obligations, and enforcement mechanisms affecting public authorities such as the European Commission and private entities including multinational firms like Google, Facebook, and Amazon. It has influenced international agreements and litigation involving courts such as the Court of Justice of the European Union and national authorities including the Information Commissioner's Office.

Background and Legislative History

The legislative trajectory involved institutions and actors such as the European Commission, the European Parliament, the Council of the European Union, and national data protection authorities including the CNIL (France), Bundesdatenschutzbeauftragter (Germany), and Agencia Española de Protección de Datos. Preparatory work referenced instruments like the European Convention on Human Rights, the Charter of Fundamental Rights of the European Union, and cases adjudicated by the Court of Justice of the European Union including rulings related to Google Spain v AEPD and Mario Costeja González. Negotiations engaged prominent political figures and committees within the European Parliament such as the LIBE Committee and involved trilogue meetings among representatives from the European Commission, European Parliament, and Council of the European Union.

Scope and Key Principles

The Regulation applies to processing activities by controllers and processors established in the European Union and to entities outside the EU offering goods or monitoring behaviour of individuals in the EU, implicating multinational corporations like Apple Inc., Microsoft, and Twitter. Core principles draw on precedents from the Data Protection Directive and international standards such as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and include lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. Mechanisms such as data protection by design and by default, data protection impact assessments, and pseudonymization mirror practices advocated by bodies like the European Data Protection Supervisor and intersect with standards from organizations such as the International Organization for Standardization.

Rights of Data Subjects

The Regulation codified rights for individuals including the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, and rights related to automated individual decision-making including profiling. These rights have been asserted in disputes before courts like the Court of Justice of the European Union and enforced by national authorities such as the Bundesamt für Sicherheit in der Informationstechnik and the Data Protection Commission (Ireland), often in contexts involving companies such as Facebook Ireland Limited and Google LLC.

Obligations of Controllers and Processors

Controllers and processors must implement technical and organizational measures, maintain records of processing activities, appoint data protection officers where applicable, and cooperate with supervisory authorities such as the Information Commissioner's Office and the Autorité de protection des données (Belgium). Contracts between controllers and processors are subject to requirements reflected in model clauses and guidance produced by bodies including the European Data Protection Board and are implicated in corporate compliance programs at firms like IBM, SAP (company), and Oracle Corporation.

Enforcement and Penalties

Enforcement is carried out by independent supervisory authorities in each member state, coordinated through the European Data Protection Board and subject to judicial review by courts including the Court of Justice of the European Union. Penalties include administrative fines up to specified percentages of global turnover, applied in high-profile cases involving corporations such as Google, British Airways, and Marriott International. Enforcement actions have provoked litigation before national courts and supranational bodies, and have involved remedies like injunctions, reprimands, and orders to suspend processing.

International Impact and Data Transfers

The Regulation reshaped international data transfer mechanisms, influencing frameworks like the EU–US Privacy Shield and successor arrangements, and prompting reliance on transfer tools such as standard contractual clauses, binding corporate rules, and adequacy decisions including those concerning jurisdictions like Japan, Canada, and Switzerland. Judgments by the Court of Justice of the European Union, including decisions affecting transfers to the United States, have led to renegotiations among governments and businesses and engagement with institutions such as the European Commission and national ministries.

Criticisms and Reforms Proposed

Critiques have come from stakeholders including technology companies like Facebook and Google, trade associations, civil society groups such as Privacy International, and academic commentators affiliated with institutions such as Oxford University and Harvard University. Commonly cited issues include compliance costs for small and medium enterprises, legal uncertainty around international transfers impacting agreements with entities like American Civil Liberties Union litigants, tensions between data protection and law enforcement bodies such as Europol, and debates over interoperability with sectoral regulations like the ePrivacy Directive. Proposed reforms and guidance have been developed by bodies including the European Commission, the European Data Protection Board, and national parliaments, and have been subject to consultation with stakeholders such as the Council of Europe and the Organisation for Economic Co-operation and Development.
