cc3976fb7f
- Split competitive-analysis-2026-05.org → TOC + 9 competitor files in ideas/competitors/. Dropped date from filename. All competitor UUIDs generated, TOC keeps original UUID for backlink continuity. - Deleted passepartout-economics.org archive (replaced by 27-node KB). - Inlined 5 'See also' blocks into natural prose (compliance-index, first-mover-window, revenue-table, orders-of-magnitude-time, native-org-knowledge-base). - Linked 7 orphan compliance pages back to compliance index + finished truncated sentences. - Linked all 14 Agora requirement docs from topic-relevant pages (identity→lisp-machine-security, infrastructure→compute-marketplace, social-space→growth-strategy, exchange→agora-contracts, etc.). - Linked ai-industry-impact from investment-thesis, sufficiency-flip, verification-appliance, effects-growth-flywheel (up from 1 to 10+ pages). - Fixed CREATED timestamps to use git commit dates instead of today. - Made all links absolute from root (no port inheritance). - Removed stale agora/docs/ duplicate content.
2.5 KiB
GDPR (General Data Protection Regulation)
GDPR (General Data Protection Regulation)
What it is
EU regulation (effective May 2018) governing the processing of personal data of natural persons in the EU. Extraterritorial — applies to any organization processing EU personal data regardless of where the organization is based.
Key requirements:
- Lawful basis for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests)
- Data minimization — collect only what is necessary
- Purpose limitation — do not reuse data for incompatible purposes
- Storage limitation — delete when no longer needed
- Right of access, rectification, erasure (right to be forgotten), data portability, restriction, objection
- Data Protection Impact Assessment (DPIA) for high-risk processing
- Breach notification within 72 hours to supervisory authority
- Data Protection Officer (DPO) appointment for certain controllers/processors
- Data Processing Agreements (DPAs) between controllers and processors
Who must comply
Any organization that processes personal data of EU residents. Includes controllers (determine purposes and means) and processors (process on behalf of controller). Non-EU organizations with EU data subjects are in scope.
Penalties
Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered system. Supervisory authorities in each member state enforce. Private right of action for damages.
Why it matters for the triad
GDPR is the most extraterritorial and aggressively enforced privacy framework. The gate stack's principle of least privilege maps naturally to GDPR's data minimization requirement. Every data access is gated by a verified rule that states the purpose — the proof log is a built-in DPIA artifact. For the compute marketplace: a provider processing proofs on EU users' gate data must maintain DPAs with all clients. Proof logs themselves may constitute personal data if they reference natural persons (names in access rules, etc.), creating a demand for privacy-preserving proof techniques. This is why the GDPR gate package includes data-processing agreement templates and purpose-boundary gate rules that are independently verified by the provider's evaluation harness.