GENERAL DATA PROTECTION REGULATION
On 25th May 2018, 2 years after its adoption, the EU began enforcing the General Data Protection Regulation, which created waves globally with respect to personal data protection.
The GDPR, while replacing the data protection regime that previously governed the EU (the Data Protection Directive), aims at harmonizing rules across the 28-nation EU bloc. The EU enforced the GDPR with the intent to reshape the way organizations approach data privacy, by giving citizens control over their personal data and thereby protecting against the misuse of personal information. The provisions of the Regulation ensure that firms covered by the GDPR do not merely update their privacy policies but take active steps to change their internal mechanisms in order to comply with the Regulation.
Extra-territorial Applicability
The GDPR applies to all companies that process personal data of data subjects residing in the Union, regardless of the company's place of incorporation or place of doing business.
The Regulation classifies data handlers into two categories, namely ‘processors’ and ‘controllers’. A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while a processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”.1 The Regulation clearly provides that it applies to the processing of personal data by controllers and processors in the EU, irrespective of where the processing itself takes place.
Informed Consent
The Regulation mandates informed consent of the data subjects as a prerequisite to collecting, processing and storing personal data. In contrast to the earlier “take it or leave it” approach followed by companies, under the new regime the data subject has to be properly informed about the data being collected. The conventional way of obtaining consent through incoherent terms and conditions, or through long privacy policies not comprehensible to laymen, is not acceptable under the current regime. There must be a real choice of saying yes or no. The data controller/processor is also obligated to ensure that consumers have an option to withdraw their consent.
Enlargement of the Rights of Data Subjects:
- Right to Erasure of Data: The GDPR gives data subjects complete control over their personal data, to the extent that they have the right to have their personal information erased and to halt further dissemination of the data.
- Right to Breach Notification: Where a data breach is likely to result in a risk to the rights and freedoms of individuals, the data subjects are entitled to a breach notification within 72 hours of the breach first becoming known.
- Right to Access: In order to ensure 100% transparency, data subjects have a right to a free electronic copy of the personal data collected from them.
The principle of Data Minimisation
The Regulation works on the principle of data minimization and thus allows only the collection of data that is essential to the service being offered (Article 23). For this purpose, it requires that the purpose for which the data is collected be specifically stated. The approach earlier adopted by companies, whereby consumers were forced to consent to targeted advertising, is no longer possible. Where data is shared with third parties, this has to be specifically brought to the knowledge of the data subjects.
Privacy by Design
The GDPR emphasizes that privacy is not merely an add-on but must be integrated into the core design of the business of all entities. For this purpose, the data controller should implement appropriate technical and organizational measures to meet the requirements of the Regulation.
Penalty
Non-compliance with the GDPR could result in the imposition of a maximum penalty of 4% of global turnover or 20 million dollars, whichever is greater. This threat of heavy penalties ensures that companies themselves strictly adhere to the broad set of rules in order to safeguard themselves from being penalized.
Data Protection Officers
The Regulation envisages the appointment of Data Protection Officers for those data controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects. The Data Protection Officer has the responsibility of ensuring that the entity is compliant with all provisions of the GDPR at all times.
Wider Scope of the Definition of ‘Personal Data’
The definition of personal data is wider and, apart from the conventional heads such as name, address, photos and biometric data, also includes IP addresses, genetic data, etc.
Impact:
The extraterritorial applicability of the Regulation, supplemented by its stringent compliance and penalty provisions, has resulted in companies frantically trying to become GDPR compliant since its adoption. While we have all received emails and on-site notifications from companies regarding the review of their privacy policies, some companies that were unable to do so in time have resorted to temporarily blocking their services in Europe. Microsoft, commending the efforts taken by the EU to set an example, has implemented its new privacy policy worldwide. Several organizations have taken it upon themselves to bring out data privacy tools to keep themselves GDPR compliant. Apple has launched a data privacy portal that allows customers to manage, correct or delete their data.
The GDPR has influenced various nations the world over to adopt stringent data protection measures. Japan has adopted the “Japanese Act on Protection of Personal Information”. India is also in the process of drafting a law for data protection; a committee headed by Justice Srikrishna has been tasked with this.