An INDIAN insight into Europe

EUROPEAN UNION’S GENERAL DATA PROTECTION REGULATION: 

PRIVACY BY DESIGN AND DEFAULT

25. 05. 2018

Privacy in the digital age is no longer a myth after 25 May 2018. The European Union’s (EU) General Data Protection Regulation (GDPR) is the outcome of two decades of EU regulatory revolution and has set the benchmark for a European online data protection regime with global implications. The GDPR has 173 Paragraphs, 11 Chapters and 99 Articles that cover the entire gamut of individual privacy and online data protection issues in a networked world. The significance of the regulation is that it regards ‘data as a natural entity’ and protects the rights of the individuals whose data is collected, stored and used by the state and, even more so, by businesses in every probable way. This issue was clearly amplified by the recent revelations of the misuse of Facebook data by Cambridge Analytica.

The Second Paragraph of the GDPR clearly underlines the core concerns with respect to personal data: “the principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.” (EC 2016).

In the digital era, data has become ‘the driver and the power’ of the networked world; at the same time, the protection, use and misuse of online data have emerged as paramount concerns for individuals, society, policymakers and businesses. To address rising data security and misuse concerns, the EU adopted the GDPR in 2016 and gave a two-year period, until 25 May 2018, for all EU Member States and businesses to comply with the new regulation. This is the most significant development in the global digital discourse on data protection and individual privacy during the last 30 years. The key features of the GDPR are: awareness, consent, expanded scope, individual rights, access requests, privacy by design, transparency, accountability, data protection officers and penalties. GDPR compliance will further encourage the idea of ‘data hygiene’ among stakeholders, which will enable a culture of error-free, clean data. The regulation is intended to safeguard data and simultaneously to boost European digital integration, enhance the digital single market and create a European data economy across the Union.

The GDPR identifies two types of data: personal data, which can identify the individual, and non-personal data. The expansion of the tech industry and the growth of the digital economy have resulted in the collection and storage of large amounts of personal data, which has gradually been monetised in the name of better service delivery. In the process, individual privacy has been ignored and often overlooked in data collection and in the sharing of information with third parties, which has serious political, economic, security and social ramifications.

Data Collection and Management: Consent, Accountability and Penalty

At the heart of the new regulation is the crucial aspect of the individual’s consent (informed, specific and unambiguous) for data collection, and accountability on the part of the data processor. Article 25 of the GDPR has made it obligatory for all stakeholders to put in place ‘data protection by design’. The seriousness of protecting such data is evident from the penalties for infringements described under Article 83, amounting to “up to 10,000,000 EUR, or in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher” (EC 2016: 82). Likewise, non-compliance also invokes strong penalties, all of which draw attention to the liability that rests with an organisation for the collection, storage, use and sharing of online data. In addition, the GDPR has adopted security techniques such as ‘pseudonymisation’ to protect Personally Identifiable Information (PII) from hacking or data leaks such as those in the Equifax or Ashley Madison cases in 2015.

At the core of the GDPR is the protection of the individual’s rights with respect to their personal online data. The new regulation thus provides a large set of rights to EU residents, such as the “Right to be informed about the personal data organizations have about them; Right to access personal data; Right to rectification – correct errors in personal data or add to incomplete records; Right to erasure (“the right to be forgotten”); Right to restriction on processing of personal data; Right to data portability; Right to object to the processing of personal data” (EC 2016). Further, Article 28 addresses ‘data collection’, ‘data transfer’ and ‘data flows’ to third parties. Herein lies the major challenge for foreign companies such as Facebook, Google, or any Indian company that wants to do business within the EU, as they are now required by law to comply with the GDPR. The regulation seeks to enhance the responsibility and accountability of industries and businesses towards their consumers, given that most of the earlier privacy laws were weak on compliance and penalties.

The big challenge is that the Member States and businesses are not yet fully GDPR compliant. As the regulation comes into force, some countries such as Germany, which already had good privacy laws, are ahead of the curve, but for many businesses across the EU, adapting to the new regulation is a never-ending nightmare. On consent, compliance and redress for data breaches, there is a wide gap between the capability that exists or has been built EU-wide and the standards the regulatory framework sets.

In a digital and networked world, where bots, trolls and disinformation are already challenging liberal democratic societies, the GDPR has vested significant responsibilities in data protection officers, industries and researchers to make the digital world safe, create transparency in the way data is handled and prevent the misuse of personal data. The GDPR can be seen as ‘rules of engagement’ developed by the EU to address the challenges posed to the Union by growing technologies and processes such as the Internet of Things and Artificial Intelligence, but with global spillover effects. The implementation of the GDPR will make the EU a more robust cyber power and actor, and a pioneer especially with regard to online data creation, access and protection. In an Orwellian world, where every online activity and every interfaced part of everyday life that produces data can be watched, tracked and stored, the GDPR seeks to be the gatekeeper of individual privacy; the challenge for the EU, however, is 100 percent compliance.

Prof. Dr. Ummu Salma Bava, Chairperson & Jean Monnet Chair and Jayadev Parida, Ph.D. Scholar, Centre for European Studies, SIS.