General Data Protection Regulation : Is India Ready ? [Part — I]
DATA AND THE MODERN ERA:
• In today’s ever-changing world, where age-old conventional technology is discarded every day, data has proved to be the most important asset and is usually termed the “oil” or “air” of our society. This avalanche of data, or should I say Big Data, is the chief business interest of the big entities of our complex society. It is ex-facie clear that our data is the centre of attraction for those entities. Invisible data brokers, in the guise of data analytics, are collecting, packaging and selling our personal private data online and offline without our knowledge. Even the various e-commerce and social media companies are collecting, storing and tracking our data. Our life is converted into a data package in which we are merely the product. Our every purchase, every journey, every like and dislike, our hobbies and thinking, and thus every part of our life, is digitised, tracked and logged. Today, all around us, we can find a data war in which unknown and invisible data brokers are stealing our data and profiling us. This is an unfair business.
• In the light of the above, we need legislation that will protect us from this gross attack on our cherished privacy and security. The cornerstone of all the laws in the world is human dignity, as we strongly believe in the celebrated maxim “Salus populi suprema lex esto” [Let the good (or safety) of the people be the supreme (or highest) law]. But the innate difference between the progress of technology and that of law lies in the fact that technology moves at rapid speed while law moves slowly. Today, with the growing use of algorithms, the strained relationship between law and data analytics or Artificial Intelligence is becoming prominent. The intention of privacy legislation is to curb the unauthorised collection, sharing, management and use of one’s personal data. Online social media organisations access one’s shared information, identify the person and thus control his autonomy. Any kind of algorithmic failure will jeopardise one’s identity and autonomy in the days to come.
GENERAL DATA PROTECTION REGULATIONS:
In the above backdrop, the European Union has come up with one of the world’s most comprehensive regulations, known as the GENERAL DATA PROTECTION REGULATION or, popularly, GDPR. GDPR is the biggest revolution in the data protection law of the world.
Europe has had its PRIVACY LAW or DIRECTIVES since 1990 and 1994, long before the GDPR came into effect.
It was adopted by the EU Parliament in April 2016.
It came into effect on May 25th, 2018.
It has 99 articles and over 200 pages of long and complex regulation.
Companies that have no physical presence in Europe but collect and process the personal data of Europeans are governed by these regulations.
GDPR also governs the transfer of personal data outside Europe.
A data subject’s consent must be clear, freely given, informed and specific, and can be withdrawn without any consequence.
The main function of GDPR is to protect the personal data of an individual by assuring its proper security, governance and management, and to help prevent the personal data of the individual from being misused.
For GDPR compliance, companies have to implement solutions and processes that enable them to protect, discover, classify and monitor data.
Europe’s earlier exposure to privacy law helped it to be so painstaking and elaborate in drafting such a huge piece of legislation. Now let us look at some of the important Articles of GDPR.
ARTICLE 1 : Subject-matter and objectives :
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
ARTICLE 2 : Material scope
2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU
(c) by a natural person in the course of a purely personal or household activity
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
ARTICLE 3 : Territorial scope :
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
ARTICLE 4 : Definitions
For the purposes of this Regulation :
1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
ARTICLE 5 : Principles relating to processing of personal data
1. Personal data shall be :
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
ARTICLE 6 : Lawfulness of processing :
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
ARTICLE 7 : Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
ARTICLE 9 : Processing of special categories of personal data :
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
ARTICLE 21 : Right to object
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
ARTICLE 33 : Notification of a personal data breach to the supervisory authority
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
ARTICLE 34 : Communication of a personal data breach to the data subject :
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
ARTICLE 52 : Independence :
1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.
ARTICLE 82 : Right to compensation and liability :
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
ARTICLE 83 : General conditions for imposing administrative fines :
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
GDPR already has a global impact on consumers in respect of Personally Identifiable Information.
The GDPR has expanded the very definition of personal data.
Companies dealing with personal data have to notify any breach or hacking of the organisation’s data concerning the personal data of citizens of any country within 72 hours.
People also say that GDPR is a de facto world regulation.
The penalty under GDPR is severe. Non-compliance with the regulation will result in a fine of up to 20 million Euro or 4 percent of annual global turnover, whichever is higher.
BRIGHTER side of the GDPR
Companies will get a chance to reorganise their digital infrastructure and may earn the confidence of global citizens.
The personal data of citizens will be protected.
GDPR is a preparation ground for the legislatures of the entire world in drafting and adopting their own data privacy laws.
GDPR is a journey, not a destination, since it requires ongoing, continuous compliance. After full compliance with GDPR, organisations have to show reasons for holding data and keep it safe. Companies have to obtain your consent if they want to keep your information.
Every country other than the European countries is closely watching and following the after-effects or aftermath of GDPR coming into effect.
The cost of GDPR compliance is very high for companies, and it is not a one-time investment but a journey with an ongoing process, hence continuing expenditure to be incurred.
Given the existing corporate structure of India, the big question is whether Indian companies are ready to handle GDPR compliance or will be forced to stop their operations in other countries and the processing of personal data there.