A complete and brief summary of the EU GDPR: the General Data Protection Regulation is a mandatory data protection regulation that ensures a harmonized approach across all European Member States.
Introduction:
In globalized online trade, personal data (personal information) has become the key element driving online activity, much as cash drives business. Due to massive improvements in information and communication technologies, vast amounts of data are transmitted, stored and collected across the globe every day. But in today's information-driven digital world, the handling and protection of data has turned into an international issue. Insufficient protection of data can create a negative market effect and adverse economic conditions. Given the severity and complexity of protecting data as it flows, the most significant regional initiative was taken by the European Union in 1995, which established the "European Union Data Protection Directive". The directive has also had a major impact on global privacy. It set the standard for international data flow for two decades. After more than twenty years of operation, the European Union upgraded the directive and replaced it with the "General Data Protection Regulation". The GDPR was adopted on 14 April 2016 and became enforceable from 25 May 2018.
General Data Protection Regulation (GDPR):
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on data protection and privacy for all individual citizens of the European Union and the European Economic Area (EEA). It primarily aims to give individuals control over their personal data and to streamline international business under a uniform EU regulatory environment.
GDPR is a mandatory data protection regulation that ensures a harmonized approach across all European Member States. It provides a uniform and simplified legislative data privacy framework. GDPR establishes a single pan-European set of laws that makes it easier for companies to adopt a single privacy policy throughout the EU. At the same time, it protects the rights of individuals across the continent.
Succeeding the Data Protection Directive 95/46/EC, the GDPR contains provisions and principles regarding the processing of personal data of individuals inside the EEA and also addresses the transfer of personal data outside the EU and EEA. It also applies to any enterprise established in the EEA and, regardless of its location, to any enterprise processing the personal data of data subjects in the EEA, whatever the data subjects' citizenship.
[Note: A data subject is any person whose personal data is being collected, held or processed.]
The GDPR 2016 is divided into 11 chapters: General Provisions; Principles; Rights of the data subject; Controller and Processor; Transfer of personal data to third countries or international organizations; Independent supervisory authorities; Cooperation and consistency; Remedies, liability and penalties; Provisions relating to specific processing situations; Delegated acts and implementing acts; and Final provisions.
Let's discuss the important features of GDPR.
1. General Provisions:
According to Article 1 of the General Provisions, GDPR protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. It establishes rules ensuring the protection of natural persons in the processing and free movement of personal data.
Natural Person: The law states that information must refer to a natural person in order to count as personal data. In other words, data protection does not apply to information about legal entities such as corporations, foundations and institutions. For natural persons, on the other hand, protection begins and ends with legal capacity. Basically, a person obtains this capacity at birth and loses it upon death.
2. Personal Data:
As per Article 4(1) of GDPR, 'personal data' means any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data must therefore be attributable to an identified or identifiable living person to be considered personal.
3. Six data protection principles of GDPR:
According to Article 5(1) of GDPR, there are six principles relating to the processing of personal data. 'Processing' means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Let's discuss in detail the six principles relating to the processing of personal data.
GDPR first principle: 'Lawfulness, fairness and transparency' must be maintained in the processing of personal data.
GDPR second principle: 'Purpose limitation'. Personal data should be collected for specified, explicit and legitimate purposes, and should not be further processed in a manner that is incompatible with those purposes.
[Note: Processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes.]
GDPR third principle: 'Data minimization'. Only personal data that are adequate, relevant and limited to what is necessary in relation to the purposes should be processed.
GDPR fourth principle: 'Data accuracy'. Personal data must be accurate and kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
GDPR fifth principle: 'Storage limitation'. Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
[Note: Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.]
GDPR sixth principle: 'Integrity and confidentiality'. Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
4. Controller:
As per Article 4, 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law.
5. Consent:
Processing personal data is generally prohibited unless it is expressly allowed by law or the data subject has consented to the processing. Consent must be freely given, specific, informed and unambiguous. For consent to be informed and specific, the data subject must at least be notified of the controller's identity, what kind of data will be processed, how it will be used and the purpose of the processing operations, as a safeguard against 'function creep'. The data subject must also be informed of his or her right to withdraw consent at any time. Withdrawal must be as easy as giving consent.
[Note: Function creep is the gradual widening of the use of a technology or system beyond the purpose for which it was originally intended, especially when this leads to a potential invasion of privacy.]
6. Rights of the Data Subject:
Right of Access: The right of access by the data subject (Article 15 GDPR) includes information about the processing, such as the processing purposes, the categories of personal data processed, the recipients or categories of recipients, the planned duration of storage or the criteria used to determine it, and information about the rights of the data subject.
Right to Rectification: As per Article 16 in GDPR, the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
Right to Erasure (Right to be Forgotten): According to the right to erasure stated in Article 17 of GDPR, personal data must be erased immediately where the data are no longer needed for their original processing purpose, or where the data subject has withdrawn his or her consent and there is no other legal ground for the processing.
Right to Data Portability (Article 20 in GDPR): The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Right to Restriction of Processing (Article 18 in GDPR): The data subject shall have the right to obtain from the controller restriction of processing where (i) the accuracy of the personal data is contested by the data subject; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; or (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
Right to Object (Article 21 in GDPR): The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her where:
(i) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(ii) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
(iii) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Note: The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
7. Data Protection Officer:
The General Data Protection Regulation (GDPR) has established the concept of a Data Protection Officer (DPO) in Europe. Whether a Data Protection Officer must be appointed depends not on the size of the company but on its core processing activities. If the core activities consist of processing sensitive personal data on a large scale, then appointment of a DPO is a legal obligation.
8. Penalties:
National supervisory authorities can or must impose fines for specific data protection violations in accordance with the General Data Protection Regulation. For especially severe violations, listed in Art. 83(5) GDPR, fines can be up to 20 million euros or, in the case of an undertaking, up to 4% of its total global turnover of the preceding fiscal year, whichever is higher. But even the catalogue of less severe violations in Art. 83(4) GDPR sets forth fines of up to 10 million euros or, in the case of an undertaking, up to 2% of its total global turnover of the preceding fiscal year, whichever is higher.
9. Cross Border Data Transfer:
With booming international trade, it has become essential to transmit data to third countries. But to keep a tight hold on its citizens' data privacy, the European Union has implemented strict guidelines for cross-border data transfer. As per GDPR, first the data transfer itself must be legal and authorized; for special categories of personal data, Art. 9 GDPR provides separate legal requirements. Then, in a second step, as per the GDPR third-country guidelines, data must be transferred only to secure third countries which provide a suitable level of data protection on the basis of an adequacy decision confirmed by the European Commission. In those countries, national laws provide a level of protection for personal data comparable to that of EU law.
At the time the General Data Protection Regulation became applicable, the third countries recognized as ensuring an adequate level of protection were: Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan and the USA (if the recipient belongs to the Privacy Shield). Data transfer to these countries is expressly permitted.
If there is no adequacy decision for a country, this does not necessarily foreclose all data transfer to that country.
10. Strengths of GDPR:
The GDPR has the strongest set of baseline privacy principles, with comprehensive and mature coverage of data protection. It has achieved significant consistency within the EU and also acts as a global influencer well beyond its borders. The GDPR has provided sufficient grounds for the privacy of personal data, with strict regulation of cross-border data transfer. With its strict data protection measures, it reduces many times over the chances of cybercrime, data breaches and unlawful access to personal data.
However, the limitations of GDPR should also be discussed:
11. Limitations of GDPR:
Due to the stringent GDPR policy, small companies see it as a barrier. The European Union also faces some difficulty in balancing data transfer against data protection, which may affect the economy. For example, data transfers between the United States and the European Union are of utmost importance. The European Commission was keen on securing the flow of personal data through a unique arrangement. However, from a data protection point of view, the so-called Safe Harbour agreement between the two parties was always questionable and was declared invalid by the European Court of Justice in the wake of the Snowden revelations (Schrems v. Data Protection Commissioner). Since then it has been replaced by another unique framework, the Privacy Shield, which is meant to provide a stricter set of ground rules for data transfer from the EU to the US. However, many points criticized by the Court in the Schrems ruling persist in the new arrangement. Therefore, the Privacy Shield is currently under close scrutiny by the European Data Protection Authorities.
Conclusion:
The European Union has set such a global data privacy guideline through GDPR that international companies and many other nations are highly influenced by its "Brussels effect". The Brussels effect is the process of unilateral regulatory globalization caused by European Union laws taking effect outside its borders through market mechanisms. The European Union (EU) is an economic and political union of 28 countries. The EU countries are: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK. The European Economic Area (EEA) has 31 members (the EEA includes the EU countries plus Iceland, Liechtenstein and Norway) and accounts for a significant proportion of the world's population and global trade. Now, due to the implementation of the GDPR in the EU and EEA, other nations are under pressure to frame an up-to-the-mark "Data privacy law & Regulation" in order to become active participants in international trade and business.
Special Note:
Brexit (British Exit) is the scheduled withdrawal of the United Kingdom from the European Union following the June 2016 referendum. The UK government formally announced the country's withdrawal in March 2017, starting a two-year process that was due to conclude with the UK withdrawing on 29 March 2019. As the UK Parliament three times voted against the negotiated withdrawal agreement, that deadline has been extended twice and is currently 31 October 2019. An act of Parliament requires the government to seek a third extension if no agreement is reached before 19 October.