The modern era of information and technology has turned our personal data into a valuable commodity. Unfortunately, the evolution of the law protecting such a commodity has failed to keep up with ever-changing technologies. As a result, a lot of confusion has arisen over the past few years, and many opportunists have taken advantage of this confusion by stealing and selling our personal data without informing us that our identities have been stolen.
In Europe, however, a new era of personal data protection has begun with the enforcement of the General Data Protection Regulation (GDPR) by the European Union (EU). It is by far the most advanced and relevant legislation in this regard. It was adopted by both the European Parliament and the European Council in April 2016 after four years of negotiations.
GDPR has brought some sweeping changes to the field of data protection by harmonising data privacy laws across Europe. It comprises 99 Articles giving greater protection and rights to EU individuals. It regulates the processing of the personal data of individuals in the EU by any individual, company or organisation. According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.” So, a person from any part of the world who deals with even one citizen of an EU member state comes under the purview of GDPR.
Under the new rules, a consumer or user must give informed consent regarding the use of his or her data. This consent cannot be a blanket one covering everything; rather, users have to actively “opt in” to give the required permission. The terms and conditions for the consent, and information regarding the usage and purpose of harvesting the data, must be presented in a clear and concise way, using language that is comprehensible. The request must be distinguishable from other general terms and conditions and must also include the contact details of the company processing the data.
The new rules also provide EU citizens with a set of rights, including the right to access and erasure of personal information. The right to access means that EU citizens will be able to obtain every kind of information regarding any personal data held about them. They will be able to ask the controllers of their data to disclose the collection of data that they hold about them. They will also have access to information regarding the use of such data and regarding any third party having access to it. Users will have the right to request a portable copy of the data collected, and if and when requested, the request must be fulfilled within a month. This service must be provided free of charge.
Users can also ask the controllers to erase their personal data entirely under some circumstances. For example, any data provided during childhood will be deleted if requested. The same goes for any data which is incorrect or was accessed illegally. This right is often referred to as the 'right to be forgotten'. This right was first confirmed by the European Court of Justice in the case of Google Spain and Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, c-131/121 (WP 225). However, like most rights, this one is also not absolute and is subject to some restrictions when conflicts with other rights, such as freedom of expression and scientific research, arise. This right also extends to the correction of any incorrect data that the controller holds about the users.
Under GDPR, companies that control personal data are obligated to notify users in case of any breach of their privacy by a third party. If a company loses control over customer data or has been hacked, it is mandatory for the company to notify users of the breach within 72 hours.
GDPR also puts in place a strong enforcement mechanism, with one GDPR supervisor in every country. Also, companies whose activities are centred around the processing of personal data are required to employ a data protection officer (DPO). Companies in violation of the rules set out in GDPR will have to pay a hefty fine. The maximum fine for a GDPR violation is 20 million euros or 4 percent of a company's annual global revenue from the year before, whichever is higher.
In today's world of information and technology, almost every aspect of our lives revolves around data. Most of the services that we receive or provide involve some form of collection and analysis of data. It is high time we realised the effect of the enormous amount of unprotected personal data on the internet. With the passing of GDPR, the European Union has gone head and shoulders above the rest and entered a new era of data privacy regulation. Slowly but surely, we must also consider following in the footsteps of the EU and create a strong legislative basis for data protection in our country.
The writer is a lecturer of law at Primeasia University.