Privacy is Paradise
Adopted in April 2016 by the Council of the European Union and the European Parliament, the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. Hailed as the most comprehensive legislation on data protection ever passed, the GDPR aims to secure the rights of the individual over their personal data and over the transfer of that data to third parties. It harmonizes laws across member states of the European Union while allowing states to customize certain aspects according to national laws and contexts.
The Regulation defines personal data as any information related to a natural person (the data subject) by which that person may be identified, such as a name, an ID number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It applies to any organization that collects and processes the personal data of EU data subjects, whether or not the organization is based in the territory of the European Union, provided that the processing activities relate to offering goods or services to subjects in the Union or to monitoring their behavior, where that behavior takes place within the boundaries of the Union.
Impact on India’s Data Protection Framework
India is in the process of drafting her own data protection guidelines. After a protracted legal battle, the Supreme Court in August 2017 explicitly recognized the Right to Privacy. A few weeks earlier, the Ministry of Electronics and Information Technology (MeITy) constituted a committee to deliberate a data protection framework headed by Justice B.N. Srikrishna. The final recommendations of this committee are expected in June 2018.
India’s data protection guidelines can well take inspiration from, and adapt some of the best practices in, data protection regimes across the world, the GDPR included. The definitions of the types of data (personal, biometric, genetic, sensitive personal, etc.) are not well laid out in Indian law, and the differentiation made in the GDPR is one such best practice. Others, such as the treatment of the personal information of deceased persons, the right to be forgotten, and the obligations of the data controller and data processor towards the data subject, are absent from Indian law and may certainly be adapted from the GDPR.
Impact on Industry
The terms of the GDPR are enforceable even if companies do not have an office or do not operate in the EU, but handle private data of EU citizens. The burden of ensuring consent falls on the companies: silence, pre-ticked boxes and inactivity do not constitute consent.
Companies are obliged to appoint a Data Protection Officer (DPO) who will ensure data protection for the products and services offered by the company. The DPO is tasked with monitoring compliance with the regulation, providing advice and acting as the contact point for the supervisory authority. If an organisation intentionally fails to comply with the regulation, it may face fines of up to EUR 20 million or 4% of its annual global turnover, whichever is higher.
Impact on SMEs
The GDPR recognises the important role small and medium enterprises (SMEs) play in catalyzing the economy and generating innovation. A few exemptions apply to SMEs, aimed at increasing their ease of doing business and easing compliance with the requirements of the GDPR. Most notable is the exemption for organizations that have fewer than 250 employees and/or do not undertake regular or large-scale processing of the personal data of EU data subjects.
These SMEs do not have to create a detailed record of their processing activities and categories, except where there is a risk to the freedoms of the data subjects or where the processed data relates to the race, ethnicity, political beliefs, etc. of the data subject.
As strong supporters of the fundamental freedoms of the individual, we support the GDPR in its intention to protect those freedoms and the data of every individual. We do not think the GDPR is a bad regulation. It is not sector-specific. It applies to all players in the value chain and empowers citizens with the same rights irrespective of the platform. The GDPR can catalyze a new breed of coders, engineers and designers who innovate and create new solutions to problems while ensuring a fair and neutral way of leveraging the internet and securing our digital identities.
It also has the potential to increase the European Union’s competitiveness, as the first to introduce such a modern data protection regulation. The EU is already pushing other countries to raise their data protection standards, and this, we assume, will raise overall standards of protection globally.
What is the Friedrich Naumann Foundation for Freedom doing?
As a European institute, FNF has appointed a data protection officer under the GDPR and is in the process of revamping its internal data controlling and processing procedures to allow for clarity in reporting. Survey forms and statements of consent previously collected by the Foundation will be reviewed and possibly supplemented. We are also undertaking a risk assessment to identify potential risk vectors and the probability of a breach occurring, in order to increase resilience and reduce the chance of a breach.
Finally, internal training exercises are underway in our offices to ensure that the staff are brought up to speed with the requirements of the GDPR. In South Asia, we started this process several months ago.
Rajat is a Program Manager for Digital Transformation at the Regional Office of the Friedrich Naumann Foundation for Freedom (FNF). In this commentary, he is sharing his personal thoughts.