With the enactment of European Union General Data Protection Regulation (EU GDPR) made effective from 25 May 2018, “privacy” has become a very important issue for all firms engaged in collecting, processing and disseminating personal information of their customers and employees alike.
Even though “Data Protection Directive” has been in existent in Europe for about 20 years, EU GDPR provides a consistent framework to address data protection across 28 EU member states covering about 350 million people. Unlike the Directive which provided minimum set of data protection standards and leave it to the member states to frame their own law, EU GDPR is a law by itself across the member states and hence more stringent and enforceable than ever. Thus EU has taken data protection head on to handle it through command and control regulatory regime.
It must be pointed out that on the contrary, the United States has taken a more liberal approach to data protection. Though there were numerous regulations and directives such as Right to Financial Privacy Act of 1978, Electronic Communications Privacy Act of 1986, Family Educational Rights and Privacy Act of 1978, Privacy Protection Act of 1988, Video Privacy Protection Act of 1988 exist, the law and policy makers have upheld the market oriented principles instead of adopting a stringent regulatory approach on the use of personal information of data subjects.
Though EU GDPR sets out very clear unambiguous rules on protection of personal data of the EU residents, it also makes it easier for firms who comply with these rules to transfer data across EU member countries efficiently thus improving their business operations.
The territorial scope of the Regulation covers the processing of personal information of data subjects who are in the Union, irrespective of their nationality or place of residency, by data controllers and processors who are within are outside EU, regardless of whether the processing takes place within or outside the EU. The “data controllers” are entities that determines the purposes and means of personal data and “data processers” are those contracted by data controllers for processing personal data. As per Article 3 of the Regulation, the territorial scope affects all the firms that have business in the EU member countries for which they collect, process, and disseminate personal information about EU based data subjects. The Regulation has serious consequences to all firms in India who handle personal information of the data subjects of EU for monetary or non-monetary purposes.
With this wide territorial scope, the Regulation covers the entire supply chain of data flow from data subjects to data controllers to data processors. To provide accountability, the Regulation mandates the data controllers and data processors to designate a Data Protection Officer with assigned roles and responsibilities.
The debate about privacy consists of economic, legal, psychological, social and technical dimensions and hence more often than not the definition of privacy is mired in confusion. We identify the main dimensions of “privacy” using the classical framework of privacy taxonomy as proposed by Daniel Solove (Solove, 2006) and map the clauses in EU GDPR as per the taxonomy for better understanding.
Identification is connecting information to individuals. Identification is “the association of data with a particular human being.” Identification enables us to attempt to verify identity–-that the person accessing her records is indeed the owner of the account or the subject of the records. For example, Aadhaar number, is a random number that bears no relationship to the identity of the holder. However, it can be traced to the “blood and flesh” of the individual through the associated bio metric information. While Aadhaar number alone may not divulge much about an individual, when aggregated with other identity information (excluding core biometrics) may reveal some telling patterns about an individual. EU GDPR applies data protection to any information concerning an “identified” or “identifiable” natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. What this means is that the data protection to individuals is much broader in context and scope.
Related to “identifiability” is aggregation. Aggregation is the gathering together of information about a person. A piece of information here or there is not very telling. But when combined together, bits and pieces of data begin to form a portrait of a person. The whole becomes greater than the parts. This occurs because combining information creates synergies. EU GDPR recognizes this process of aggregation in the form of “identifiable” information that needs to be protected.
Secondary use is the use of data for purposes unrelated to the purposes for which the data was initially collected without the data subject’s consent. Consent of data subject is of utmost important in the processing of personal data by data controllers. As per EU GDPR, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. EU GDPR gives utmost importance to consent of the data subject for all types of processing of personal data. Further, EU GDPR clearly states that personal data can be collected only for “specified, explicit and legitimate purposes”. This is referred to as “purpose limitation” and limits the use of personal data so collected by data controllers only for the intended purpose. Hence firms should be very careful in using the personal data and restrict their use only for the intended purpose and that too within the consent framework accepted by the data subjects.
EU GDPR specifies a number of rights to data subjects over use, modifications and erasure of their personal information. EU GDPR mandates “transparency” with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing. Further, the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. This is expected minimize the existence of partial, outdated or incomplete personal information of data subjects with the data controllers. One of the important rights endowed on data subjects is the “right to be forgotten”. Under article 17 of the Regulation, data subjects can request their information be erased. As per this right, the data controller is obligated to take all necessary steps to erase all information about the data subjects without undue delay unless holding or processing such information is absolutely necessary.
Identity theft is the fastest growing white collar crime. An identity thief opens accounts and conducts fraud in the victim’s name. Identity theft is the overt result of a larger group of problems called “insecurity.” Glitches, security lapses, abuses, and illicit uses of personal information all fall into this category. Insecurity, in short, is a problem caused by the way our information is handled and protected. Insecurity is related to aggregation, as it creates risks of downstream harm that can emerge from inadequate protection of compendiums of personal data. As per the Regulation, personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing un-authorized access to or use of personal data and the equipment used for the processing. Realizing that despite all precautions data breaches could occur, Article 33 of the Regulation provides stringent requirements of notification of such breaches. The data breaches as and when they occur should be notified by data processers and controllers to designated authority within 72 hours of the breach.
To enforce data protection outside the bounds of EU, the GDPR has a number of elements related to trans-border data flow across EU member countries and “third countries” that are outside the bounds of EU. One of the key requirements for such trans-border data flow is that the third country offers an adequate level of data protection, whether by its domestic legislation or of the international commitments it has entered into. The European Commission has so far recognized Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited) as providing adequate protection. Though the United States was not included earlier due to lack of pan-national data protection regulation or law, it has been included recently with certain limits. The important part of the adequacy test is the presence of legal and regulatory framework and compliance procedures for data protection. India does not appear yet in the list and has to pass the adequacy test of the European Commission as given in Article 45 of the Regulation once the draft Data Protection Bill 2018 is enacted in the parliament. Until then the IT firms located in India who process data of EU subjects have to adhere strictly to the data protection articles in the GDPR. Once the adequacy test is passed, then trans-border data flow between EU and India will be treated much like data flow within EU.
Laws and regulations are in paper unless they are enforced! The Regulation refers to a number of organizations and groups with varying levels of authority for enforcement. The “one-stop-shop mechanism” referred to in clause 127 of the Regulation demotes a mechanism that ensures an organization under investigation is only examined once. The “Supervisory authority” depending on the jurisdiction of the incident will handle the enforcement proceedings. The data subjects have a number of rights that relate specifically to how they can seek remedy or judicial redress for breaches of the Regulation. The administrative fines that can be levied against organizations that breach the Regulation ranges from € 10 million – € 20 million or 2% – 4% of the total worldwide annual turnover, whichever is greater. Hence the organizations need to compute the economics of data protection steps vis-à-vis the penalty incurred for breaches and take appropriate actions. This is one of the first Regulation to precisely specify the amount of penalty so that organizations can do cost-benefit analysis of their data protection policies and initiatives. This has also been replicated by India’s draft Data Protection Bill 2018.
Though firms and CXOs of organizations see the Regulation to be onerous, it puts enormous responsibility on the firms to deal with personal information of data subjects. Data is an asset to today’s organizations. Along with the emergence of Big Data Analytics and Machine Learning algorithms, firms have been extracting huge value by harvesting and analyzing personal information. The data subjects, though sometimes voluntarily disclosing their information for their own benefits, do not have a concrete unified legal recourse to breach of their information and associated privacy. The Regulation just provides that.
One can argue that the Regulation might provide a sub-optimal solution to protecting personal information compared to markets as expounded by neo-classical economists. Many economists and scholars have argued that divulging personal information also has positive externalities and improves the provisioing of public good. For example, sharing of health data provides mechanisms to prevent epidemic outbreak as illustrated in HealthMap http://www.healthmap.org and hence enable taking preventive steps.
However, the Regulation is the first serious attempt to delineate property rights to individual’s personal information and enable protection of the same. Hopefully, this will augment social benefits and benefit for all!
Daniel J. Solove, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006).
IT Governance and Privacy Team (2016, 2017). EU General Data Protection Regulation: An implementation and compliance guide. IT Governance Publishing, ISBN: 978-1-84928-945-0.
General Data Protection Regulation. Available at: https://gdpr-info.eu/