Mark Zuckerberg’s testimony could easily be one of the most viewed videos of recent days. Recovering from the shock wave, nations around the globe have been quick to raise their guard in the aftermath of the recent Facebook data breach incident, in which the technology giant allegedly granted Cambridge Analytica, a British political consulting firm, access to the personal data of as many as 87 million Facebook users during the 2016 US elections without their consent.
General Data Protection Regulation (GDPR)
The European Union (EU) has taken the lead in drafting a privacy law of its own (surprisingly beating the United States, which houses most of the technology giants across the globe), one that is likely to set an international precedent for all countries to follow.
The EU is set to implement its General Data Protection Regulation (GDPR) on May 25th, replacing the Data Protection Directive, which went into effect in 1995. Inarguably one of the most complex and robust pieces of legislation around data protection and privacy, GDPR lays down a baseline set of standards for all companies: those located within the territorial boundaries of the EU, and even those located outside the EU, that store or process data of individuals who reside in the EU.
Terms and Conditions Applied
Once in place, GDPR grants EU residents the right to discern and determine how their personal data is being stored, processed, used and transferred. GDPR defines personal data as any data that allows an individual to be identified, including name, address, birth date or identification number, as well as IP address, location data or any type of pseudonymous data.
GDPR is prescriptive and rigid in its instructions to organizations on what they must do to comply with the rules. At the outset, the ‘Terms and Conditions’ presented while collecting the user’s data should be “unambiguous” and “specific”. Catch-all clauses that bundle consent, such as “your data will be used to improve our services”, are no longer permitted. Companies need to clearly lay out the purposes for which the user’s data is being obtained. The organization is required to obtain fresh consent from the user every time there is a change in the usage of the data or an upgrade to the product. Users must also be allowed to seamlessly revoke consent. GDPR sets rules for how companies share data after it has been collected, pushing companies to rethink how they approach analytics, logins and, above all, advertising.
In Case of A Breach
Users can now closely monitor how their personal data is being processed and transferred across international borders. The law requires companies to notify their users within 72 hours of any data breach and to ensure that all steps are taken to remedy the situation.
Right To Be Forgotten
The new data protection act also lets users erase their personal data under certain circumstances, under the Right to Erasure Act. Users are granted the right to demand a copy of the data an organization holds on them, to ask for that information to be corrected, and to demand that it be deleted if need be.
Besides these, organizations have to appoint a “data-protection officer” (DPO), an ombudsman who reports directly to top management, ensures that the guidelines are abided by, trains the staff and conducts internal audits.
Beyond the stern guidelines, what sets GDPR apart from all preceding privacy laws in the EU is the significant financial penalties the law can impose on organisations for non-compliance. The penalty for non-compliance can be as high as €20m or 4% of a company’s global annual revenue, whichever is greater.
GDPR is undoubtedly poised to bring about an overhaul in the way data is handled. It will prompt organizations to reconsider the framework within which they collect, save, manage, process and transfer data, that is, from point of origin to point of consumption.
Some obvious teething pains are expected with a regulation of this extent and magnitude. One such problem flagged by companies with legacy consumer data systems is that it is difficult to know exactly where the regulated consumer data is stored. Personal data can be hidden in a wide range of places, including backup drives, unstructured data, login details and social media data. A mammoth task that lies ahead of these legacy companies in implementing the law will be to ensure that all such data is harmonized and sanitized.
According to a survey conducted by PricewaterhouseCoopers, 68% of US-based companies expect to spend between $1 million and $10 million to meet GDPR requirements. Another 9% expect to spend more than $10 million. Critics also argue that any kind of restriction on technology will stymie innovation, especially affecting firms that use subject data as the main input for the development of their technology.
No regulation is without gaps or loopholes. Not surprisingly, Facebook was one of the first to identify a loophole in this legislation. Facebook is set to switch its data controller entity for all non-EU, non-US users from Facebook Ireland to Facebook USA, in an attempt to bypass GDPR for non-EU data. By moving the information of 1.5 billion users in Africa, Asia, Australia and Latin America out of the EU, Facebook suggests that it intends to follow the law in spirit, but not in letter.
The Road Ahead
For those who are bound by the legislation and have no way out, GDPR will require ongoing supervision and governance of data. After the initial compliance heavy lift, all organisations must ensure going forward that their data collection and processing systems remain in accordance with the GDPR guidelines.
What Does This Mean For India
The Indian Information Technology industry and IT-enabled services derive about 30% of their revenues from Europe. With the EU set to roll out the new legislation, this sector will undoubtedly be the most affected. However, since India is currently in the process of building express legislation to regulate data protection and privacy, GDPR can become an interesting roadmap to follow. As the nation paces towards becoming a truly “Digital India”, especially with the government undertaking initiatives such as Aadhaar, IndiaStack and DigiLocker, the EU could be the torchbearer.