DR. RAM MANOHAR LOHIYA NATIONAL LAW UNIVERSITY, LUCKNOW
SUBJECT: CYBER LAW
Session: 2018 - 2019
FINAL DRAFT ON “GENERAL DATA PROTECTION REGULATION (GDPR)”
SUBMITTED TO: Dr. Amandeep Singh, Assistant Professor (Law), RMLNLU
SUBMITTED BY: Shubham Singh Rawat, B.A. LL.B. (Hons.), Sec. B; Enroll. No.-134
ACKNOWLEDGEMENT
Through the mode of this acknowledgement I would like to thank my subject teacher for allowing me to choose this topic as my project. Being one of the most important segments of the subject, this topic has given me a lot to learn; therefore I bestow my thanks on my subject teacher for giving me an opportunity to enhance my knowledge through the medium of this work. Working on the topic would have been impossible without the assistance I got from the library staff and my friends, so they also deserve a special mention in this acknowledgement.
- Shubham Rawat
TABLE OF CONTENTS
INTRODUCTION
TERMINOLOGIES OF GDPR
REQUIREMENTS OF GDPR
KEY TERMS IN GDPR
LEGAL CASE IN GDPR
SALIENT FEATURES OF GDPR
PERSONAL DATA & ITS RELEVANCY IN GDPR
WHEN CONSENT NOT REQUIRED IN GDPR
CONCLUSION
BIBLIOGRAPHY
INTRODUCTION
The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personal data of individuals (formally called data subjects in the GDPR) inside the European Union, and applies to an enterprise established in the EU or—regardless of its location and the data subjects' citizenship—that is processing the personal data of people inside the EU.
Controllers of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. "Data protection by design and by default" means that business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data (for example, using pseudonymization or full anonymization where appropriate), and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EU. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy. The GDPR was adopted on 14 April 2016, and became enforceable beginning 25 May 2018. As the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable. In some cases, violators of the GDPR1 may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.
1 https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
TERMINOLOGIES OF GDPR
• The data controller is the person or organisation who determines the how and what of data processing.
• The data subject is the person about whom personal data is being processed.
• A data processor is the person or organisation who takes an action with the personal data you control – this might be a 3rd party acting on your behalf.
• Processing is anything done with/to personal data, including storing it.
• The Data Protection Officer (DPO) is a specific role which will be a legal requirement for many organisations, including large church bodies such as NCIs or dioceses.
REQUIREMENTS OF GDPR
The GDPR imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles:
• Transparency, fairness, and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data.
• Limiting the processing of personal data to specified, explicit, and legitimate purposes. You will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
• Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
The full title of the regulation states its aim: the protection of natural persons with regard to the processing of personal data and the free movement of such data. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.2
2 https://en.wikipedia.org/wiki/European_Union
KEY TERMS IN GDPR CONCEPT
Article 4 of the GDPR includes a list of defined terms used in the regulation. Several are particularly important:
• “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
• “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• “Pseudonymization”3 means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
LEGAL CASE AROUND GDPR
Max Schrems' Case: Facebook, Google, Instagram and WhatsApp are accused of forcing users to consent to targeted advertising in order to use the services. Privacy group noyb.eu, led by activist Max Schrems, said people were not being given a "free choice". If the complaints are upheld, the websites may be forced to change how they operate and they could be fined. But those rights don't have the force of law behind them, which means you can't file a complaint against Microsoft for violating the GDPR if you aren't an EU resident. While you enjoy these rights only as long as a company says you do, it does show that the European regulations are reshaping the way major companies approach user data. The other way this affects you is with the barrage of privacy policy updates you've likely received over the past few months. Many companies crafted new privacy policies in advance of the GDPR going into effect, and then they told you about it all at the same time. EU Justice Commissioner Vera Jourova said the new GDPR rules "cannot be applied in this [Cambridge Analytica scandal], because there's no retroactivity possible."
3 https://en.wikipedia.org/wiki/Pseudonymization
SALIENT FEATURES OF GDPR
1) Broad jurisdiction. The GDPR applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides.
2) Strong penalties. Breaches can cost companies up to 20 million Euros or up to 4 percent of their annual global turnover. Some infractions are less expensive but still represent a significant penalty.
3) Simplified and strengthened consent from data subjects. Consent must be given in an easy-to-understand, accessible form, with a clear written purpose for the user to sign off on, and there must be an easy way for the user to reverse consent.
4) Mandatory breach notification. Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported within 72 hours of its discovery. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.
5) A reiteration of important consumer rights. This includes the data subject’s right to get copies of their data and information on how it’s being used, and the right to be forgotten, also known as Data Erasure. Additionally, it will also allow customers to move their data from one service provider to another.
Better systems. In order to comply with the core foundation of “privacy by design,” GDPR requires processes to be built with data protection in mind, rather than treated as an afterthought.
6) Specific protection for children. Since kids are generally more vulnerable and less aware of risks, GDPR includes guidance that includes parental consent for children up to age 16.
7) Introducing the data protection officer. GDPR requires companies that process large amounts of data to hire dedicated personnel to manage all aspects of GDPR compliance. The Data Protection Officer (DPO) is expected to be in addition to any current IT or data security personnel working for the company and is the point person in terms of compliance and liability for GDPR.
8) From its charter: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” Companies that wish to stay in compliance must implement processes (and in many cases, add personnel) to ensure that when data is handled, it remains protected.
To comply with this requirement, GDPR promotes pseudonymization, anonymization and encryption. Anonymization is the encryption or removal of identifiable information so that it can never be tied back to a user. Pseudonymization is somewhere between identified and anonymous. With pseudonymization, the data components are anonymized and separated but can be put back together. For example, a system might assign a user one identifier for location and another for browser that can only be tied back to the user if it is put together with their date of birth, which is kept separately. The regulation promotes pseudonymization over anonymization.
Even if you personally aren’t in Europe, and you aren’t working for a European firm, you still need to abide by GDPR principles if you store or process the data of European individuals. The simplest example is if your business builds new software. If you make it available to buy on the internet, and let people from all countries buy it, then GDPR applies to the way you process the data of your European customers.
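The Article 4 definition of pseudonymization and the location/browser identifier example above describe one mechanism: the working dataset carries only tokens, and the "additional information" that re-links a token to a person is kept separately under its own controls. The following Python program is an added illustration written for this page; it is not code from the project, and GDPR prescribes no particular method. It assumes constructed, fictitious records and uses a keyed hash (HMAC) as the tokenisation step, with the purpose of each dataset mixed into the token so that the location dataset and the browser dataset cannot be joined on the token alone. It also shows the difference from anonymisation (no table is kept, so re-linking is impossible) and how an erasure request is honoured by dropping the links.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample records (fictitious people, not data from the project).
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "city": "Lyon", "browser": "Firefox"},
    {"name": "Bob Example", "email": "bob@example.test", "city": "Ghent", "browser": "Chrome"},
    {"name": "Alice Example", "email": "alice@example.test", "city": "Lyon", "browser": "Safari"},
]

# Fields that identify a person directly; the pseudonymised copy never carries them.
DIRECT_IDENTIFIERS = ("name", "email")


class PseudonymVault:
    """The 'additional information' of Article 4(5): a secret key plus the
    token-to-identity table. It is stored apart from the working dataset and
    under its own access controls, so the dataset on its own identifies nobody.
    (Hypothetical class written for this illustration.)"""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, str] = {}

    def pseudonym(self, identity: str, purpose: str) -> str:
        # Keyed hash (HMAC) rather than a bare SHA-256: without the key, someone
        # holding only the dataset cannot confirm a guess by hashing a known e-mail.
        # Mixing the purpose into the input gives each dataset (location, browser,
        # ...) its own token for the same person, so datasets cannot be joined
        # on the token alone.
        message = purpose.encode() + b"\x00" + identity.encode()
        token = hmac.new(self._key, message, hashlib.sha256).hexdigest()[:16]
        self._table[token] = identity
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Re-linking is possible only for whoever holds the vault."""
        return self._table.get(token)

    def erase(self, identity: str) -> int:
        """Honouring an erasure request: drop every link for this person. The
        records that remain in the working dataset are then anonymous."""
        doomed = [t for t, who in self._table.items() if who == identity]
        for t in doomed:
            del self._table[t]
        return len(doomed)


def pseudonymise(record: dict, vault: PseudonymVault, purpose: str) -> dict:
    """Working copy: direct identifiers replaced by a purpose-specific token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = vault.pseudonym(record["email"], purpose)
    return out


def anonymise(record: dict) -> dict:
    """Irreversible: identifiers are dropped and no table is kept, so the
    record can never be tied back to the person."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


if __name__ == "__main__":
    vault = PseudonymVault()
    location_ds = [pseudonymise(r, vault, "location") for r in RAW_RECORDS]
    browser_ds = [pseudonymise(r, vault, "browser") for r in RAW_RECORDS]
    print("location dataset:", location_ds)
    print("browser dataset: ", browser_ds)
    print("re-identified:", vault.reidentify(location_ds[0]["subject_token"]))
    print("links erased:", vault.erase("alice@example.test"))
    print("after erasure:", vault.reidentify(location_ds[0]["subject_token"]))
    print("anonymised:", anonymise(RAW_RECORDS[1]))
```

The design point is that the working dataset stays useful (the same person gets the same token within one purpose, so records can still be grouped), while re-identification depends entirely on a second artefact that can be locked down, audited, and emptied when a data subject exercises the right to erasure.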
PERSONAL DATA & ITS RELEVANCY IN GDPR
What is Personal Data and how is it relevant to GDPR? The ICO (Information Commissioner’s Office) defines personal data as any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier, e.g.:
• Name
• Address
• Date of birth
• Location
• Data gathered from browser history
• Identification number, such as a customer reference number, as long as it can be tied back to a person
• Online identifier, like a social media user name
WHEN CONSENT IS NOT REQUIRED IN GDPR
When is consent NOT required under GDPR? GDPR (and the DPA) are all about making sure data processing and sharing is done properly – they aren’t there to prevent legitimate data sharing, so there is a lot you can do without consent. For example, you can process personal data without consent where it is necessary:
• For the performance of a contract.
• For compliance with a legal obligation.
• To protect the vital interests of the data subject or another person.
• In the exercise of official authority or in the public interest.
• For the purposes of legitimate interests you are undertaking.
CONCLUSION
With the growing era of cyber-crimes, including cyber stalking, cyber bullying and other communal hatred activities, it is high time that the Govt. of India brought in appropriate legislation to deal with the GDPR concept so as to protect the rights of individuals in our country. GDPR helps to combat cyber terrorism and protect the personal data of individuals, and helps the minority in the world to stand up against large MNCs like Facebook and Google, which use third-party cookies to transfer your personal data to anonymous places without your free and willing consent. Hence the aim of GDPR is the protection of natural persons with regard to the processing of personal data and the free movement of such data. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU countries. As the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. Hence it is a good tactic to keep a check on the growing power of these social websites and make them come under the purview of GDPR. It even helps to restore your privacy and keep a check on your account, and if at any future point in time a breach occurs, then GDPR principles would enable the Data Controllers to protect your personal data and make you aware of the concerned breach. Even in India, the RBI is coming up with proposals for Data Localization to enable data controllers to set up their offices in the countries where their consumers reside, which could help in processing data locally.
BIBLIOGRAPHY
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://iapp.org/resources/article/age-of-consent-in-the-gdpr-updated-mapping/
https://www.washingtonpost.com/news/monkey-cage/wp/2018/05/25/today-a-new-eu-law-transforms-privacy-rights-for-everyone-without-edward-snowden-it-might-never-have-happened/?utm_term=.088bebcd7961
https://www.slideshare.net/hacker0x01/everything-you-need-to-know-about-the-data-protection-officer-role
https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying-plummets-europe/