GDPR Compliance for Indian Companies

The General Data Protection Regulation for Indian Companies Doing Business in the EU

On 25 May 2018 the European Union's General Data Protection Regulation (hereinafter “the GDPR” or “the Regulation”, formally Regulation (EU) 2016/679) became applicable, which is why so many online service providers updated their privacy policies around that date. The GDPR repealed and replaced the Data Protection Directive 95/46/EC. The rationale behind enacting it was to give residents of the European Union (EU) more control over the use of their personal data, and to replace a directive that each member state had implemented differently with one set of rules that binds directly across the whole Union.

Backdrop of the General Data Protection Regulation

The European Commission proposed the GDPR in January 2012 to modernise the 1995 Directive. After negotiations between the European Parliament and the Council of the member states, the final text was adopted on 27 April 2016 and entered into force on 24 May 2016, with a two-year transition period before it became applicable. The Regulation was intended both to give the residents of the EU more control over their personal data and to regulate how companies doing business in the EU protect the personal data of their users. The deadline for companies doing business in the EU to comply was therefore 25 May 2018. The GDPR is widely regarded as the most comprehensive and far-reaching data protection law enacted so far.

Subject-Matter and Objectives of the GDPR

Article 1 of the Regulation sets out its subject-matter and objectives. Article 1(2) states that the Regulation protects the “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. It is notable that the GDPR protects only natural persons: legal persons such as corporations are outside its scope (Recital 14), although personal data about a company's employees, customers or contacts remains fully covered. Alongside this protective objective, Article 1(1) and 1(3) also make the Regulation a rule-book for the free movement of personal data within the Union, which may not be restricted or prohibited on data protection grounds. It should be stressed that the GDPR does not create the fundamental right to data protection; that right already existed in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union, both of which Recital 1 cites. What the GDPR does is give that right detailed, directly applicable and enforceable content in every member state.

Material Scope of the Regulation: Application and Non-Application of the Regulation

Article 2 defines the material scope. Under Article 2(1) the Regulation applies to the processing of personal data wholly or partly by automated means, and to non-automated processing of data that forms part of, or is intended to form part of, a filing system. Article 2(2) then carves out, in an exhaustive list, the processing to which the Regulation does not apply: processing “in the course of an activity which falls outside the scope of Union law”; processing by member states in carrying out activities within the scope of Chapter 2 of Title V of the TEU (the common foreign and security policy); processing “by a natural person in the course of a purely personal or household activity”; and processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (which is governed instead by Directive (EU) 2016/680). For an Indian company none of these exceptions is likely to apply: an automated customer database, a web analytics log or a CRM export is squarely within Article 2(1).

Territorial Applicability of the Regulation

Article 3 stipulates the territorial scope, and it is the provision of most direct concern to an Indian company. Article 3(1) applies the Regulation to processing in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing itself takes place in the Union. Article 3(2) then reaches controllers and processors with no establishment in the EU at all. Such an entity is caught if its processing relates to either of two activities: (a) offering goods or services to data subjects in the Union, “irrespective of whether a payment of the data subject is required”, or (b) monitoring the behaviour of data subjects in so far as that behaviour takes place within the Union. Recital 23 makes clear that mere accessibility of a website from the EU is not enough; what counts are indications of an intention to target EU customers, such as the use of an EU language or currency with the possibility of ordering in it, or the mention of customers in the Union. Recital 24 explains that monitoring includes tracking individuals on the internet in order to profile them. Limb (b) in particular is the embodiment of the popular phrase “if you are not paying for it, you become the product”: a free service that profiles its EU users is within the GDPR even though it sells them nothing. An important consequence for an Indian company that falls under Article 3(2) is Article 27, which requires it to designate in writing a representative established in one of the member states where its data subjects are, unless the processing is occasional, does not include large-scale processing of special categories of data or of criminal conviction data, and is unlikely to result in a risk to the rights and freedoms of individuals.

Principles Outlined by the Regulation Relating to the Processing of the Personal Data

Article 5(1) articulates the principles governing the processing of personal data. It lists six: (a) lawfulness, fairness and transparency in relation to the data subject; (b) purpose limitation, meaning collection for specified, explicit and legitimate purposes and no further processing incompatible with those purposes; (c) data minimisation, meaning the data must be adequate, relevant and limited to what is necessary for those purposes; (d) accuracy, with every reasonable step taken to erase or rectify inaccurate data without delay; (e) storage limitation, meaning data are kept in identifiable form no longer than necessary; and (f) integrity and confidentiality, meaning appropriate security against unauthorised or unlawful processing and against accidental loss, destruction or damage. Article 5(2) adds a seventh, accountability: the controller is responsible for, and must be able to demonstrate, compliance with the six. These principles are not new in substance; most of them already appeared in Article 6 of Directive 95/46/EC. What changed is that they now apply directly and uniformly in every member state, that the controller must be able to prove compliance rather than merely assert it, and that breaching them falls in the top tier of Article 83(5), punishable by administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. For a security engineer the last two principles are the ones that translate most directly into controls: retention schedules and deletion jobs for storage limitation, and the technical and organisational measures of Article 32 (pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience, timely restoration, and regular testing of those measures) for integrity and confidentiality.

Conditions for Consent: Streamlining Privacy Policies with the GDPR

Consent is one of six lawful bases for processing listed in Article 6(1); the others are performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest, and the controller's legitimate interests. Consent is therefore not the only route to lawful processing, but where a business relies on it Article 7 sets strict conditions. Article 4(11) defines consent as a freely given, specific, informed and unambiguous indication of the data subject's wishes by a statement or a clear affirmative action; Recital 32 spells out that silence, pre-ticked boxes or inactivity do not qualify. Under Article 7(1) the controller bears the burden of demonstrating that consent was given. Under Article 7(2), where consent is given in a written declaration that also concerns other matters, such as a lengthy set of terms and conditions, the request for consent must be presented “in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”, and any part of such a declaration that infringes the Regulation is not binding. Because consent must be specific, a business that intends to use personal data for several purposes has to obtain consent for each of them (Recitals 32 and 43). Many internet applications offer no way to delete an account or withdraw permission to use personal data; Article 7(3) addresses this directly by providing that the data subject may withdraw consent at any time, that withdrawal must be as easy as giving consent, and that the data subject must be told of this right before consenting. Withdrawal does not affect the lawfulness of processing carried out before it. Finally, Article 7(4) and Recital 43 provide that consent is presumed not to be freely given where performance of a contract or provision of a service is made conditional on consent to processing that is not necessary for that contract, so consent cannot be bundled into the price of a service.

Article 8 deals with the consent of children in relation to information society services (broadly, online services) offered directly to a child. Where such processing is based on consent, it is lawful only if the child is at least 16 years old; below that age, consent must be given or authorised by the holder of parental responsibility over the child, and the controller must make reasonable efforts, taking available technology into account, to verify that it was. Member states may set a lower age by national law, provided it is not below 13, and several have done so, so an Indian company serving more than one EU market cannot assume a single threshold.

Right to Erasure: Floodgate to ‘right to be forgotten’ requests?

The “right to be forgotten”, more precisely the “right to erasure”, is the right of an individual to have personal data about them deleted by the controller, which matters most for information that is private or potentially damaging. It is set out in Article 17. Article 17(1) gives the data subject the right to obtain erasure without undue delay, and obliges the controller to erase, where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on which the processing is based and there is no other legal ground; (c) the data subject objects under Article 21(1) and there are no overriding legitimate grounds, or objects under Article 21(2) to direct marketing; (d) the data have been unlawfully processed; (e) erasure is required by a legal obligation in Union or member state law to which the controller is subject; or (f) the data were collected in relation to the offer of information society services to a child under Article 8(1).

The right to be forgotten is, however, not absolute. Article 17(3) disapplies it where processing is necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation or the performance of a task in the public interest or in the exercise of official authority; for reasons of public interest in the area of public health; for archiving, scientific or historical research or statistical purposes where erasure would seriously impair them; or for the establishment, exercise or defence of legal claims. The practical effect of the provision is nonetheless that it opens the door to a large volume of erasure requests from EU data subjects, each of which must be answered within one month under Article 12(3), extendable by two further months for complex or numerous requests. Most importantly, Article 17(2), read with Recital 66, provides that where a controller has made the personal data public and is obliged to erase them, it must take “reasonable steps, including technical measures”, taking account of available technology and the cost of implementation, to inform other controllers processing the data that the data subject has requested erasure of any links to, or copies or replications of, that data. The obligation is to inform those controllers, not to guarantee that they delete the data; separately, Article 19 requires the controller to communicate the erasure to each recipient to whom the data were disclosed, unless this proves impossible or involves disproportionate effort. “Reasonable steps” is nevertheless open to interpretation: beyond the reference to available technology and cost, the Regulation sets no benchmark, and this vagueness may well become a source of litigation. An Indian company should therefore keep a record, for every data set, of where copies have been sent, so that an erasure request can be propagated and the propagation demonstrated.

Conclusion

The EU has drafted a finely balanced data protection law whose effects are already visible and will become more so in a short span of time. With the speed at which technology is growing, the world needs sophisticated data protection laws. Although the right to privacy has been recognised as a fundamental right in many nations, India among them since the Supreme Court's Puttaswamy judgment of August 2017, the GDPR is the first legislation of its reach to give an individual's fundamental right to data protection, recognised in the EU by Article 8 of the Charter of Fundamental Rights, detailed and directly enforceable content. Hopefully other countries, along with India, which has recently set up a committee on a data protection framework under Justice B. N. Srikrishna (retd.), will take a cue from the GDPR and come up with similarly balanced data protection laws.