GDPR | Lex Peeps

The article has been written by Yash Mittal, pursuing LLB-1 year from Mewar Law Institute. Picture Credits to MarTech Today

GDPR stands for General Data Protection Regulation which came into effect on 25 May 2018. It is a regulation enforced by the European parliament on European union member states for data handling. The EU General data protection regulation is the most important change in data privacy regulation in 20 years.

GDPR was adopted and approved by the European parliament in April 2016. The Data protection directive (1995) is being replaced with the General data protection regulation (2018).

GDPR was to take effect after two years period, and it doesn’t require any legislation to be passed by the government.

Timeline

1) 21 Oct 2013- European Parliament committee on civil liberties, justice and home affairs (LIBE committee) had an orientation vote.

2) 15 Dec 2015- Negotiations between European parliament, council, and commission resulted in a joint proposal.

3) 17 Dec 2015- LIBE committee votes positively on the outcomes of negotiations.

4) 8 April 2016- Adopted by the council of the European Union.

5) 14 April 2016- Adopted by the European Parliament.

6) 4 May 2016- Published in the EU official journal.

7) 20 days later entered into force.

8) 25 May 2018- date the regulation allies from.

Why is GDPR important today?

Data is the oil of the 21st century. For a lot of business and marketing purposes, data processing is a significant process. Almost each and every company is processing some sort of personal data on regular basis.

From the last 12 to 15 years, we saw a revolution on the Internet all over the world. There are so many social media platforms like WhatsApp, Instagram, Facebook, Twitter, and many more. But when you install these applications on your desktop or mobile phones they ask for your permissions like Identity, location, contacts, photos, etc. Apps want to collect your data because it is valuable for their companies and many companies collect your valuable data for their personal use. As it helps them in making their market strategies and easy for them to know your behavior and patterns towards their products.

Rights of Individuals under GDPR

1) Right, to be informed- It must be transparent, intelligible, easily accessible, written in clear and simple language, if addressed to a child.

2) Right to access- Individuals have the right to know exactly what data or information held about them and how it has been used.

3) Right to rectification- An individual will be entitled to have personal data rectified if it is inaccurate or an option to complete it if incomplete.

4) Right to erasure- It is also known as the right to be forgotten. It gives individuals to right to have their personal data deleted or removed without the need for specific reasons.

5) Right to restrict processing- It refers to individual right to block or suppress processing of their personal data.

6) Right to data portability- It allows individuals to obtain and reuse their personal data across different services for their own purpose.

7) Right to object- Individual is entitled to object their personal data being used.

8) Right of automated decision making and profiling -GDPR has put safeguards to protect individuals against the risk that potentially damaging decision is made without human intervention.

Objective of GDPR

The objective of the GDPR is to provide a set of standardized data protection laws across all the member countries. This should make it easier for EU citizens to understand how their data is being used, and also raise any complaints, even if they are not in the country where its located.

Principles of GDPR

There are 7 key principles of GDPR:-

1) Lawfulness, fairness, and transparency.

2) Purpose limitation.

3) Data minimization.

4) Accuracy.

5) Storage limitation.

6) Integrity and confidentiality (Security).

7) Accountability.

Facebook- Cambridge Analytica data scandal

Cambridge Analytica is a British firm. It was a data leak in early 2018. The firm is alleged to harvest data of millions of Facebook users without their permission or consent. It was predominantly to be used for political advertising and to influence people voting patterns. In response, Mark Zuckerberg, CEO of Facebook apologizes for their role in the data harvesting in front of Congress and Facebook also agrees to pay fine for their breach of data.

Data Processor and Data Controller

Definitions of the data controller and data processor are outlined in Article 4 of the GDPR.

A data controller is: “a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Data processors process personal data on behalf of the controller.

GDPR and its Global Impacts

General data protection regulation that came into force in May in the European Union, but it affects the companies all over the world. It will not just affect the companies but also the citizens all over the world.

GDPR gives control back to the person whose data it is. Whether a person is a business user or a consumer, they have to give their consent and it is the responsibility of the company to make sure that they secure our data properly.

But how does it affect everybody if it is a European directive?

For instance if a person is in Europe and using a service outside of Europe, then that service had to give the same privileges as it is of Europe itself.

So if anyone is providing services and if European citizens visiting some other place outside of Europe, then it has to be a complaint of GDPR.

What happens if you don’t comply with GDPR

Fines can be levied as penalties for non-compliance. There are two levels of fines.

1) Up to €10 million, or 2% annual global turnover – whichever is higher.

2) Up to €20 million, or 4% annual global turnover – whichever is higher.

But not all infringements will lead to serious fines. There are some corrective powers to enforce GDPR.

1) Issuing warnings and reprimands;

2) Imposing a temporary or permanent ban on data processing;

3) Ordering the rectification, restriction or erasure of data, and;

4) Suspending data transfers to third countries.

Conclusion

The general data protection regulation of the European Union is to secure the personal data of its citizens and secure them from cyber threats. In India, in recent times “The Ministry of Electronics and Information Technology has received many complaints, about the misuse of some mobile apps on mobile phones for stealing and misusing the users data in an unauthorized manner to servers which have locations outside of India.

India banned Chinese apps like pubg, tiktok etc.

It is important for the government to secure it’s citizens’ rights that are right to privacy under article 21.

The government had to make sanctions for protecting its citizens from cyber threats and to secure their personal data.

Latest Posts