What is it?
The European Union General Data Protection Regulation (GDPR) is, arguably, the most notable change in the data protection regime in the last two decades. The law, which comes into effect on May 25, has been designed to protect the personal data of E.U. residents.
Personal data is data that relates to an identifiable living individual and includes names, email IDs, ID card numbers, physical and IP addresses.
The GDPR reflects a paradigm shift in the understanding of the relationship individuals have with their personal data, granting the citizen substantial rights in his/her interaction with data controllers (those who determine why and how data is collected such as a government or private news website), and data processors (those who process the data on behalf of controllers, such as an Indian IT firm to which an E.U. firm has outsourced its data analytics).
Under the GDPR, a data controller will have to provide consent terms that are clearly distinguishable, i.e., consent cannot be buried in the fine print that is incomprehensible to the layperson.
Additionally, the GDPR requires those collecting data to provide information on the ‘who’ and ‘how.’ Individuals will also have the right to have personal data deleted under certain conditions. The GDPR also makes reporting obligations and enforcement stronger: data breaches will normally have to be reported within 72 hours and failure to comply with the new laws could result in a fine up to 4% of global turnover or €20 million — the maximum amount of the fine.
How did it come about?
Brussels recognised that the growth in the digital economy and rapid advances in technology meant individuals were sharing personal data, and companies and governments used this data on an “unprecedented scale.” Therefore, it sought to replace the existing data privacy directive, which enables and guides laws in each of the 28 EU member states, with a regulation (GDPR), a stronger instrument which harmonises data protection laws across the 28 countries.
Why does it matter?
Apart from its profound significance for Europe, the GDPR has global implications as it also applies to those outside the E.U. who either monitor the behaviour of EU residents or sell goods and services to them. Consequently, the law is expected to have a significant impact on Indian IT firms and other service providers with an E.U. clientèle.
The E.U. as a bloc is India’s largest trading partner, with bilateral trade in services alone running upwards of €28 billion (₹2.2 lakh crore). Yet, only a third of Indian IT firms are making arrangements for the GDPR, with 39% unaware of what it is even, according to a 2018 survey by tax and accounting firm EY. This will likely mean fines, loss of business and missed opportunities, as well as diplomatic wrangling in trade talks between India and the E.U.
What lies ahead?
The alleged data breach around Facebook and Cambridge Analytica has alerted people to the challenges of protecting data in a hyper-digitised environment. The issue has once again raised questions about what constitutes legitimate uses of data and how businesses, governments and political parties can and cannot use data. A White Paper produced by a government-appointed committee, headed by retired judge B.N. Srikrishna, which is formulating a national data protection law for India, has suggested a hybrid approach to privacy. This combines the EU rights-based approach, the U.S. approach of using data with consent to encourage innovation, and an Indian approach, which takes note of the Supreme Court’s ruling that privacy is a fundamental right subject to reasonable restrictions.
