GDPR: Europe Has A New Privacy Law. Should India Borrow From It?
There’s no disputing the fact that the omnipresence of apps, combined with their utility, makes life easier and efficient. There’s virtually an app for everything – from shopping to sleeping, driving and dating. This convenience also comes with downside, from threats to user privacy to information misuse in the face of data breaches.
Many giants of the online world have been under the spotlight on these counts, highlighting the threats to users in the digital world. These include social-networking websites Facebook and Yahoo, credit score company Equifax, identity management company OneLogin and gaming retailer Cex.
Europe has framed a law that seeks to address the lacunae, and it is known as the General Data Protection Regulation.
Key Facts About The GDPR
What is it?
The European Parliament approved GDPR in April 2016. It replaces an over two-decade old data protection law and will come into effect on May 25.
Why do we need it?
The new law comes with the promise of privacy for its consumers and aims to reshape the way organisations approach data privacy. It brings within its fold any information that can be used directly or indirectly to identify a person. It can be anything from a name, a photograph, an email address, bank account details, posts on social-networking websites, medical information, or even a computer IP address. To collect, process and store any or all this information, companies will have to seek specific, informed and unambiguous consent. The purpose for which the data will be used will also have to specified. Personal information so collected can then not be used for any other purpose but for which consent was sought.
How will this be a silver bullet for users?
GDPR is armed with consumer rights. These include the rights to object, restrict data-processing, ask for data to be deleted, port data from one controller to another, opt out of profiling processes, among others. Consumers will also be informed if their data has been obtained indirectly.
Who is this aimed at?
These rights will have to be respected by anyone who targets European residents, irrespective of the company's geographical location. GDPR places on companies a variety of obligations that differ based on whether the entity is a data controller or data processor. These include spelling out the legitimate business interest for which information is being collected, duration for which the data will be stored, appointing a data-protection officer if there is regular and systematic processing of sensitive data and informing consumers about the logic, and consequences of automated decision-making, for instance, if a bank automates the decision of granting a loan, it will need to disclose the basis of it.
What if it’s not adhered to?
If an entity fails to fulfil these obligations, the regulations provide for a fine of up to 4 percent of their annual global turnover or €20 million.
Will the GDPR be the answer to privacy problems the digital age poses? Will it make companies that collect and process data more accountable? Should India emulate Europe’s approach on data protection?
David Martin, senior legal officer at The European Consumer Organisation; Rahul Matthan, partner at law firm Trilegal; and Andrew Dyson, partner at law firm DLA Piper; shared their views on BloombergQuint’s weekly law and policy show — The Fineprint.
The starting point of the regulations is consent. Even today, apps or social media platforms ask for our consent. How will GDPR change things to empower consumers?
If some information is strictly not necessary for the provision of a service and the app doesn’t have a legitimate interest to use that information, then they must ask for your consent and there you should be able to say yes or no to those things. You cannot be forced to agree if that is not necessary for the provision of the service.
Companies will have to assess legitimate interest on their own. They must demonstrate that those legitimate interests are not overriding the rights of data subject which means that companies will have to say that this legitimate interest will not have a huge impact on your privacy. If the impact on your privacy is going to be big, then they cannot claim that they have this legitimate interest because your rights will be more important.
All this must be checked by the data protection authority, for example, if there is a problem. There is big risk for companies if they don’t get this right.
India is in the process of drafting a law for data protection. Justice Srikrishna’s committee has been tasked with this job. What elements, if at all, of GDPR should India incorporate in its law?
Matthan: The GDPR is an evolved law and there are pieces in the law which are superb. There are well nuanced provisions that Europe has come to after a long time of trial and error. So, we must borrow from those provisions, but we’ve to borrow selectively. I don’t think we should cut and paste. We should take those elements which are useful in our context and discard those which are suited for more sophisticated data protection regimes. They have got a very interesting rights framework and it is important to take that rights framework into account.
What we shouldn’t borrow blindly is their consent framework. The reason I say that is because Europe has lived with consent for 30 years and so they are used to it, but we are not used to it. We should have consent but perhaps we shouldn’t jump in with the excessive consent that GDPR requires. I am not saying that you get the authority to take something that could harm me without my consent. But I am questioning whether consent is the solution for everything. I may consent to engage with an app on its terms. None of us read those terms in great detail and even if we do, we will struggle to understand them in a way that they are sometimes interpreted.But what the app will do is it will rely on your consent to do things and if harm comes because of it, it will hold you accountable because you consented to it. That is an extension of consent that is unworkable in this age because no matter how sophisticated an internet user you are, there’s no way you’ll be able to fully appreciate the consequences of providing consent.
Even when we look to adopt the rights framework under GDPR, we should help the lay consumer little better. There should be a concept of learned intermediary. A learned intermediary is versed in the ways of technologies as well as the rights of a data subject. So, that person, on our behalf, could for instance investigate the apps that I use and say this particular app is using location data even if you are not moving from one place to other. As a result, when it correlates where you are shopping, it’s building a certain profile. I, as a user, will look at it and say I want to look at the right of access to see what exactly they have picked up on me.I must exercise the right of automated decision making to see are they making decisions based on that. I won’t be able to do any of this if a learned intermediary isn’t in the play. Which means if we borrow from GDPR, we should borrow the rights. But we are not sophisticated nation - in fact, I don’t think even Europe is as sophisticated as they think they are. By giving the rights,they think people will stand up and come to arms. I think we need another layer.
The regulations say that anyone who collects, targets or processes data of European consumers will be covered by GDPR. What kind of companies and connections will get impacted and how should companies prepare for this new law in Europe?
Dyson: The scope of the regulation is very broad, and it covers any organization involved in data collection, including a bank or an insurance company. Literally, any organization which is involved in interacting directly with an individual. Then you move into technology space and you look at social media websites where they are involved in retaining personal data. But the rules go beyond companies that may have an obvious interaction with a consumer where data is being collected; they extend to companies behind the scenes that provide back-office or outsourced services to those big companies. So, cloud vendors, back office IT companies and anyone involved in supporting of capturing and holding data – it’s a very broad range or sets of companies which are potentially affected.
If you have a point of presence in Europe –for instance a bank with a branch in London — you’d be covered but probably you’d expect that because you’re sitting here in the country. But the GDPR goes broader than that, due to what we call as the extra-territorial effects. So, if you’re in India and actively selling products and services to European consumers, you’re going to be subjected to these rules.
In terms of preparing for GDPR, the starting point really is sitting down as an organisation to assess what personal data relating to European customers am I collecting. Do I really understand that? Many businesses don’t know that. They have lot of systems and applications, but they don’t necessarily know where all that data has come from and what it relates to. So,tracking the data-flow across the organisation, working out what you’re doing with it, and then looking downstream and assessing whom I’m sharing that information with. Do I know why I’m sharing it and what are they using it for? Do I have a contract in place with those third parties to regulate what they use that data for? And then going to the end of the chain to look at the life cycle of the data. How long do I keep this information for? When am I deleting it? How am I archiving it? And then managing security, controls and confidentiality around it.
Watch the full interview here.