Professor, International Institute of Information Technology Bangalore (IIITB)
With the enactment of the European Union General Data Protection Regulation (EU GDPR), in force since 25 May 2018, “privacy” has become a very important issue for all firms engaged in collecting, processing and disseminating the personal information of their customers and employees alike.
Even though the “Data Protection Directive” has existed in Europe for about 20 years, EU GDPR provides a consistent framework to address data protection across the 28 EU member states, covering about 350 million people. Unlike the Directive, which provided a minimum set of data protection standards and left it to the member states to frame their own laws, EU GDPR is itself the law across the member states and hence more stringent and enforceable than ever. Thus the EU has taken data protection head on, handling it through a command-and-control regulatory regime.
It must be pointed out that, on the contrary, the United States has taken a more liberal approach to data protection. Though numerous regulations and directives exist, such as the Right to Financial Privacy Act of 1978, the Electronic Communications Privacy Act of 1986, the Family Educational Rights and Privacy Act of 1978, the Privacy Protection Act of 1988 and the Video Privacy Protection Act of 1988, law and policy makers have upheld market-oriented principles instead of adopting a stringent regulatory approach to the use of data subjects' personal information.
Though EU GDPR sets out very clear, unambiguous rules on the protection of EU residents' personal data, it also makes it easier for firms who comply with these rules to transfer data across EU member countries efficiently, thus improving their business operations.
The territorial scope of the Regulation covers the processing of personal information of data subjects who are in the Union, irrespective of their nationality or place of residence, by data controllers and processors who are within or outside the EU, regardless of whether the processing takes place within or outside the EU. “Data controllers” are entities that determine the purposes and means of processing personal data, and “data processors” are those contracted by data controllers to process personal data. As per Article 3 of the Regulation, the territorial scope affects all firms that have business in the EU member countries for which they collect, process and disseminate personal information about EU-based data subjects. The Regulation has serious consequences for all firms in India that handle personal information of EU data subjects for monetary or non-monetary purposes.
With this wide territorial scope, the Regulation covers the entire supply chain of data flow from data subjects to data controllers to data processors. To provide accountability, the Regulation mandates that data controllers and data processors designate a Data Protection Officer with assigned roles and responsibilities.
The debate about privacy has economic, legal, psychological, social and technical dimensions, and hence more often than not the definition of privacy is mired in confusion. We identify the main dimensions of “privacy” using the classical privacy taxonomy proposed by Daniel Solove (Solove, 2006) and map the clauses of EU GDPR onto that taxonomy for better understanding.
Identification and Aggregation:
Identification is connecting information to individuals: “the association of data with a particular human being.” Identification enables us to attempt to verify identity, that is, that the person accessing her records is indeed the owner of the account or the subject of the records. For example, the Aadhaar number is a random number that bears no relationship to the identity of the holder. However, it can be traced to the “blood and flesh” of the individual through the associated biometric information. While the Aadhaar number alone may not divulge much about an individual, when aggregated with other identity information (excluding core biometrics) it may reveal some telling patterns about that individual. EU GDPR applies data protection to any information concerning an “identified” or “identifiable” natural person. Personal data which have undergone pseudonymisation, but which could be attributed to a natural person by the use of additional information, should be considered information on an identifiable natural person. What this means is that the data protection afforded to individuals is much broader in context and scope.
Related to “identifiability” is aggregation. Aggregation is the gathering together of information about a person. A piece of information here or there is not very telling, but when combined, bits and pieces of data begin to form a portrait of a person: the whole becomes greater than the parts, because combining information creates synergies. EU GDPR recognizes this process of aggregation in the form of “identifiable” information that needs to be protected.
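The two points above, that pseudonymised data plus its “additional information” is still personal data, and that aggregated quasi-identifiers can single out a person even without that information, can be illustrated with a small added example (not code from the article; the records, field names and functions are constructed for illustration):

```python
import secrets
from collections import Counter

# Constructed sample records (fictitious people) as a data controller might hold them.
RECORDS = [
    {"name": "Asha Rao",   "postcode": "560100", "birth_year": 1985, "condition": "asthma"},
    {"name": "Ravi Kumar", "postcode": "560100", "birth_year": 1985, "condition": "diabetes"},
    {"name": "Meena Iyer", "postcode": "560034", "birth_year": 1990, "condition": "migraine"},
]

# Fields that are not direct identifiers but, in combination, can still single someone out.
QUASI_IDENTIFIERS = ("postcode", "birth_year")


def pseudonymise(records):
    """Replace the direct identifier (name) with a random token.

    Returns (pseudonymised records, token->name mapping). The mapping is the
    'additional information' the Regulation refers to: whoever holds it can
    re-attribute every record, so it must be kept separately, under its own
    access controls, from the pseudonymised data set."""
    mapping = {}
    out = []
    for r in records:
        token = secrets.token_hex(8)
        mapping[token] = r["name"]
        out.append({"id": token, **{k: v for k, v in r.items() if k != "name"}})
    return out, mapping


def reattribute(pseudo_records, mapping):
    """Pseudonymised set + mapping = identified personal data again."""
    return [{**r, "name": mapping[r["id"]]} for r in pseudo_records]


def singled_out(pseudo_records, keys=QUASI_IDENTIFIERS):
    """Aggregation check a controller can run before sharing a pseudonymised
    extract: return the ids of records whose quasi-identifier combination is
    unique in the set, since those records still identify one person."""
    combo = lambda r: tuple(r[k] for k in keys)
    counts = Counter(combo(r) for r in pseudo_records)
    return [r["id"] for r in pseudo_records if counts[combo(r)] == 1]


if __name__ == "__main__":
    pseudo, key_map = pseudonymise(RECORDS)
    print("pseudonymised:", pseudo)
    print("singled out without the mapping:", singled_out(pseudo))
    print("re-attributed with the mapping:", reattribute(pseudo, key_map))
```

In the constructed data two records share postcode and birth year and so hide each other, while the third is unique on those fields and remains identifiable even though its name was removed.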
Secondary Use and Consent:
Secondary use is the use of data for purposes unrelated to those for which it was initially collected, without the data subject’s consent. Consent of the data subject is of utmost importance in the processing of personal data by data controllers. As per EU GDPR, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. EU GDPR gives utmost importance to the consent of the data subject for all types of processing of personal data. Further, EU GDPR clearly states that personal data can be collected only for “specified, explicit and legitimate purposes”. This is referred to as “purpose limitation” and restricts the use of personal data so collected by data controllers to the intended purpose only. Hence firms should be very careful in using personal data and restrict its use to the intended purpose, and that too within the consent framework accepted by the data subjects.
Rights of the data subjects:
EU GDPR specifies a number of rights of data subjects over the use, modification and erasure of their personal information. EU GDPR mandates “transparency” with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing. Further, the data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. This is expected to minimize the existence of partial, outdated or incomplete personal information about data subjects with the data controllers. One of the important rights conferred on data subjects is the “right to be forgotten”. Under Article 17 of the Regulation, data subjects can request that their information be erased. Under this right, the data controller is obligated to take all necessary steps to erase all information about the data subject without undue delay, unless holding or processing such information is absolutely necessary.
Security of Personal Information:
Identity theft is the fastest-growing white-collar crime. An identity thief opens accounts and conducts fraud in the victim’s name. Identity theft is the overt result of a larger group of problems called “insecurity.” Glitches, security lapses, abuses and illicit uses of personal information all fall into this category. Insecurity, in short, is a problem caused by the way our information is handled and protected. Insecurity is related to aggregation, as it creates risks of downstream harm that can emerge from inadequate protection of compendiums of personal data. As per the Regulation, personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including preventing unauthorized access to or use of personal data and the equipment used for the processing. Recognizing that, despite all precautions, data breaches could occur, Article 33 of the Regulation sets out stringent requirements for the notification of such breaches. Data breaches, as and when they occur, should be notified by data processors and controllers to the designated authority within 72 hours of the breach.