Trans-border data flow protection:
To extend data protection beyond the borders of the EU, the GDPR contains a number of provisions governing transfers of personal data from EU member states to “third countries” outside the EU. A key requirement for such transfers is that the third country offers an adequate level of data protection, whether through its domestic legislation or through the international commitments it has entered into. The European Commission has so far recognized Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (in a limited form) as providing adequate protection. The United States was not included earlier because it lacks a federal data protection law, but it has recently been included subject to certain limits. The core of the adequacy test is the presence of a legal and regulatory framework, together with compliance and enforcement procedures, for data protection. India does not yet appear on the list and will have to pass the adequacy test set out in Article 45 of the Regulation once the draft Data Protection Bill 2018 is enacted by Parliament. Until then, IT firms located in India that process data of EU data subjects must adhere strictly to the data protection articles of the GDPR and rely on the appropriate safeguards of Article 46, such as standard contractual clauses, for each transfer. Once the adequacy test is passed, transfers between the EU and India will be treated much like data flows within the EU.
Laws and regulations remain on paper unless they are enforced. The Regulation refers to a number of organizations and groups with varying levels of enforcement authority. The “one-stop-shop mechanism” referred to in Recital 127 of the Regulation denotes an arrangement under which an organization engaged in cross-border processing deals with a single lead supervisory authority, the one in the member state of its main establishment, rather than being investigated separately by each national authority. The supervisory authority with jurisdiction over the incident handles the enforcement proceedings. Data subjects have a number of rights that relate specifically to how they can seek remedy or judicial redress for breaches of the Regulation. The administrative fines that can be levied against organizations that breach the Regulation come in two tiers: up to € 10 million or 2% of total worldwide annual turnover for the lower tier, and up to € 20 million or 4% for the upper tier, in each case whichever is greater. Organizations therefore need to weigh the cost of data protection measures against the penalty incurred for breaches and act accordingly. This is one of the first Regulations to specify the amount of the penalty precisely, so that organizations can carry out a cost-benefit analysis of their data protection policies and initiatives. This approach has also been replicated in India’s draft Data Protection Bill 2018.
Though firms and their CXOs see the Regulation as onerous, it places substantial responsibility on firms for how they handle the personal information of data subjects. Data is an asset to today’s organizations. With the emergence of Big Data analytics and machine learning algorithms, firms have been extracting enormous value by harvesting and analyzing personal information. Data subjects, even when they voluntarily disclose their information for their own benefit, have had no concrete, unified legal recourse for breaches of their information and the associated loss of privacy. The Regulation provides exactly that.
One can argue that the Regulation may provide a sub-optimal solution to protecting personal information compared with markets, as expounded by neo-classical economists. Many economists and scholars have argued that divulging personal information also has positive externalities and improves the provisioning of public goods. For example, sharing health data provides a means of detecting epidemic outbreaks early, as illustrated by HealthMap (http://www.healthmap.org), and hence enables preventive steps to be taken.
However, the Regulation is the first serious attempt to delineate property rights over individuals’ personal information and to enable their protection. Hopefully, this will augment the social benefits and benefit everyone.
References:
Daniel J. Solove (2006). A Taxonomy of Privacy. University of Pennsylvania Law Review, 154, 477.
IT Governance Privacy Team (2016, 2017). EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide. IT Governance Publishing. ISBN 978-1-84928-945-0.
General Data Protection Regulation (Regulation (EU) 2016/679). Available at: https://gdpr-info.eu/