The General Data Protection Regulation (GDPR) is a regulation in European Law on data protection and privacy for all individuals within the European Union (EU).
The EU General Data Protection Regulation (GDPR) superseded the UK Data Protection Act 1998 on May 25, 2018. Significant and wide-reaching in scope, the new law brings a 21st century approach to data protection. It expands the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.
‘Personal Data’ means any information relating to an identified or identifiable natural person, where such identifiable natural person can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The GDPR will apply automatically across all Member States from May 25, 2018. That includes the UK, notwithstanding Brexit. It will replace the 1995 EU Data Protection Directive.
The changes which have ushered in by the GDPR from Friday, May 25, 2018, are substantial and ambitious. The Regulation is one of the most wide-ranging pieces of legislation passed by the EU in recent years, and concepts to be introduced such as the right to be forgotten, data portability, data breach notification and accountability (to call out only a few) will take some getting used to. The regulation, not a directive makes the GDPR an unusual piece of legislation for professionals to analyse.
All the organizations that come under the purview of this Regulation were given a two-year time period to modify their policies and systems to bring them in accordance with this Regulation. However, one question many organizations encountered was whether their activities or business establishment came under the scope of this Regulation. Due to the extra-territorial applicability of this Regulation, even the organizations which do not come directly under its purview modified their policies and systems to escape any future liability.
Article 3 of the Regulation talks about the extra-territorial scope of the Regulation. It states that this Regulation will apply:
- to the activities of an establishment of a controller or processor in the Union in relation to the processing of personal data irrespective of the place where processing takes place;
- to the controller or processor irrespective of their place of establishment, in context of processing of personal data of data subjects (“Identifiable Natural Person”) who are in the Union, where processing activities are related to offering goods or services to data subjects (whether free or paid) or monitoring their behavior within the Union;
- to the processing of personal data by a controlled, established outside the territory of Union, but in a place where member state laws will apply by virtue of public international law, such as a consulate, diplomatic mission etc.
APPLICABILITY TO EU BUSINESSES:
This Regulation will apply to the controllers or processors established in the Union if they are processing any personal data of data subjects who are in the Union. Emphasis is required on the meaning of establishment that has been dealt under recital 22 of the Regulation – that an establishment implies the effective and real exercise of activity through stable arrangements and branch or subsidiary is not relevant.
The term ‘establishment’ was firstly interpreted by Court of Justice of European Union in the Google case wherein Google Spain, a subsidiary of Google Inc., had been considered an establishment of Google Inc. in the Union and accordingly held liable for infringing the data protection Directive. The Court further stated that Directive 95/46 does not require the processing of personal data in question to be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities’ of the establishment. In this case, the processing of personal data by Google Inc. of users from the Union had been considered as an activity carried out in the context of the activities of its establishment in the Union i.e. Google Spain. Therefore, both Google Inc. and Google Spain were said to be covered under the Directive (Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12)).
Also, Organisations which have EU sales offices, which promote or sell advertising or marketing targeting EU residents will likely be subject to the GDPR – since the associated processing of personal data is considered to be “inextricably linked” to and thus carried out “in the context of the activities of” those EU establishments.
Further, “Establishment” was considered by the Court of Justice of the European Union (“CJEU”) in the 2015 case of Weltimmo v NAIH (C-230/14). This confirmed that establishment is a “broad” and “flexible” phrase that should not hinge on legal form. An organisation may be “established” where it exercises “any real and effective activity even a minimal one” through “stable arrangements” in the EU. The presence of a single representative may be sufficient. In that case, Weltimmo was considered to be established in Hungary as a result of the use of a website in Hungarian which advertised Hungarian properties (which meant that, as a consequence, it was considered “mainly or entirely directed at that Member State”), use of a local agent (who was responsible for local debt collection and acted as a representative in administrative and judicial proceedings), and use of a Hungarian postal address and bank account for business purposes – notwithstanding that Weltimmo was incorporated in Slovakia.
APPLICABILITY ON NON-EU BUSINESSES:
In order to give the utmost level of protection to personal data of data subjects who are in the Union, the Regulation also covers a controller or processor not established in the Union but offering any goods or services (whether free or paid) to the data subjects in the Union. Unlike the Directive, this Regulation has specifically included an extra-territorial applicability clause. This clause clearly intends not to give a single chance to any controller or processor for using personal information of data subjects who are in the Union without their express permission or for other purposes as mentioned under Article 6(1).
Article 3(2) states that this Regulation will apply to all the controllers or processors who are processing any personal data of data subjects who are in Union, either through any establishment in the Union or outside the territory of Union. This clause has also included businesses which do not have any type of establishment in the territory of the Union, but they are targeting the individuals within the Union for buying or selling any products or services either for free or for any consideration. The intention of controller/processor can be determined based on whether they are using a member state’s language on their website for offering goods and services, dealing in their currency, targeting the customers or users who are in the Union, etc. This clause has compelled non-EU businesses to modify their policies and systems in accordance with this Regulation. Companies that are substantially affected by this clause are e-commerce companies which target a large number of people from different parts of the world and in some cases, these companies store the personal data of their customers for giving them better services.
HOW DO NON-EU COMPANIES DECIDE WHETHER GDPR IS APPLICABLE TO THEM OR NOT?
Sometimes, non-EU companies that operate outside the EU and do not provide any type of services to EU-based persons find it confusing that whether this Regulation will apply to them in case one of their clients visits EU for any short-term purpose and access their website from EU because the clause reads: “this Regulation will apply to the processing of personal data of data subjects who are in the Union”. The phrase ‘data subjects who are in the Union’ does not mean that it will be applicable to all the individuals who are in the Union. The same is explained by way of an example given by the European Commission on their website which states:
“Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”
This Regulation also covers those controllers or processors (irrespective of their establishment) who engage in processing the monitoring of the behaviour of data subjects if their behaviour takes place within the boundaries of Union. If such type of processing leads to any information relating to an identifiable natural person or through such processing if a data subject can be traced by using such person’s potential subsequent use of personal data processing techniques (including behavioural characteristics, personal preferences, attitude, interests, location etc.) then the activity will be considered as processing the monitoring of behaviour of data subjects.
Activities which fall entirely outside the GDPR’s scope:
Activities concerning national security in relation to the EU’s common foreign policy, by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences and associated matters.
India is in a unique position as it embarks on a digital transformation journey of unprecedented magnitude through citizen biometric data platform of Aadhaar, e-governance initiative Digital India, fostering presence-less, paperless, and cashless service delivery through IndiaStack and digitization of citizens’ documents via DigiLocker. Aadhaar has strong data protection measures but as India moves towards digital at a scorching pace, ensuring comprehensive protection of data while also empowering citizens to leverage their own data will be paramount. For instance, enrollment for jobs or skilling initiatives based on the documents saved on the cloud platform of DigiLocker.
India’s demonetisation move was followed by the Union Budget for 2017, that outlines an ambitious goal of achieving 25 billion digital transactions in 2017-18 which means the Government will need to ensure security and regulatory compliance of the unprecedented number of websites and web applications offering digital transaction services. With the Goods and Services Tax or GST coming into effect recently, all businesses will now have to maintain electronic invoices on the cloud. India could draw on an over-arching data protection regime by building on GDPR. However, data protection cannot be in the government sphere alone. Businesses in India can also take cognizance and bring in strong data protection measures akin to GDPR, that will only enable their growth in the long run.
The Srikrishna committee on data protection submitted its much-awaited report on July 27, 2018, along with its recommendation and if accepted by the government will sharply increase the citizen privacy level, affect the technologies e-commerce Companies & re-define governments access to personal information.
Further, citizens and internet users will have the final say on how and for which purpose personal data can be used and they will also have the right to withdraw consent. There will also be an option of ‘Right to be forgotten’ subject to certain condition. Strict monetary penalties, as well as criminal prosecution, has been recommended for companies violating data privacy rules.
The data localization could also mean huge business growth for companies like Amazon web services, Microsoft and Google which already have established services in India and have been aggressively expanding operations. Entering the data centre space would be one of the huge businesses in near future.
THE SUMMARY ON INTERNATIONAL LEVEL IMPACT OF THE GDPR:
The Australian Government recognizes the similarities between GDPR and the Australian Privacy Act 1988. Both sets of regulation focus on the transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected.
- South Africa:
South Africa’s 2013 Protection of Personal Information Act (PoPI) shares many similarities with GDPR. In our experience, companies that have embraced PoPI will benefit significantly in terms of their journey to GDPR compliance.
- United States:
In a recent PwC survey of over 200 US executives, 92 per cent of the respondents cited compliance with GDPR as a top priority on their data privacy and security agenda in 2017. After significant negotiation between the European Commission and the US Government, the EU-US Privacy Shield was adopted in July 2016.
Japan has recently made significant enhancements to the Act on the Protection of Personal Information (APPI), and established a new Personal Information Protection Commission (PPC). As with GDPR, APPI has a comprehensive definition of personal information or ‘special care-required personal information’. Regulators are advising organizations on the value of finding ways to anonymize or pseudonymize data so that it can still be used effectively for big data analytics without a connection to an individual.
- European Economic Area Countries
The rules relating to data exports to non-EU/EEA countries, such as Norway, will not change significantly because they were already fully harmonized under the old framework. Data exports will continue to be allowed where the European Commission has established that the level of data protection in the destination country is adequate.
With the growing need for know, your customer norms and information sought by various establishments on their website, the Companies dealing in the personal data of the Data Subject will now have to comply with the GDPR, besides complying with the provisions of the local laws. Any failure to comply with the provisions of the GDPR will attract heavy penalty on the establishments.
GDPR compliance is not just a matter of ticking a few boxes; the Regulation demands that you be able to demonstrate compliance with its data processing principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability and individuals’ rights provisions, as well as building a workplace culture of data privacy and security.
For many organisations, achieving GDPR compliance will be a year-long journey – if not longer. One needs to prioritise tackling those areas where a lack of action leaves the organisation exposed.
GDPR has strengthened the conditions for consent, and companies can no longer use long illegible terms and conditions full of legalese.
As a professional, we feel that there is also a need for the independent authority to enforce the rules and regulations in order to give teeth to the law and take action against those companies who don’t play by the rules.
Jaya Sharma is a Practising Company Secretary in Mumbai.