GDPR Summary
General Data Protection Regulation
The General Data Protection Regulation, commonly known as the GDPR, is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also governs the transfer of personal data outside these areas, but its primary aims are to give individuals control over their personal data and to simplify the regulatory environment by unifying data protection rules within the EU. By replacing the Data Protection Directive, it covers the personal data of data subjects inside the EEA regardless of where the data is processed or of the subject's citizenship.
Data protection principles must be implemented through appropriate technical and organisational measures by the controllers and processors that handle personal data. Information systems must be designed with the highest privacy settings by default, so that the data cannot be used to identify a subject. Processing must rest on one of the six lawful bases specified by the regulation (consent, contract, public task, vital interest, legitimate interest or legal requirement); otherwise personal data must not be processed.
Data controllers must disclose their data collection, declare the lawful basis and purpose of the processing, state how long the data is retained and state whether it is shared with any third parties. Data subjects (residents) have the right to request a portable copy of the data collected about them and to have it erased under certain circumstances. A data protection officer (DPO) is required for GDPR adherence. Any data breach must be reported to the national supervisory authority within 72 hours if it affects user privacy. Violators of the GDPR may be fined up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, or €20 million, whichever is greater.
The GDPR was adopted on 14 April 2016 and became enforceable on 25 May 2018. It has widely become a model for national laws outside the EU and has many similarities with the California Consumer Privacy Act (CCPA).
I. General Provisions
The GDPR applies if the data controller or the data subject is based in the EU, and under certain circumstances it also applies to organisations outside the EU that process the personal data of individuals inside the EU. There must be a professional connection to the processing; otherwise the regulation does not apply.
The regulation is not intended to govern the processing of personal data for national security activities or law enforcement in the EU. However, industry groups concerned about a potential conflict of laws have questioned whether Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the GDPR) could be invoked to prevent a data controller subject to a third country's laws from complying with a legal order from that country's law enforcement, judicial or national security authorities to disclose the personal data of an EU person, regardless of whether the data resides inside or outside the EU. The relevant article states that any judgment of a court and any decision of an administrative authority of a third country requiring a controller to transfer personal data may not be recognised in any manner unless it is based on an international agreement. The data protection reform package also includes a separate Data Protection Directive for the police and criminal justice sector, which provides rules on personal data exchanges at national, European and international levels.
A single set of rules applies to all EU member states, and each member state establishes an independent supervisory authority (SA) to hear complaints and to impose sanctions and administrative penalties. The supervisory authorities must cooperate with one another, providing mutual assistance and organising joint operations.
II. Principles
A legal basis is necessary to process personal data. The lawful purposes are:
a.) Data subject has given consent for processing his/her data
b.) Fulfill contractual obligations with a data subject
c.) Comply with a data controller’s legal obligations
d.) Protect the vital interests of a data subject
e.) Perform a task in the public interest
f.) For the legitimate interests of a data controller or a third party
When informed consent is used as the lawful basis for processing, it must be specific to the data collected and to the purposes for which it is used. Consent must be a specific, freely given, plainly worded and unambiguous affirmation by the data subject. A consent mechanism that does not meet these criteria is therefore a violation of the GDPR.
Data subjects must be allowed to withdraw this consent at any time. For children under 16 years old, consent must be given by a parent and be verifiable. The data controller does not have to re-obtain consent if it was already obtained under the Data Protection Directive, provided that the GDPR's requirements are met.
III. Rights of the Data Subject
1.) Transparency and modalities
Article 12 requires the data controller to provide information to the data subject in a concise, transparent, intelligible and easily accessible form, using clear language that is understandable to children where it is addressed to them.
2.) Information and Access
The right of access (Article 15) gives people the right to access their personal data and any information about how it is processed. Data controllers must provide an overview of the categories of data held and a copy of the actual data on request. Controllers must also inform the subject about the details of the processing and how they acquired the data.
The data subject is entitled to have their personal data transferred from one electronic processing system to another. Data that has been sufficiently anonymised is excluded, but data that has only been de-identified and can still be linked to the individual in question, for example by supplying the relevant identifier, is not. Both data provided by the data subject and data observed about them, such as behaviour, are included. Data portability must be observed.
3.) Rectification and Erasure
Article 17 gives the data subject the right to request the erasure of personal data related to them within 30 days, including where the processing does not comply with Article 6, which requires the protection of personal data.
4.) Right to object and automated decisions
The right to object (Article 21) allows an individual to prevent controllers from processing their personal data.
Instances where objection does not apply:
· Where legal or official authority is being exercised.
· Where there is a 'legitimate interest', such as when the organisation needs to process data in order to provide the data subject with a service they signed up for.
· Where a task is being carried out in the public interest.
IV. Controller and Processor
Compliance with the GDPR includes implementing measures that meet the principles of data protection by design and by default, such as the controller pseudonymising data as soon as possible. Data subjects must be fully informed about the extent of data collection, the legal basis, how long the data is retained, whether it is transferred, any automated decision-making made on a solely algorithmic basis, and all of their rights.
Data protection impact assessments (Article 35) have to be conducted when specific risks to the rights and freedoms of data subjects arise. Risk assessment and mitigation are required, and prior approval of the data protection authority is required for high risks. Article 25 requires data protection to be designed into the development of business processes and set to the highest level by default, in compliance with the regulation.
1.) Pseudonymisation
According to the GDPR, pseudonymisation is a mandatory process for stored data that transforms personal data so that it can no longer be attributed to a specific data subject without the use of additional information. That additional information must be kept separately from the pseudonymised data. Encryption is one example: it renders the original data unintelligible, and the process cannot be reversed without access to the correct decryption key.
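As an added illustration (not code from the original summary or from any regulator), the following Python shows the distinction the regulation draws: pseudonymised rows stay linkable to a person through separately held "additional information" (here a secret HMAC key and a token-to-identifier map, both assumed to be stored apart from the data), whereas anonymised output keeps only aggregates that no longer describe any individual. The records are constructed sample data, and HMAC-SHA256 tokenisation is one technique chosen for the example, not the only method the regulation permits. The anonymised-versus-merely-de-identified point from the portability section above is covered by the same code.

```python
"""Pseudonymisation versus anonymisation of a small customer table (constructed sample data)."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample records; the people and values are invented for this example.
RECORDS: List[Dict[str, object]] = [
    {"email": "alice@example.com", "age": 34, "city": "Lyon", "purchases": 3},
    {"email": "bob@example.com", "age": 41, "city": "Lyon", "purchases": 1},
    {"email": "alice@example.com", "age": 34, "city": "Lyon", "purchases": 2},
]

# Fields that directly identify a person and must be replaced before storage.
DIRECT_IDENTIFIERS = ("email",)


def pseudonymise(records: List[Dict[str, object]], key: bytes) -> Tuple[List[Dict[str, object]], Dict[str, str]]:
    """Replace direct identifiers with keyed tokens (HMAC-SHA256, truncated to 16 hex chars).

    Returns the transformed rows and the re-identification map (token -> identifier).
    The map and the key are the 'additional information' that must live in a separate
    store with its own access controls; without them a token cannot be attributed to anyone.
    The same identifier always yields the same token under one key, so a person's records
    remain linkable to each other, which is exactly why the result is still personal data.
    """
    lookup: Dict[str, str] = {}
    out: List[Dict[str, object]] = []
    for row in records:
        new_row = dict(row)
        for field in DIRECT_IDENTIFIERS:
            value = str(row[field])
            token = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
            lookup[token] = value
            new_row[field] = token
        out.append(new_row)
    return out, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Attribute a token back to a person; only possible with the separately held map."""
    return lookup.get(token)


def age_band(age: int) -> str:
    """Generalise an exact age to a ten-year band (e.g. 34 -> '30-39')."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(records: List[Dict[str, object]]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Aggregate rows by (city, age band) and discard every per-person field.

    No row-level output and no reverse map exist, so nothing here can be linked back
    to an individual; this is the kind of data the portability right does not cover.
    """
    summary: Dict[Tuple[str, str], Dict[str, int]] = {}
    for row in records:
        bucket = (str(row["city"]), age_band(int(row["age"])))  # type: ignore[arg-type]
        entry = summary.setdefault(bucket, {"rows": 0, "purchases": 0})
        entry["rows"] += 1
        entry["purchases"] += int(row["purchases"])  # type: ignore[arg-type]
    return summary


if __name__ == "__main__":
    # Constructed key for demonstration only; a real deployment would draw it from a secret store.
    demo_key = b"constructed-demo-key"
    rows, lookup = pseudonymise(RECORDS, demo_key)
    for r in rows:
        print(r)
    print("first token belongs to:", reidentify(rows[0]["email"], lookup))  # type: ignore[arg-type]
    print("anonymised summary:", anonymise(RECORDS))
```

In use, `rows` goes to the analytics or application database while `lookup` and the key go to a separate store that only the re-identification path can read; rotating the key invalidates every existing token, which is the intended behaviour when the additional information is compromised.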
2.) Records of processing activities
Article 30 requires records of processing activities to be maintained, including the purposes of the processing, the categories of data involved and the envisaged time limits. These records must be available to the supervisory authority.
3.) Security of personal data
Article 33 states that the data controller is obliged to notify the supervisory authority of a personal data breach without undue delay, unless the breach does not affect the rights and freedoms of individuals.
4.) Data protection officer
Article 37 requires the appointment of a data protection officer in compliance with the regulation. The DPO acts much like a compliance manager and is expected to be proficient at managing IT processes, data security and other critical business continuity issues associated with holding and processing personal and confidential data.
VIII. Remedies, liability and penalties
In addition to any definition as a criminal offence under national law, the following sanctions can be imposed under Article 83 GDPR:
· a warning in writing in cases of first and non-intentional noncompliance
· regular periodic data protection audits
· a fine of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, for infringement of the provisions specified in that article
· a fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, for infringement of the more serious provisions specified in that article.
The following cases are not covered by the regulation:
· Lawful interception, national security, military, police, justice
· Deceased persons are subject to national legislation
· There is a dedicated law on employer-employee relationships
· Processing of personal data by a natural person in the course of a purely personal or household activity
Applicability outside of the European Union
The GDPR is not limited to the EEA; it also applies to data controllers and processors outside the EEA as long as they engage in the "offering of goods or services" to data subjects within the EEA.
EU Representative
Under Article 27, non-EU establishments subject to the GDPR are obliged to appoint an "EU Representative" to serve as a contact point for their obligations under the regulation. Failure to designate an EU Representative is treated as ignorance of the regulation and is itself a violation of the GDPR, subject to fines of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater. The intentional or negligent character of the infringement may constitute an aggravating factor.
Third Countries
Chapter V of the GDPR forbids the transfer of the personal data of EU data subjects to countries outside the EEA (known as third countries) unless the destination's data protection rules have been formally deemed adequate by the European Commission or another appropriate safeguard is in place, such as binding corporate rules, standard contractual clauses issued by a DPA, or a scheme of binding and enforceable commitments by the data controller situated in the third country.
United Kingdom Implementation
The United Kingdom formally withdrew from the European Union but remained subject to EU law until the end of the transition period on 31 December 2020. Royal assent was granted to the Data Protection Act 2018, which implemented the GDPR.
Upon completion of the transition, existing and relevant EU law was transposed into local law and the GDPR was amended by statutory instrument to remove provisions no longer needed because of the UK's non-membership of the EU; the amended regulation is referred to as the "UK GDPR".
Reception
The proposal for the new regulation gave rise to much discussion and controversy, and thousands of amendments were proposed. The GDPR's consent requirements have a number of implications for businesses that record calls as a matter of practice: if a recording has commenced and the caller withdraws their consent, the agent receiving the call must be able to stop the recording and ensure it is not stored.
Concerns were raised that organisations would need to invest additional budget to meet the consent requirements, and it has been argued that smaller businesses and startups may not have the financial resources to comply adequately with the GDPR. A lack of knowledge and understanding of the regulation was also a concern in the lead-up to its adoption.
Impact
According to academic experts who participated in the formulation of the GDPR, the law is the most consequential regulatory development in information policy in a generation.
Many companies and websites changed their privacy policies and features worldwide ahead of the GDPR's implementation. This was criticised, and experts noted that some reminder emails incorrectly asserted that new consent for data processing had to be obtained when the GDPR took effect. A blog, GDPR Hall of Shame, was created to showcase unusual delivery of GDPR notices and attempts at compliance that contained blatant violations of the regulation's requirements. An investigation of Android apps' privacy policies, data access capabilities and behaviour showed that numerous apps behave in a somewhat more privacy-friendly way since the GDPR was implemented, but they still retain most of their data access privileges in their code.
Enforcement and Inconsistency
A few apps were immediately sued by Max Schrems's non-profit NOYB for using "forced consent": they were said to violate Article 7(4) by not presenting opt-in choices for data processing consent and instead barring users who declined from using the services. Companies are now subject to legal obligations such as providing data subjects with the data gathered about them, yet some are still not complying, which has led to suggestions that authorities should exercise stronger control.
Influence on international laws
The California Consumer Privacy Act grants rights to transparency and control over the collection of personal information by companies in a manner similar to the GDPR.
EU Digital Single Market
The EU Digital Single Market strategy relates to "digital economy" activities involving businesses and people in the EU. The European Council has stated that the GDPR should be considered "a prerequisite for the development of future digital policy initiatives".