There has been a lot of discussion about privacy (particularly online privacy)  over the last couple of years, most of which has coincided with the rise of social media, improved surveillance and monitoring techniques, and the use of user data as a commodity. Several industries have risen solely on the back of harvesting, selling, and trading user data in recent years. Advertisers now use user profiles compiled from aggregating search history, browsing habits, and media consumption to deliver advertisements that can be specifically targeted to particular individuals. There have even been allegations of companies using user data to build profiles of their users and attempting to influence them during elections.

It is in this context that the global conversation around privacy has taken grown louder, with governments around the world bringing different data protection legislations. In India, the Supreme Court has ruled that privacy is a fundamental right recently. In the online sphere, the draft Personal Data Protection Bill, 2018, is an attempt at bringing in a law that addresses modern requirements.

The most important privacy law in effect today however, is the European Union’s General Data Protection Regulation (GDPR), which has already caused a significant change in the way that companies handle and process user data. The GDPR was notified in 2016 and gave organizations a two-year window to set their houses in order, before coming into force on May 25, 2018.

Who does GDPR apply to?

THE GDPR is applicable to any entity that conducts business in the EU, as well as any entity that collects, stores, or processes data of EU citizens or residents (including non-citizens who are physically in the EU). Therefore, this means that the GDPR also applies to:

  1. Non-EU companies that employ EU citizens (regardless of location)
  2. Non-EU companies that handle, collect, store, or process the data of EU citizens (even a single EU citizen using a company’s products/services attracts application of the GDPR).

Therefore, it’s obvious that the GDPR would have an effect on Indian businesses as well. In today’s interconnected world where products and (especially) services are no longer restricted by physical borders, Indian businesses which aren’t careful could end up running afoul of the GDPR, which in turn can have significant consequences.

What does it cover?

Broadly speaking, the GDPR covers two kinds of data:

  1. Personal data: This is any kind of data that can identify an individual, such as a name, date of birth, physical address, or even an IP address or a pseudonym. Any organization which handles any such data of an EU citizen or resident is compelled to comply with the GDPR.
  2. Sensitive personal data: The GDPR defines this data as information pertaining to an individual’s personal matters, such as racial information, religious beliefs, sexual orientation, political affiliation, genetic information, and trade union membership among others.

Key Features

  1. Scope

The predecessor to the GDPR was the European Council’s Data Protection Initiative (DPI) of 95/46/EC. This law came into effect in 1995, and obviously times have changed significantly since then. Less than 5% of the global population had access to the internet back then, and the idea of massive data transfers across continents was more science fiction than fact. Accordingly, the DPI was quite ambiguous as to its applicability and scope.

The GDPR addresses these issues, making it clear that geography is not a consideration any more. As mentioned above, the law applies to any EU citizen or resident, regardless of where the data handling takes place. It is this specific provision that has had implications for businesses all over the world, as the EU constitutes the world’s largest single market and companies are obviously reluctant to run afoul of its regulations and subsequently lose access to it.

  1. Express Consent Terms

Under the GDPR, entities must obtain express permission to collect, process or store personal data. They must also clearly define what the data will be used for, and consent given is use-specific (i.e. data provided to access research cannot be used for targeted advertising). It focuses more on an opt-in process rather than relying on users to opt out of unwanted data collection. Further, organizations are barred from collecting data beyond the scope of the purpose for which consent was obtained. Organizations are also required to allow users to withdraw their consent easily, and at any given time.

  1. Right to Access and be Forgotten

Under the GDPR, users to whom it applies are entitled to know what data is being collected, how it’s processed and used, and who has access to it. Upon user request the organization is mandated to provide a copy of the collected data free of charge. Users are also entitled to request the correction of inaccurate information.

The GDPR also expands on the EU’s right to be forgotten, empowering users to demand erasure of their data. There are also some circumstances where a user may demand that an entity which has collected its data ensures that any third-parties can no longer process it.

  1. Infrastructure Changes

Being a modern legislation, the GDPR has been drafted to ensure that organizations make structural changes to the way data is collected, stored, handled, or processed. This includes mandating a position for Data Protection Officers (with specific employment protections) for all organizations who fit certain criteria (essentially those whose primary business is handling data) as well as descriptions of how data is stored and safeguards for the same, and creating provisions for data audits.

  1. Penalties

It could be argued that the biggest reason that organizations scrambled to comply with GDPR as May 25, 2018 approached, were the significant penalties that GDPR imposes on violators. For smaller/first time offenses, violators can be fined up to €10 million or 2% of global revenue– whichever is higher. For more serious or serial offenses, violators could be fined €20 million or 4% of global revenue, whichever was higher. For many MNCs, the costs associated with non-compliance could potentially run into billions of euros.

It is the sharp teeth that come attached with the GDPR that makes this of particular relevance to Indian entities. In the event an Indian entity which was in violation of GDPR ever tried to set up a presence in the EU, the financial ramifications (not to mention publicity issues) could be disastrous. It is for this reason as well that many Indian entities also sought to ensure that their data handling procedures were in compliance with the GDPR.

In summary, the GDPR has proven to be a real game-changer in the way that organizations handle data, and its effects are being seen in legislation all over the world, including in India. We’ll be covering some of the more interesting GDPR provisions, as well as India’s Personal Data Protection Bill, in subsequent posts.