By Supratim Chakraborty, Shweta Dwivedi and Sneh Lata
On May 25 this year the European Union (EU) implemented the General Data Protection Regulation (GDPR) implemented by the European Union (EU) aiming to harmonise and strengthen the data privacy and protection laws across EU member states. It provides data subjects with extensive rights over their personal data and prescribes heavy penalties for non-compliances, which can go up to the higher of either 20 million euros or 4% of the annual global turnover of an erring corporate body.
GDPR aims to regulate the collection, storage and processing of personal data of EU data subjects by entities. With its advent, there has been an increase in transparency in methods of personal data collection and its processing amongst global businesses which have an EU touchpoint. The GDPR applies not only to entities within the EU but to all entities that provide goods and services to EU residents or monitor their behaviour within EU.
The advent of GDPR has brought about a sea change in data protection standards and has also increased awareness amongst entities that process personal data of individuals. GDPR has sensitized masses about their rights over personal data and has acted as a platform to unify the data privacy and protection framework in the EU.
Key takeaways for countries outside the EU
Globally, there has been an increased demand for comprehensive data protection laws in the light of the rapid digitization that has taken place in the last few years and the corresponding increase in the instances of cyber-crimes such as hacking, unauthorized usage of personal data, unauthorized online-tracking of user behaviour. Furthermore, there has also been an increase in awareness amongst people who have started viewing data as a valuable resource and recognizing the need to protect the same.
At present, the GDPR principles have become the gold standard for data privacy and protection across the globe. Non-EU countries which still do not have a comprehensive data protection regime could attempt to incorporate similar principles in their domestic laws.
Some of the important principles enunciated in the GDPR include consent of the data subject, which needs to be obtained before collecting, processing, storing, handling, dealing with any of their personal data. Another important principle implemented due to the increase in instances of cross-border flow of data is the extra-territorial jurisdiction to address concerns of data subjects that involve a breach of the domestic data protection law by any entity located outside the geographic boundaries of such a country.
Another important factor addressed by the GDPR is the issue of data minimisation, whereby, any collection of personal data has to be justified to be adequate, relevant and limited to what is necessary in relation to the purpose of its collection. Thus, personal data collection should be minimized to include only such personal data which is absolutely required for the purpose of its collection. Similarly, subjects should be allowed to port their personal data from one service provider to another. Such free flow of personal data at the discretion of the subject in a structured and a machine-readable format reduces the need to submit data multiple times.
The GDPR also calls for data protection impact assessment, which is that processing carried out using any new technology should be done after conducting a prior impact assessment to determine the likelihood of risks involved and whether such risks affect the rights and freedom of the data subjects. Finally, perhaps one of the most important principles is the right to be forgotten and the right to erasure, that is it mandated that personal data of an individual should be deleted if an individual withdraws his/her consent or if the purpose for which personal data had been collected is now complete.
Data privacy by design and default
GDPR envisages, data privacy by design and default that mandates entities to adopt improved data protection practices right from the first stage of data collection to the last stage of data storage or deletion. If non-EU countries adopt such a legislation, it would help safeguard personal data and prevent any misuse. Such a legislation should not only strategize a coherent data-flow system, but should also help data subjects to enforce their rights over their personal data. If the law balances the concerns of the business entities and the privacy rights of data subjects, then it will act as a foundation for building a trusted and a long-lasting relationship between business entities and data subjects.
Supratim Chakraborty is the Associate Partner at Khaitan & Co. Shweta Dwivedi is the Principal Associate at Khaitan & Co and Sneh Lata is an Associate at Khaitan & Co