GENERAL DATA PROTECTION REGULATION
The European Commission, the executive branch of the European Union (EU), put forward plans for data protection reform across Europe in order to make it ready for the digital age.
One of the key components of the proposed reforms was the introduction and adoption of the General Data Protection Regulation (GDPR) in 2016. It replaces the 1995 Data Protection Directive, which was adopted at a time when the internet was in its infancy.
The member states were given two years to implement GDPR fully in their countries, that is, by May 2018.
According to Article 8 of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union, data protection is a fundamental right in the EU.
Earlier, the data protection rules of the member states differed widely. Considering the issue, the EU adopted the Data Protection Directive (DPD) in 1995, which required each member state to amend its national law accordingly. However, there is a difference between a directive and a regulation: a directive allows member countries to mould and customise the rules to their nation-specific needs, whereas a regulation must be complied with as it stands by all member states.
In 2012, a proposal for a single European statute was made to end legal fragmentation and administrative obligations. This later became the General Data Protection Regulation (GDPR).
GDPR at its core
It is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so that both citizens and businesses in the European Union can fully benefit from the digital economy.
GDPR comprises 11 chapters and 99 articles, making it a thorough document.
GDPR applies to all business organisations operating inside the EU and to all others operating outside it but doing business with the EU. In other words, all large businesses have to achieve GDPR compliance.
GDPR describes two different types of data handlers in Article 4, i.e. processors and controllers.
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Article 27 concerns the representatives of controllers and processors not established in the Union. Under this Article, non-EU establishments must designate an individual in the EU to serve as the point of contact.
Article 45, in Chapter 5 of GDPR, permits the transfer of personal data to a third country or an international organisation only if it ensures an adequate level of protection.
The UK's departure from the EU has not, so far, affected the applicability of GDPR in the UK. Although the United Kingdom formally withdrew from the European Union on 31 January 2020, it remains subject to EU law, including GDPR, until the end of the transition period on 31 December 2020.
But the UK government has repeatedly referred to the hindrances caused by GDPR when providing data to third countries. After leaving the EU, GDPR will cease to have direct effect in the UK. However, as the UK is committed to maintaining an equivalent data protection regime, a UK version of the GDPR will effectively apply. This is a temporary measure, and the UK is expected soon to come out with its own ‘adequacy measures’, which would replace the UK GDPR or the similar GDPR-derived regulations currently being followed.
Impact in the international arena
Mass adoption of these new privacy standards by international companies has been cited as an example of the “Brussels effect”, a phenomenon in which European laws and regulations are used as a global baseline due to their gravitas.
Europe has led the field of data protection law around the world, mainly because the EU has promoted global standards while formulating its regulations.
EU regulations also apply to business entities that do not operate from inside the EU, so indirectly all global businesses need to comply with these regulations. These non-EU business entities must comply if they offer goods and services in the EU or monitor the online behaviour of its citizens.
The globalised flow of data also pushes the world towards a single, common law to strengthen the data protection of netizens. Thus the need for an international law is fulfilled by GDPR, even though it was never intended to serve that role.
GDPR has also become a model statute that other countries follow or use as a guideline when making similar legislation.
Data has become a part of our lives and surrounds us in different forms, most commonly through social media, banks, government institutions, etc. Every service we use today requires our data, from phone numbers to bank account numbers, and analyses it; some even store this information.
Data breaches have become a common occurrence these days, with information stolen and captured by individuals with malicious intentions, which is the biggest threat to our privacy.
Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.