GDPR did not happen overnight. It came into effect two years after it was passed by the EU Parliament. Moreover, the seeds were sown on 23rd October 1980 in the form of the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, published by the OECD (Organisation for Economic Co-operation and Development) and endorsed by the USA and the EU.
The recommendations enumerated below laid the foundation of what we now know as the right to privacy.
Collection Limitation Principle: the collection of personal data should be limited, and where data is collected it should be only with the informed consent of the subject.
Data Quality Principle: data that is stored or processed must be free of inaccuracies and be kept up to date within a suitable time.
Purpose Specification Principle: the reason for collecting data must be clearly stated and strictly adhered to.
Use Limitation Principle: any use of data beyond the specified purpose requires fresh informed consent for each subsequent use.
Security Safeguards Principle: robust security mechanisms must protect user data.
Openness Principle: users must be informed of changes affecting their consent and be able to access their stored information in a simple manner.
Individual Participation Principle: a user should be able to request to view his or her data for a nominal fee and cannot be summarily refused.
Accountability Principle: the responsibility for adhering to these recommendations lies with the data controller.
The recommendations were non-binding and so, despite forming the cornerstone of many countries' privacy laws, failed to give practical effect to privacy concerns.
The EU's 1995 Data Protection Directive aimed to harmonise the fragmented approach to the right to privacy within the EU and to govern the transfer of data to countries outside the EU. It provided for the creation of a DPA (Data Protection Authority) in each member state to serve as the regulatory body for interactions with businesses and citizens.
It set the condition that user data could be transferred outside the EU only if the third country applied regulation as stringent as the EU's to govern user data.
It still did not give users the right to be forgotten, and it was unwieldy owing to poor implementation. Being a directive rather than a regulation left it weak and open to conflicting interpretations.
The newly enforced GDPR is a larger piece of legislation, and the changes it brings are radical, with far-reaching impact on businesses. Most importantly, as a regulation rather than a directive, it is directly enforceable law in all EU member states.
Modern technology has enabled the creation of an ever-growing trove of personal user data, which in turn has given rise to whole fields such as data analysis, detailed profiling and targeting. GDPR updates the old standards to fit today's technology while remaining consensus-friendly, protecting the fundamental rights of individuals in a simple manner.
The Weltimmo ruling of the CJEU sought to let users approach the DPA closest to where they are located, rather than the one in the member state where the data processing takes place.
Coupled with the collapse of the Safe Harbour agreement between the EU and the US following the controversy over the Edward Snowden revelations, the GDPR was long awaited as a way to plug the gaps in the old directive and avoid repeated intervention by the courts.
There are 3 major components of GDPR:
1. Data Subject Rights
2. Data Portability
3. Privacy by Design
Data Subject Rights pertain to a group of rights that are available, collectively and individually, to citizens of the EU with respect to their data. These data subject rights are three in number:
1. Breach Notification: data controllers must notify data subjects of any data breach likely to affect their rights and freedoms within 72 hours of the data controller becoming aware of the breach.
2. Right to Access: data subjects may request that the data controller confirm whether their personal data has been collected and processed, and for what purpose. Data controllers must service these requests and, when asked by the user, provide an electronic copy of all such data free of charge.
3. Right to be Forgotten: also known as Data Erasure, this right lets data subjects request the deletion of their personal data from all servers of any business or commercial activity. The data controller must treat such a request as withdrawal of consent to the processing of the personal data and delete all such data, unless deletion would be against the public interest.
Data Portability is a new feature of GDPR: data that a data subject (user) has requested from one data controller can be provided as personal data to another data controller for processing. The data and its dissemination belong to the data subject, not the data controller. Consent to each is considered separately, and revoking consent to one does not automatically revoke consent to the other.
Privacy by Design: according to Article 23 of the GDPR text, data controllers must practise data minimisation. This is popularly known as privacy by design and has long been a demand of privacy advocates. It requires data controllers to ensure that a data subject's personal data is accessible only to those data processors that actually process it; it must not be shared with those that do not directly process the data.
Thus, GDPR is not a piece of legislation that simply fell from the sky: it has taken shape over the years, and it attempts to bring users' data privacy to the fore and to make rights over our personal data as enforceable as our other civil rights. In a growing digital world, this is a step in the right direction.
Let me know what you think about this in the comments section below. All views are welcome.