European Union’s GDPR: One Small Step For The Internet, One Giant Leap For Data Privacy

The data party for companies across the world has come to an abrupt end. Applicable as law from today, 25 May 2018, European Union’s ‘General Data Protection Regulation’ (GDPR) is nothing less than a giant leap in the realm of data protection and privacy.

Empowering the users within the EU, the law would hold companies accountable for data collection, retention, storage, protection, and breaches. The law replaces the 1995 directive on data privacy and is mandatory for all corporations dealing with the citizens of the EU, irrespective of where they are headquartered.

GDPR focuses on an array of aspects pertaining to user data. Unlike before, users shall now have a greater say in how the data collected from them is used. For the data to be used for a purpose, different from what it was collected for in the first place, user consent would be required. Users will have the right to know how, where, when, and by whom their data is being used. Also, they will have the freedom to be completely forgotten, that is, ensure their data is permanently deleted once they have opted out of the service or virtual platform.

Read: Lessons From EU’s Data Protection Policy: How To Shield The Online Privacy Of 500 Million Indians

GDPR warrants the presence of data protection officers in companies with an employee strength greater than 250. Given the amount of EU subjects’ data, these companies might be processing, a data protection officer would be obligated to ensure that the company is GDPR compliant in its practices, will have to ensure transparent data collection mechanisms, and curate infrastructure for efficient protection of user data.

Each of the 28 member states of EU would be required to have a GDPR supervisor. Until the Brexit process is complete, the United Kingdom would be obligated to implement the GDPR.

The companies are now required to up the ante. If Zuckerberg’s hurried testimony before the EU lawmakers is any indicator, the EU is not going to allow corporations, even the GAFA (Google, Amazon, Facebook, Apple) foursome, to get around GDPR without complying. Companies would now be required to notify their users in the case of a data breach within 72 hours. Given how the last few years saw data scandals following infamous hacking episodes, like the one at Sony and Uber, the clause was long coming.

Companies dealing with EU subjects could be fined 2 per cent of their global revenue and up to 10 million euros, or 4 per cent of their global revenue or 20 million euros, whichever is higher. The fine would depend upon the scale of the breach and other relevant clauses. Thus, upon failing to comply with GDPR, Amazon could be fined over $7 billion alone.

In its entirety, the GDPR is a success already. A year ago, over 61 per cent of the companies in a survey reported no plans to comply with GDPR. However, the last few days have witnessed a rush, with online portals updating their policies. From Twitter to Google, and soon, Facebook, big and small, all virtual businesses have rolled out updated policies to prevent a fallout with the EU lawmakers. In their pursuit to secure user data, the lawmakers have won the first battle in a long war; getting companies to listen, even if they encompass 2.2 billion users around the world.

The GDPR adds to the vulnerability of the businesses too. Given users would have to be answered within 30 days of their request, the clause adds to the bandwidth challenges of the companies. The obligatory presence of a data protection officer adds to the problems on the human resources front, and thus, many small and medium companies working with EU subjects in India and the US are already looking to jump the red light on this one.

For many local businesses, the given penalties leave no room for unintentional erroring. With utility apps and other online portals becoming integral to the users in the last few years, innovation and experimentation pertaining to data would also suffer as companies, at least in the first few months of GDPR application, would remain apprehensive. For now, many entrepreneurial ventures will have to decide upon the amount of data they are going to collect, and if that shall suffice their scalability prospects in the future.

GDPR repeatedly emphasises on user consent. While from a user point of view, it is an ideal scenario, it does not work well in the real world. Firstly, it won’t be in the best interests of both the user and the service provider to have a redundant mechanism to grant or obtain consent. Secondly, it does slow down operations at the business end, and finally, it shall be only a matter of a time before consent fatigue sets in. In the longer run, companies may have to look for a method which incentivises users who share their data for a specific duration or unconditional processing.

While blaming Cambridge Analytica for global user data crisis is like blaming a forest fire for global warming, the EU has used the hysteria around the scandal to further its cause. While the necessity of the GDPR cannot be disregarded, it must be seen as a regulation against companies that have been exploiting user data and not a hindrance in the operations of these companies.

As stated earlier, India, still languishing in the Indus Valley age of data processing, protection and privacy, GDPR offers an ideal lesson, to begin with. Alongside, the government’s incredible scaling of the Jan Dhan, Aadhaar, and Mobile trinity programme could make up the foundation of India’s data policy.

However, unlike the EU which has greater internet penetration, literacy, and inclusion amongst its users, India must focus first on getting its users online. The Aadhaar programme, through some misplaced opinions, offers a valuable lesson in this aspect. Privacy, as of now, is more of an urban concept, and our data policy must take this into account.

GDPR, even with its challenges and constraints for businesses worldwide, is a giant leap towards revamping the world wide web. For all we know, it could fuel the lack of data credibility virtual portals suffer from across the world. For users, the law is an empowerment, while for businesses it is an opportunity to come clean, to ensure accountability to their clients, and to enhance transparency in their operations.

As Thanos says, the hardest choices require the strongest will.

The EU must be credited for demonstrating that will.

This is the final of a three-part article series on data protection and privacy laws in the context of EU's GDPR.