
Data Protection Regime in the European Union: General Data Protection Regulation (EU-GDPR)

Originally proposed by the European Commission in 2012, the EU GDPR[1] was adopted in April 2016 and has applied since 25 May 2018. It is intended to harmonize privacy and data protection law across the EU and to give data subjects control over their personal data. The provisions of the GDPR apply[2]:

  1. When personal data is processed in the context of the activities of a controller or processor established in the EU, regardless of where the processing itself takes place
  2. When a controller or processor not established in the EU processes the personal data of data subjects who are in the EU, where the processing relates to offering them goods or services or to monitoring their behaviour within the EU

The Regulation defines terms such as ‘personal data’, ‘processing’, ‘data subject’, ‘controller’, ‘processor’, ‘consent’ and ‘personal data breach’.[3] It also sets out the basic principles on which the GDPR is built: “lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability”[4].

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

One of the grounds on which the Regulation makes processing of personal data by a controller or processor lawful is that the data subject has consented to the processing[5]. Where consent is sought in a written declaration, the request must be presented in an intelligible and easily accessible form, using clear and plain language[6]. The data subject has the right to withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before it, and withdrawing must be as easy as giving consent.[7] Where information society services are offered directly to a child below the age of 16, processing on the basis of consent is lawful only if the consent is given or authorised by the holder of parental responsibility.[8] The Regulation leaves it to the individual member states to set a lower age for which parental consent is required, provided that age is not below 13 years.[9]

The GDPR prohibits, as a rule, the processing of special categories of personal data (commonly called sensitive personal data), such as data revealing racial or ethnic origin, political opinions, religious beliefs or trade union membership, genetic and biometric data used for unique identification, and data concerning health, sex life or sexual orientation[10]. Such data may nevertheless be processed in specific circumstances, for example where the data subject gives explicit consent, where processing is necessary to protect the vital interests of the data subject, or where processing is necessary for reasons of substantial public interest.[11]

Chapter III of the GDPR enumerates the rights of the data subject with respect to the processing of their personal data. These include the right of access (to obtain confirmation that their data is being processed and to know the purposes of processing, the categories of data concerned, the recipients, the envisaged storage period, and the safeguards applied where data is transferred to a third country or an international organisation, among other things)[12]; the right to rectification of inaccurate data; the right to erasure (where the data is no longer necessary, where consent is withdrawn, where the data has been unlawfully processed, etc.); the right to restriction of processing (in defined circumstances, for example while the accuracy of the data is being verified); the right to data portability (to receive the data in a structured, commonly used and machine-readable format and to transmit it to another controller); and the right to object.


Member states may, by legislative measures, restrict the scope of these rights and of the corresponding obligations[13] of controllers and processors on grounds such as national security, defence, public security, the prevention, investigation, detection or prosecution of criminal offences[14], and other important objectives of general public interest[15]. Any such restriction must respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society.

The controller is obliged to implement appropriate technical and organisational measures, such as pseudonymisation, designed to give effect to the data-protection principles (for example data minimisation) when processing personal data (data protection by design).[16] The controller must also ensure that, by default, only the personal data necessary for each specific purpose is processed; this obligation applies to the amount of data collected, the extent of its processing, the period of its storage and its accessibility, so that personal data is not made accessible to an indefinite number of persons without the individual's intervention[17] (data protection by default).

In the case of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; if notification is made later than 72 hours, it must be accompanied by the reasons for the delay. A processor must notify the controller without undue delay after becoming aware of a breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate it to the affected data subjects without undue delay, subject to the exceptions in the Regulation, for example where the affected data had been rendered unintelligible to unauthorised persons by measures such as encryption[18].

Further, where a type of processing, in particular one using new technologies, is likely to result in a “high risk to the rights and freedoms of natural persons”, the controller must carry out a data protection impact assessment (DPIA) before the processing begins[19].

The Regulation also mandates the designation of a Data Protection Officer by the controller and the processor in certain situations, namely where the processing is carried out by a public authority or body, where the core activities require regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.[20] The Officer's tasks include informing and advising the controller or processor and its employees of their obligations when processing personal data, monitoring compliance with the GDPR, advising on data protection impact assessments, and cooperating with and acting as the contact point for the supervisory authority.[21]


Where a data subject considers that the processing of their personal data infringes the GDPR, they have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, place of work or place of the alleged infringement[22]. For the more serious infringements (for example of the basic principles, of the conditions for consent, or of data subjects' rights), the Regulation provides for administrative fines of “up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”[23]. For other infringements (for example of the obligations of controllers and processors, including data protection by design and by default and breach notification), it provides for fines of “up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”[24].

The privacy and data protection regime in the European Union is therefore a stringent one. Although only two years have passed since the GDPR became applicable, the recent fines imposed on Twitter[25] (for failing to notify a personal data breach within the 72-hour window) and on Google[26] (a fine imposed by the French CNIL for breaching France's cookie-consent rules, which transpose the EU ePrivacy Directive and sit alongside the GDPR) highlight how seriously privacy and data protection are enforced in Europe.


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

[2] Id, art. .

[3] Supra note 1, art. 4.

[4] Supra note 1, art. 5.

[5] Supra note 1, art. 6(1)(a).

[6] Supra note 1, art. 7(2).

[7] Supra note 1, art. 7(3).

[8] Supra note 1, art. 8(1).

[9] Id.

[10] Supra note 1, art. 9(1).

[11] Supra note 1, art. 9(2).

[12] Supra note 1, art. 15.

[13] Supra note 1, arts. 12-22, art. 34 and art. 5 (as referred to in art. 23(1)).

[14] I.e., the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; supra note 1, art. 23(1)(d).

[15] Supra note 1, art. 23.

[16] Supra note 1, art. 25(1).

[17] Supra note 1, art. 25(2).

[18] Supra note 1, art. 34(3).

[19] Supra note 1, art. 35.

[20] Supra note 1, art. 37.

[21] Supra note 1, art. 39.

[22] Supra note 1, art. 77.

[23] Supra note 1, art. 83(5).

[24] Supra note 1, art. 83(4).

[25] BGR, https://www.bgr.in/news/twitter-fined-547000-dollars-for-not-disclosing-data-breach-927683/ (last visited Feb. 1, 2021).

[26] Reuters, https://www.reuters.com/article/us-google-privacy-france/french-watchdog-fines-google-amazon-for-breaching-cookies-rules-idUSKBN28K0NA (last visited Feb. 1, 2021).