UPSC: GENERAL DATA PROTECTION REGULATION (GDPR)
Barely six months after the Cambridge Analytica-Facebook data theft scandal, the world’s largest social network hit the headlines once again. Facebook announced that it had discovered a security breach that had compromised nearly 50 million accounts. The figure was subsequently revised to 30 million.
It is also unclear how much personal data has been stolen, and how that data may end up being used in ways that could harm Facebook users. This announcement came after the implementation of the European Union's General Data Protection Regulation in May 2018.
What is GDPR?
- The law is a replacement for the 1995 Data Protection Directive, which has until now set the minimum standards for processing data in the EU.
- GDPR will significantly strengthen a number of rights for individuals as well as regulators.
- Individuals will find themselves with more power to demand companies reveal or delete the personal data they hold;
- Regulators will be able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction;
- Enforcement actions will have real teeth, with the maximum fine now reaching the higher of €20m (£17.5m) or 4% of the company's global turnover.
- These rules aim to create more consistent protection of consumer and personal data across the European Union.
- EU-GDPR mandates a baseline set of standards for companies that handle the EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
- India's draft bill on data protection, which was drafted on the recommendations of the B.N. Srikrishna committee, also draws inspiration from EU-GDPR.
Highlights of EU-GDPR
- Requiring the consent of the data subject for data processing
- Anonymising the data collected to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
Impact of the EU-GDPR
- The European Union (EU)’s General Data Protection Regulation (GDPR) forced Facebook to go public with the breach so promptly, even before the full extent of the damage could be assessed.
- The GDPR’s stringent guidelines require companies to make such events known within three days of their discovery.
- EU-GDPR has ensured not only awareness of such data breaches, but also the prompt corrective measures on data security that institutions must take.
- Many tech giants such as Google and Facebook also changed their privacy terms and conditions, which users must agree to.
In general, citizen-consumers have had to choose between two equally unsatisfactory options: either resign themselves to a post-privacy world or be perpetually scrambling to reskill themselves in order to be able to safely navigate the complicated and ever-evolving (mine)field of data privacy and safety.
If data security for ordinary users is to become something more than a seminar topic, then an equitable regulatory regime such as the GDPR must become the universal norm, in force beyond the EU jurisdiction as well.