The General Data Protection Regulation (“GDPR”) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It focuses on data security and protection and on users’ control over their own data. According to the EU, it is the most important change in data privacy regulation in 20 years, and it has reshaped the way in which personal data is handled. The GDPR, which came into effect on May 25, 2018, has put consumers in charge of their online data. Owing largely to the scope and reach of the internet, many businesses operating out of India now have the ability to target customers globally. Under the GDPR, if an entity, while offering its goods or services, targets persons in the EU and consequently collects and processes the personal data of such persons, then that entity is required to comply with the rules and processes set out in the GDPR. Hence, any business operating out of India that targets persons in the EU and consequently controls and processes the personal data of a person in the EU needs to comply with the GDPR.
The data covered by the new regulation includes not only personal information such as names, genders and e-mail addresses that users voluntarily share, but also data gathered through background tracking of cookies, browser history and the like. Identifiers such as location data and IP addresses are now explicitly included under personal data. The new EU rules mandate that companies that regularly deal with high-risk and high-volume data must appoint a data protection officer. Taking transparency up a notch, the regulation gives companies a tight 72-hour window to report data breaches.
How can Indian companies prepare for GDPR?
Not only are EU-based companies required to comply with the regulation, but also firms that target residents of the 28 EU countries for business. Europe is estimated to be a $45-billion potential outsourcing opportunity for Indian technology vendors. All such companies need to comply, as well as Europe-headquartered MNCs such as Nestlé, Unilever, Nokia, Heineken and others. Many of these have backend operations or development centers in India, which access data of global customers. These, too, would have to fall in line, as will Indian BPOs that service European clients.
That’s where the trouble lies for Indian companies and multinational companies (MNCs) that have an India presence.
They should review their policies, procedures and existing privacy programs; impart data privacy training to employees; and review or update contracts signed with third-party vendors, among other things. Besides, Indian companies also need to evaluate how equipped they are to deal with the audit process, and use appropriate technology solutions to prepare for the same.
Why? – The Cambridge Analytica Scam
The Facebook–Cambridge Analytica data scandal was a major political scandal in early 2018, when it was revealed that Cambridge Analytica had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political purposes. It has been described as a watershed moment in the public understanding of personal data, and it precipitated a massive fall in Facebook’s stock price and calls for tighter regulation of tech companies’ use of data. The firm was accused of obtaining data on 50 million Facebook users by means that deceived both the users and Facebook. Some 270,000 people downloaded the application and logged in with their Facebook credentials, according to Facebook. The application gathered their data, and data about their friends, based on their recent searches and conversations on the social network, or simply by accessing the information on their Facebook profiles.
Role of GDPR in the Cambridge Analytica Scam
In response to years of applications gratuitously gathering users’ personal data, the GDPR clearly espouses the principle of data minimization. This means that data controllers can only collect and use personal data as appropriate for expressly stated objectives. For example, you can’t tell users that you are gathering their personal data to define their digital personality and then use it to send them targeted messages during political campaigns. One of the fundamental tenets of GDPR is to empower users to give their consent willingly, and with full knowledge of how their information will be used and for what purpose. To that end, the regulations prohibit companies from using “long illegible terms and conditions full of legalese,” instead requiring “an intelligible and easily accessible form” that states the reason for data collection clearly and makes it “as easy to withdraw consent as it is to give it.”
Ultimately, the furore surrounding Cambridge Analytica boils down to the fact that the 50 million people whose data was harvested did not give their consent for the company to use their information. Of those 50 million people, only 270,000 had consented to having their data collected.
Compliance with the GDPR has become particularly important given the heavy penalties associated with non-compliance. Failure to comply with the GDPR requirements can attract administrative fines of up to EUR 10,000,000 or EUR 20,000,000, or, in the case of an undertaking, up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, depending on the nature of the provisions breached. Also, for Indian companies with business dealings with EU companies, their EU counterparts are likely to insist on compliance with the GDPR as part of their standard contractual clauses. We may also add that the Indian Government is seeking to introduce a more robust regulatory framework for data protection and privacy. Therefore, companies with business interests in the EU should take a comprehensive look at evolving their data protection practices, not just to be GDPR compliant but also in preparation for a more stringent data protection regulatory framework likely to be introduced in India in the near future.