General Data Protection Regulation

Data can be defined simply as a "set of information", but the value of this four-letter word cannot be defined in such simple terms. Data has been stored since well before the digital era, and storing it has always called for protecting it. The right to privacy, a fundamental right enshrined in Article 12 of the Universal Declaration of Human Rights, has paved the way for many regulations protecting stored data. One such regulation is the General Data Protection Regulation (GDPR) passed by the European Union, which came into force on 25 May 2018, replacing the Data Protection Directive of 1995. Let us now look at some salient features of the regulation:

1. Major Actors

The major actors in the regulation are Data Subjects, Controllers and Processors.

· Data Subjects - Data subjects are all identifiable or distinguishable natural persons within the European Union whose data is processed. Data subjects have certain rights, such as the right to erasure, the right of access and the right to rectification.

· Controllers - Article 2(7) of the regulation defines controllers. A controller is a natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data. The controller shall ensure that processing is carried out in compliance with the regulation.

· Processors - Article 2(8) of the regulation defines processors. A processor is a natural or legal person who processes personal data on behalf of the controller.

2. Applicability of the Act

The applicability of the regulation can be classified into two categories: material application and territorial application. The material application of the regulation covers the processing of personal data 'wholly or partly by automated means', and the processing other than by automated means of personal data which forms, or is intended to form, part of a filing system.

Some exceptions to this include personal data processed in the course of an activity which falls outside the scope of Union law, and personal data processed by a natural person in the course of personal or household activities.

The territorial application of the regulation covers the processing of personal data in the context of the activities of an establishment of a controller or processor, regardless of whether the processing takes place in the Union or not. It also extends to the processing of personal data of data subjects who are in the Union by a controller or processor outside the Union, where the processing relates to the offering of goods or services to those data subjects or to the monitoring of their behaviour. It further covers processing by a controller that is not based in the Union but in a jurisdiction where Member State law applies by virtue of public international law.

3. Lawfulness of processing data

Article 6 of the regulation lays down the conditions under which the processing of personal data is lawful. If an organisation processes data on the basis of at least one of the following conditions, the processing of personal data will be considered lawful:

· The data subject has given consent.

· Processing of the data is necessary for the data subject to enter into a contract.

· Processing is necessary to comply with a legal obligation of the controller.

· Processing is necessary to protect the vital interests of the data subject or of another natural person.

· Processing is necessary for the controller to perform a task in the public interest or to exercise official authority.

· The controller has a legitimate interest in processing the data, except where that interest is overridden by the "fundamental rights and freedoms of the data subject".

4. Data protection by design and default

Article 25 of the regulation lays down that organisations shall protect the data they process 'by design and by default': they should consider beforehand the kind of data they will be processing in the course of their business and implement appropriate technical and organisational measures to protect that data. By default, they shall process only such data as is required for each specific purpose.

5. Personal Data breach

Article 33 lays down that in the case of a personal data breach, the controller shall notify the supervisory authority within 72 hours of becoming aware of the breach, if the breach is likely to result in a risk to the rights and freedoms of natural persons. A processor shall notify the controller as soon as it becomes aware of a personal data breach. The controller must also document every personal data breach, including the facts of the incident, its effects and the remedial action taken. According to Article 34, a breach of personal data shall be communicated to the data subject by the controller without delay.

6. Data Protection Officer

According to Article 37, the controller or processor shall appoint a Data Protection Officer when its processing operations consist of large-scale monitoring of personal data. Article 39 confers on the Data Protection Officer a wide variety of tasks, such as advising controllers and processors on their obligations under the regulation, monitoring compliance with the regulation, acting as the point of contact between the organisation and the supervisory authority, and providing advice on the carrying out of Data Protection Impact Assessments.

7. Fines and Penalties

The regulation clearly outlines various remedies for data subjects in the event of a breach of their personal data. Data subjects can claim compensation when their rights are infringed, as provided under Article 82. In addition, Article 83 lays down administrative fines. The GDPR classifies these monetary fines by the seriousness of the infringement into less serious offenses and more serious offenses.

Less Serious Offenses - These include infringements of the general obligations of controllers and processors, of the obligations regarding a child's consent, and of the obligations of certification and certification bodies, to name a few. The fines prescribed are up to 10 million euros or 2 percent of the organisation's annual global turnover, whichever is higher.

More Serious Offenses - These include infringements of the principles of processing personal data, of the rights of the data subject and of the conditions for consent, among others. The fines prescribed are up to 20 million euros or 4 percent of the organisation's annual global turnover, whichever is higher.

Society is dynamic, so laws must also be dynamic to cater to the needs of society. The digitalisation of data has made it extremely necessary that data available in a public virtual environment be protected before it is processed by a third party. Breach of personal data is one of the biggest reasons for the growing number of cyber-crimes. The European Union has prioritised the protection of personal data for nearly two decades, and the UK, after exiting the European Union, has enforced the UK GDPR and the Data Protection Act 2018 as substitutes. In India, the Supreme Court held in KS Puttaswamy (Retd.) vs Union of India (Writ Petition No. 494/2012) that the right to privacy is a fundamental right to be read alongside Article 21 (Right to Life) of the Indian Constitution, but data protection law in the country is still in its infancy. The Digital Personal Data Protection Act, 2023 has been passed but is yet to come into force in India. At a time when the world is moving towards a new digital supernova in the form of Artificial Intelligence, it is high time India also implemented adequate personal data protection laws.

This article is authored by Arjun H Nair. He was among the Top 40 performers in the Legal Drafting Quiz Competition organized by Lets Learn Law.
