This article is written by Ayushi Dubey, Tissy Annie Thomas, Shrishti Vatsa, and Christina. The article discusses the provisions and the impact of the General Data Protection Regulation (GDPR).
GENERAL DATA PROTECTION REGULATION
What is GDPR?
GDPR is a regulation that protects the personal data and privacy of EU citizens whose data is processed by public authorities or businesses. According to Article 1 of the GDPR, it lays down rules relating to the protection of personal data, protects every individual’s Right to the Protection of Personal Data, and guarantees the free movement of personal data within the European Union without the fear of that data being leaked. Companies that collect data from citizens of EU countries must strictly comply with the GDPR rules, and non-compliance can cost them heavily.
History of GDPR
GDPR was adopted by the European Parliament in April 2016 and replaced the old Data Protection Directive of 1995, officially known as Directive 95/46/EC.
The Data Protection Directive was built on seven principles, which included:
- Notice
- Purpose
- Consent
- Security
- Disclosure
- Access
- Accountability
However, these guidelines were non-binding, and moreover the data privacy laws changed depending on where you were located in Europe.
It was only in January 2012 that the European Commission submitted a draft proposal for a reform of data protection rules in the EU, hoping that through the creation of a single, EU-wide law, the fragmentation and expensive administrative measures associated with implementing and enforcing the DPD across different member states could be eliminated. This also aimed to facilitate cross-border cooperation in the fight against crime and terrorism.
Hence, on Dec. 15, 2015, the European Parliament, Council, and Commission reached an agreement on the new data protection rules, known as the EU General Data Protection Regulation. It was more modern and had a more collaborative framework.
The GDPR supersedes the DPD and became binding law in all the EU Member States by May 2018. It has more specific data protection requirements, a global scope, and stiffer enforcement and non-compliance penalties.
Why is GDPR the Need of the Hour?
The GDPR applies to controllers and processors that handle the personal data of European individuals. The Regulation applies to the processing of personal data by a controller or a processor established in the Union, regardless of whether the processing itself takes place in the Union or not. It also applies to a controller or a processor not established in the Union where the processing activities relate to the offering of goods or services to data subjects in the Union, and in any place where a member state’s law applies by virtue of public international law.
Now, why is GDPR so important, and why has it been increased to such an extensive territorial jurisdiction?
The making of GDPR is a response to the modern need for data protection rules that keep pace with technological change. In the 21st century, with the advancement of technology and everything going digital, the EU had to make all-encompassing changes to its data protection rules. GDPR helps to bring the outdated personal data laws across the EU up to date with the pace of technological change.
It should be borne in mind that codifying rights into regulation was the result of a social necessity, arising from a particular economic, political and cultural era and only afterwards translated into the legal field.
In the early years of the DPD, the personal data of an individual was treated merely as information belonging to the private sphere and was protected only under the right to confidentiality.
At present, by contrast, the collection, processing and control of personal data are daily activities in any business; the sources and purposes of processing have consequently expanded, allowing for more accurate services and requiring increasingly analytical information. The personal data of an individual has more or less become the information society’s “work capital”. To cope with the added weight placed on the individual’s personal data, the existing rules had to be changed by adopting a “data protection right” that goes beyond the conventional “right to confidentiality”.
As soon as GDPR is enforced by the data protection authorities, it will alter how businesses and public sector organisations can handle the information of their customers. GDPR also boosts the rights of individuals and gives them more control over their information.
Furthermore, companies covered by the GDPR will now be all the more accountable for their handling of people’s ‘personal data’. Processors and controllers now have to put in place new policies and data protection impact assessments, with documentation of how data is processed.
In the recent past there have been hundreds of massive data breaches, including those of Yahoo, LinkedIn and MySpace account details. Under the GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to the country’s data protection regulator where it could have a deleterious effect on the people it relates to. The regulator has to be told about a breach within 72 hours of the organisation finding out about it, and the people it impacts also need to be told.
Moreover, companies that carry out “regular and systematic monitoring” of individuals on a large scale, or that process a lot of sensitive personal data, have to appoint a Data Protection Officer (DPO). The DPO reports to senior management so that compliance with GDPR can be checked; as Denham put it, “It means the data protection will be a boardroom issue in a way it hasn’t in the past combined.”
In EU law, a personal data breach is a breach of security leading to the unlawful destruction, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The GDPR and the Bill in its present form list the financial consequences that a data breach may have for the organisation concerned. These include:
- Fines from the Information Commissioner’s Office of up to the higher of 4% of an organization’s annual global turnover or €20m;
- The right for affected individuals to seek compensatory damages even if the firm did everything possible to avoid the breach; and
- Reputational damage to the firm, including departures of high-profile staff, poor publicity and a drop in its share price.
LIST OF MAJOR BREACHES GLOBALLY
FACEBOOK (US-2018)
Facebook revealed that the personal data of up to 87 million users may have been improperly shared with the political consultancy Cambridge Analytica, up from an earlier media estimate of 50 million. Not only did the scandal lead to a dip in Facebook’s market value, it also raised doubts over Cambridge Analytica’s apparent involvement in the elections. The greater part of the 87 million individuals whose information was shared with Cambridge Analytica, which reportedly worked on Donald Trump’s 2016 presidential election campaign, were in the US.
YAHOO (US-2017)
Yahoo estimated that at least 500 million user account credentials were stolen; this would make it the biggest breach of all time, bigger than the Myspace breach which leaked 450 million passwords. The stolen data included names, email addresses, telephone numbers, hashed passwords, and some “encrypted or unencrypted security questions and answers”.
WANNACRY (2017)
WannaCry, a ransomware worm that propagated through a number of computer networks, affected Windows computers and encrypted files, making them inaccessible to their users. More than 300,000 machines were hit across a number of industries, including healthcare, banking, finance and car manufacturing.
CLINTON CAMPAIGN (2017)
Hillary Clinton’s campaign network was compromised by hackers who breached the data of several large Democratic organisations. It was estimated that around 19,000 emails from DNC officials were published on WikiLeaks just before the Democratic National Convention, casting a shadow over her presidential race.
PANAMA PAPERS LEAK (2016)
The Panama Papers leak was one of the most controversial breaches of all time, with a number of politicians and celebrities involved. It was an unprecedented leak of 11.5 million files from the database of one of the biggest offshore law firms, Mossack Fonseca. Around 12 national leaders were said to be among the 143 politicians who had used offshore tax havens.
UBER (US-2016)
Uber concealed a hack that affected around 57 million customers worldwide and over 2.7 million users in the UK. The breach, which took place in 2016, was kept under wraps by the firm, which paid the hackers $100,000 to delete the data. The company also confirmed that the names, addresses and mobile phone numbers of customers were exposed. Additionally, 60,000 drivers had their names and licence details exposed.
CARPHONE WAREHOUSE (UK-2015)
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), hit Carphone Warehouse with a £400,000 fine after the details of three million customers were accessed in 2015. The organisation’s failure to secure its systems allowed unauthorised access to the personal data of more than three million customers and 1,000 employees. The compromised customer data included names, addresses, telephone numbers, dates of birth and, for more than 18,000 customers, card payment details.
MALAYSIAN LEAK (2014)
About 46.2 million mobile phone numbers from Malaysian telecommunication and mobile virtual network operators (MVNOs) were leaked online. The leak included postpaid and prepaid numbers, customer details, addresses and SIM card data, including unique IMEI and IMSI numbers.
TARGET BREACH (US-2013)
Victims of the Target breach, which affected about 40 million customers, eventually won their battle for compensation. Target agreed to pay $10 million to establish a fund for victims of the data breach, according to a 97-page settlement reached in a class-action lawsuit. Victims of the breach were eligible for up to $10,000 in compensation each. Losses covered by the claim included unauthorised charges, fees for hiring someone to correct a credit report, and similar costs for monitoring accounts or replacing important documents in the wake of the breach.
TUMBLR (US-2013)
Tumblr stated in 2016 that it had found out about a 2013 data breach that exposed the email IDs and numbers of only a ‘set of its users’, but the company refused to reveal how many users were affected. As it turned out, that number is 65 million, according to an independent analysis of the data.
EVERNOTE (US-2013)
The online note-taking company suffered a security breach that prompted the California-based organisation to require each of its 50 million users to set a new password. It was found that those responsible for the hack had been able to gain access to Evernote user information such as usernames, linked email addresses and encrypted passwords.
DROPBOX (US-2012)
An enormous cache of information from Dropbox containing the usernames and passwords of about 70 million account holders was found online. The data included the passwords and email addresses of 68.7 million users of the cloud storage service. Dropbox confirmed that the credentials were stolen by hackers who used stolen employee credentials to access the personal information of a number of users.
Impact of GDPR on India
The General Data Protection Regulation (GDPR) legislated by the EU Parliament is believed to have a far-reaching impact globally. Article 3 of GDPR provides that it applies to data controllers and processors dealing with the personal data of persons in EU nations, irrespective of whether the processing takes place in the EU or elsewhere. This is a borderless and sector-neutral legislation. Thereby, Indian data processing companies handling the data of persons in EU nations also fall within the ambit of the said legislation.
Europe has been a substantial market for Indian Information Technology Enabled Services, Business Process Outsourcing organisations and pharmaceutical industries. Therefore, Indian industries have to comply with these rules if they are to continue doing business in EU countries.
Indian data processing companies will now have to abide by the General Data Protection Regulation with respect to their EU customers. Indian companies will have to renew their contracts with EU-based data subjects in accordance with the GDPR. Henceforth, their methods of data acquisition, processing, management and protection will have to be reviewed and changed.
This becomes all the more necessary because any non-compliance by any industry now attracts a penalty of up to 20 million Euros or 4% of global turnover.
Though this requires Indian companies to match the pace of the changing privacy laws, it also provides a platform to study and update the laws related to data protection and then develop data protection mechanisms in India.
What can be the Challenges faced by Indian Companies due to GDPR regulation?
- India as a country has very weak data protection laws. At the same time, BPOs in India contribute nearly 9.3% to the GDP, the EU being one of their biggest markets. Thereby, India’s weak data protection laws act as a drawback to these companies and make them less competitive than other BPOs around the world.
- GDPR reduces the autonomy of data controllers with respect to risk assessment and data transfer outside EU. Indian companies will hence have to implement sufficient safeguards which will further increase the compliance costs.
- Companies not complying with GDPR will have to face penalties and may even suffer business losses otherwise due to such non-compliance.
What are the opportunities before the Indian Companies that come with GDPR?
- Indian IT companies are the second largest service providers in the EU market; it is hence a huge business opportunity knocking at the door.
- India has developed as a technology hub in the past few years with a large pool of talented and expert human resource. The Indian IT companies can hence utilise the opportunity in providing privacy compliant services and solutions.
- The ‘adequacy requirements’ ensure that the country to which the personal data of a data subject is being transferred has adequate safeguards to protect the data. In the wake of the data protection framework proposed by the Srikrishna Committee, it is important to see whether the legislation will also satisfy the criteria laid down in GDPR.
Data Breaches in India
1. Facebook
New York revealed that a researcher linked to Cambridge Analytica (CA), a political consulting firm that worked on Trump’s campaign, had accessed details of 50 million Facebook users, without their knowledge or consent and shared it with the company, which uses online information to reach voters on social media with individual messages.
2. Aadhaar
The government’s database is filled with the personal details of citizens, such as the fingerprints and iris scans of registered Indian citizens. Even companies like Amazon and Uber can look into the Aadhaar database and identify their customers. Anyone in the database can use their data or their fingerprint to open a bank account, buy a SIM card, enrol in utilities, and even receive state aid or financial help.
3. 2016 Indian Banks Data Breach
The 2016 Indian banks data breach occurred in October 2016. It was found that around 3.2 million debit cards were compromised. The banks most affected were SBI, HDFC Bank, ICICI, YES Bank and Axis Bank. Many users reported unauthorised use of their cards at locations in China. This resulted in one of India’s biggest card replacements in banking history: the State Bank of India announced the blocking and replacement of almost 600,000 debit cards.
4. Data Breach Indian Government Organisations
Information on more than 6,000 Indian enterprises was taken from servers and put up for sale on the darknet. It is one of the biggest data breaches reported in India. Beyond the access itself, the hacker also sold personal details and various contractual business documents, and was said to have access to a large database of the Asia Pacific Network Information Centre (APNIC).
5. Zomato Data Breach
A hacker stole the email addresses and password details of 17 million users of the Indian food delivery app Zomato in May 2017. Zomato reportedly confirmed that no financial information was compromised.
6. Identity Theft
The Tribune newspaper said its reporters were able to access names, email addresses, phone numbers and postal codes by typing in 12-digit unique identification numbers of people in the government’s database, after paying an individual about $8. For more money, Tribune said that the individual offered reporters software to print out unique identification cards of citizens.
7. Indian Railways
The online ticket booking site of Indian Railways was reportedly hacked in May 2016, and the personal information of around 10 million customers was said to be at risk of theft from the servers of the online ticketing portal. IRCTC officials also feared that personal details of citizens, including banking details, dates of birth, bank account numbers and phone numbers, had been sold. IRCTC did not accept that its online site had been hacked or that any data breach had occurred.
8. Hitachi Payment Services
A virus was introduced into the systems of Hitachi Payment Services, allowing criminals to steal the financial information of customers of a number of banking institutions.
Data breach is a modern crime, jeopardizing the identity and personal information of the person who is a victim.
In a case of a data leak, for a claim of compensation to be successful the plaintiff must prove:
- That his personal information has been compromised without his consent.
- That injury has been caused to the plaintiff due to such breach of data.
- That such data leak could have been avoided by the data controller by taking adequate security measures, or that such data leak was voluntarily done by the data controller.
Cases where a fine or compensation has been awarded
The following are a few cases in which compensation was awarded or a fine was imposed for the breach of confidential/personal data:
Wm Morrison Supermarkets PLC
Wm Morrisons is a supermarket chain in the United Kingdom. One of Morrisons’ employees, Andrew Skelton, leaked the payroll data of nearly 100,000 Morrisons employees in 2014, including their names, addresses, bank account details and salaries. The information was posted online. The High Court held Morrisons vicariously liable for the act of its former internal auditor, awarding compensation of £170,000.
TalkTalk Telecom Group PLC
In 2016, a fine of £400,000 was imposed on TalkTalk Telecom Group PLC (“TalkTalk”) by the UK Information Commissioner’s Office (ICO) in respect of a data breach that affected over 157,000 customers whose personal data was stolen. It was found that the company had not encrypted the details of its customers. Hence, it was held that the breach happened due to the company’s failure to implement necessary security measures.
Brighton and Sussex University Hospitals NHS Trust
In 2012, the UK Information Commissioner’s Office (ICO) imposed a fine of £325,000 on Brighton and Sussex University Hospitals NHS Trust for giving away its computers to a contractor without ensuring that the sensitive information of its patients had been erased. The contractor went on to auction the computers on eBay, putting confidential patient information at risk.
TerraCom Inc. and YourTel America Inc.
The Federal Communications Commission, an independent agency of the government of the United States, imposed a fine of $10 million on two telecommunication companies, TerraCom Inc. and its affiliate YourTel America Inc., for storing the personal information of customers without adequate security safeguards. The personal information of customers was available online from September 2012 until April 2013 without password protection.
Nationwide Building Society
In 2007, the Financial Services Authority, a quasi-judicial body in the UK, imposed a fine of £1 million on Nationwide Building Society, the UK’s largest building society, after the theft of an employee’s laptop containing confidential customer information put that information at risk. Contrary to the common notion that customer details are kept safe on the company’s servers locked inside the office, Nationwide Building Society was condemned for carelessly handling its customer records.
GDPR Summary
| Chapter No. | Chapter | Section | Articles |
|---|---|---|---|
| 1 | General Provisions | -nil- | Article 1: Subject matter and objectives; Article 2: Material scope; Article 3: Territorial scope; Article 4: Definitions |
| 2 | Principles | -nil- | Article 5: Principles relating to personal data processing; Article 6: Lawfulness of processing; Article 7: Conditions for consent; Article 8: Conditions applicable to child’s consent in relation to information society services; Article 9: Processing of special categories of personal data; Article 10: Processing of data relating to criminal convictions and offences; Article 11: Processing which does not require identification |
| 3 | Rights of the Data Subject | Section 1: Transparency and Modalities | Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject |
| | | Section 2: Information and Access to Data | Article 13: Information to be provided where personal data are collected from the data subject; Article 14: Information to be provided where personal data have not been obtained from the data subject; Article 15: Right of access by the data subject |
| | | Section 3: Rectification and Erasure | Article 16: Right to rectification; Article 17: Right to erasure (‘right to be forgotten’); Article 18: Right to restriction of processing; Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing; Article 20: Right to data portability |
| | | Section 4: Right to object and automated individual decision-making | Article 21: Right to object; Article 22: Automated individual decision-making, including profiling |
| | | Section 5: Restrictions | Article 23: Restrictions |
| 4 | Controller and Processor | Section 1: General Obligations | Article 24: Responsibility of the controller; Article 25: Data protection by design and by default; Article 26: Joint controllers; Article 27: Representatives of controllers not established in the Union; Article 28: Processor; Article 29: Processing under the authority of the controller or processor; Article 30: Records of processing activities; Article 31: Cooperation with the supervisory authority |
| | | Section 2: Security of personal data | Article 32: Security of processing; Article 33: Notification of a personal data breach to the supervisory authority; Article 34: Communication of a personal data breach to the data subject |
| | | Section 3: Data protection impact assessment and prior consultation | Article 35: Data protection impact assessment; Article 36: Prior consultation |
| | | Section 4: Data protection officer | Article 37: Designation of the data protection officer; Article 38: Position of the data protection officer; Article 39: Tasks of the data protection officer |
| | | Section 5: Codes of conduct and certification | Article 40: Codes of conduct; Article 41: Monitoring of approved codes of conduct; Article 42: Certification; Article 43: Certification bodies |
| 5 | Transfers of personal data to third countries or international organisations | -nil- | Article 44: General principle for transfers; Article 45: Transfers on the basis of an adequacy decision; Article 46: Transfers subject to appropriate safeguards; Article 47: Binding corporate rules; Article 48: Transfers or disclosures not authorised by Union law; Article 49: Derogations for specific situations; Article 50: International cooperation for the protection of personal data |
| 6 | Independent Supervisory Authorities | Section 1: Independent status | Article 51: Supervisory authority; Article 52: Independence; Article 53: General conditions for the members of the supervisory authority; Article 54: Rules on the establishment of the supervisory authority |
| | | Section 2: Competence, Tasks and Powers | Article 55: Competence; Article 56: Competence of the lead supervisory authority; Article 57: Tasks; Article 58: Powers; Article 59: Activity reports |
| 7 | Cooperation and Consistency | Section 1: Cooperation | Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned; Article 61: Mutual assistance; Article 62: Joint operations of supervisory authorities |
| | | Section 2: Consistency | Article 63: Consistency mechanism; Article 64: Opinion of the Board; Article 65: Dispute resolution by the Board; Article 66: Urgency procedure; Article 67: Exchange of information |
| | | Section 3: European Data Protection Board | Article 68: European Data Protection Board; Article 69: Independence; Article 70: Tasks of the Board; Article 71: Reports; Article 72: Procedure; Article 73: Chair; Article 74: Tasks of the Chair; Article 75: Secretariat; Article 76: Confidentiality |
| 8 | Remedies, Liability and Sanctions | -nil- | Article 77: Right to lodge a complaint with a supervisory authority; Article 78: Right to an effective judicial remedy against a supervisory authority; Article 79: Right to an effective judicial remedy against a controller or processor; Article 80: Representation of data subjects; Article 81: Suspension of proceedings; Article 82: Right to compensation and liability; Article 83: General conditions for imposing administrative fines; Article 84: Penalties |
| 9 | Provisions relating to specific data processing situations | -nil- | Article 85: Processing and freedom of expression and information; Article 86: Processing and public access to official documents; Article 87: Processing of the national identification number; Article 88: Processing in the context of employment; Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; Article 90: Obligations of secrecy; Article 91: Existing data protection rules of churches and religious associations |
| 10 | Delegated Acts and Implementing Acts | -nil- | Article 92: Exercise of the delegation; Article 93: Committee procedure |
| 11 | Final provisions | -nil- | Article 94: Repeal of Directive 95/46/EC; Article 95: Relationship with Directive 2002/58/EC; Article 96: Relationship with previously concluded agreements; Article 97: Commission reports; Article 98: Review of other Union legal acts on data protection; Article 99: Entry into force and application |
CONCLUSION
In this article we can see that, with the exponential advancement of technology and the growing number of data leak cases, the fear individuals have regarding their personal data has quite obviously increased, and they now want the government to give their personal data full protection. The data protection of every individual has become the need of the hour, and countries worldwide, like the European Union, need to move from the conventional Right to Confidentiality to acknowledging the Data Protection Rights of individuals. To ensure this, shifting the burden of protecting an individual’s personal data onto the companies that collect, process or control it will prove more efficient, as companies will now be penalised and heftily fined for any leakage of that personal data.