This article has been written by Pulkit Chaudhary pursuing a Diploma in International data protection and privacy Laws from LawSikho. It has been edited by Smriti Katiyar (Associate, LawSikho).

Introduction

Last two decades have turned the world around from a Global Village to the Digital Village with almost everything being digitized, in which data has become the ultimate treasure. Data has gained a lot of importance in the last few years among the various domains of human life like education, research, health, business, marketing, technology etc.

Data Protection Legislations around the world

With the upsurge of use of personal data for business/as business (in case of Data Brokers), the need for the protection of personal data, including the sensitive personal data against unlawful use and leaks has enlarged over time and consequently many states came up with data protection legislations around the world like The General Data Protection Regulation¹ (hereinafter as “GDPR”) in Europe, Brazil’s Lei Geral de Proteçao de Dados (LGPD), Australia’s Privacy Act, California Consumer Privacy Act ( hereinafter as “CCPA”), Japan’s Act on Protection of Personal Information etc.

Position in India

In India , the Supreme Court has become proactive towards the protection of privacy of the citizens as the apex court came up with and observed the right to privacy as a fundamental right in the landmark case of Justice K.S. Puttaswamy (Retd.) Vs. Union of India². The government of India is also pushing towards the personal data protection legislation and came up with Personal Data Protection Bill, 2019 which is pending for scrutiny before the Joint Parliamentary Committee for further course.

Cyber Threats, GDPR and Non-Compliance

The cyber security domain acquires a special status given its ability to deploy all kinds of preventive measures that mitigates the impact of various cyber threats and attacks that may impact the data for which the protection is required. The cybersecurity industry took off not only on account of GDPR but also because of different data protection legislations around the world placing emphasis on the privacy rights of the data subjects. In the present era, cyberattack is one of the most severe threats to human life at the global level. 

In fact, according to the latest ENISA³ report, the 15 most frequent cyber threats faced in 2017 include several issues relating to data leakage and to identity theft, such as phishing and spam campaigns to obtain banking credentials. Thus, although complying with the GDPR may seem tedious, it represents an excellent opportunity for organizations. The data or identity theft poses a huge risk and it extends to the maximum when the data so targeted, leaked or stolen is related to sensitive banking credentials, biometrics etc.

In this respect, it is important for the data controller/processor entities to check the background of this legislation which contemplates the need for such entities to foresee the cyber risk, analyze the same and adopt suitable technical and organizational measures to deal with such risks. The regulation requires the deployment of all the necessary organizational and technical measures to prevent the cyber threats for the protection of data (Article 28 of GDPR). In order to deal with such issues effectively and efficiently, the companies shall plan their strategies accordingly.  

Under such circumstances, the data protection legislations make the entities responsible in case of breach or data leaks for using the personal data of the subjects, even with their consent, where entities have not deployed proper technical or organizational measures for the protection of data of its subjects. The violation of basic principles of GDPR can result in exaggerated fines of up to four percent of annual global revenue.

Additional Consequences of non-compliance of GDPR

• Damage to Reputation –In the event of data leak, breach, non-compliance, the faith of the consumer on the organization gets shaken and consumers tend to look for more worthy organizations. Even a formal reprimand can result in loss of market share and reduced consumer confidence.
• Cost of Damage Control – Once the data leak has happened or non-compliance sanctions have been imposed, it will be costly to pay penalties, conduct investigations and implement remedial measures.
• Withdrawal of Certification – Supervisory authorities can mandate withdrawal of a certification.
• Prohibition on Processing – Supervisory authorities may also order a temporary or permanent prohibition to keep your organization from processing personal data.
• Liability for Damages – As per Article 82 of the GDPR, an individual who has suffered material or non-material damage as a result of an infringement of the GDPR can claim compensation from both data controllers and data processors.

Data anonymization as data protection technique 

In order to tackle the threats to personal data of the data subjects, most of the organizations deploy appropriate technical and organizational measures amongst which Data Anonymization is one important weapon in the hands of the organization which helps it to prevent the misuse of the leaked data.

What is Data Anonymization?

Data anonymization is the process by which the organizations prevent and preserve the confidential or sensitive information which gets leaked, breached or in any way compromised , with or without, proper measures (technical and organizational) adopted by the organization to prevent such breach. In this process the sensitive personal data is combined and shuffled with random anonymous data which makes the identifiable personal data unidentifiable and restricts its misuse.

⁴                                                   

Definition of Data anonymization under the GDPR is as follows:

Article26 defines anonymous information as ‘…information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’.

Data anonymization methods

Data anonymization combinations are designed as a way in order to protect the personal identifiable data automatically in the event of data breach. Some of the data anonymization methods are as follows:

• Synthetic data- In this technique the algorithm is set in such a way that it generates random artificial data sets in place of the original data set containing identifiable personal data.
• Shuffling- The identifiable data set is shuffled with random raw data and is swapped/rearranged in such a way, to render the data unidentifiable.
• Scrambling- In this technique the letters/numbers of the identifiable data are mixed and rearranged.
• Pseudonymization- The profiles and sensitive information is mixed with fake identifiers.
• Generalization- In this technique, some part of the information is eliminated which makes the information less prone to be identified so that the accuracy of the data can also be maintained. 

Some Advantages and Disadvantages of Data Anonymization

Advantages	Disadvantages
1) Strong measure against the misuse of data	Difficulty in obtaining consent of data subject to set data anonymization algorithms in case of sensitive information.
2) Protection against loss of trust and market share.	Restricted use towards targeted purpose.
3) Consistency in data flow and better processing results.	Difficulty in tracking the relevant data set.

Therefore, it is required on the part of the organization to adopt proper measures to protect the vital interests and rights of the data subjects and retain the trust and satisfaction of the consumers towards the organization. After adequately addressing the above mentioned concerns relating to data anonymization, the data can again be decrypted and be brought back to the original data set with help of the data protection professionals in the organization.

This process is known as De-anonymization or re-identification.

The case of Taxa 4×35

Facts

This case relates back to 2018 where a Denmark taxi company namely Taxa 4×35 was audited by the supervisory authority of Denmark, Datatilsynet, which found that Taxa had implemented a data retention policy but had failed to follow it. In this case the investigators found that Taxa had retained the personal data of the subjects i.e. almost 9 million taxi drivers beyond the period of two years as mentioned in the retention policy. To be very specific, Taxa had erased the name, address, email of the data subjects but still retained their phone numbers beyond the period of two years and claimed the phone number to be the account number and contended the same reason to be the legitimate purpose of processing. Along with the same contention, Taxa also admitted the fact that the phone number was not required for the purpose rather an anonymized data would fulfil the purpose. However, the computer systems deployed by Taxa 4×35 were unable to convert the phone number of the data subjects into the anonymized data which is unidentifiable in nature. 

Observations

The Danish Data Protection Authority observed that:-

That the organization cannot set a deletion deadline which is three years longer than necessary simply because the company’s system makes it difficult to comply with the rules.”

Penalty-In March, 2018 the Danish DPA fined Taxa 1.2 million kroner (US$180,000), its first fine under the GDPR.

In its ruling, the Danish DPA found the violation of Article 5 of the GDPR in three ways which violated purpose limitation, storage limitation and data minimization.

Purpose limitation: Article 5(1)(b) of the GDPR provides that the data shall be used only for the legitimate purposes and not for any other purpose not in consonance with the original purpose. Taxa violated this principle when it transformed the numbers into a unique and anonymous account number and even admitted the fact that the phone number was not necessary, only an account number was needed to be linked with the taxi ride.

Storage limitation: Article 5(1)(e) of the GDPR requires the organizations to comply with the requirement to keep the identifiable personal data of its subjects for a limited period, not longer than is necessary for the purposes for which the personal data is processed. The data retention policy of Taxa stated that the data shall be retained for the period of two years and Taxa only deleted the name associated with the taxi-ride but kept all the taxi-ride data relating to the ride (date, GPS coordinates of starting and ending location, distance, payment) and associated that with the customer’s phone number for an additional three years. This was the gross violation of the aforesaid provision of GDPR.

Data minimization: Article 5(1)(c) of the GDPR puts obligation upon the organization to gather the data which is adequate, relevant and limited to what is necessary for which it is processed. In this case Taxa contended that it had met the requirements of the aforesaid provision as it had removed the names associated with the phone numbers but their data systems were unable to transfer the data from mobile numbers to the unique account number. At this, the Danish DPA turned down this contention and stated that “in no uncertain terms, that costs associated with migrating personal data to a new anonymous data structure do not justify continued use of the phone number beyond the retention policy.” ⁵

 Conclusion

The ultimate aim of the GDPR is to empower the individuals to retain the control over their personal data and simultaneously enable the companies to use the data and reap its benefits. By understanding the interpretation and purpose of the GDPR the companies can adequately comply with its provisions and can prevent the hefty fines that can be imposed in the cases of non-compliance. There was a lack of effort on part of Taxa with respect to rights of the data subjects and therefore it suffered a huge penalty to the tune of 1.2 million kroner (US$180,000).

In our journey to be data protection professionals, these loopholes shall be kept in mind and be adequately addressed to prevent the chances of non-compliance and sanctions. 

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.