This article has been written by Arun Nair pursuing the Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from LawSikho. This article has been edited by Dipshi Swara (Senior Associate, Lawsikho).
Your personal data is like an asset or a property that belongs to you, and you have all the rights, titles, and interests in your data. However, all this information gathered about an individual is just waiting to be exploited by someone out there. For instance, we avail the ‘free-services’ of big tech companies with billions of dollars of valuation like Google, Facebook, Apple, Amazon, Microsoft and grant them permission to collect, store and process this ‘all-powerful’ information about us. The digital devices, IoT’s, smartphones are all running on software’s and apps provided by these companies, the majority of which are free for use. We don’t pay for these apps in money, we pay using personal data, and it is far more valuable than any subscription fee that you can pay. Companies treat this information about individuals as a product and quantify it. This information is then sold to advertisers, market research firms and governments, albeit without our knowledge and consent, which in turn generates revenue for them. There is a hugely lucrative business in the area of personal data, and the government’s and regulatory bodies of any country should keep a tight vigil to prevent its misuse by bringing in licit and warranted legislation. This article is aimed at explaining the concept of personal data according to the General Data Protection Regulation legislation of the European Union. It will also cover related topics laid down under the provisions of the General Data Protection Regulation.
General Data Protection Regulation
The European Union’s General Data Protection Regulation was adopted on 14 April 2016 and became enforceable beginning 25 May 2018. It replaced the Data Protection Directive (1995). The EU designed GDPR to harmonise data privacy laws across its member countries as well as to provide better protection and rights to its citizens. It is a law aimed at data protection and privacy and addresses the transfer of personal data outside the EU. It laid down the rules for the safeguarding of ‘fundamental rights’ and ‘freedom’ of a natural person with-regard-to the processing of personal data and their right to the protection of personal data. Simply put, if an organization collects, records, stores, organizes, re-structures, adapts or alters, retrieves, uses, discloses by transmission, dissemination, restricts, erases or destructs the personal data of the people in the EU (Data Subjects), then you must comply with the GDPR or else, face huge fines.
What is personal data?
Article 4(1) of the General Data Protection Regulation defines “Personal Data as any information relating to an identified or identifiable natural person, one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical. The physiological, genetic, mental, economic, cultural, or social identity of that person.” (EU n.d.)
The key elements in the definition are any information relating to an identified or identifiable natural person. These elements together form the crux of personal data. In other words, it is any data that can lead to the identification of a specific person. It can be as obviously identifiable data like a name, but it can also be a combination of data such as age, job, company, city, etc. as when combined can allow for identification of a person. (GDPR 4 n.d.)
Examples of Personal Data:
- a name and surname;
- a home address;
- an email address such as [email protected];
- an identification card number;
- location data (for example the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person. (Europa n.d.)
Examples of Data not considered as Personal Data:
- a company registration number;
- an email address such as [email protected];
- anonymised data.
Examples of special categories of Personal Data:
- racial or ethnic origin;
- political opinions;
- religious beliefs;
- genetic data;
- biometric data;
- health data;
- sex life or sexual orientation;
- criminal offences.
Processing of special categories of Personal Data shall be prohibited except for in certain situations. (GDPR9 n.d.)
Conditions for processing of Personal Data
Article 5 of GDPR holds the Data Controller responsible and accountable for compliance with the following principles related to data processing. It states that Personal Data shall be:
- processed in a lawful, fair and transparent manner (lawfulness, fairness & transparency);
- collected for specific purposes only and not further processed for an unrelated purpose (purpose limitation);
- limited to the minimum and collected only up to the extent that is absolutely necessary (data minimisation);
- accurate, kept up to date and rectified without delay (accuracy);
- stored for no longer than is necessary for processing it (storage limitation);
- protected against unauthorized and unlawful processing and against accidental loss, destruction or damage using appropriate technical and organizational measures (integrity & confidentiality).
Processing of Personal Data shall be considered lawful if at least one of the following applies:
- that the Data Subjects have given their consent for doing so;
- it is necessary for the performance of a contract, to which the Data Subjects are party to;
- when Data Controller has to comply with a legal obligation as laid down by EU or member states;
- in order to protect the interests of the Data Subjects or any other natural person;
- public interest matter as determined by EU or member states;
- for the purpose of legitimate interests of the Data Controller or of a third party.
When the permission to process the Personal Data is granted on the basis of consent from the Data Subject, the following conditions have to be met:
- The request for consent shall be presented in clear and plain language in an intelligible and easily accessible form. Any infringement to this shall not be binding.
- the Data Subjects can withdraw their consent at any time.
- the Data Controller should be able to demonstrate or give evidence of the consent, received from the Data Subject, to process their Personal Data.
- consent should be freely given.
Transfer of Personal Data to International Companies or Other Countries
- when there is a transfer of personal data to a third country or an international organization the commission decides that the third country or territory or the international organization has an adequate level of data protection mechanism as the GDPR;
- transfer of data to a third country or international organizations allowed only if the controller and processor provides safeguards, rights and legal remedies for the Data Subjects;
- legally binding corporate rules shall apply to the concerned enterprises engaged in economic activities including their employees. It shall also confer enforceable rights on the Data Subjects w.r.t processing of their personal data.
Further, any judgment or a court or tribunal or decision of an administrative authority of a third country requiring transfer or disclosure of personal data may be enforceable if there is an international agreement in force between the member state or union and the third country requesting.
Rights of the Data Subjects with respect to their Personal Data
Where Personal Data relating to Data Subjects are collected from the Data Subjects, the Data Controllers are bound to provide the Data Subjects with information such as identity and contact details of the controller or of his representatives, contact details of the Data Protection Officer (DPO), purposes of the processing for which data is being sought; whether the controller intends to transfer data to a third country or international organizations. The controller shall provide the information within a reasonable time, generally one month.
The Data Subjects shall have the following privacy rights
- Right of Access – Data subjects can submit requests to access any individual data that an organisation might be holding. The organisation in general will have one month to produce this information. The following data can be requested from the data controller:
- Confirming whether any personal data concerning the individual is being processed
- If personal data is being processed, a copy of the same can be requested
- Other additional information like, purpose of processing, category of personal data, particular recipients in third countries or international organisations, and the retention period.
- Right to Rectification – Data Controllers and Data Processors to rectify any inaccurate personal data concerning the Data Subjects. The Data Subjects shall also have the right to have incomplete data completed;
- Right to Erasure – also known as the right to be forgotten, provides that the Data Controller shall have the obligation to erase Personal Data without any delay when: the data is no longer required for which they were collected, consent was withdrawn, objection by Data Subjects, unlawful processing of data, compliance to a legal obligation in the EU;
- Right to Restrict Processing – when the accuracy of the data is contested, the processing is unlawful, the controller no longer requires the personal data for processing and when there is an objection from the Data Subject;
- Right of Data Portability – to receive the personal data concerning the Data Subject in a commonly used, structured, readable format to transmit it to another controller without hindrance;
- Right to Object – on matters relating to the Data Subjects particular situation, at any time to processing of data concerning him or her. The controller shall no longer process the data unless it demonstrates compelling grounds for doing so.
Restriction on the rights of Data Subjects
European Union or the EU Member State Law may restrict by way of legislation the scope of the obligations and rights provided to the data subjects, albeit such restrictions respects the rights and freedoms, but is necessary, and proportionate measure to safeguard: national security, defence, public security, investigation, protection of judicial proceedings, protection of rights and freedoms of other data subjects, and enforcement of civil law.
Safeguards and derogations relating to processing
With respect for the freedom of Data Subjects and their rights, data safeguards; both technical and organizational measures, and data minimisation principle, the legislation allows for moderation in the rights of Data Subjects, for archiving of Personal Data for the following reasons:
- Public Interest;
- Historical Research;
- Scientific Research;
- Statistical Purposes.
Subject to safeguard measures like pseudonymization and encryption, provided that the purposes mentioned above can be fulfilled and at the same time does not permit the identification of Data Subjects.
Landmark judgment in data privacy and protection
The case of Max Schrems v. Data Protection Commissioner involved a complaint by a data privacy activist requiring the DPC of Ireland to suspend data transfers by Facebook Ireland to Facebook Inc. (USA) due to the concern that his personal data would get accessed by U.S. intelligence authorities under their national security laws (revealed by Edward Snowden) and thereby violating his rights. However, the Irish DPC refused to investigate, stating the existence of adequate protection under the Safe Harbor framework signed between the US and EU. The Court of Justice of the European Union in 2015 ruled that the European Commission’s adequacy determination for the U.S.-EU Safe Harbor Framework was invalid.
This led to the creation of the EU-U.S. Privacy Shield arrangement (US organizations are required to self-certify and publicly commit to complying with its requirements, although it’s completely voluntary). In a separate case, often referred to as “Schrems 2”, the CJEU invalidated the European Commission’s adequacy determination for Privacy Shield after Mr. Scherms further complained of Facebook Ireland to the Irish Data Protection Commissioner.
GDPR data breach fines & penalties
The GDPR allows the data protection authorities of the EU to levy fines up to the tune of euro 20 million or 4% of the global annual turnover (whichever is higher) to companies who fail to comply with the guidelines listed under the GDPR legislation. Since its inception in 2018, the data protection authorities across the EU have been on an enforcement rampage. In 2021, the GDPR fines have risen by 40% from last year, penalties have aggregated to around euro 158 million and 121,000 data breaches have been recorded. Some of the biggest fines are:
- Google (Euro 50 million) – This is the biggest fine levied to date by a DPA (in this case the French DPA), for violation of users consent policies and for not granting them more control over how their personal data is processed.
- H&M (Euro 35 million) – The Hamburg DPA imposed the second-largest fine on clothing retailers for violations of the principle of data minimization when they processed sensitive data about their own employees’ health, religious beliefs and did a detailed profiling to evaluate their performance and take decisions on their employment matters.
- British Airways (Euro 22 million) – The fine was imposed when the company’s system was breached and it affected approx. 400,00 customers when their personal data like login details, card details and name and address got leaked. British Airways didn’t maintain basic security measures in place to prevent the breach.
More recently Amazon is looking at a Euro 300 million fine for GDPR breaches which will dwarf any other fines levied to date. The fine has been proposed by the Luxembourg DPA for the collection and use of personal data for marketing purposes.
Your personal data is power, and it is for sale. Targeted information jeopardizes an individual’s privilege to make informed decisions, however, with data privacy protection regulations like GDPR gaining prominence, companies should tread cautiously and limit the processing of personal data to, only when necessary, and to the absolute minimum, to meet the purpose.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.