The European General Data Protection Regulation (GDPR) has been in the limelight these last few weeks, and for good reason. It is an extensive document, to say the least. One reporter found that the number of pages in the document is enough to cover a football field, which is 360 feet long and 360 feet wide.
The document has been in the pipeline since the former Vice-President of the European Commission, Viviane Reding, initiated it in 2012, and it finally went into effect on 25 May. It seeks to set the standard for data protection and privacy not only in Europe but across the globe, for all “data subjects” (read: anyone on the internet anywhere).
The GDPR makes two critical changes to the Data Protection Directive of 1995 that preceded it. First, it emphasises the universal nature of the legislation. For any legislation to apply to all world citizens, this is undoubtedly a prerequisite. The GDPR tries to prescribe the best possible rules and practices for data regulation that can be common to citizens of all nations. Second, it is legally binding. Any company that breaks the regulation is liable to pay a fine of up to 4 percent of its worldwide sales.
This, of course, is the macroscopic view of the regulation presented by experts. The regulation is still expected to have loopholes. Devising perfect laws in complicated matters such as the protection of data privacy is close to impossible, and the GDPR will be prone to discrepancies in interpretation and implementation. Nonetheless, some things in it are as clear as daylight. The document is strongly against companies sharing the personal data of their users or customers with any third parties. If this must be done, it must be done after gaining prior permission, or the company risks serious consequences.
Viviane Reding referred to the recent Facebook Cambridge Analytica scandal to make this clear. She said, “The Facebook Cambridge Analytica scandal, if it had happened on 26 May this year, would have cost billions of euros to Facebook, among others. You cannot hand over the personal data of citizens without having asked if the citizens agree that you hand it over. And you cannot steal it and just tell them after. That is not possible anymore, according to the new law. If you do, then the penalties will be very, very severe.”
The Road Ahead
Companies are taking the GDPR seriously. That is why you have been receiving, and will continue to receive, emails from digital services about updates to their privacy policies. According to experts, MNCs are hiring as many as 300 to 500 people just to ensure their compliance with the GDPR, and are spending as much as 50 million dollars on it. Of course, the same cannot be said of small companies. Bigger companies are better poised to absorb the GDPR than smaller ones. This is one of the drawbacks of having extensive regulation for privacy. Having said that, it paves the way for overall information hygiene, which was always bound to have a cost.
This cost is not solely borne by companies, mind you. The GDPR is also adding to the costs of the agencies responsible for enforcing its provisions. The Irish Data Protection Committee has added around 100 employees to its books, with 40 or so more professionals expected to join soon. These new hires come from varied backgrounds: some are lawyers, others are media professionals, business analysts or systems analysts, all hired with the goal of investigating and cracking down on as many breaches of the GDPR as possible.
One provision of the GDPR that supports this goal is Article 80, which gives validity to class-action lawsuits. It gives NGOs and active citizens who care about data protection the right to act in the public interest, that is, to protect the rights of those individuals in society who do not have the time to keep up with the challenges and issues of protecting data privacy.
The GDPR is an ambitious legislative document. It is the first of its kind in the pursuit of global cybersecurity, and it includes substantial measures for enforcement. It is also very extensive, which makes compliance a challenge. But companies are making changes to their privacy policies, which is positive. Whether these changes are merely words of caution that expose loopholes in the GDPR, or actual reforms for data protection, remains to be seen. All eyes will be on the Irish Data Protection Committee and the other GDPR-enforcing agencies to see if it is truly effective.