One of the most sweeping data privacy regulations so far - the General Data Protection Regulation (GDPR) - came into effect in the European Union on May 25. The new regulation gives EU citizens significant control over the kind of data that is collected from them and the purposes for which it will be used. The law allows users to have the data a company has collected about them deleted, if they so wish.
Apart from companies such as Facebook and Google, this regulation will also have to be complied with by hospitals, insurance companies, banks and even grocery shops that hold the personal data of EU citizens.
The applicability of this new regulation is not limited to EU-based companies, but extends to all the businesses across the world which possess, manage or process data on EU citizens. A violation of the rules of GDPR can leave a company vulnerable to a penalty of 4% of its previous year’s global revenue or 20 million euros (23.4 million dollars), whichever is higher.
Many companies outside the EU, which had not set up the infrastructure required to comply with the new regulation, temporarily stopped their services to Europe. Giants like Facebook, Google, Instagram and WhatsApp, which claimed to have made the required modifications to comply with the law, had complaints filed against them for violation of the GDPR within hours of the new regulation coming into effect.
This regulation, which had been in the making for seven years, replaced the 1995 Data Protection Directive, which was formulated well before firms like Facebook engaged in large-scale data collection and profiling. The directive offered individuals very limited control over their online data.
GDPR was ratified in 2016. A grace period given for companies to adjust their practices in order to comply with the new rules ended on May 25.
What does the GDPR mandate?
Under the new regulation, a company will need to ask for explicit consent from a consumer before collecting any data. Until now, users were only offered the option of opting out of their data being collected, but now, companies will require an affirmative confirmation, or 'opt-in' consent from the consumer. Further, companies are obliged to inform the users about the purposes for which their data will be used.
In order to collect the data of those under the age of 16, companies are required to obtain parental consent.
Companies are also required to disclose to their clients the full data they are holding on them. A clause in the regulation - the “right to be forgotten” - makes it mandatory for a company to delete all the data it is holding about a client, if she so demands. Further, a consumer can also transfer the data regarding herself from one company to another, and instruct the former to delete the same, which is of particular relevance to healthcare providers, insurance companies etc. GDPR also requires a firm to inform a client within 72 hours in case of a data breach.
GDPR also restricts the data that companies can collect to only that information which is necessary for the company to provide its services. Explaining this rule with an analogy, Danny O’Brien, a director at the Electronic Frontier Foundation, said, “A birthday cake company needs your name to put on the birthday cake. If it isn’t essential information, you can deny them consent to use that data and you still have to get the service,” the New York Times reported.
Tech giants in the dock
It is this clause that led to complaints being filed against Facebook, Google, Instagram and WhatsApp. A privacy group, noyb.eu, led by activist Max Schrems, filed the complaints. These firms, the complainant argued, were using a “take it or leave it” approach, requiring their users to give opt-in consent to having their data collected and shared with advertisers if they wanted to retain their accounts.
“The GDPR explicitly allows any data processing that is strictly necessary for the service - but using the data additionally for advertisement or to sell it... needs the users' free opt-in consent,” noyb.eu has said. Max Schrems was quoted by the BBC as saying, “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”
The new law, however, is open to different interpretations. Advocates for the companies, for example, could argue that this data is necessary for Facebook and other companies to earn their advertising revenues. If such an argument is made in defence, the final verdict will provide clarity on whether the maintenance of a company’s current profit margin can be regarded under the regulation as necessary for the provision of the service.
A verdict in favour of the companies would allow the tech giants to deny services to those who refuse to divulge certain personal data. While such monopolies may thus manage to obtain consent, smaller businesses and start-ups may not, which would create considerable hurdles to their operation, especially because an IP address is also regarded as a user’s personal data under the GDPR.
How are smaller firms affected?
The changes a company needs to make to its operations, and the legal advice it needs to procure in order to make itself compliant with the new regulation, may impose additional costs that many smaller businesses may struggle to afford.
According to the report “Forrester Predictions 2018: A year of reckoning”, “80% of firms affected by GDPR will not comply with the regulation by May 2018.” The cost of setting up the mechanisms required for compliance is high, and companies will have to weigh the additional costs of complying against the risks of non-compliance.
Half of those not complying will have made an intentional decision, after assessing that the cost of complying would exceed the risk of non-compliance. The other half, the report predicts, will try to comply but fail. “This will be a fluid environment; any successful case against a well-known giant will change the risk/cost balance,” the report added.