The world is witnessing technological advancement now more than ever, and this has also opened the way to a growing number of cybersecurity breaches and violations of privacy law. The reach of the internet has broadened to such an extent that the protection of privacy and personal data has become a major concern for every country. Nations are adopting stringent privacy and data protection laws to prevent the misuse of confidential data. The General Data Protection Regulation (GDPR) adopted by the European Union, comprising 99 articles, is expected to be the biggest game changer for all companies, Union institutions, bodies and offices in the European Union, as well as for the member states of the European Union, that collect the personal data of their users via an online interface.
The General Data Protection Regulation (GDPR) is a privacy and personal data protection law that applies throughout the European Union and its member states. The Regulation was adopted to govern the processing of the personal data of natural persons (known as data subjects), as well as the free movement of such data, with the aim of protecting the fundamental right to privacy. The GDPR also provides that the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons. It defines personal data as any information that can identify a natural person, whether by reference to a name, an identification number, location data, or factors specific to the physiological, cultural, social, economic, mental or genetic identity of that person.
The GDPR protects the personal data of users that is processed by automated means, i.e., personal data that is subject to any operation such as collecting, recording, storing, structuring, organizing, retrieving or disseminating. The GDPR also applies to personal data that forms part of a filing system and is accessible according to specific criteria.
The main objective of the GDPR is to protect the fundamental right to privacy of natural persons and to protect them against the misuse of their personal data. To that end, it lays down principles that any company must follow when processing the personal data of users.
● The primary principle is lawful, fair and transparent processing: personal data shall be collected only for specified and legitimate purposes.
● Personal data shall be kept only for as long as is necessary. It may be stored for longer periods only where this is required for purposes in the public interest or for scientific or historical research.
● Personal data shall be processed in a manner that ensures appropriate security, protecting it against unlawful processing and against accidental loss or damage.
The GDPR requires the consent of the person whose personal data will be processed. Consent under Article 7 of the GDPR may be given in the form of a written declaration, and the request for consent shall be presented in a clearly distinguishable form using clear and plain language. One of the most important provisions of the GDPR for securing personal data is that the user, or data subject, who provides personal information may withdraw consent at any time. Several factors determine whether the consent of a data subject is valid.
1. Free- The first factor is that consent must be given freely and unambiguously. The user shall indicate by a clear affirmative act that he agrees to the processing of his personal data. The affirmative act may be a written statement, including by electronic means, an oral statement, or ticking a box. Silence, inactivity or pre-ticked boxes on a website do not constitute consent.
2. Separate consent- The GDPR requires companies to obtain separate consent for different personal data processing operations. For example, where a contract is being performed, the data subject must give consent for the performance of the contract and separate consent for the processing of personal information.
The GDPR secures the fundamental right to privacy of data subjects. It provides a list of rights available to users who provide their personal data.
1. Transparency- The GDPR gives data subjects the right to transparent information. The processor shall be transparent when providing information about the processing of personal data, and the information shall be provided in writing, including by electronic means. When obtaining personal data, the processor or controller (the party that determines the purposes and means of data processing) shall provide its complete details to the data subject, thereby maintaining transparency.
2. Right of Access- Data subjects have the right to access their personal data undergoing processing. They have the right to know the purposes of the processing, the categories of personal data obtained, the third parties having access to their personal data, and the period for which the data will be stored. Data subjects also have the right to obtain a copy of their personal data undergoing processing.
3. Erasure and Rectification- Data subjects have the right to have their personal data erased or rectified. A data subject can have the data erased by withdrawing consent, or where the data is no longer needed, has been processed unlawfully, does not comply with a legal obligation, or has been made public. A data subject can also restrict the processing of personal data on the grounds mentioned above.
4. Right to Object- A data subject can object to the processing of personal data where it overrides his interests, rights or freedoms, or where the data is processed for direct marketing purposes. The data subject can also object where his personal data is used for scientific or historical research, provided the processing is not in the public interest.
The General Data Protection Regulation provides severe measures for the protection of personal data. In addition to laying down strict rules for determining consent and granting several rights to data subjects, the Regulation imposes strict liabilities for infringements of privacy law and security breaches concerning personal data.
1. Lodge a Complaint- A data subject can lodge a complaint with the supervisory authority, or approach a judicial or administrative body, if any provision of the GDPR has been violated.
2. Compensation- If there is an infringement of privacy law or a breach of personal data, the data processor or controller is liable to pay compensation to the data subject whose privacy has been violated. If the data subject suffers damage, the processor or controller is liable to cover that damage. In most cases of infringement of the GDPR, the processor is required to pay an administrative fine; infringements that are not subject to a fine are covered by penalties.
The protection of privacy has become a primary concern in today's cyber world. Any website can gain access to our personal data without our (freely given) consent, allowing personal data to move freely through cyberspace. This poses a major threat to the security of users. Hence, the European Union has adopted the GDPR, which imposes several restrictions on the processing of data subjects' personal data and makes it difficult to obtain personal information without the user's consent.