General Data Protection Regulation (GDPR) [UPSC Notes]

The General Data Protection Regulation (GDPR) is a regulation (EU Regulation 2016/679) in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It is one of the most significant and wide-ranging laws passed relating to technology and the internet. In this article, you will learn about the General Data Protection Regulation or GDPR, an important topic for the IAS exam.

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) is a Regulation in EU law on data protection and privacy in the EU (European Union) and the European Economic Area (EEA). It was approved by the EU in April 2016 and came into force on 25th May 2018.

  • The GDPR replaces the UK’s 1984 Data Protection Act and the EU’s Data Protection Directive, which initially came into force in 1995, with new guidelines that are better suited to the modern technology-dominated world. 
  • The GDPR’s primary objective is to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
  • It is a regulation, not a directive, and therefore is directly binding and applicable to each member state of the European Union.
  • There are 11 chapters containing 99 articles.
  • Under the terms of GDPR, organisations have to ensure that personal data is gathered legally and under strict conditions, and those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.
  • GDPR also provides additional rights to people who want their personal data to get deleted, provided there are no grounds for retaining it (Right to Erasure).
  • The GDPR also strengthens reporting obligations and enforcement: data breaches must be reported within 72 hours. Failure to comply with the GDPR rules could result in a fine of up to 4% of global turnover or 20 million euros, whichever is greater.

To Whom Does GDPR Apply?

GDPR applies to any organisation operating within the European Union, as well as any organisation outside of the EU which offers goods and services to customers or businesses in the EU. Therefore, GDPR has global implications. There are two different types of data handlers the legislation applies to – Processors and Controllers.

  • Controller – A ‘controller’ is a person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of processing the personal data.
  • Processor – A ‘processor’ is a person, public authority, agency or any other body which processes personal data on behalf of the controller. Controllers must ensure that all contracts with processors are in compliance with GDPR.

Personal Data under GDPR

Personal data is data that relates to an identifiable living individual and includes names, e-mail IDs, ID card numbers and IP addresses. It also includes sensitive personal data such as genetic data, and biometric data which could be processed to uniquely identify an individual.


Supervisory Authority under GDPR

Under GDPR, all member states need to appoint a supervisory authority. It is an independent public authority established in each member state to ensure the implementation of, and compliance with, the GDPR.

Data Protection Officer

GDPR legislation requires certain organisations to appoint a Data Protection Officer (DPO). This applies to public authorities and to companies that process large amounts of data.

  • The controller and the processor must ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
  • The appointed DPO (Data Protection Officer) must have a high level of expert knowledge of the legislation, practices and GDPR compliance.

Pros and Cons of GDPR

The Pros

  • The GDPR acts as a guide to achieve a higher degree of data security.
  • To comply with the GDPR rules, companies doing business in the EU or serving EU customers have improved their cybersecurity posture.
  • With improved cybersecurity, clients put their trust in companies and share their data knowing that they are doing so in a secure environment.
  • GDPR gives the highest importance to consumers’ consent.

The Cons

  • As is often the case with legislation, there is a concern about overregulation when it comes to GDPR.
  • If a company fails to comply with the norms mentioned by the GDPR, the penalty is huge: 4% of the global turnover of the company or 20 million euros, whichever is greater.
  • GDPR adds a great deal of complexity to online business. Every business needs to be compliant irrespective of its turnover.

GDPR and India

In India, the Information Technology Act, 2000 (IT Act) and IT Rules deal with online data protection. 

  • While both the IT Act and GDPR have the objective of controlling and regulating the transfer of data for e-commerce, GDPR is more concerned with safeguarding the rights of the citizens (of the EU), whereas this is missing from the Indian legislation.
  • Both direct that data collection should be done with legal justification and that data should be collected only for the purpose stated.
  • While GDPR applies to data processing also, the IT Act applies only to data gathering and usage (and not processing).
  • Data integrity, protection from unauthorised processing, accountability, fairness, and transparency are among the principles stated in the GDPR but not included in the IT Act.
  • The GDPR gives the Member States the authority to set special processing requirements and lists five additional conditions on the necessity of processing. The IT Act does not contain such requirements.
  • Both the IT Act and GDPR require consent before data collection and give consent providers the option to revoke such consent.
  • GDPR defines consent, specifies conditions for children’s consent and requires the data controller to provide evidence of such consent, while the IT Act does not.
  • Certain provisions of Section 43A of the IT Act (dealing with rights to rectification, to information, and to revoke consent) align roughly with GDPR.

Frequently Asked Questions on General Data Protection Regulation (GDPR)

Q1

What is GDPR and why does it matter?

The GDPR is a European Union law that was implemented on 25th May 2018 and requires organisations to safeguard personal data and uphold the privacy rights of anyone in the EU territory.

Q2

What happens if a company fails to comply with GDPR?

If a company fails to adhere to the norms of GDPR, it can be fined up to €20m or 4% of global turnover, whichever is higher.

Q3

What are the 7 principles of General Data Protection Regulation?

Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.
