General Data Protection Regulation

Internet has revolutionized various sectors of economy. And with its rise, it has become indispensible for smoothly carrying out day to day functions. Prevalent times are often termed as ‘Age of Data’ which often leads to parting of personal data while using various internet services. With the exponential rise in users incidents of identity theft, unauthorised access and other such breaches have increased. Privacy concerns exist wherever personally identifiable information or other sensitive information is collected, stored, used and finally destroyed or deleted in digital for or otherwise. The challenge of data privacy is to utilise data and at the same time protecting individual’s privacy preferences and their personally identifiable information.

The Right to Privacy is a highly developed area of law in Europe and all the member states of the European Union are also signatories of the European Convention on Human Rights. An important part of EU privacy and human rights law is the data protection directive. It is a European Union directive adopted in 1995 which regulates the processing of personal data within the European Union.

The General Data Protection Regulation (GDPR) which was adopted in April 2016 will replace the Data Protection Directive and will be enforceable from May 2018. GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection law for all individuals within the European Union. It will also look into the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It does not require national governments to pass any enabling legislation and is thus directly binding and applicable, unlike the current directive which needs legislations to be passed. GDPR extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It also brings a new set of digital rights for EU citizens in an age when the economic value of personal data is increasing in the digital economy.

The GDPR is the most significant piece of European Privacy legislation in the last twenty years seeking to unify data protection laws across Europe. Under this regime companies must keep a thorough record of how and when an individual gives consent to store and use their personal data. When somebody withdraws consent at any point of time, then their details must be permanently erased, and not just deleted from a mailing list. GDPR gives individuals the right to be forgotten.

Privacy by Design and Default is the cornerstone of the GDPR. Privacy by design is a fundamental component in the design and maintenance of information systems and mode of operations for each organisation. This mandates that from the initial stages onwards organisation must consider the impact that processing data can have on an individual’s privacy. This means that every new business process or product that could involve personal data or impact the privacy of an individual must be designed in accordance with data protection requirements.

Article 25 of the GDPR codifies the concept of privacy by design. According to this, a data controller is required to implement appropriate technical and organisational measures both at the time of determination of the means for processing itself in order to ensure data protection principles such as data minimisation are met. The concept of privacy by design promotes compliance with data protection laws and regulations from the earliest stages of initiatives involving personal data. It puts more strain on the conception and development of new initiatives, following privacy by design principles can be used as a mean to help ensure full compliance with data protection principles issues being identified at an earlier and less costly stage and to the increase of awareness of privacy and data protection related matters throughout an organisation. Under the current regime no specific requirement to implement privacy by design by default exits but under GDPR which will come into force it’s inherent.

The data controller while implementing privacy by design needs to take into account the state of the art, cost of implementation and the nature, scope, context and purposes of processing as well as the likelihood and severity of risks of the rights and freedoms of natural persons posed by the processing of their personal data. Privacy by design is a technical approach. While the incentives and will to invade privacy may be social problems, the actual ability to do so is a technical problem in many instances. Thus, dealing with it at technology level is necessary.

Works Cited

1. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. (1995). Official Journal of the European Union, L281, 31-50. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML
2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). (2016). Official Journal of the European Union, L119, 1-88. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
3. O'Hara, K. (2018). The European Union's General Data Protection Regulation: A practical guide. OUP Oxford.
4. Dixon, P. (2018). The EU General Data Protection Regulation (GDPR): A commentary. Oxford University Press.
5. Solove, D. J., & Schwartz, P. M. (2014). Privacy law fundamentals. IAPP.
6. Macnish, K. (2018). Privacy by design: Origins, meaning, and prospects for the GDPR. Computer Law & Security Review, 34(2), 193-204.
7. Cavoukian, A., & Jonas, J. (2011). Privacy by design: Essential for organizational accountability and strong business practices. Identity in the Information Society, 4(2), 247-252.
8. Bennett Moses, L., & Chan, J. (2018). Algorithmic decision-making and the GDPR. Computer Law & Security Review, 34(3), 496-516.
9. Mitrano, T. S. (2017). The right to be forgotten: An insider’s perspective. Harvard Journal of Law & Technology, 31(1), 1-29.
10. Ausloos, J., & Baele, S. J. (2018). GDPR and the risk management of data breaches. Computer Law & Security Review, 34(2), 308-328.