On May 25, 2018, the EU’s General Data Privacy Regulation (GDPR) came into effect, creating a ripple effect with far-reaching consequences. Hailed as the biggest overhaul to digital law, it has replaced the European Data Protection Directive created in 1995 when the internet was still young.
Privacy is a bit of an irony in this digital age. Our names, ages, genders, addresses, credit card details, browsing history, purchases, loans… everything is stored, tracked and analyzed to make inferences about our preferences and behavior. In one way, this is great because businesses are able to deliver extremely personalized services to us, make relevant recommendations, speed up processes, and so on. But for such convenience, we are trading something major: personal data.
Where does the line get drawn? This question is all the more significant today, as we stand at the cusp of an era of AI-driven analytics that is built on data.
What is GDPR?
The GDPR is a set of regulations
The GDPR has also expanded the definition of what constitutes personal data to mean “any information relating to an identified or identifiable natural person (‘data subject’)”. That includes personal identifiers such as IP addresses and mobile device IDs as well as data that is technologically ‘processed’ through hashing or encryption. Any company that violates these rules is liable to a fine of 20 million euros or up to 4% of its revenues, whichever is higher. Those are some pretty clear and specific terms.
A Ripple Effect
The GDPR is applicable to countries that are a part of the EU, but that does not mean the rest of the world isn’t affected. For one, the regulations directly impact companies based elsewhere but which handle the data of EU residents. These now need to be GDPR-compliant.
Second, it has opened up several conversations on the ethics of storing and selling personal information, with the result that people worldwide have started thinking consciously about their data and wondering how and where it is being used. The impact of this is already beginning to be felt by multiple businesses in the ecosystem, mainly:
- Content publishers and media houses that collect user data on their site
- Ad tech companies that use this data to place targeted and personalized digital ads
Even as the GDPR is garnering applause (mostly from users) and protests (from all the large and small companies involved in the system), regulatory bodies the world over are scrambling to create their own versions. There are many reasons why this is a good idea:
- As the first set of comprehensive, formalized regulations about data privacy, the GDPR has become the benchmark for similar laws worldwide.
- The GDPR was not formulated unilaterally but with the participation and consent of 28 EU nations, where it is applicable. This increases its credibility and acceptability.
- While the GDPR was passed in 2016, EU organizations took the next two years to ensure they were fully compliant with its terms. This time has also brought out the gaps in the regulations and unveiled unintended consequences. This provides a learning opportunity in the creation of similar laws elsewhere.
Reactions From Lawmakers
In the past year, many countries around the world have strengthened their existing data privacy and protection laws or started working towards creating them if none existed. Here are a few:
California Consumer Privacy Act (CCPA)
Passed in June 2018, it is now considered one of the most stringent data privacy laws in the US. It not only upholds the spirit of GDPR but goes a few steps further:
- It provides explicit provision for damages of $100-$750 to be awarded to individuals in case of a data breach.
- It is more specific in its wording compared to the GDPR. For instance, where the GDPR talks about the need for transparency and the use of simple language to let users know what personal information is being collected and what it will be used for, the CCPA says that ‘a consumer has the right to be informed of the categories of personal data, categories of sources of data and categories of third parties that a business shares personal data with.’
Since California has long been a pioneer of innovation and is also the base of many large US businesses, all of which must now comply with CCPA regulations, it can be expected that other state governments and the US federal government itself might soon follow suit.
US States Updating Data Breach Regulations
Colorado, Louisiana, Virginia, Arizona and Alabama among other states have updated their data breach regulations to expand the definition of what constitutes personal information. Virginia, for instance, includes income tax details under personal information. Many have also tightened the notification procedures and timelines (between 45 and 60 days) that companies must comply with in case of a data breach.
India’s Personal Data Protection Bill 2018
In India, the Srikrishna Committee has put together the Personal Data Protection Bill, a framework that helps safeguard user data. This is especially significant given that India is a high-growth digital market; with 270 million users, India tops the list of Facebook users.
Interesting highlights of the framework include:
- Setting up an independent regulatory body to enforce these regulations.
- Recommendations for severe penalties in case of non-compliance, including criminal liability.
- The requirement that one copy of all personal data collected be stored in a server or data centre located in India.
So Should Everyone Copy The GDPR?
There’s much to emulate, especially the spirit with which these regulations were formed, but there are multiple factors other lawmakers need to consider.
Local realities vs Global regulations: In developing nations, the spread of digital media is only just picking up, and picking up fast. Laws as stringent as the GDPR may stifle or slow down the growth of a number of small businesses in these markets, as well as the adoption of tech-enabled conveniences.
Cost on companies: According to the GDPR and similar laws, companies will need to employ resources to ensure compliance and establish separate data protection teams for the future. Small businesses (sometimes exempt as in the case of CCPA) may not have pockets deep enough for this.
Cost on governments: The GDPR mandates that governments establish an independent data protection agency (DPA) to regulate and enforce these rules. This comes with high operational costs and bureaucratic procedures.
Cost to users: Data privacy laws help put personal information back in the hands of its true owners, but companies can still use their market power or psychological tactics to trick users into trading their privacy for convenience.
Exciting times ahead
The GDPR seems to have opened a Pandora’s Box of privacy concerns, questions about the ethics of storing and selling personal data, and speculations about the future of companies whose revenue models depend heavily on these.
These are interesting times and we must wait and watch to see how things unfold.