“Meta threatens to pull Instagram and Facebook in Europe over privacy laws.”
This is the headline that has been doing rounds across the globe over the last couple of days. If you have also come across some articles and your inquisitiveness in the matter has risen, then you are at the right place.
Meta (formerly known as Facebook) has raised grave concerns over GDPR rules and privacy laws and has threatened to pull Facebook and Instagram from Europe if it is unable to keep transferring user data back to the US. However, the regulators stand firm on their decisions.
Although we are not here to comment on the rift between Meta and European authorities, we will definitely try to shed some light on it by discussing about GDPR and other regulatory policies that form the backdrop of the events that have taken place.
As we know, in the recent years, the web has emerged like a parallel universe. The demand for website builders and free app makers is at an all time high, and numerous new online businesses are emerging every day.
Therefore, just like the citizens of any country need safeguarding of their privacy and general interests, the netizens, website visitors, app users, etc., also need to have a similar assurance.
Everyday, infinite data and information exchange takes place between numerous parties. Thus, authorities around the world are working to monitor and regulate such exchanges and ensure that the privacy and security of their citizens is not compromised.
Almost every nation and federal authority around the globe has laws to regulate data monitoring, mining, and processing practices. GDPR, and other such regulatory policies fall within the same framework. Let us learn more about them!
What is the need for data protection & privacy policies?
The need for protection of data is just like any basic human right in its essence. As individuals, we must know how our data is being collected, utilized, and transferred.
However, without a legally binding provision or policy, it is difficult to ensure that the data collecting entities will respect this basic right of users.
This is just one aspect of data protection and privacy. To safeguard this, and all other such aspects, nations draft regulations and implement laws.
Data protection and privacy policies ensure our interests as consumers on many fronts. This has been summarized in the points listed below.
We can say that we need data protection and privacy policies to ensure the following benefits:
- Data is mined, recorded, stored, processed, used, and transferred ethically.
- User data is protected from leaks, loss, misuse, theft, and other hazards.
- Robust policy and framework increase credibility and boost brand value and image.
- Businesses can earn the trust of the market, consumers, investors, and other stakeholders.
- Brands get to develop better understanding of the data and its value.
- Data collection, processing and usage improves, facilitating overall business growth.
- Brands can ensure better decision-making and fix liabilities and accountability.
What is General Data Protection Regulation (GDPR)?
Let us define GDPR in layman terms for you!
General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).
It set out with the following three main goals:
- Establish and protect the fundamental privacy rights of data subjects (users or consumers).
- Unify 28 disparate privacy laws of the EU member states.
- Update privacy laws to align with the changed technology landscape over the last 25 years.
Although GDPR was not the first privacy law, it has been the most comprehensive one and has set examples for the rest of the world. It also reflects the demands and dynamics of the new digital era and totally aligns with it.
The European Union Parliament approved GDPR in 2016 to replace a data protection initiative from 1995, and the changes came into existence in May 25, 2018. This has been designed to accommodate all types of businesses, from multi-nationals to micro-enterprises.
It applies to all the companies within the EU as well as organizations in other countries that offer goods or services to EU citizens, attract European traffic, or collect, monitor, and handle their data in any form.
In fact, GDPR has fundamentally revolutionized how businesses handle consumer data and any entity that fails to comply faces severe penalty. The amount of fine can be as much as €20 million or 4% of the annual global revenue of the company, depending on the severity and circumstances of the violation.
What does it mean to be GDPR compliant?
The answer to the above question is quite simple. Being GDPR compliant means that the platform (business, website, app, etc.) falls within the purview of GDPR and meets all the data handling requirements as defined under the law.
An organization that falls within the purview of GDPR and fails to abide by its laws, will be considered non-compliant and charged with hefty fines (discussed in detail below).
Therefore, any organization that needs to avoid any legal complication or any conflict in general, must follow all the principles outlined under the GDPR. It must also ensure that the third-parties also remain compliant and must conduct compliance audits for the same.
What are GDPR Fines?
GDPR fines are designed to ensure that the related platforms are compelled to follow all the directives of the policy and remain compliant with the same.
The nuances of the fines mentioned in the GDPR documentation are quite complex and beyond the scope of this space. However, we will try our best to walk you through the most significant and noticeable ones.
Under GDPR, some violations are considered more severe than others. This depends on the nature of the failure of compliance, infringement of laws, and other related factors.
The less severe violations could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year (whichever is higher).
The more serious infringements are those that severely violate the right to privacy and the right to be forgotten, two core principles of the GDPR. This type of violation could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue based on the preceding financial year (whichever is higher).
The fines are administered by the data protection regulator in each EU country and these authorities also establish infringements and severity of the violation. Several factors are taken into consideration for determining the same. This includes:
- The gravity and nature of the violation or infringement
- The history of violations of the particular organization
- The type of data that was compromised and how it affects the users, consumers, etc.
- What precautionary measures were in place when the violation took place
- How the firm co-operates to identify, notify, and remedy the violations
- Whether the violation was intentional or due to negligence
- Efforts that were taken to control the hazards caused due to the violation
- Whether efforts were made to compensate affected parties or not
- The other issues and aspects (financial or otherwise) related to the violation
These are some of the most common factors thar are considered to fathom the gravity of GDPR violations and to impose fines and penalties for non-compliance.
Glossary definition of significant GDPR terms
Just like any other law or policy, GDPR documentation has its own glossary of terms with attributed definitions and meanings. While it is difficult to get into the semantics of the document in its entirety, we will decipher some of the most significant terms for you.
The key terms of the GDPR documents and their definitions are as follows:
- Data Controller: Entity determining the purposes and means of processing of personal data.
- Data Processor: Entity that processes data on behalf of the data controller.
- Data Subject: Person whose personal data is monitored, recorded, or processed by a data controller or processor.
- Data Processing: Any operation(s) performed on the data (recording, alteration, erasure, transfer, etc.) by the use of any means (automated or otherwise).
- Profiling: Any form of processing of personal data consisting of the use of the data to evaluate certain personal aspects related to a person (preferences, user behaviour, location, etc.)
- Pseudonymization: Processing of data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information. Here the subject is replaced by “pseudonyms” or identifiers and the identity remains concealed.
These were some of the key terms of GDPR and their definitions. We hope this helps you in gaining better understanding of the detailed aspects of the law.
What are the types of data governed by GDPR?
GDPR compliance is not at all optional and must be followed by all. It governs almost every data point that an entity may collect, including the following:
- Personal data (any information relating to an identified or identifiable data subject)
- Basic identity information (name, address, email address, social media profiles & posts, etc.)
- Web data (location, IP address, cookie data, Radio Frequency Identification tags, etc.)
- Biometric data (fingerprints, facial recognition, etc.)
- Health and genetic data (medical history, vital statistics, etc.)
- Racial or ethnic data (caste, color, creed, lineage, etc.)
- Sexual orientation
- Socio-political opinions
As evident from the very first point above, GDPR essentially governs almost every kind of data related to a data subject and thus aims to safeguard all kinds of information.
Who is responsible for GDPR compliance in an organization?
Essentially, 4 types of personnel are responsible for GDPR compliance. This includes the GDPR Data Protection Officer, Data Controller, Data Processor, and the Supervisory Authority.
We learnt about Data Controllers and Processors above. Let us tell you about the other two in this section.
According to article 39 of the legislation, an organization must recruit a GDPR Data Protection Officer (DPO). This person is made responsible for overseeing the organization’s GDPR compliance, including the data protection strategy and implementation.
The essential duties of a DPO includes the following:
- Assess and audit the organization to ensure it is GDPR compliant
- Conduct training for employees regarding their compliance obligations
- Record data processing activities performed by the company
- Respond to data subject inquiries and inform them how their data is used
- Address data subject requests to view or delete their personal data
- Serve as a point of contact between the company and the GDPR authority
On the other hand, Supervisory Authority (SA) refers to a public authority in an EU country that is responsible for monitoring the compliance of GDPR. An SA is appointed for each EU member state and is also sometimes referred to as the Privacy Commissioner or Data Protection Authority.
Their key responsibility is to advise companies about GDPR, conduct audits, address complaints from data subjects, and issue fines for non-compliance.
Sounds confusing? Relax!
Many professional agencies, services and solutions offering assistance for GDPR compliance have emerged on the web. An entity that finds the GDPR compliance process overwhelming can hire such agencies and professionals and make the process easier.
What are the key provisions of GDPR?
While the provisions of the GDPR are quite extensive, it can be best understood by understanding the rights of the data subjects mentioned in the law.
The GDPR establishes eight rights that are universal in nature. These rights must be respected and upheld by entities at all times. This includes the following:
- The right to information: The users or consumers must be informed about the data collection, utilization, processing, etc. Users must also get advised of the privacy guidelines and policies by the platforms.
- The right to be notified: Users must get notified about any data breach or compromise within 72 hours of the discovery of the breach.
- The right to rectification: Users must get the right to request for an update, rectification or change in their personal data. They can also choose to opt in or out of data sharing, collection, management of information, etc.
- The right to access: Individuals may request access to their personal data. They may also ask how their data is used, processed, stored, or transferred to other organizations. Entities must provide an electronic copy of the personal data, free of charge if requested.
- The right to data portability: Individuals may transfer their data from one service provider to another at any time.
- The right to be forgotten: Users can ask the entity to delete their data if they are no longer customers or are just not willing to share data anymore.
- The right to object: Users get the right to object to the data collection or restrict processing of the data. All processing must stop as soon as the user makes the request.
- The right to restrict processing: Users can ask to stop processing their data or stop a certain kind of processing.
As evident, the GDPR gives consumers a lot of power and they can determine how their data is handled and used and also restrict or alter that.
Therefore, businesses must ensure that consumers’ data is secure and there is no unauthorized access and that they comply with all the necessary safety, privacy, and protection standards.
These points have just been listed here to help you understand the gist of it in layman terms. The actual provisions and guidelines of the GDPR are quite expansive, and complicated and one may even need expert guidance to fully comprehend and understand it.
However, it all boils down to the fact that the users’ (consumer, audience, viewer, visitor, etc.) interests must be safeguarded at all times and there should be no misuse of any information or data by the companies or organizations.
Controversies & challenges associated with GDPR
Every coin has a flip side! Not everything about the GDPR is all good and glorious. In fact, it has attracted enough criticism on many fronts (the Meta conflict discussed at the opening of the blog being the most recent one).
Many entities believe that the compulsion to appoint DPOs imposes an administrative burden that is unfair. The ambiguity of the terms, definitions, provisions etc., also make it difficult for businesses to comprehend the guidelines and manage data while remaining in compliance with the law.
Additionally, GDPR restricts data transfer to another country outside the EU, unless the receiving company guarantees the same level of compliance.
This leads to challenges of alignment in terms of enforcement and interpretation of the rules and guidelines. As per businesses, this leads to unnecessary complications and costly disruption to business practices.
There are also concerns around costs and resources required to educate customers and employees about data protection threats and solutions. It is believed that GDPR will strengthen the large players and weaken the small and medium-sized entities.
Some also say that GDPR is against free speech and expression and hinders innovation and research. There have also been allegations that GDPR is just a tool to increase the control and power of the government at the pretense of the customers.
We leave this for the public and the stakeholders to judge. Do let us know what you think of the same in the comments section.
Other countries with GDPR like policies
While GDPR is unique to the European Union and meant for all platforms that attract European visitors, there are similar policies by the other nations and authorities as well.
Let us take you through some of them:
USA is yet to have a data privacy law on a federal level. However, different states in the Union have their own data privacy laws that businesses and organizations need to abide by. For example, the New York and the California Consumer Privacy Act, that is quite similar to GDPR.
The Privacy Amendment (Notifiable Data Breaches) to Australia’s Privacy Act was introduced in February 2018. Organizations are bind by it and need to disclose data breaches that pose a “real threat of serious harm” within 30 days of their discovery, failure of which results into hefty fines.
Brazil has Lei Geral de Proteçao de Dados (LGPD) that is quite identical to GDPR only with less harsh financial penalties for non-compliance. This was introduced to effect in September 2020.
Canadian government introduced a bill known as the Digital Charter Implementation Act on November 17, 2020, for the amendment of its data privacy policies.
India’s Personal Data Protection Bill (PDPB) was introduced to parliament in December of 2019 and is modelled after GDPR. While it is yet to become an act, companies will have to show full compliance or suffer hefty fines once it does come into force.
People’s Republic of China’s data privacy draft was released in October 2020 and is known as the Personal Data Protection Law or PDPL. This draft has managed to attract many eyeballs due to its extraterritorial applicability. The provisions are quite clear with hefty fines for non-compliance.
These were some of the examples of GDPR equivalents in other countries. Along the similar lines, other countries also have their own policies. This includes:
- Switzerland’s Data Protection Act “Datenschutzgesetz” (DSG) that is quite similar to GDPR.
- Chile has Ley 19,628, that reflects the constitution amendment including data privacy as a human right.
- Egypt has a draft of Law No. 151 approved by the House of Representatives for data protection.
- Israel has multiple laws and provisions for data protection including Israel’s Protection of Privacy Law of 1981 and Israel’s Privacy Protection Authority (PPA) that is a regulatory body for monitoring.
- Japan has Act on Protection of Personal Information that applies to both foreign and domestic companies.
- South Africa has Protection of Personal Information Act (POPIA) that came into effect on July 1, 2020.
These are just some of the many examples. You can search the web and find out many more such examples of data protection laws corresponding to different governments and international authorities. However, more or less, all of them align with the crux of the provisions of the GDPR.
That was all about GDPR and other policies that you must know about if you are running a business in today’s age.
We hope that it will now be easier for you to comply with the same and ensure that your business is user-friendly and aligns with the laws and regulations.
If you found this useful, then stay tuned to this space and do not forget to checkout our other blogs as well. We love sharing such entertaining and informative updates with you.
We also love hearing from you so do tell us about your experience in the comments section. While you are at it, you can also checkout AppMySite and convert your WordPress website to mobile app without writing a single line of code.
Build an app for your website and test it in real mobile device environments. You can also choose to pay only when you are ready to publish your apps on the app stores. Go and experience the futuristic app building technology now!