By Nethra Katikaneni
Abstract
This article traces the origins of the General Data Protection Regulation (GDPR), the toughest privacy and security law in the world. Drafted and passed by the European Union, it imposes obligations on organisations anywhere as long as they target or collect data regarding people in the European Union. The article examines why the regulation was adopted and how it bears on information privacy. At a time when more individuals are entrusting cloud services with their data and breaches are occurring on a daily basis, Europe is indicating with the GDPR its hard stance on data privacy and security. Due to the regulation’s expansive scope and lack of specificity, small and medium-sized businesses (SMEs) may find it difficult to comply with GDPR. The ongoing debate relating to GDPR is also discussed further in this essay.
Introduction
The General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy regulation that was implemented in the European Union (EU) on May 25, 2018. The GDPR replaced the Data Protection Directive of 1995 and aims to strengthen and unify data protection for individuals. The regulation is designed to equip individuals with control over their personal data and to ensure that corporations handle it responsibly and securely. The GDPR applies not only to organisations based in the EU but also to those outside the EU that process the personal data of EU residents. Any company operating in the EU as well as any business outside the EU that sells goods or provides services to clients in the EU is subject to the rules and provisions of GDPR. The GDPR has generally been considered a positive step towards strengthening privacy rights and increasing accountability for handling personal data. It has influenced global discussions on data protection and privacy, and some countries outside the European Union have implemented or are considering similar regulations.
What advantages do citizens receive?
The reform gives people power over their personal information, which is protected as a basic right in the European Union. The reform of data protection will fortify the rights of citizens and foster their confidence. Seven out of ten Europeans are concerned about the possible use that firms may make of the information supplied, and nine out of ten are concerned about the mobile apps that gather their data even before they know. The revised regulations take these issues into account:
“Right to be forgotten”: the process of deleting personal data when a person requests that it no longer be processed and there are no justifiable reasons to keep it. This isn’t about censoring history or limiting journalistic freedom—this is about safeguarding people’s right to privacy.
Greater transparency regarding data processing: People will have easier access to information on how their data is being handled, and this information needs to be presented comprehensively. People will find it simpler to transfer their personal data between service providers if they have the right to data portability.
The right to be informed when one’s data is compromised: Businesses and organisations are required to notify the National Supervisory Authority of any data breaches that pose a risk to individuals and promptly notify the data subject of any high-risk breaches so that users can take the necessary precautions.
“Data protection by design” and “Data protection by default”: These two concepts are fundamental to EU data protection regulations. Products and services will come with built-in data protection measures from the outset, and default settings that respect users’ privacy will be standard across the board, including on social media platforms and mobile applications.
Many organisations run special promotions and marketing campaigns during the holiday season. It’s important to ensure that any personal data collected for these campaigns is processed in compliance with GDPR requirements. This includes obtaining clear and informed consent for data processing, providing opt-out options, and being transparent about the purpose of data collection. With increased online shopping during the holidays, firms must prioritise the security of personal data, especially payment information. Implementing strong security measures, using encryption, and ensuring secure payment gateways are essential to protect customer data. Some corporations may have specific policies regarding holiday-related events, bonuses, or time off. It’s important to handle employee personal data, such as payroll information or holiday leave requests, in accordance with GDPR principles. The holiday season may see an increase in cyber threats and phishing attempts. Institutions should be vigilant about data security, monitor for potential breaches, and have a plan in place to respond promptly and transparently if a data breach occurs. Individuals’ rights under the GDPR, such as the right to access personal data or request its deletion, are always applicable. Institutions must be prepared to respond to such requests even during the holiday season and are expected to integrate data protection principles into their day-to-day operations, including during holiday-related activities. This ensures that individuals’ privacy rights are respected, and organisations remain in compliance with the regulation. Corporations might also provide staff with training and reminders to uphold data protection standards during the holiday seasons.
Effectiveness of the GDPR: an ongoing concern
While the GDPR has been praised for enhancing individuals’ privacy rights and increasing accountability for organisations handling personal data, there are also concerns and criticisms associated with its implementation. Compliance with the GDPR can be complex and resource-intensive, especially for small and medium-sized enterprises (SMEs). Meeting the regulatory requirements may require significant investments in technology, legal expertise, and staff training. The GDPR’s provisions are open to interpretation, leading to variations in how different EU member states implement and enforce the regulation. This can create legal uncertainty for businesses operating across borders. Obtaining clear and explicit consent from individuals for data processing can be challenging. Some argue that the consent mechanisms prescribed by the GDPR, such as cookie banners, may lead to “consent fatigue” among users who are bombarded with consent requests. Critics argue that the GDPR’s strict data protection requirements may stifle innovation, particularly in areas like artificial intelligence and machine learning where the use of large datasets is essential. Striking a balance between privacy and innovation remains a challenge. Unlike vehicle emissions standards, for instance, GDPR compliance is multidimensional and compliance outcomes can be difficult to observe. The European Commission (2019) status report on the GDPR acknowledges that the regulation fell short of its potential due to a lack of enforcement. The GDPR literature has shown variation in compliance efforts by industry, by country, by compliance requirement, by firm size, and over time. Compliance is costly to firms, and small and medium-sized firms in particular may lack the resources to comply. Implementing data subject rights, such as the right to be forgotten and the right to data portability, poses operational challenges for organisations. 
Responding to access requests and ensuring data portability can be complex, especially for businesses with vast amounts of data. The GDPR places restrictions on the transfer of personal data outside the European Economic Area (EEA). The adequacy of data protection measures in non-EEA countries can become a hurdle for international data transfers. Some critics argue that national Data Protection Authorities (DPAs) may lack the resources and capacity to effectively enforce the GDPR. This can lead to inconsistencies in enforcement across different jurisdictions. Small businesses may find it challenging to navigate the GDPR’s requirements, leading to concerns about compliance costs and potential negative impacts on entrepreneurship. Civil society groups have now grown frustrated with GDPR’s limitations, while some countries’ regulators complain that the system for handling international complaints is bloated and slows down enforcement. Experts claim that companies are now reluctant to use people’s data in questionable ways, whereas prior to the GDPR they would not have given it a second thought. According to a recent study, with greater privacy measures, there are about one-third fewer Android apps on the Google Play Store now than there were before the GDPR was implemented.
Conclusion
By prioritising individual privacy rights, GDPR fosters a more responsible and ethical approach to data handling, ultimately leading to better data management practices and mitigating the risks of data breaches and misuse. These advantages contribute to a more sustainable and trustworthy digital ecosystem, benefiting both consumers and businesses in the long run. To enhance the efficacy of GDPR, there’s a need for streamlined compliance procedures, ensuring that businesses, especially smaller ones, can navigate the regulations more easily. Secondly, bolstering enforcement mechanisms would deter non-compliance and strengthen the overall integrity of the regulation. Additionally, as technology evolves, GDPR should continuously adapt to address new data processing methods and emerging privacy challenges. Aligning GDPR with global privacy standards would facilitate smoother data transfers and international cooperation. Moreover, initiatives to raise public awareness about data privacy rights and GDPR provisions are essential for empowering individuals. Incorporating stakeholder feedback through regular consultations would enable ongoing refinement, ensuring that GDPR remains effective in safeguarding privacy while supporting innovation and economic development.
Author’s Bio
Nethra Katikaneni is a law student at Jindal Global Law School, OP Jindal Global University and is a columnist at Nickeled and Dimed.
Image Source: https://gdpr.eu/what-is-gdpr/

