GDPR | Seers Article

The EU has always placed strong emphasis on protecting the individual’s privacy with regard to the processing of their personal data, and it now does so through the GDPR. This fundamental right is enshrined in EU human rights legislation, and, after great endeavours, it is now enforced throughout Europe and by Europe itself rather than through national legislation. As per Article 99, the GDPR is “mandatory in all its elements and directly applicable in each Member State”.

The European Data Privacy Directive of 1995 received overwhelming support from the European Parliament in 2014. It has since been tweaked and fine-tuned to establish a wide range of rights for individuals, including the following:

Improved Data Portability

Allowing individuals to exercise the right of access to “my data”, i.e. personal data held by organisations such as businesses and consumer groups.

In particular, this information can be used with the various money-saving comparison websites to provide clear information that assists decision-making when comparing products and services such as:

  • Bank accounts
  • Credit cards
  • Credit reports
  • Utility suppliers
  • Mobile phones

The regulation establishes that individuals can enjoy the right to receive the requested personal data in a structured format and with the ability to transmit this data to another data controller.

Extra Protection on Profiling and Automated Decision Making

An impartial and independent body known as the “Article 29 Working Party” has worked alongside the EU Commission since 1995, publishing opinions and guidance throughout the journey. Its advice and guidelines on automated decision making and profiling of individuals are strict, owing to the genuine need to safeguard the rights and freedoms of individuals.

What exactly constitutes Profiling and Automated Decision Making, and when can they be legitimately used?

Organisations use the data to predict online behaviour, generally for marketing purposes; for example, email marketing campaigns use profiling to target goods and services. The purpose is to predict an individual’s online behaviour and make “automated decisions” regarding that behaviour, which leads to the second issue, Automated Decision Making.

The Working Party’s advice on automated decision making is clear: while it recognises the benefits of these activities, it also points out that significant risks may arise for the rights and freedoms of individuals. The law stipulates that individuals “have the right not to be the subject of a decision based solely on profiling or automated methods” when this is used for direct marketing.

It will be interesting, in this respect, to witness the reactions of big data-driven organisations and popular social networking organisations once it becomes the norm for individuals to object at every turn to the processing of their data, including the creation of profiles, to the extent that it relates to unwanted marketing.

What is GDPR?

Privacy by Design

Rather like a new housing development, which must build environmental protection and eco-friendliness into the initial planning stages, any new technological construction can be designed from the outset to protect the individual user.

Also known as “privacy by default”, this new concept in the law guarantees data protection from the beginning of any new technical construction or design development: an application or program, an app, an e-commerce development, the Internet of Things, anything where personal data will be processed. Developers of applications, products or services are required to have specialised knowledge of privacy and data protection through the design, development and launch phases.

GDPR Obligation Acts

One positive gain is that this obligation acts as a safeguard from the outset for any new development. Privacy in the design is a proactive measure that seeks protection throughout the life cycle of the product or service.

Proactive design and development will eventually lead to better organisations that build software with the data protection obligation in mind, because it is easier to plan and develop from the starting point on the basis of a clear legal framework. This gives peace of mind when engaging in business-to-business activity, removing the worry of failing to comply with the data protection requirements.

What is Privacy by Default?

Privacy by default means offering the maximum privacy guarantees by default in the design of applications, or of general products or services, that deal with personal data. If there are several privacy settings, the most protective one has to be selected by default, because that offers the greater guarantee of privacy required by the individual.

The default privacy also implies:

  • Data minimisation, that is, collecting the minimum data needed for the product or service to fulfil its purpose.
  • Access control: only personnel who need the data to perform their role will have access to it, and the data will not be transferred to third parties unless this is legally required or the interested party has been explicitly informed and has consented. For this, pseudonymisation techniques can be applied (pseudonymisation transforms the data, for example by encryption, as a security measure so that it can no longer be attributed to a specific person without additional, separately held information).
  • Data storage periods must be made fully transparent to users and personnel and be limited to what is strictly necessary, with any extension of storage kept to the recommended legal storage periods.
  • Transparency is integral and requires informing the user about the processing of their data with clear, concise and understandable information.

A practical example is found in many gaming apps that request personal information, such as permission to access phone contacts, camera images, SMS and phone calls, even though access to all of these is unnecessary to play the game.
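The four privacy-by-default measures listed above, applied to the gaming-app case, as an added illustration (this is example code written for this article, not code from Seers or any product; the purposes, field names and the pseudonymisation key are assumptions):

```python
"""Privacy-by-default helpers: restrictive defaults, minimisation,
pseudonymisation and storage limitation (illustrative example only)."""
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fields each processing purpose genuinely needs (assumed purposes for illustration).
PURPOSE_FIELDS = {
    "play_game": {"player_id", "display_name"},
    "email_marketing": {"player_id", "email"},
}

# Pseudonymisation key, held separately from the data store (constructed sample value).
PSEUDONYM_KEY = b"separately-held-key-example"


@dataclass
class PrivacySettings:
    """Most protective values by default; the user must opt in to widen them."""
    profiling: bool = False
    marketing_emails: bool = False
    contact_access: bool = False   # a game does not need the phone book
    retention_days: int = 30


def minimise(record: dict, purpose: str) -> dict:
    """Data minimisation: keep only the fields the stated purpose requires."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256): the same input always maps to the same token,
    but the token cannot be linked back to the person without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def expired(created: datetime, settings: PrivacySettings, now: datetime) -> bool:
    """Storage limitation: data older than the retention period must be deleted."""
    return now - created > timedelta(days=settings.retention_days)


def prepare_for_storage(record: dict, purpose: str, settings: PrivacySettings) -> dict:
    """Refuse non-consented purposes, then minimise and pseudonymise before storing."""
    if purpose == "email_marketing" and not settings.marketing_emails:
        raise PermissionError("no consent recorded for marketing use")
    out = minimise(record, purpose)
    out["player_id"] = pseudonymise(out["player_id"])
    return out
```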

GDPR Social Networking and the Right to be Forgotten

Privacy is a fundamental right and must be preserved with a degree of firmness.

Mark Zuckerberg recently announced that his organisation, Facebook, will not implement the same level of GDPR protection in the US, but would adapt its GDPR obligations for European users. US users will therefore lack protection, and one of the most apparent rights that Facebook might wish to play down is the right to erasure, or the right to be forgotten. The scandal about the unauthorised and unwarranted use of the personal data of 50 million Facebook users has put the dominant tech company in a complicated situation that may further damage its already endangered reputation, owing to its role in the circulation of fake news.

Ensuring the privacy and protection of user information is an unavoidable GDPR obligation for all organisations, especially Facebook. Such rights are violated daily, which makes legislation like the GDPR compulsory. Brands such as Google and Amazon accumulate vast amounts of private information and manipulate this data for their marketing campaigns.

Privacy advocates have campaigned against the incorrect use of data. The future of the GDPR obligation looks bright for those who seek or defend the right to privacy. Facebook’s decision not to implement the full scope of the GDPR for US users has raised suspicions about its ability and efforts to regain the trust of users, especially in light of recent data mining abuses.

The company can do so with its firewalls against false information on the web and established software that enables it to identify content reliably; it also has an increasing responsibility to ensure control over the advertising of political campaigns, even at the cost of losing part of its primary source of revenue. There is no denying that technology companies such as social networking sites have helped to create a free, open and interconnected world. They have become not just the engine but also the DNA of globalisation. Leaking private data highlights the fragile and vulnerable nature of our personal information in the hands of these giants.

The US Government, British Parliament, and the European Parliament as well as representatives of the 500 million people affected by Facebook’s personal data leak, demand assurances, convincing answers and effective measures from Facebook.

International Data Transfers

In the current global economy, cross-border transfers of personal data are ubiquitous. Sometimes this data is held on servers in several different countries. GDPR protection travels with the data, which ensures that the GDPR rules securing personal data within the EU continue to apply regardless of where the data eventually ends up.

Article 49.1 states that data can be transferred to a country that does not offer the same level of protection only where there has been express consent to the transfer, and then only after the individual whose data is being transferred has been made fully aware of the risks of such a transfer. Such awareness has to take the form of an explicit written statement, and the consent of the individual concerned has to be obtained in an indisputable manner, through a written declaration signed by the individual.

Article 7.1 of the GDPR gives a comprehensive list of the ways to demonstrate such consent accurately, supplemented by the recommendations of the Article 29 Working Party in its document “Guidelines on Consent under Regulation 2016/679”. At times, the EC can make an adequacy decision, declaring that a non-EU state offers an adequate level of data protection and thus allowing data to be transferred to an organisation within that country.

This provides for less explicit consent requirements and guarantees, because such transfers are deemed to be to a “suitable” country with processes assimilated to that of data transmiss