The entry into force of the EU’s new legal framework is expected to transform the data protection landscape across the EU and beyond. This comes at a critical time for consumers, as recent revelations into the Cambridge Analytica debacle have unveiled the vast potential for abuse connected to vast mines of personal data, such as those held by Facebook and other global players in the Big Data industry. Local headlines report that over 6000 Facebook users in Malta alone, may have fallen prey to such practices.
The GDPR grants consumers (“data subjects”) numerous rights, most of which have been around since its precursor, the Data Protection Directive. The essential difference in this respect, is that the GDPR spells out these rights more clearly, addressing ambiguities and furthermore imposing a number of obligations upon businesses and other organisations (“data controllers”) that process data. Here is a breakdown of the salient features of the GDPR:
1. Extends the reach of Data Protection Law
Besides being applicable to data controllers and processors within the European Economic Area (EEA), it also applies to those established outside it who target or monitor data subjects within the EEA. This fact will inevitably set the global standards for data protection.
2. Bolsters the Rights of Data Subjects
The new framework grants natural persons numerous rights in relation to their personal data. Data subjects may object to processing, and their wish must be respected unless other legal grounds for processing exist, such as a legal obligation to process or the processing is necessary for a contractual relationship with the Data Subject. Furthermore, data subjects enjoy the right to access any data held about them by controllers free of charge and within a reasonable time and may request that any inaccuracy or incompleteness in any data held about them be rectified. Additionally, they may request that their personal data be deleted or restricted. Data subjects also enjoy the ability to lodge an official complaint to data protection supervisory authorities, being the IDPC (the Information and Data Protection Commissioner) in Malta.
3. Clearer “Consent”
The hitherto vague and ambiguous concept of data subject consent has been considerably clarified under the GDPR. To be considered valid, it must be freely-given, informed, unambiguous, distinguishable and by clear affirmative action. Therefore, it cannot be hidden in the fine-print and pre-ticked boxes or cookie notice banners will no longer be legal. Additionally, consent to processing may be withdrawn at any time, in which case processing must stop immediately, unless other legal grounds for processing exist.
4. More Stringent Obligations for Data Controllers
Controllers are now bound by stricter obligations and clearer rules relating to data protection. The GDPR enshrines a number of principles which controllers and processors must comply with when processing data. Most notably they are bound to process data in a transparent manner, providing data subjects information about the way data is processed. Controllers are furthermore bound to keep records of their processing activities and must be able to demonstrate their compliance with the GDPR, should the need arise.
5. More Robust Supervisory Authorities
The GDPR has also enhanced the role of data protection supervisory authorities, including Malta’s IDPC. They may conduct investigatory audits, and have the ability to access premises and data, to request information from controllers or processors, issue warnings, reprimands and fines and order compliance with the GDPR. Supervisory authorities are also entrusted with the role of promoting data protection awareness.
6. Higher Administrative Penalties
One notable change which the GDPR will bring about relates to sanctions for non-compliance. Fines up to €20 million or 4% of annual global revenue can be imposed on controllers who breach the law; a considerable sum which should deter even the largest players in big data from abusing their position.
7. Data transfers outside the EEA
Any personal data transferred outside the EEA must be subject to the same safeguards and protection accorded by the GDPR.
For the most part, GDPR has been welcomed as a regulation that champions consumer rights. It has has brought about a paradigm shift in so far as the awareness of data subject rights is concerned. Pre-GDPR there may have been some ambiguity on the level of control that we enjoy over our personal data. However, the GDPR has empowered us in a way that we are able to control the manner in which businesses alienate and profit from our personal data.
From the business side, it remains to be seen whether consumers around the world will demand to transact with business that are GDPR-regulated, and therefore give an advantage to European business and business that transact with European consumers, or whether the burden of compliance will merely impinge on creativity and profitability.