Have you been receiving a string of solicitous e-mails from newsletter publishers, e-marketers and sundry financial spammers, asking you if you would like to continue receiving their mailers? If you are surprised by their new-found respect for your time and privacy, thank the European Union for it. It is the EU’s newly enforced data protection law, GDPR, that is prompting them to ask for your permission.

What is it?

General Data Protection Regulation (GDPR) is a law enacted by the European parliament in May 2016 to lay down stringent ground rules for all entities that collect, store or use personal data belonging to residents in 28 EU countries. The law came into force on May 25 after a two-year grace period. The primary objective of the GDPR is to establish the right to privacy as one of the fundamental rights for EU residents. It requires all firms dealing with personal data to be open and transparent about what they will do with it, and to take the user’s permission before they share it. The law also requires firms to seek user consent through an explicit opt-in, or a signature on a consent form. That’s bye-bye to check-boxes that are ticked by default.


Once the data is shared, consumers also have the right to object to specific uses of their personal data and can demand a playback or deletion of their past records any time. Firms that lose data to a hacking attempt or data breach can no longer keep mum; they need to notify customers within 72 hours of the breach.

Why is it important?

Within a day of its implementation, the GDPR had already made its presence felt. It has shut down a couple of US news websites and prompted a billion-dollar lawsuit against Google and Facebook by an Austrian privacy activist.

There are three aspects to the new GDPR that make its provisions far more stringent than any existing data privacy law. One, it applies not just to companies based in the EU, but to all firms that sell goods or services or even ‘monitor the behaviour of’ EU residents. Two, the GDPR affects not just the entities collecting the data but also all those who ‘process’ the data on their behalf. Three, falling foul of GDPR can cost companies a packet; the law imposes a fine of €20 million or 4 per cent of a company’s global sales, whichever is higher, for serious violations.

India has sketchy privacy laws contained in its archaic Information Technology Act 2000, and an expert committee is working on a new set of laws. Hopefully, the EU’s GDPR will set the bar high.

Why should I care?

If you’re an avid social media user, you may have had a few sleepless nights worrying about the political views, scandalous posts and vacation pics that you’ve unwittingly uploaded into cyberspace over the last many years. Recent revelations about how Cambridge Analytica mined Facebook posts to influence voter behaviour in the US have fanned fears about the extent to which ‘free’ social media platforms may go to monetise user data. Even if you were aware of the dangers, the consent forms of the dominant social media platforms allow you very little room to say ‘No’ if you are keen to use their services. GDPR may change all that.

The law is applicable only to EU residents, and Indian residents will not enjoy the same rights. But you can rejoice in the fact that global tech giants have been forced to modify their global privacy policies to comply with the GDPR, due to their statutory obligations to EU users.

The bottom line

Please read privacy policies carefully. You’ve just earned the right to say No.

The weekly column that puts the fun into learning.
