
General data protection regulation (GDPR) laws: India’s perspective

INTRODUCTION

In this era, where everyone has access to the internet, data security is one of the big concerns of every country. The phrase “data is the oil of the 21st century” could not be more true than it is today. For a lot of businesses, personal data processing is a significant activity. Nearly every country's companies are processing some personal data on a regular basis. So, to protect against data breaches and protect the privacy of citizens, the European Union framed the General Data Protection Regulation in May 2016, and a period of two years was given to corporates and multinationals to comply with the regulation.

This regulation protects the data of EU citizens. If any type of data is shared with a company based in the Europe region, then the company collecting the data is responsible for complying with the GDPR. It aims to simplify the regulatory environment for business so that both citizens and businesses in the EU can fully benefit from the digital economy. This is where companies in India come into the picture. Europe is a significant market for the ITeS, BPO and pharma sectors in India. Indian companies, owing to their global relations, collect personal data of EU-based individuals. Now, all these companies are required to be GDPR compliant before they can do so. The GDPR imposes heavy penalties on those who fail to comply.

GDPR Impact on India-

The GDPR does not only impact EU citizens; it has a global impact. Article 3 of the General Data Protection Regulation (GDPR) says that “it shall be applicable to data controllers and processors dealing with personal data of persons belonging to EU nations, irrespective of the fact that the processing takes place in European Union or elsewhere.” The GDPR is a neutral and borderless legislation. Indian companies that handle the personal data of EU citizens also fall within the ambit of the said legislation. Indian companies that collect data, like Infosys, pharma sector companies etc., will have to abide by the GDPR with respect to their EU customers. Indian data processing companies will have to renew their contracts to comply with the GDPR. This becomes all the more necessary because any non-compliance from any industry shall now attract the penalty structure of 20 million Euros or 4% of global turnover.

In time, we can expect to see in India a Data Protection Officer (DPO), who may be designated by the company and is responsible for monitoring how the company processes personal data in line with its obligations. The DPO also co-operates with the Data Protection Authority (DPA), serving as a contact point towards the DPA and individuals.

DRAWBACKS OF GDPR AT THE TIME OF PANDEMIC-

Covid-19 created great chaos across the whole world. One thing this pandemic made us realize is how fundamental privacy is in preserving our freedom even in difficult times. The European Union’s General Data Protection Regulation (GDPR) has been appreciated by many countries. But this pandemic exposed some flaws in this regulation.

Italy was one of the countries in Europe hit hardest by Covid-19 at the beginning of this pandemic, and it was found that the GDPR prevented businesses from taking basic steps to trace and track potential infections. Last year, Italy was entering an eventual lockdown and cases of coronavirus were spiking day by day. After that, the Italian Data Protection Authority (DPA) issued a statement explaining that, “information on the presence of any signs of influenza in the workers and his or her closest contacts.” That means employers couldn’t record body temperature to ensure compliance with safety protocols for essential workers.

As the pandemic grew, it became clear that the GDPR had also become a barrier to biomedical research. This regulation creates significant challenges for research organizations in the EU sharing data with researchers located in most countries outside the European Union. One of the most recent incidents indicating the flaws in the GDPR came when public health officials in Brussels reported in February that nearly three out of four primary care workers didn’t show up for their vaccines, and local officials in charge of vaccination invitations could not follow up directly with these individuals because of the GDPR. This regulation imposes strict rules on how organizations can share data with third parties, and organizations that violate these rules face the risk of strict compensations.

During the pandemic, the GDPR created some issues in data sharing because of its strict rules. After that, some countries made minor changes in this regulation. For example, the Italian Government issued a decree creating a special legal framework for public health authorities to collect and share health-related data for the duration of the state of emergency. Germany also added some laws to clarify the rules for processing personal data during a pandemic or any state of emergency.

Cases of Major Data Breaches Globally-

SOME EXAMPLES OF THE MAJOR DATA BREACHES ARE GIVEN BELOW

British Airways (2018)- The ICO fined British Airways $26 million for a breach that took place in 2018. This is considerably less than the $238 million fine that the ICO originally said it intended to issue back in 2019. British Airways' systems were compromised. The breach affected 4 lakh customers, and hackers got their hands on login details, payment card information and PI like travellers' names and addresses. According to the ICO, the attack was preventable, but the airline didn’t have sufficient security measures in place to protect its systems, data and networks. In fact, it didn’t have basics like multi-factor authentication in place at the time of the breach. Going forward, the airline should take a data-first security approach, invest in security solutions and ensure it has strict data privacy policies and procedures in place.

Facebook (2018)- In the year 2018, Facebook revealed that the data of up to 87 million users may have been wrongfully imparted to the political consultancy Cambridge Analytica. It raised doubts over the latter’s apparent involvement in the election of the USA. The 87 million people whose information was imparted to Cambridge Analytica, which apparently regulated to US president.

Carphone Warehouse (UK-2015)- The United Kingdom's data protection regulator, the Information Commissioner Officer (ICO), slammed ‘Carphone Warehouse’ with a 400000 Euro fine after the details of three million customers were accessed in the year 2015. The inability of the organization to secure its framework enabled unapproved access to the individual data of more than three million clients and one thousand representatives. The information of the clients included names, addresses, phone numbers, birth dates and card payment details.

Indian Bank Data Breach (2016)- This breach occurred in the year 2016. It was found that around 3.2 million debit cards were compromised. SBI, HDFC Bank, ICICI Bank, Yes Bank and Axis Bank were the hardest hit that year. Many account holders of these banks reported unauthorized access of their cards in locations in China.

HOW INDIA PLANS TO PROTECT INDIVIDUALS' DATA

The pandemic year 2020 is the year when the whole world went further into the digital era than ever before, owing to the pandemic that altered life as we knew it. The silver lining of the pandemic year is the spotlight on the importance of data and data flow. Taking this cue, the Government of India took important steps in the field of data protection, for example on non-personal data, health data, financial data etc. The Indian judiciary and legislature also made some observations on the rights of individuals regarding data privacy, and on the ever-deliberated Personal Data Protection Bill, 2019 (PDP Bill).

The Indian Government, inspired by the General Data Protection Regulation (GDPR), proposed the PDP Bill in 2019 to bring a comprehensive overhaul to India’s current data protection regime, which is currently governed by the Information Technology Act (IT Act) 2000. The PDP Bill prescribes adherence requirements for all forms of personal data, introduces a central data protection regulator and institutes data localization requirements for certain forms of sensitive data.

In August 2020, NITI Aayog (a policy think tank) released a draft framework on Data Empowerment and Protection Architecture (DEPA).

Through this framework, NITI Aayog aims to institute a mechanism for secure data sharing in any sector only after consent is given, which they believe will be “a historic step towards control over their personal data and empowering individuals”.

Recently, the Government of India framed the new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, and since then the whole issue of data protection and data sharing has been in the news. These rules aim to empower the users of digital media or social media, Online Streaming Platforms (OTT) and online news sites, for instance by holding all those companies accountable for the wrong or hateful content that is circulated on their platforms. Through this code, the Indian Government is trying to ensure the online security and dignity of users, enabling the identification of users who spread hatred on online platforms, the removal of unlawful information etc. With the help of the new IT Rules 2021, the Indian Government has tried to solve the long-pending issues of social media.

Conclusion-

The GDPR is being adopted by many other countries in the world. India should also move with a positive outlook to safeguard the interests of individuals and their data privacy. The new IT Rules 2021 on some fronts try to follow aspects of the GDPR by putting intermediaries under compliance requirements such as asking for the consent of users and disclosing information of the users. But many companies are not supporting the new IT Rules. The individual’s data protection has now become the need of the hour, and countries across the globe, like the European Union, need to readapt from the conventional right to confidentiality to acknowledging the individual’s data protection rights.
