
How GDPR Will Affect Indian Startups Processing Data From EU

Non-Compliance With GDPR Can Attract Fines up to $23.9 Mn or 4% of a Company’s Global Turnover

“AI is one of the most important things humanity is working on. It is more profound than, I dunno, electricity or fire,” said Sundar Pichai, speaking at a town hall event in San Francisco in January. Come end-May and data collection and processing, which is at the core of this all-important, revolutionary technology, is going to be much costlier and riskier, thanks to the General Data Protection Regulation (GDPR) coming into effect in the EU.

Why? Well, the “intelligence” in artificial intelligence (AI) refers to machine learning or deep learning, which simulates human intelligence to work and react like humans. And to arrive at this deep learning, machines rely on pattern recognition, which draws out patterns and regularities in layers and layers of data. Naturally, the GDPR, which aims to provide a stricter and clearer understanding of data control, processing, and users’ consent, will make it difficult for companies to collect data, thereby making it dearer as well. In fact, flouting the Regulation can attract fines of up to €20 Mn or 4% of the annual global turnover of a company (whichever is greater).

Replacing the existing Data Protection Directive 95/46/EC, the EU GDPR will be effective from May 25 across the EU and the UK (due to a similar bill passed by UK parliament). While the regulation is likely to be welcomed by individuals, who are increasingly seeking data protection, it is bound to affect companies and startups involved in collecting and analysing EU data around the world.

Speaking to Inc42, Anirudh Rastogi, co-founder at TRA Law, a legal firm representing tech businesses and startups, stated, “The GDPR not only affects establishments within the EU but also those located elsewhere that process the data of EU residents.”

Thus, it will also affect Indian data-based startups that are seeking to expand to markets in the EU and the UK. However, according to an EY survey, over 60% of Indian companies are still unfamiliar with this new regulation.

Let’s take a closer look at GDPR and find out how it will affect Indian startups.

What is GDPR?

While news of the Facebook-Cambridge Analytica data fiasco or the alleged involvement of the Russians in the US general election of 2016 broke only in 2017-2018, the EU parliament had approved and adopted the GDPR back in April 2016, with a transition period of two years.

On January 25, 2012, the European Commission (EC) had unveiled a draft legislative package to establish a unified European data protection law by the name of the General Data Protection Regulation, aimed at replacing the patchwork of different data protection laws that have been in force in different member states.

Being a regulation, it carries far more force than the existing EU Data Protection Directive 95/46/EC, which was subject to differing interpretations by member states when they transposed it into their individual national laws.

Speaking to Inc42, Rachel Kenyon, cybersecurity, University of Manchester, clarified, “The GDPR is about users, making it crystal clear that users’ data belongs to users and they have a right to access the information and to take back their consent i.e. the right to be forgotten.” She added, “The GDPR empowers the users.”

Unlike the Directive, the GDPR will become an immediately enforceable law in all member states from May 25 onwards.

The GDPR protects and empowers the data privacy of all EU citizens and aims to reshape the way organisations across the region approach data privacy.

According to GDPR FAQs:

  • The regulation not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of EU data subjects.
  • It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

Speaking to Inc42, Matthew Hancock, the UK Secretary of State for digital, culture, media, and sport said, “I think it’s a good thing to have data protection standards that are mutually recognised around the world. That makes it easy to have a free flow of data. People’s personal privacy will be respected. This is for the good and it’s not without the challenges, but ultimately it’s the right thing to do.” Inc42 met Hancock on his India visit to launch the UK-India Tech Partnership.

India Perspective: Key Points

Unlike the Directive, which set out a process for member states to implement it, the GDPR will be immediately applicable and enforceable by law in all the member states. The GDPR takes EU data into account and hence will be applicable to all companies dealing with data of EU residents regardless of their operational location. Thus, as mentioned above, even if a company based in India processes or controls any data belonging to subjects of any EU member country, the company will have to abide by the GDPR.

The regulation further says: “Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.”

Consent Matters

Recently, Facebook, in its investigation, found numerous third parties that were lifting the data of users and their friends without their consent. The GDPR strengthens data privacy and will make it impossible for third parties to lift a user’s friends’ data without those friends’ consent.

Anirudh clarified, “Consent of the data subject is required for any collection, use, or sharing of personal data, as is the case with current legislation. However, the GDPR introduces a much higher threshold for consent. The consent given by a data subject must be freely given, specific, and unambiguous. Corporations can no longer slip the consent requirement in the middle of their terms of use — the request for consent should be distinguishable from other terms. Organisations, accordingly, will have to re-think and re-do the manner in which they collect, process, store, and share personal data. This is obviously time-taking and expensive. There is tremendous pressure on lawyers to assist their clients in complying within the prescribed timelines. Accordingly, the fees are not kind.”

Strict Penalties for Breach of GDPR

As per the Regulation, organisations that breach the GDPR can be fined up to 4% of their annual global turnover or €20 Mn (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements of the GDPR, for example not having customer consent to process data or violating the core of the Privacy by Design concept. There is a tiered approach to fines; for instance, a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting the impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from the GDPR.

Explaining the nature and extent of penalties, Anirudh said, “It imposes some of the highest sanctions for regulatory non-compliance, including revenue-based fines which could go up to 4% of the company’s annual worldwide turnover. The power to fine comes coupled with a broad power to investigate.”

Right to Access

The GDPR also brings more transparency into whether one’s data has been processed or not. One of the expanded rights of data subjects outlined by the GDPR is the right of data subjects to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where it is being processed, and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format to the subject. This is a dramatic shift to data transparency and empowerment of data subjects.

Right to be Forgotten

The right to be forgotten entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject’s rights against “the public interest in the availability of the data” when considering such requests.

Privacy by Design

“The GDPR requires data protection and privacy features to be built into products at the design stage and not as an afterthought. This is a big change from the prior regulation,” said Anirudh.

Designed with a focus on privacy, the GDPR calls for data protection to be included from the outset of system design, rather than as an addition. More specifically — “The controller shall implement appropriate technical and organisational measures in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects.” Article 23 of the GDPR calls for controllers to hold and process only data that is absolutely necessary for the completion of their duties (data minimisation), and limits access to personal data to those who need it to carry out the processing.

Data Breach Notifications

Under the GDPR, breach notifications will become mandatory in all member states where data breaches are likely to “result in risking the rights and freedoms of individuals.” This must be done within 72 hours of coming to awareness about the breach. Data processors will also be required to notify their customers and the controllers “without undue delay.”

GDPR After Effects

The aftereffects of the GDPR can be divided into two parts. First, the essential measures that Indian startups and other companies will have to take to meet the requirements while doing business in the member countries of the EU. Second, the regulatory measures now being taken up by regulators across the world, following the GDPR.

India is no exception. While the data protection bill is still pending, the RBI has asked its member companies and institutions to store all data belonging to Indians in India itself.

Supporting the move, T V Mohandas Pai, former director of Infosys and chairman of Manipal Global Education, explained that Europe and the US have strict norms to keep their financial data within their country. Similarly, payments data of our country must also be stored or processed only in India and no company should be allowed to operate it without adhering to this requirement.

“The regulator has announced a time window of six months to adhere to this data storage guideline, and these companies have the technology and resources to easily meet this deadline. If global tech companies want access to the Indian market, they have to abide by the regulations of our country. The data of Indian citizens is their property and no government or regulator can allow such data to be stored outside the country of origin. They cannot treat India as a digital colony,” he added.

In India, however, most companies are still not prepared for a tough data protection law. Recently, when the RBI, with a six-month transition period, mandated that all system providers ensure that all data relating to the payment systems they operate be stored only in India, payments companies vehemently opposed the move.

“What the RBI is doing is heavy-handedness. A regulator should not bring about such fundamental changes without consultation with a cross-section of affected parties,” said Subho Ray, president of the Internet and Mobile Association of India (IAMAI) in a press statement.

Homegrown payments company Paytm, which is funded by SoftBank and Alibaba, was one of the few companies that welcomed the move. “Payments data must be processed and stored only in India,” said Paytm, in support of the RBI notification.

It added, “Every payment system, app, and payments platform starting now must be compliant with this regulation. No one should be allowed to commercially launch services unless their systems are clearly only and only in India.”

PhonePe, the digital payments arm of Flipkart, has also supported the RBI’s regulation.

Data Protection And Privacy: Where Does The US Stand?

Apart from the EU, the US and Turkey are two developed nations that fail to meet data privacy and protection benchmarks. The Consumer Privacy Bill of Rights, passed by the Obama administration in 2012, does have some substantive protections based on the Fair Information Practice Principles. However, data practices across all industry sectors have continued to fall short of individual privacy and security expectations, observed the Council on Foreign Relations.

With the US, the EU has negotiated the Privacy Shield, an agreement allowing for the transfer of personal data from the EU to the US. As per the EU, the transfer of data must only happen to countries deemed to have adequate data protection laws.

The Privacy Shield so far allows EU and US companies to continue operating across the two territories; however, it does not guarantee GDPR compliance.

Data Protection Laws in China

The first nationwide (Mainland) data protection legislation in China, called the Cyber Security Law (the CS Law), came into effect on June 1 last year. Richard Bird, partner at the legal firm Freshfields, stated, “The CS Law imposes several data privacy obligations on network operators. The term ‘network operator’ in both the CS Law and the Draft Security Assessment Measures includes both owners and administrators of a network as well as network service providers.”

The Chinese government has further released a new national standard on personal information protection applicable from May 1, 2018 onwards. Samm Sacks, senior fellow, Technology Policy Program at the Centre For Strategic and International Studies, wrote, “Despite uncertainty about its effect, the language in the standard is comprehensive and contains more onerous requirements than even the European Union’s General Data Protection Regulation (GDPR). Yet, even with these differences, there is a growing convergence between Europe and China’s approaches in the emerging data protection regimes, leading the United States to be more isolated with US-based companies in reactive mode.”

Can You Just Get Rid Of GDPR?

Interestingly, a new service called the “GDPR Shield”, which is essentially a piece of JavaScript code, is also getting a lot of attention. The GDPR Shield claims to block EU-based users from accessing a website so that the site can avoid GDPR compliance.

However, the website gdpr-shield (.io) currently shows “forbidden” in India.

Is India Prepared for GDPR?

As the Indian IT industry has deep roots across the EU and the UK, the GDPR is going to affect most companies here. And it will not only affect IT companies; startups and other enterprises catering to EU consumers also need to understand and comply with the GDPR.

Rama Vedashree, CEO of the Data Security Council of India (DSCI), said, “We (the DSCI) along with industry body NASSCOM, have set up a GDPR helpdesk to help companies with the transition.”

It’s not only the GDPR that will raise the cost of data processing for Indian startups. With the Supreme Court already having recognised the Right to Privacy as a fundamental right, it’s just a matter of time before the Indian Parliament enacts the Data Protection Bill, which is likely to impose restrictions on the processing of data subjects within India as well.

While companies like Cambridge Analytica and many others, including Facebook, almost got away with data leaks due to ambiguities in the interpretation of the outdated 95/46/EC Directive, which had focussed more on how data should be dealt with, the GDPR keeps users’ privacy at the centre. Companies and startups all over the world dealing with data need to understand what the GDPR seeks to enforce — that processing and controlling users’ data does not mean that it belongs to the companies.