Saturday 15 September 2018

GDPR-Fundamental ‘Right to Personal Data’; Leaf for African States.

There is no gainsaying that we live in two separate worlds – the physical world and the internet world, the latter being a data-driven world. Arguably, a person is “non-existent” if he/she has no internet presence whatsoever.

The General Data Protection Regulation (GDPR) is a regulation under European Union (EU) law on the data protection and privacy of all individuals within the EU and European Economic Area (EEA). It became applicable on the 25th May, 2018 to harmonize data laws across Europe and to protect EU citizens from policy and data breaches.
The Regulation applies to the processing of personal data of data subjects who are in the Union by a Controller or Processor not established in the Union, where the processing activities are related to: the offering of goods and services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behavior as far as their behavior takes place within the Union. See, Article 3.2 of the Regulation.
This regulation, though applicable only within EU member states, is, to me, the most important and relevant piece of legislation in this data-driven era. Here are some of the salient provisions (in no particular order):
EXTENDED TERRITORIAL SCOPE:
By Article 3 of the GDPR, the Regulation “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the union, regardless of whether the processing takes place in the Union or not”.
By implication, GDPR applies to all companies processing personal data of data subjects residing in the EU regardless of the company’s location.
CONSENT:
By Article 7.1, the Controller or Processor of data must be able to demonstrate that the data subject consented to the processing of his or her personal data. By Article 7.2, where consent is required, the request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Similarly, any part of a consent requirement (as the case may be) which constitutes an infringement of the Regulation shall not be binding against a data subject.
Article 7.3 now enables a data subject to exercise the right to withdraw his or her consent at any time.
CHILD’S CONSENT:
By Article 8.1, processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
Article 8.3 places on the Controller of data the duty to make reasonable efforts to verify such consent in cases where consent is given or authorized by the holder of parental responsibility over the child, taking into consideration the available technology.
PROHIBITED PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA:
Article 9 prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
RIGHT OF ACCESS
By Article 15.1, a data subject can now exercise the right to request and obtain from the data Controller confirmation as to whether or not personal data concerning him or her is being processed, and if yes, for what purpose. A Controller of personal data must clearly disclose any data collection, the lawful basis and purpose for the data processing, how long the data is being retained, and whether it is being shared with any third party.
The infamous Facebook-Cambridge Analytica data scandal, which involved the collection of personally identifiable information of about 87 million Facebook users, is a complete example of what would amount to breaches under Article 15 of GDPR.
DATA PORTABILITY:
A data subject can now receive from the Controller the personal data concerning him or her, which he or she has previously provided, in a structured, commonly used and machine-readable format, and has the right to transmit that data to another Controller without hindrance from the Controller to which the personal data have been provided. See, Article 20. This provision is similar to Article 15.3 on access of data.
RIGHT TO ERASURE (“Right to be forgotten”)
Under Article 17.1 of the Regulation, a data subject shall have the right to have the data controller erase his/her personal data, cease dissemination of the data, and potentially have third parties halt processing of the data.
Paragraph 2 of Article 17 provides that-
“where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.”
Paragraph 3 of Article 17 provides some exceptions to the exercise of the “right to be forgotten”, to the extent that the processing is necessary for:
exercising the right of freedom of expression and information;
compliance with a legal obligation;
public interest in the area of public health;
achieving purposes in the public interest, scientific or historical research purposes or statistical purposes;
the establishment, exercise or defence of legal claims.
RIGHT TO COMPENSATION AND LIABILITY
Pursuant to Article 82 GDPR, any person who has suffered material or non-material damages as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damages suffered.
It is submitted that by the use of the words material or non-material damage, a data subject can claim damages even where no harm was caused by the infringement. It is, by implication, actionable per se.
CONCLUSION
As stated earlier, the EU’s GDPR is the most important regulation in this present ‘digital-data-centric’ world. The imposition of responsibility on the Controller to ensure that appropriate ‘Child’s Consent’ is obtained or authorized by the holder of parental responsibility over the child, is a step forward in promoting Child’s Right and Protection.
The extended territoriality of the GDPR should be of concern to companies outside the EU. For instance, Nigerian companies that provide worldwide services should be in compliance with the provisions of the GDPR in order to avoid penalties and/or claims for damages from data subjects.
It is worthy of note that the Regulation appears to have legitimized, legislatively, the ‘Right to Personal Data’ as a Fundamental Right. Paragraphs 1 and 2 of the Preamble to the Regulation state thus:
“the protection of natural persons in relation to the processing of personal data is a fundamental right… The principles of and rules on the protection of natural person with regards to the processing of their personal data should whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data….”
Africa, at large, should take a leaf from the EU’s GDPR to ensure protection of the personal data of ‘data subjects’ within its territory. With a population consisting overwhelmingly of “data subjects”, a specific regulation on the use of data is a sine qua non.

Harvey Anyalewechi is a legal practitioner with bias for Technology Law and writes from Nigeria.
lordharveys@gmail.com
Spruce Legal™
