GDPR: Data privacy protection with teeth?
Recent data breaches have been a trending topic in the media. Likewise, lawyers and business people are turning their attention toward the biggest update of data protection law in years, the European Union's General Data Protection Regulation (GDPR), which has applied since May 25.
They note that the GDPR imposes a very decisive penalty for non-compliance with data privacy protection. In particular, fines can reach 20 million euros (the equivalent of about Rp 340 billion) or 4 percent of worldwide annual turnover, whichever is greater.
The GDPR was intensively debated in EU institutions from its proposal in 2012 until its adoption in 2016, as it repeals the outdated Data Protection Directive of 1995. After more than four years of work on the GDPR, its holistic approach to the protection of personal data includes, among other things, a wide definition of personal and sensitive data, a new accountability principle, strict conditions for users' consent and a one-stop-shop Data Protection Authority (DPA).
Further, the GDPR introduces improved regulatory safeguards, including the data protection impact assessment (DPIA), data protection by design and by default, the right to data portability, the right to object to, or obtain human intervention in, automated decision-making, rules on profiling, an obligation for certain companies to appoint a data protection officer (DPO), rules and conditions on cross-border data transfers, liability and the concept of joint controllers (Daniar, 2016).
According to The Guardian and Reuters, an online social media platform quietly moved the data of 70 percent of its global users from its Irish entity back to the United States. The GDPR can reach foreign or multinational companies established outside the EU. It may cover your data processing activities even if you are in Indonesia, on account of the extraterritorial ("long-arm") jurisdiction provisions in the GDPR.
Whether or not the processing takes place in the EU, businesses anywhere in the world are subject to the GDPR if they are established in the EU, meaning they carry out real and effective activity through stable arrangements there, regardless of whether that takes the form of a branch or a subsidiary. Even without an EU establishment, the GDPR applies to organizations that offer (digital) goods or services to people in the EU or monitor the behavior of people in the EU (for example, via internet cookies). Note that the test is where the data subject is, not EU citizenship.
If you operate a website (e.g. an e-commerce webshop) that sets internet cookies, offers European languages or accepts payment in euros, and thereby serves people in the EU, there is a strong possibility that the GDPR applies to you; merely being reachable from the EU is not enough on its own. Placing a cookie on a user's device already counts as data processing under the GDPR. Hotels, airlines, telecom firms, newspapers, online media providers and other organizations apparently recognize the potential applicability of the GDPR to their business and activities. In the days around May 25, many users noticed online media players flooding their inboxes with GDPR emails stating that privacy policies had been adjusted and asking customers to stay on the service, while others forced users to agree to new terms of service. Some websites even halted their services entirely (The Guardian, May 25).
Similarly, the Indonesian government seems keen on enacting a comparable regulation on personal data protection this year, especially following a recent data privacy breach affecting 1 million citizens and cyberattacks on critical infrastructure. Apart from criminal sanctions, the bill on personal data protection proposes administrative fines from a minimum of Rp 1 billion to a maximum of Rp 25 billion, applicable to personal data controllers and processors regardless of their business model or services.
Indonesia already has a law on electronic information and transactions and a ministerial regulation on personal data protection; however, some professionals consider those rules insufficient, in particular on enforcement.
With data having become a very valuable resource, personal data protection should no longer be perceived as a minor issue addressed only by sectoral regulation.
By comparison, under the GDPR a data controller (the party that determines the purposes and means of processing) must notify the DPA within 72 hours of becoming aware of a personal data breach, and must also communicate the breach to the affected data subjects without undue delay whenever it is likely to result in a high risk to them. The bill, however, sets no deadline for reporting an incident to either the authority or the data owner.
The bill should not only harmonize rules on data protection but also delineate key principles for the processing of personal data that go beyond a consent-based approach. Ideally, processing should be lawful, fair and transparent; limited to a specified purpose; minimized in the data collected and the time it is stored; accurate; protected in its integrity and confidentiality; and subject to demonstrable accountability.
Accountability in particular could be achieved by requiring a data controller to, among other things, keep records of its data processing, cooperate with data subjects' requests, adopt security measures and policies, notify data breaches, perform a DPIA, appoint a DPO, and consult the DPA in advance whenever the processing would result in a high risk for data subjects.
Beyond consent, lawful processing could also rest on necessity: for instance, processing needed to take steps before entering into a contract, to perform a legal duty of the controller, or to protect the vital interests of the data subject, and so forth. Consent itself could be made meaningful by distinguishing when processing requires freely given, informed and very specific consent, or by requesting consent through a tiered, layered and staged model (explicit, layered and structured). For example, when internet users navigate a webpage, a first layer of consent covers basic browsing, while deeper access to the site requires broader and more specifically informed consent. Note that the GDPR itself treats consent as a clear affirmative act: silence, pre-ticked boxes or continued browsing do not count.
Most importantly, an independent authority is needed to enforce data protection rights when a data subject lodges a complaint, to supervise and control data controllers, and to impose fines for non-compliance or privacy violations. A data controller could also demonstrate accountability (e.g. through audits, training, monitoring and certification) to that authority and, where necessary, to data subjects, showing that its collection, use, disclosure, storage and disposal of personal data respects the rules and rights of data protection.
Published in The Jakarta Post, 4th June 2018
Written by: Daniar Supriyadi and Selvy Anissa R.
Members of Digital Business and Technology at BAHAR Law Firm