Friday Dec 13, 2024
Wednesday, 6 June 2018 00:00 - - {{hitsCtrl.values.hits}}
In the preceding few weeks, you may have noticed an influx of notifications from the websites and applications you have subscribed to regarding a change in their data privacy policy.
The popular misconception is that this is a consequence of the Facebook and Cambridge Analytica data breach. However, on the contrary this is the direct result of GDPR and the Facebook data breach just coincided with the GDPR implementation deadline (25 May).
What is GDPR? The acronym stands for General Data Protection Regulation and it is a European Union (EU) regulation regarding the protection of personal data of individuals residing within the EU. It should be noted that this is not an entirely new body of law or regulation in the EU; it only supersedes the existing laws on data protection. However, it incorporates significant developments to the law and therefore has gained traction.
How does GDPR affect Sri Lanka? One of the significant developments introduced by the new regulation is its application outside the EU. Sri Lankans and more specifically Sri Lankan corporates that deal with personal data of EU residents shall be required to comply with GDPR.
The perennial question with this and other such laws having extra territorial application is, how does a foreign government or authority have jurisdiction over Sri Lanka and how do they implement such law? GDPR is not directly enforced on persons outside the EU (third countries); instead the EU authorities shall enforce the law on the EU counterparty dealing with such persons. This will result in the EU counterparty severing ties with any GDPR non-compliant counterparties outside of the EU. Therefore, the risk of losing business relationships in the EU shallcompel Sri Lankan corporates to comply with GDPR.
Summary of GDPR
As stated above, GDPR is a law onpersonal data protection and it fortifies this as a fundamental right of individuals. It applies to anyone processing personal data, either manually or through automated means, which form part of a filing system.
Personal data is defined as information relating to a natural person who can be identified directly or indirectly. Therefore, anyone processing information, which includes a name, home address, email address or IP address, shall be liable to comply with GDPR.
GDPR enshrines the following principles regarding data protection:
The aforementioned rights accorded to data subjects can be enforced through couple of avenues.
Firstly, the data subject has the right to lodge a complaint with the supervisory authority in the member state in which he or she resides. Secondly, without prejudice to the former administrative relief, the data subject has the right to seek judicial remedy and receive compensation from the controller or processor for any damage suffered.
However, it is the first approach that has gainedmuch attention due to the fact that the supervisory authorities are empowered to impose enhanced fines. For serious infringements the fine could be as high as 4% of the annual global turnover or Euro 20 million, whichever is greater.
Data processing outside the EU and relevance to Sri Lanka
There several situations where the processing of EU personal data takes place outside the EU:
a)The offering of goods and services (export) to data subjects in the EU. This makes Sri Lankan exportersprocessing EU personal data liable to comply with GDPR.
b) The monitoring of the behaviour of EU data subjects as far as the behaviour takes place in the EU. This becomes relevant to market research companies and ICT companies that deal with EU personal data.
The response strategy for Sri Lankan companies
As stated in the beginning GDPR compliance is ensured in third countries indirectly by enforcing the same on the EU counterparty. Therefore, to avoid the risk of losing EU clients/customers, Sri Lankan companies that deal with EU personal data must comply with GDPR.
What is required by Sri Lankan companies to comply with GDPR? GDPR is literally an alien law/regulation; therefore,to ensure compliance corporates may need to seek external assistance froma qualified professional or firm.It isshould be noted that GDPR is not solely a compliance requirement of a legal nature; it requires the revamp of an organisation’s data processing operations and the inextricable IT systems used in the process.
The companies that are involved in large scale processing of EU personal will have to adopt appropriate safeguards referred to above in order comply with the conditions for transfer of EU personal data to third countries. Whereas, organisations that process EU personal data on an infrequent basis may qualify for exceptions or derogations provided in the regulation; however, again, before deciding on such course of action it is highly advisable to consult a qualified professional in order to avoid any risk of being GDPR non-compliant.
Lessons for Sri Lanka
GDPR is a progressive piece of legislation that elevates the protection of personal data to an inalienable right of an individual. Sri Lanka has no such legalisation addressing data protection and hence the reason for the existence of datapirates (not a typo!). The proof of thisis in the numerous text message advertisements pushed by the mobile operators and not to mention the mobile software solutions promoted by some of these mobile operators, which claim to track the physical movement of the employees of their corporate customers.
It is difficult to surmise when a legislation of this nature will see the light of day in Sri Lanka. Perhaps if it is tied to a future IMF loan tranche, we may see a hasty copy paste of a data protection law enacted somewhere else in the world. Still, it would be welcomed given the lacuna of such law in the country.
The criticism of any copy paste law is the excesses or shortfall of the law in addressing the specific context of a given jurisdiction. Therefore, the ideal scenario would be an enactment of a data protection law incorporating the views of all relevant stakeholders in the country.
(The writer is Chief Consultant at SGBMC and can be reached via [email protected].)