What is General Data Protection Regulation (GDPR)?
26-08-2023
12:33 PM
What’s in today’s article?
- Why in news?
- What is General Data Protection Regulation (GDPR)?
- GDPR compliance
- News Summary: Meta Faces Record $1.3B Fine for European Data Privacy Violations
- Why did the ruling come from the Irish regulator?
- What is the significance of this ruling?
Why in news?
- The European Union has slapped Meta’s business in Ireland with a record fine of $1.3 billion for transferring the personal data of Facebook users to the U.S.
- According to the EU, this transfer of personal data was in breach of the General Data Protection Regulation, the European Union's law on data protection and privacy.
What is General Data Protection Regulation (GDPR)?
- GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals of the European Union (EU).
- The law was approved in 2016 but did not go into effect until May 2018.
- It imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.
- Its aim is to give consumers control over their own personal data by holding companies responsible for the way they handle and treat this information.
- The law makes it difficult for companies to mislead consumers with confusing or vague language when they visit their websites.
GDPR compliance
- Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation.
- Companies are also required to respect the rights of data owners - or face penalties for not doing so.
News Summary: Meta Faces Record $1.3B Fine for European Data Privacy Violations
- Tech giant Meta was hit with a record €1.2 billion fine by the Irish data protection board for not complying with the European Union’s privacy framework.
- The protection board found that Meta infringed Article 46(1) of the GDPR.
- This article allows cross border data transfers only if an entity has ensured appropriate safeguards for it.
- As per the Irish privacy watchdog, Meta’s use of an instrument known as standard contractual clauses (SCCs) to move data to the US did not sufficiently protect Europeans’ data from America’s privacy regime.
- It was also ordered to stop data transfers of Facebook users in Europe to the United States.
- The penalty, which is the highest ever for violating the EU’s GDPR, applies only to Facebook and not to other Meta group entities like Instagram.
- The ruling comes with a period of at least five months for Meta to comply, but the company has said that it will appeal the decision.
Why did the ruling come from the Irish regulator?
- As per the GDPR, cross-border cases are to be handled by the data-protection authority in the country where the company is based.
- As a result, the Irish Data Protection Commission (DPC) is the lead regulatory authority for Meta and a number of other US tech majors that have their headquarters in Ireland.
What is the significance of this ruling?
- The right of the individual over his/her data
- The outcome of the case buttresses the overarching theme of the EU’s GDPR:
- the right of the individual over her data; and
- the need for a person to give explicit consent before their data can be processed.
- Meta will have to change its permission seeking mode
- The DPC’s decision could imply that Meta would have to tweak its apps to ensure that they do not leverage personal data for advertising or transferring to third countries.
- Earlier, in January 2023, Meta was slapped with two sets of fines totalling €390 million ($414 million).
- These fines were imposed as the EU regulator concluded that the company’s advertising and data handling practices were in breach of the EU's GDPR.
- These fines could be a big blow to the company in terms of how its advertising model works:
- Meta earlier relied on a user’s consent to process this information for the purposes of behavioural ads.
- However, it tweaked the terms of service for both Facebook and Instagram on the processing of the information after the GDPR kicked in.
- But these changes, activists allege, essentially forced users to accept the processing of their information for ad targeting as a condition of using the platforms.
- Likely ripple effect
- Given that the EU is the de facto global technology regulator, the rulings based on the GDPR’s broader tenets could have resonance across geographies, including India.
- In India, the government is currently working on a policy framework for the tech sector, which includes:
- the new personal data protection bill,
- a comprehensive digital India Act that would eventually replace the existing IT Act, and
- the new telecom Bill.
Q1) What is the European Union and what does it do?
The modern European Union, founded in 1992, attempts to integrate European economies and prevent future conflicts. It consists of seven major institutions and dozens of smaller bodies that make law, coordinate foreign affairs and trade, and manage a common budget.
Q2) What is the aim of GDPR?
At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
Source: Why has the EU slapped a record €1.2B fine on Meta? | Financial Times | GDPR.EU | Investopedia