The internet has changed the way we work and play – and it has done so at a rapid pace. Just consider how back in 2007, just 55 per cent of households in the EU had internet access. Fast-forward by a decade and the latest statistics show an EU internet penetration of 87 per cent – ranging from 98 per cent in The Netherlands to 67 per cent in Bulgaria. These statistics show that the internet was used mainly to send and receive e-mails (73 per cent) and to find information about goods and services (70 per cent). A majority of people also used the internet to watch video content (57 per cent), be active on social media networks (56 per cent), use banking facilities (54 per cent) and look for health information (52 per cent).

The Maltese population enjoys significant internet penetration. According to National Statistics Office, in 2018, 81.4 per cent of the total population made regular use of the internet. Of these users, 56.8 per cent used e-Government services, 46.1 per cent made use of cloud computing services and 66.4 per cent used the internet to purchase goods and services online.

Social media is also popular, with the Times of Malta reporting last year that only 10 per cent of the local population have yet to join a social networking website. The popularity of social media in Malta is significantly higher than most of the other EU member states, where on average, just 65 per cent – compared to Malta’s 90 per cent – of the population participates in social networking activities.

Internet use may only be a click of the mouse – or a finger swipe – away. But this ease of use requires a strong and safe protective context.

When accessing the web, users often entrust vital personal information – name, surname, location, banking details – to internet service providers and to the websites being used. What happens to this data? Could it fall into the wrong hands? And what rights do users have regarding the processing of their personal information?

In an increasingly connected world, trust is key. A Eurobarometer report on data protection found that more than six out of ten respondents said they do not trust landline and mobile phone companies and internet service providers. The low trust levels were further exacerbated in the wake of the 2018 Facebook – Cambridge Analytica scandal, when the data of about 87 million users was harnessed and potentially used to influence political outcomes.

Trust does not only determine the use of a product or service – in this case, the internet. Online trust is also critical, as lack of it, hinders the digital economy.

May 2018 saw a groundbreaking development in the protection of data. After four years of preparation and debate, the General Data Protection Regulation came into force in all EU member states, thus replacing the Data Protection Directive 95/46/EC.

The main aim of GDPR is to protect all EU citizens from privacy and data breaches in today’s data-driven world. It ensures that a number of policies are followed, in order to protect data owners and withhold or limit the use or storage of private information, in accordance with the owners’ will. Specifically, GDPR harmonises data privacy laws across the EU; protects and empowers all EU citizens’ data privacy; and reshapes the way organisations across the EU approach data privacy.

GDPR also reshapes the way in which businesses manage data by redefining the roles for key leaders in businesses, from chief information officers to chief marketing officers. For instance, CIOs must ensure that their business has consent management processes in place, while CMOs require effective data rights management systems to ensure that their most valuable asset – data – is not lost.

GDPR introduced stronger rules on data protection in the sense that individuals will gain more control over their personal data – deciding who can view it and where it will be available from. It also regulates how businesses can make use of personal data and for what purpose. Therefore, the legislation regulates how data belonging to an individual, a company, an organisation and other forms of personal data is processed.

Understanding the definition of personal data is critical. Personal data relates to any form of information that can help to identify a living individual – here deceased people and legal entities are not taken into consideration. A vast amount of information is classified in this category including, name, surname, address, contact information, IP address, medical information and police records to name a few.

This type of shared information does not relate to any data processed by an individual for genuine personal reasons – flags are raised when this information is spread in a professional or commercial environment. Data processing covers a wide sphere of operations that manage personal data – apart from collecting, recording and organising all information, there are retrieval, consultation and dissemination processes that are covered by GDPR.

As with any other law, GDPR needs to be understood by the citizens it seeks to protect. Awareness about one’s rights enables one to defend them and seek their enforcement. EU citizens have the right to information concerning the processing of their personal data, access to data that may be shared with third parties, as well as the right to update, erase, object to or restrict any shared data that may be accessed by others. This is usually insured by means of check-boxes that ask for your permission when accessing a site, before going ahead with gathering information for statistical, marketing and analytical research.

Only 10 per cent of the local population have yet to join a social networking website

GDPR imposes stiff fines on data controllers and processors for non-compliance. These fines are determined by a set of criteria, including: nature of infringement, intention, mitigation, preventative measures, history, cooperation, data type, notification, certification and other mitigating factors.

Such were the expectations and interest raised by GDPR that the European Commission reported that the term ‘GDPR’ featured in more online searches than Facebook CEO Mark Zuckerberg and superstars Beyonce and Kim Kardashian.

In January, the European Commission reported that since GDPR legislation came into force, it  received 95,100 complaints about data practices and 41,502 breach notifications. The most common types of complaints regarded telemarketing, promotional e-mails and video surveillance. The fines meted out included one of €50 million against Google for lack of consent on ads.

According to a GDPR data breach survey carried out by the global law firm DLA Piper, until last February, the number of data breaches notified by Malta were 100, which translates into 22.3 data breaches per 100,000 people, putting it in ninth place out of the 26 countries included in the survey.  Of these 100 breaches, 17 led to a fine, which according to the report, is ‘a surprisingly large number given the relatively small size of the country’. The significant number of fines is also indicative of good enforcement.

Locally, the DPA is the Office of the Information and Data Protection Commissioner, which is responsible for upholding the rights of individuals under the Data Protection Act and enforcing the obligations upon data controllers. The Commissioner has a broad range of powers including those relating to obtaining information, enforcing compliance with the Data Protection Act, entering and searching premises of a data controller or data processer, and imposing administrative penalties.

When accessing the web, users often entrust vital personal information – name, surname, location, banking details – to internet service providers and to the websites being used.When accessing the web, users often entrust vital personal information – name, surname, location, banking details – to internet service providers and to the websites being used.

Know your rights

Everyone has the right to:

▪ the protection of personal data concerning them

▪ access to data which has been collected concerning them, and the right to have it rectified

GDPR key changes

Controller, processor and authority

GDPR determines a number of critical roles, including those of data controller, data processor and Data Protection Authority.

The data controller determines the purposes for which and the means by which personal data is processed. It is their role to determine ‘why’ and ‘how’ personal data should be processed..

The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.

The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated.

The Data Protection Authority of each member state is an independent public authority that supervises, through investigative and corrective powers, the application of the data protection law.

Increased territorial scope

GDPR applies to all companies processing the personal data of data subjects residing in the EU, regardless of where the company is located. GDPR makes its applicability very clear – it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU. Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.

Penalties

Businesses and organisations in breach of GDPR can be fined up to four per cent of annual global turnover of the previous financial year, or €20m, whichever is greater. This is the maximum fine that can be imposed for the most serious infringements. There is a tiered approach to fines. Rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.

Earlier this year, the French data protection authority fined Google €50m. If the maximum four per cent had been imposed, this would have amounted to around $3.6bn (based on 2017 revenue of $110bn).

Consent

Conditions for consent have been strengthened. The request for consent must be given in a clear and easily accessible form, with the purpose for data processing attached to that consent. It must be as easy to withdraw consent as it is to give it.​

Data subject rights

Under GDPR, breach notifications are now mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals."  This must be done within 72 hours of first having become aware of the breach. Data processors are also required to notify their customers and controllers without undue delay after first becoming aware of a data breach.

Right to access

GDPR gives data subjects the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where and for what purpose. Furthermore, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

Right to be forgotten

Data erasure entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

Data portability

GDPR introduces data portability – the right for a data subject to receive the personal data concerning them – which they have previously provided in a ‘commonly used and machine readable format’ and have the right to transmit that data to another controller.

Privacy by design

Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. Controllers should hold and process only the data absolutely necessary for the completion of its duties as well as limiting the access to personal data to those needing to act out the processing.

Data Protection Officers

Controllers will no longer be required to notify their data processing activities with local DPAs, which, for multinationals, can be a bureaucratic nightmare with most Member States having different notification requirements. Internal record keeping requirements were introduced, and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences.

Comments

Comments not loading?

We recommend using Google Chrome or Mozilla Firefox.

Comments powered by Disqus