By Vijeth Shivappa
The news of a global online retail platform being hit with a fine of 746 million euros (roughly 887 million US $) by the European Union data privacy regulator for violating user privacy regulations, the GDPR, has taken the media by storm. According to reliable sources in European financial circles, the fine was imposed on July 16 and was made public in a recent financial filing. It is the largest fine to date in the GDPR's 3-year history. It has been alleged that the e-commerce giant violated the European Union data privacy regulation, GDPR, in its advertising-related decisions. The fine for the alleged regulatory violation was levied by Luxembourg's National Commission for Data Protection (CNPD), the data regulator in Luxembourg, where the online retail giant has its EU HQ.
This regulatory fine is the outcome of a 2018 complaint by the French privacy rights group La Quadrature du Net, a group that claims to represent the interests of Europeans and to ensure their data isn't consumed by the Big Tech companies to manipulate citizens' behavior for political or commercial purposes. The complaint was filed on behalf of more than 10,000 customers.
This regulatory fine is the latest action by European regulators against Big Tech companies. Regulators in Europe have increasingly been scrutinizing the business practices of tech giants. GDPR, or the General Data Protection Regulation, aims to rein in how companies use consumer data and to regulate data breaches. Back in 2019, another tech giant was fined €50 million. Regulators stated that the company's way of processing consumers' personal data didn't comply with GDPR requirements, and it has been ordered to change its business practices.
GDPR is an EU regulation with compulsory rules for how organizations and companies must use personal data in an integrity-friendly way. Under the EU's personal privacy law GDPR, violators may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
Taking a cue from European Union regulators, on August 20, 2021, China's 13th Standing Committee of the National People's Congress passed the Personal Information Protection Law (the "PIPL"). PIPL is China's first comprehensive data protection law. It is modeled, in part, on other data protection regimes, including the EU's General Data Protection Regulation ("GDPR").
The PIPL will become effective on November 1, 2021. The rules say that businesses must get consent from customers to use personal data & companies must take measures to protect the data. If the security of such information is breached, it can cause great harm to individuals' personal security and property safety. Penalties for serious violations of the PIPL include fines in the range of 50 million RMB to 5% of an entity's revenue in the prior year.
The need for the Personal Data Protection Regulation
Personal data is valuable. There are no second thoughts about it. Data makes it possible to formulate business models, gain an understanding of customers, conduct effective marketing campaigns and develop products and services. But just like rules for protecting any other asset class, there is a need for regulatory frameworks for the responsible use of personal data. In the last few years, we have seen breaking news of personal data breaches and scandals around the world. Hundreds of millions of individuals' personal information (social security numbers, addresses, credit scores, etc.) were compromised. Regulations like GDPR & PIPL not only clearly state that an individual's personal data belongs to the individual, but can also impose substantial penalties on companies not following the rules.
In the US, Europe & China, privacy and data protection are considered vital components. Regulations like GDPR & PIPL are designed to safeguard these prerequisites and are an upgrade of past data protection directives. It is high time for other emerging economies to adopt a similarly stringent regulation to safeguard their citizens' privacy & larger social interests.
Entities dealing with the personal data of citizens can comply with such regulatory requirements by storing & protecting the permitted user data in a compliant manner. Entities can even automate the process of identifying different data types through technology that uses data analytics, machine learning & artificial intelligence (AI) to power intelligent data cataloguing, identifying and classifying individual data points within large volumes of data. This means that companies can easily turn their data lakes into searchable, easy-to-analyse resources, enabling them to make use of the data in question more effectively and comply with legislation such as GDPR & PIPL. The technology, which is already used in the financial services, pharmaceutical and healthcare industries, is designed to be applied on-premises or even in public cloud environments.
– All views expressed are personal