EU law is a grand response to growing concern that consumers are losing
control of their personal data and privacy to businesses. FILE PHOTO |
NMG
In Greek mythology, Argus Panoptes was an ever watchful giant
with a hundred eyes to boot. Even when asleep, some of his eyes would be
awake watching on-goings around him.
Jeremy Bentham,
the 18th century philosopher, borrowing from this myth, designed a
prison called the Panopticon, that was structured in such a way that a
single guard at the centre could observe all the prisoners.
The
prisoners wouldn’t know whether they were being watched, or not, as the
guard could look in any direction. This made the prisoners to “behave”
all the time. Bentham’s Ponopticon has been replicated in different
shapes in the digital world.
Digital natives have
volunteered their personal data to tech giants such as Facebook and
Google, which keep track of their activities. These firms are
accumulating big data from customers, which they sell for marketing and
other purposes.
With digital civilisation, there is unprecedented access to
data. This is certainly a revolution, not a passing cloud. Application
of machine learning and artificial intelligence (AI) has created big
data analytics that is unlocking the value of this big data.
Industrial
revolution improved humanity’s standard of living, but brought new
problems such as pollution. In similar fashion, the data revolution is
enriching people’s lives, but has its banes, as the Facebook and
Cambridge Anaytica fiasco has recently demonstrated.
The
Economist recently vouched data to be the new oil that will give rise
to a new economy. Indeed, big-data analytics and data-driven businesses
have become embedded in countless new products and services. The
Internet and digitisation of goods and services have further transformed
the global economy.
In a globalised world, transfer
of data, including personal data, across national borders is part of the
operations of companies. AI is facilitating accumulation of derived
data for business ends. To this end, personal data has fallen victim.
Consumers
have historically placed confidence in data companies to protect their
personal data. These companies, on diverse times, have breached this
trust. Instead, they have employed this data, however personal, as an
asset to create monopolies and generate income. They have turned privacy
into a commodity.
Yet, privacy is not a commodity to
be traded. Respecting privacy is a prerequisite for stable, secure and
competitive global trade. As trade exchanges rely on personal data
flows, privacy and security have become a key factor of consumer trust.
Protection
of personal data is non-negotiable. Various countries have been
enacting data protection legislation in response to the growing demand
for stronger data security and privacy protection.
Gladly,
there seems to be a trend towards convergence on data protection
principles. On May this year, the General Data Protection Regulation
(GDPR), the EU law on data protection, will come into force.
This
law is a grand response to growing concern that consumers are losing
control of their personal data and privacy to businesses that are
increasingly engaging in data analytics to gain a competitive edge.
It
can be argued the GDPR provisions meet the mark as international
customary law on data protection. It heralds a mutiny to the old order
of data protection, by detailing broad mechanisms of protecting
information identifiable with individual to an individual.
Some
of the protected information, as per GDPR, includes search-engine
entries, employee authentication, payment transactions,
closed-circuit-television footage, and visitor logs, among others.
It
is immaterial whether such data is structured or unstructured, or it’s
medium. It will be a requirement for a company processing data of an EU
citizen to adhere accordingly.
The companies that will
be most affected are Internet service providers, airlines, mobile phone
service providers, banks, international couriers and numerous service
providers, and related businesses. These often deal with clients across
national and virtual borders. The extra-territorial application of GDPR
will require them to comply.
GDPR’s protective
mechanism requires companies to inform their customers that they are
storing and, or processing personal data, why they are holding that
data, how long they plan to hold it and the interest the company has in
the data.
Equally, it creates one data protection
authority that will be responsible for supervision of cross-border data
processing operations carried out by a company in the EU.
In
addition, GDPR introduces stringent consent requirements, data-subject
rights, and obligations on organisations that gather, control, and
process data.
Some unique rights, such as the right to
be forgotten (also right of data erasure), right to data portability,
right to revoke consent, and right to restrict processing, are
introduced.
Entities handling personal data are
required to report data breaches likely to result in high risk to
individuals’ rights and freedoms to the authorities within 72 hours, and
subsequently to the data subjects as well in certain cases.
The
fines for failure to comply will be high, as much as four per cent of
annual worldwide revenues. Individuals are also allowed to seek civil
actions (including class-action lawsuits) against entities that violate
their data-protection rights.
The effectiveness of GDPR
regulatory approach is yet to be seen. In the age of advanced data
analytics, which by nature require lots of digital information, giving
people notice that their data is being collected, and then asking for
consent for it to be used may be an uphill task.
It may result into unintended consequences of stifling innovation, especially for digital start-ups.
Kenya
is yet to formulate a coherent law on data protection. There is a Data
Protection Bill 2015, which needs to be updated with emerging trends,
such as borrowing some elements from GDPR.
The country
has so far been casual in handling personal data. Many companies are
taking and holding even biometric information, yet there is no
regulatory mechanism to govern privacy and remedy in cases of breach.
The enactment of data protection laws needs to be expedited.
No comments:
Post a Comment