GDPR works: 7 principles for protecting Internet users' data

How the EU has prepared the ground for the relevant procedures


With the development of modern technologies and various applications, social networks and public channels in messengers, the protection of users' personal data has become a major concern for the owners of those services. From time to time, the information space is stirred up by reports of yet another leak. As recently as the end of last year, it was reported that the data of a million Facebook users had been leaked. Moreover, Meta, the owner of this social network, has repeatedly been in trouble over data leaks. Sofia Lavreniuk, Coordinator of the Internews Ukraine NGO, told Mind how the EU is addressing this problem and why it is the EU in particular that investigates such incidents.

One of the largest European offices of Meta, Inc, the company that runs Facebook, is located in Dublin. Meta has a lot of work to do in the European Union: the American company has to comply with EU human rights standards as it manages millions of accounts of EU residents – Facebook, Instagram, and WhatsApp users.

Dublin also has the office of Digital Rights Ireland, a well-known Meta critic. It protects the digital rights of social media users, including Facebook.

In February 2023, Digital Rights Ireland (DRI) stated that it planned to file a lawsuit for damages on behalf of Facebook users in the EU whose data was compromised and published online.

The DRI's statement came after the conclusion of a court case brought by the Irish Data Protection Commission (DPC). According to the DRI, the case resulted in a victory for the Facebook users whose data was made public.

Earlier, in November 2022, the Irish regulator fined Meta, Inc, as the owner of Facebook, €265 million.

According to the investigation, the data of 533 million Facebook accounts became available on the Internet without the knowledge of the owners of these accounts. About 100 million Facebook users from EU member states were affected. The vast majority of the records published contained phone numbers, names, gender, and Facebook IDs.

Why are there numerous investigations into data protection in the EU in particular?

The answer is obvious: the EU has created many safeguards against violations of digital human rights, including personal data protection.

This area is regulated in the EU by several documents that outline the rights and obligations of web resource owners and their users.

In 1995, the EU Council adopted Directive 95/46/EC, setting out the rules for the storage, processing, and use of personal data of European Internet users. Later, in 2008, the Council supplemented the document with Framework Decision No. 2008/977/JHA on the protection of personal data processed within the framework of police and judicial cooperation in criminal matters.

One of the main requirements of Directive 95/46/EC was that any organisation collecting personal data had to obtain permission from the person providing the data. In addition, organisations had to ensure that the personal data of their users was processed and stored in a secure place.

Personal data could be processed only in specific cases, and owners of online resources had to protect this data from unauthorised access.

GDPR is being successfully applied in practice

With the rapid development of the Internet, the growing complexity of its architecture, its increasing influence and the rising number of abuses by unscrupulous users, the EU needed to thoroughly review its regulatory framework. In 2018, EU institutions adopted the General Data Protection Regulation (GDPR), which replaced Directive 95/46/EC. Unlike the directive, which EU countries had to transpose into national legislation, the GDPR is a directly applicable act – member states did not have to implement it further.

The main purpose of the GDPR is to protect the personal data of EU citizens that companies collect, process and store. The GDPR establishes clear rules for data collection and processing, including rules for obtaining consent to collect and process data, informing about the use of data, and rules for individuals' rights to access and rectify their personal data.

The 7 principles of the GDPR

The GDPR is based on seven principles that underpin the entire regulation:

1. Lawfulness, Fairness, and Transparency

Lawfulness – the company must have a valid legal basis for processing personal data. Fairness – the company cannot deliberately hide its motives for collecting data, and users should never discover that the company has been using their data in ways it did not disclose. Transparency – clarity, openness, and honesty about how and why the company processes personal data.

2. Purpose Limitation

This GDPR principle means that data is "collected only for a specific, explicit and legitimate purpose".

3. Data Minimisation

Companies should only collect the data they need to achieve their purpose. For example, if a company wants to collect subscribers for its email newsletter, it should only ask for the information necessary to send out its materials.

4. Accuracy

A company must ensure the accuracy of the data it collects and stores. It should take steps to correct, update or delete incorrect or incomplete data.

5. Storage Limitations

According to the GDPR, a company must justify how long it stores data. In practice, this means setting retention periods and keeping data no longer than its retention policy allows.

6. Integrity and Confidentiality

The GDPR requires maintaining the integrity and confidentiality of data by protecting it from internal and external threats. Data must be protected from unauthorised or unlawful processing and accidental loss, destruction, or damage.

7. Accountability

In accordance with the principle of accountability, companies must have appropriate documentation to prove compliance with data processing principles. The regulator may request to see this documentation.

Fines for non-compliance with the GDPR can reach 4% of a company's annual turnover or €20 million, whichever is higher. Maximum sanctions are rarely imposed, and in practice fines are usually much lower. However, the regulator can impose harsher sanctions when warranted; a vivid example is the significant fines levied on tech giants such as Meta, Inc.

The material was prepared within the Updating Privacy in the Digital Sphere in Ukraine project (Personal Data Protection Index 2022), implemented by NGO Internews Ukraine, with the support of ABA ROLI Ukraine / Rule of Law Initiative.

The OpenMind authors, as a rule, are invited experts and contributors who prepare the material on request of our editors. Yet, their point of view may not coincide with that of the Mind editorial team.

However, the team is responsible for the accuracy and relevance of the opinion expressed, specifically, for fact-checking the statements and initial verification of the author.

Mind also thoroughly selects the topics and columns that can be published in the OpenMind section and processes them in line with the editorial standards.
