This article is written by M.S.Bushra Tungekar, from the University of Mumbai Law Academy. The author in this article analyses international data privacy laws with reference to India and the European Union.
Introduction
More than three lakh cybersecurity incidents were handled by the Indian Computer Emergency Response Team (CERT-In) in the year 2019, as published by the agency in its annual report. Data breaches have been on the rise as humans become increasingly dependent on technology. Therefore, systematic tools and procedures for data protection have become the need of the hour. The increasing use of cloud storage, social media apps and apps for even the most menial tasks makes data more vulnerable than ever.
It takes only a minute for a data breach to occur, while the discovery of such a breach might take up to a week. The educational startup Unacademy, worth 510 million dollars, disclosed a data breach that jeopardized the data of 22 million users. The SBI data leak, the Justdial data breach and the Grindr app location leak are a few more to name.
Indian data privacy protection and laws
Currently, in India, data protection is regulated by the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Information Technology Act has a very restricted scope, as it applies only to companies.
Due to the growing need for protection of data, an expert committee chaired by Hon’ble Shri Justice B N Srikrishna was set up by the Union Government to examine the various issues related to personal data protection. In the year 2019, the Personal Data Protection Bill, 2019 (PDPB) was introduced in the Lok Sabha.
EU General Data Protection Rules, 2016
The European Union takes data protection and security very seriously. The General Data Protection Rules is a piece of legislation that regulates the processing, storage and transfer of personal data by companies or individuals. GDPR is uniform across all 27 countries of the EU.
It is said to be one of the most resilient data security laws. Although it was passed by the European Union to protect the data of residents of EU countries, it also applies to organizations beyond the borders of Europe. For example, the legislation applies to a company processing the personal data of, or offering services to, citizens of EU countries, and equally to a company established outside the European Union that offers personal data processing services to, or processes the data of, citizens of EU countries.
The main aim of this legislation is to secure and shield the personal data of residents of the EU. GDPR levies heavy fines and enforces stringent rules on both territorial and extraterritorial companies. With the implementation of GDPR, the EU has taken a strong stand against breaches of data privacy. It took four years of negotiations, debates and discussions to finally put GDPR in place. It came into effect on 25th May 2018.
Definitions
Before going into the depths of the subject, it is important to understand the meaning of the terms which occur often in the GDPR:
Processing
For the purpose of this regulation, processing means any procedure performed on personal data, including by automated means. It includes controlling, storing, structuring, organizing, altering, using, recording, etc.
Data Subject
Any individual whose personal data is being processed. Data subjects are considered to be the customers.
Data Processor
Any natural person, company, agency or public authority that processes the data on behalf of the controller. The processor is also a third party.
Data Controller
Any legal or natural person, government authority or agency that determines the purpose and means of processing the personal data, i.e., the party deciding why and how the personal data shall be processed.
Key features of GDPR
Jurisdiction
The application of GDPR has a territorial as well as an extraterritorial impact. It applies to any organization established in the European Union, irrespective of whether the processing, storage or use of the data takes place within or outside the EU. Furthermore, it also applies to organizations established outside the EU, provided the organization offers its data processing or related services to data subjects who are in the EU or monitors the activities of data subjects who are in the EU.
For example, an India-based web developer or e-commerce website providing its services to customers in the European Union falls within its scope. If an organization uses tools that collect the IP addresses of EU customers visiting its website, GDPR is applicable.
Consent of the data subject
Consent given by the data subject must be definitive and clear. Requests for consent by the controller or the processor must be clearly distinguishable and in plain language, as per Article 7. The data subject can revoke consent at any time, and such revocation has no effect on the lawfulness of the processing carried out before the withdrawal. The revocation of consent should be easy. According to Recital 32 of the GDPR, consent must be unambiguous; therefore, consent in the form of pre-ticked boxes or silence is not considered valid. In case of a breach, the Data Protection Authority (DPA) must be notified by the controller or the processor within 72 hours.
Accountability
It is the responsibility of the controller to ensure that personal data is duly protected. Even where the controller engages a third party (e.g. cloud storage) for data processing, it must ensure that the third party adheres to GDPR. Engaging a third party (i.e. a data processor) does not absolve the controller of its liability or its responsibility for safeguarding the personal data. The controller must assign responsibility within its team and also maintain a record of the processing activities undertaken.
Rights of the data subjects
The GDPR recognizes the privacy rights of data subjects, as its main goal is to safeguard personal data from any intrusion. Data subjects must have sufficient information as to where their data is processed, what kind of data is being processed, how much, and the reason for which it is being processed. Data subjects can request the controller or the processor to delete or erase their data once the purpose for which it was collected or processed has been fulfilled.
Data protection officers
Every controller and processor must appoint a Data Protection Officer (DPO) to look after GDPR compliance. Data protection officers report only to the highest level of management, and no other employee of the organization may interfere in the execution of their tasks. A DPO must be a person who has a legal understanding of privacy in all relevant jurisdictions as well as the technical expertise to conduct GDPR evaluations. Article 39 elaborates on the tasks and duties of the Data Protection Officer.
Privacy by design
Organizations are encouraged to analyze the data that will be collected and find a way to minimize the amount collected. This is achieved by building such safeguards in at the initial stages of development. Privacy by design, in other words, means that organizations have to consider the implementation of data protection principles while designing a new product.
Penalties
GDPR is devised to apply to all types of organizations, be they micro-enterprises or multinational organizations. Fines and penalties are imposed irrespective of an organization’s size. Article 83, along with Recitals 148 to 152, deals with the imposition of fines and penalties.
Less severe offences, such as improper maintenance of records, attract a penalty of up to €10 million or two percent (2%) of the organization’s worldwide yearly revenue, whichever is more.
Critical infringements, such as insufficient or improper consent or neglect of the basic principles of data processing, attract hefty fines. Fines for grave infringements go up to €20 million or four percent (4%) of the organization’s worldwide yearly revenue, whichever is more.
The amount of the fine imposed by the authority is determined after considering the following criteria: the intention, gravity and nature of the infringement, the mitigation and preventive measures adopted by the organization, prior infringements, and the kind of personal data affected.
Comparison between GDPR and data protection regime in India
Data processing principles
| General Data Protection Rules (GDPR) | Personal Data Protection Bill (PDPB) |
| --- | --- |
| Data processing principles include: | PDPB does not mention principles in particular, but it has similar requirements to GDPR, such as: |

GDPR permits data to be retained for a longer period of time, unlike PDPB, which restricts the storage of personal data beyond the time for which the data principal has consented.
Grounds for processing personal data
| General Data Protection Rules (GDPR) | Personal Data Protection Bill (PDPB) |
| --- | --- |
| Following are the grounds: | Following are the grounds: |
Security and compliance
| General Data Protection Rules (GDPR) | Personal Data Protection Bill (PDPB) |
| --- | --- |
| The controllers and the processors are responsible for ensuring that the processing of personal data is secured from any intrusion. | Under PDPB, the duty lies on the data fiduciary to make sure that personal data is sufficiently safeguarded from any intrusion. |
Territorial and material scope
| General Data Protection Rules (GDPR) | Personal Data Protection Bill (PDPB) |
| --- | --- |
| GDPR applies to: | PDPB applies to: |

It can be said that the scope of PDPB is wider than that of GDPR. Any organization processing personal data within India may fall within its scope. PDPB further defines critical data as well as sensitive data, and it also gives the Union Government the authority to alter or add to what constitutes sensitive personal data. However, the Union Government’s power to exempt organizations from the application of the bill may narrow the scope of PDPB.
Data localization and cross border data flows
| General Data Protection Rules (GDPR) | Personal Data Protection Bill (PDPB) |
| --- | --- |
| Data localization is not required. Data under certain categories may be restricted from being transferred outside the EU. | Does not restrict data transfer outside the country. However, it is mandatory that sensitive personal data be stored within India. |

PDPB lays down more stringent standards for data transfer than GDPR. Therefore, compliance with GDPR does not result in automatic compliance with PDPB.
Notice and consent
| General Data Protection Rules (GDPR) | Personal Data Protection Bill (PDPB) |
| --- | --- |
| GDPR lays down the requirements of a valid consent: | Under PDPB, to constitute valid consent, it must be: |
Penalties
| General Data Protection Rules (GDPR) | Personal Data Protection Bill (PDPB) |
| --- | --- |
| Under GDPR, penalties are broadly classified into penalties for severe infringements and for minor infringements. In the event of a minor infringement, a fine may go up to €10 million or two percent (2%) of the organization’s worldwide yearly revenue, whichever is more. | Under PDPB, penalties and fines are based on the infringement. In case of a breach relating to data protection, the fine may go up to five crore rupees or two percent (2%) of the organization’s total worldwide turnover of the preceding financial year. In case of a breach relating to the processing and transfer of data outside India, the fine may go up to fifteen crore rupees or four percent (4%) of its total worldwide turnover of the preceding financial year, whichever is more. |
Breach notification
| General Data Protection Rules (GDPR) | Personal Data Protection Bill (PDPB) |
| --- | --- |
| The Data Protection Authority (DPA) must be notified within 72 hours in the event of a breach. If the breach is likely to cause harm to the rights of the data subject, the data subject must be informed about the breach without delay. | The data fiduciary must notify the Data Protection Authority (DPA) about the breach as soon as it can, but only if the breach is likely to cause harm to the individual. The Data Protection Authority determines whether the data principal is to be informed of a data breach. |

There is no fixed timeline under PDPB; moreover, the data principal is informed about the breach only if the DPA so authorizes. The threshold for reportable data breaches also differs between GDPR and PDPB: under GDPR all breaches are reported to the authority, whereas under PDPB only those breaches which may harm the data principal are to be reported to the DPA.
A Glimpse of data protection laws in the US
The United States does not have a uniform or primary piece of legislation dealing with data protection. Rather, the legislation changes from state to state. The US has more than 100 laws governing data protection and security across its states. This creates a patchwork of self-regulation, public regulation and varied state laws. Enforcement, too, is spread across different government agencies and sector-specific statutes such as the Health Insurance Portability and Accountability Act.
Conclusion
It can be seen from the structure of GDPR and the fines that have been levied that the European Union has given the utmost priority to regulating and safeguarding the personal data of its citizens. GDPR ensures transparency and accountability. Stringent fines deter organizations from neglecting or compromising their duties under GDPR. Similar legislation is needed in India, and the Personal Data Protection Bill needs to be enacted into law. As seen above, GDPR and PDPB have many similarities.
References
- https://www.cert-in.org.in/
- https://gdpr-info.eu/
- https://gdpr.eu/Recital-32-Conditions-for-consent/