Centre for Internet and Society

Response Submission on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector

Amber Sinha, Elonnai Hickok and Udbhav Tiwari — 2019-03-13T00:27:30Z

CIS submitted its comments on the consultation paper on privacy, security and ownership of data in telecom sector which was published by the Telecom Regulatory Authority of India on August 9, 2017.

The submission is divided in four parts. The first part introduces the document, the second part gives an overview of CIS and its work, the third part contains general comments on the consultation paper and the fourth part contains specific comments on questions posed in the consultation paper. Click to read the full submission made to the Telecom Regulatory Authority of India on November 6, 2017.

For more details visit https://cis-india.org/telecom/blog/response-submission-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector

GDPR and India: A Comparative Analysis

Aditi Chaturvedi — 2017-11-28T15:17:39Z

At present, companies world over are in the process of assessing the impact that EU General Data Protection Regulations (“GDPR”) will have on their businesses.

The post is written by Aditi Chaturvedi and edited by Amber Sinha

High administrative fines in case of non-compliance with GDPR provisions are a driving force behind these concerns as they can lead to loss of business for various countries such as India.

To a large extent, future of business will depend on how well India responds to the changing regulatory changes unfolding globally. India will have to assess her preparedness and make convincing changes to retain the status as a dependable processing destination. This document gives a brief overview of data protection provisions of the Information Technology Act, 2000 followed by a comparative analysis of the key provisions of GDPR and Information Technology Act and the Rules notified under it.

Download the full blog post

For more details visit https://cis-india.org/internet-governance/blog/gdpr-and-india-a-comparative-analysis

MediaNama - #NAMAprivacy: The Future of User Data (Delhi, Sep 6)

sumandro — 2017-09-05T10:22:12Z

MediaNama is hosting a full day conference on "the future of user data in India", on the 6th of September 2017, which is particularly significant given the recent Supreme Court ruling on the fundamental right to privacy, and two government consultations: one at the TRAI, and another at MEITY. This discussion is supported by Facebook, Google, and Microsoft. Sumandro Chattapadhyay, Research Director, will participate as a speaker in the session titled "regulating storage, sharing and transfer of data."

Details

Time: September 6th 2017, 9 am to 4:30 pm

Venue: Gulmohar Hall, India Habitat Centre, Lodhi Road (please enter from Gate #3)

Agenda: https://www.medianama.com/2017/08/223-agenda-namaprivacy-future-of-user-data/

Announced Speakers

Chinmayi Arun, Centre for Communication Governance at NLU Delhi
Malavika Raghavan, IFMR Finance Foundation
Renuka Sane, NIPFP
Smitha Krishna Prasad, Centre for Communication Governance at NLU Delhi
Ananth Padmanabhan, Carnegie India
Avinash Ramachandra, Amazon
Hitesh Oberoi, Naukri
Jochai Ben-Avie, Mozilla
Mrinal Sinha, Mobikwik
Murari Sreedharan, Bankbazaar
Sumandro Chattapadhyay, Centre for Internet and Society

Facilitators

Saikat Datta, Asia Times Online
Shashidar KJ, MediaNama
Nikhil Pahwa, MediaNama

Attendees

We have confirmed 140+ attendees from: Adobe, Amber Health, Amazon, APCO Worldwide, Bank Bazaar, Bloomberg-Quint, Blume Ventures, Broadband India Forum, Business Standard, BuzzFeed News, CCOAI, CEIP, Change Alliance, Chase India, CIS, CNN News18, DEF, Deloitte, DNA, DSCI, E2E Networks, British High Commission, Eurus Network Services, FICCI, Firefly Networks, Flipkart, Forrester Research, Fortumo, DoT, MEITY, IAMAI, IBM, ICRIER, IFMR Finance Foundation, IIMC, Indian Law Institute, Indic Project, Info Edge, ISPAI, IT for Change, ITU-APT, Jamia Millia Islamia, Jindal Global Law School, Mimir Technologies, Mozilla, Newslaundry, NIPFP, Nishith Desai Associates, NIXI, NLU-Delhi, ORF, Paytm, PLR Chambers, PRS Legislative Research, Publicis Groupe, Quartz India, Reliance Jio, Reuters, Saikrishna & Associates, Scroll.in, SFLC.in, Spectranet, The Economics Times, The Indian Express, The Times of India, The Wire, Times Internet, Twitter, and more.

For more details visit https://cis-india.org/internet-governance/news/medianama-namaprivacy-the-future-of-user-data-delhi-sep-6

Privacy is not a unidimensional concept

amber — 2017-08-07T08:02:20Z

Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all citizens in India to defend their individual autonomy in the face of invasive state actions purportedly for the public good. The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all.

This article, written by Amber Sinha was published in the Economic Times on July 23, 2017.

In a disappointing case of judicial evasion by the apex court, it has taken over 600 days since a reference order passed in August 11, 2015, for this bench to be constituted. Over two days of arguments, the counsels for the petitioners have presented before the court why the right to privacy, despite not finding a mention in the Constitution of India, is a fundamental right essential to a person’s dignity and liberty, and must be read into not one but multiple articles of the Constitution. The government will make its arguments in the coming week.

One must wonder why we are debating the contours of the right to privacy, which 40 years of jurisprudence had lulled us into believing we already had. The answer to that can be found in a series of hearings in the Aadhaar case that began in 2012. Justice KS Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court, questioning the validity of the Aadhaar project due its lack of legislative basis (since then the Aadhaar Act was passed in 2016) and its transgressions on our fundamental rights. Over time, a number of other petitions also made their way to the apex court, challenging different aspects of the Aadhaar project. Since then, five different interim orders by the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number. Aadhaar, according to the court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.

The real spanner in the works in the progress of this case was the stand taken by Mukul Rohatgi, then attorney general of India who, in a hearing before the court in July 2015, stated that there is no constitutionally guaranteed right to privacy. His reliance was on two Supreme Court judgments in MP Sharma v Satish Chandra (1954) and Kharak Singh v State of Uttar Pradesh (1962): both cases, decided by eight- and six-judge benches respectively, denied the existence of a constitutional right to privacy. As the subsequent judgments which upheld the right to privacy were by smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh still prevailed over them, until they were overruled by a larger bench.

The reference to a larger bench has since delayed the entire matter, even as a number of government schemes have made Aadhaar mandatory. This reading of privacy as a unidimensional concept by the courts is, with due respect, erroneous. Privacy, as a concept, includes within its scope, spatial, familial, informational and decisional aspects. We all have a legitimate expectation of privacy in our private spaces, such as our homes, and in our personal relationships. Similarly, we must be able to exercise some control over how personal data, like our financial information, are disseminated. Most importantly, privacy gives us the space to make autonomous choices and decisions without external interference. All these dimensions of privacy must stand as distinct rights. In MP Sharma, the court rejected a certain aspect of the right of privacy by refusing to acknowledge a right against search and seizure. This, in no way prevented the court, even in the form of a smaller bench, from ruling on any other aspects of privacy, including those that are relevant to the Aadhaar case.

The limited referral to this bench means that the court will have to rule on the status of privacy and its possible limitations in isolation, without even going into the details of the Aadhaar case (based on the nature of protection that this bench accords to privacy, the petitioners and defendants in the Aadhaar case will have to argue afresh on whether the project does impede on this most fundamental right). There are no facts of the case to ground the legal principles in, and defining the contours of a right can be a difficult exercise. The court must be wary of how any limits they put on the right may be used in future. Equally, it is important to articulate that any limitations on the right to privacy due to competing interests such as national security and public interest must be imposed only when necessary and always be proportionate.

It will not be enough for the court to merely state that we have a constitutional right to privacy. They would be well advised to cut through the muddle of existing privacy jurisprudence, and unequivocally establish the various facets of the right. Without that, we may not be able to withstand the modern dangers of surveillance, denial of bodily integrity and self-determination through forcible collection of information. The nine judges, in their collective wisdom, must not only ensure that we have a right to privacy, but also clearly articulate a robust reading of this right capable of withstanding the growing interferences with our autonomy.

For more details visit https://cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept

Comments on the Statistical Disclosure Control Report

Srinivs Kodali and Amber Sinha — 2019-03-13T00:28:44Z

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.

1. PRELIMINARY

CIS is thankful for the opportunity to put forth its views.
This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.

2. ABOUT CIS

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.

CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.

3. Comments

3.1 General Comments

As a non-profit organisation we recognize the importance of the efforts by the Ministry of Statistics and Programme Implementation (MoSPI) to make the data you collect available to the public in open formats with relevant information about reliability of statistical estimates.

We at CIS have recently released a report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. We encountered several central and state government departments collecting socioeconomic data from citizens, linking it with Aadhaar and even publishing them in exportable data formats like EXCEL and MS ACCESS Databases. While we understand this issue primarily concerns to Unique Identification Authority of India (UIDAI), the lack of standards around information/statistical disclosure are a general threat to transparency in a democracy and privacy of individuals. Going through the report we understand the committee is unable to prescribe a standard for other ministries and departments until they try and pilot these standards within Ministry of Statistics and Programme Implementation. This delay in prescribing the standards can be really dangerous in the current circumstances of massive data collection by government departments and linking all the databases with a unique identifier, Aadhaar Number. At the same time we understand the importance of data dissemination to be carried out and we recommend the following for improving the standards around data disclosure control.

3.2 Integrity of Information and Data

We agree with the committee that the error rates need to be kept in mind while designing practices to convert raw data. But we request the process of changes being made be actively measured and documented. In case of errors being computed, guidelines can be made to decrease the possibilities of misinterpretation of errors causing loss of integrity of information. Statistics are important for decision making in governance, errors in computations can be biased towards millions of people. Statistical biases are important to be looked into while converting data from its raw format to make sure there are no damage caused by information.

3.3 Data Security

One of the important issues around storage and publication of Aadhaar information is the lack of masking standards. With the availability of data from multiple departments, it is possible to reconstruct identification details by linking data from multiple databases. It is recommended to bring masking standards while personally identifiable micro data is being published. There is an urgent need for departments to also look at auditing access to information and tracking sharing of information. It is recommended the department digitally signs all the information and documents being published or shared by them to keep track of who had accessed the information and verifying the authenticity of information.

We request the department to define what exactly is “usage for statistical purposes only” and recommend standards to control and restrict usage of information for this purpose. It is important they design frameworks or mechanisms to allow others to report violations around this. This process should be transparent and documented heavily.

3.4 Anonymization of microdata

We recommend the data being collected be anonymized at source to evade the possibility of the accidental disclosure of personally identifiable information. While the current anonymization efforts have been helpful, with steady increase in data mining and classification algorithms and practices it is recommended to evolve the standards around this area.

3.5 Data Dissemination

Data dissemination is an important aspect for district statistics officers, we recommend they actively communicate their work through monthly newsletters, quarterly workshops to help improve the conversations around statistics and at the same time engage with the users who would benefit from the data.

We also recommend that data when being published includes metadata of collection, modification, storage and other important information. Also the information needs to be published in open formats which does not require proprietary software to be used to open them. At the same time data should be published in multiple formats like CSV, XLS, PDF,

The committee also recognizes the need for having data users part of discussions around important decisions and be part of committees. We would like the department to recognize our efforts and consider us for future committee representations.

Thank you for this opportunity and we look forward to work with you in future.

For more details visit https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report

(Updated) Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information

Amber Sinha and Srinivas Kodali — 2019-03-13T00:29:01Z

Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, welfare exclusion, and security concerns. In this study, we document numerous instances of publicly available Aadhaar Numbers along with other personally identifiable information (PII) of individuals on government websites. This report highlights four government projects run by various government departments that have made sensitive personal financial information and Aadhaar numbers public on the project websites.

Read the updated report: Download (pdf)

Read the first statement of clarification (May 16, 2017): Download (pdf)

Read the second statement of clarification (November 05, 2018): Link to page (html)

We are grateful to Yesha Paul and VG Shreeram for research support.

In the last month, there have been various reports pointing out instances of the public disclosure of Aadhaar number through various databases, accessible easily on Twitter under the hashtag #AadhaarLeaks. Most of these public disclosures reported contain personally identifiable information of beneficiaries or subjects of the non UIDAI databases containing Aadhaar numbers of individuals along with other personal identifiers. All of these public disclosures are symptomatic of a significant and potentially irreversible privacy harm, however we wanted to point out another large fallout of such events, those that create a ripe opportunity for financial fraud. For this purpose, we identified benefits disbursement schemes which would require its databases to store financial information about its subjects. During our research, we encountered numerous instances of publicly available Aadhaar Numbers along with other PII of individuals on government websites. In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers. Our research is focussed largely on the data published by or pertaining to where Aadhaar data is linked with banking information. We chose major government programmes using Aadhaar for payments and banking transactions. We found sensitive and personal data and information very easily accessible on these portals.

For more details visit https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1

Survey on Data Protection Regime

Aditi Chaturvedi and Elonnai Hickok — 2017-02-10T10:47:00Z

We request you to take part in this survey aimed at understanding how various organisations view the changes in the Data Protection Regime in the European Union. Recently the General Data Protection Regulation (EU) 2016/679 was passed, which shall replace the present Data Protection Directive DPD 95/46/EC. This step is likely to impact the way of working for many organisations. We are grateful for your voluntary contribution to our research, and all information shared by you will be used for the purpose of research only. Questions that personally identify you are not mandatory and will be kept strictly confidential.

The survey form below can also be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/survey-on-data-protection-regime

Comparison of General Data Protection Regulation and Data Protection Directive

Aditi Chaturvedi and Edited by Leilah Elmokadem — 2017-02-07T14:08:35Z

Recently, the General Data Protection Regulation (REGULATION (EU) 2016/679) was passed. It shall replace the present Data Protection Directive (DPD 95/46/EC), which is a step that is likely to impact the workings of many organizations. This document intends to offer a clear comparison between the General Data Protection Regulation (GDPR) a the Data Protection Direction (DPD).

Download the file here

INTRODUCTION

The GDPR i.e. General Data Protection Regulation (REGULATION (EU) 2016/679) was adopted on May 27th, 2016. It will come into force after a two-year transition period on May 25th, 2018 and will replace the Data Protection Directive (DPD 95/46/EC). The Regulation intends to empower data subjects in the European Union by giving them control over the processing of their personal data. This is not an enabling legislation. Unlike the previous regime under the DPD (Data Protection Directive), wherein different member States legislated their own data protection laws, the new regulation intends uniformity in application with some room for individual member states to legislate on procedural mechanisms. While this will ensure a predictable environment for doing business, a number of obligations will have to be undertaken by organizations, which might initially burden them financially and administratively.

2. SUMMARY

The Regulation contains a number of new provisions as well as modified provisions that were under DPD and has removed certain requirements under the DPD. Some significant changes mentioned in the document have been summarized in this section.. These changes suggest that GDPR is a comprehensive law with detailed substantive and procedural provisions. Yet, some ambiguities remain with respect to its workability and interpretation. Clarifications will be required.

2.1 Provisions from the DPD that were retained but altered in the GDPR include:

2.1.1 Scope:

GDPR has an expanded territorial scope and is applicable under two scenarios; 1) when processor or controller is established in the Union, and 2) when processor or controller is not established in the Union. The conditions for applicability of the GDPR under the two are much wider than those provided for DPD. Also, the criteria under GDPR are more specific and clearer to demonstrate application.

2.1.2 Definitions:

Six definitions have remained the same while those of personal data and consent have been expanded.

2.1.3 Consent:

GDPR mentions "unambiguous" consent and spells out in detail what constitutes a valid consent. Demonstration of valid consent is an important obligation of the controller. Further, the GDPR also explains situations in which child's consent will be valid. Such provisions are absent in DPD.

2.1.4 Special categories of data:

Two new categories, biometric and genetic data have been added under GDPR.

2.1.5 Rights:

The GDPR strengthens certain rights granted under the DPD. These include:

a. Right to restrict processing: Under DPD the data subject can block processing of data on the grounds of data inaccuracy or incomplete nature of data. GDPR, on the other hand , is more elaborate and defined in this respect. Many more grounds are listed together with consequences of enforcement of this right and obligations on controller.

b. Right to erasure: This is known as the "right to be forgotten". Here, the DPD merely mentions that the data subject has the right to request erasure of data on grounds of data inaccuracy or incomplete nature of data or in case of unlawful processing. The GDPR has strengthened this right by laying out 7 conditions for enforcing this right including 5 grounds on which the request for erasure shall not be processed. This means that the "right to erasure" is not an absolute right. GDPR provides that if data has been made public, controllers are under an obligation to inform other controllers processing the data about the request.

c. Right to rectification: This right is similar under GDPR and DPD.

d. Right to access: GDPR has broadened the amount of information data subject can have regarding his/her own data. For example, under the DPD the data subject could know about the purpose of processing, categories of processing, recipients or categories to whom data are disclosed and extent of automated decision involved. Now under GDPR, the data subject can also know about retention period, existence of certain rights, about source of data and consequences of processing. It specifically states controllers obligations in this regard.

e. Automated individual decision making including profiling: This is an interesting provision that applies solely to automate decision-making. This includes profiling, which is a process by which personal data is evaluated solely by automated means for the purpose of analyzing a person's personal aspect such as performance at work, health, location etc. The intent is that data subjects should have the right to obtain human intervention into their personal data. This upholds philosophy of data safeguard as the subject can get an opportunity to express himself, obtain explanation and challenge the decision. Under GDPR, such decision-making excludes data concerning a child.

2.1.6 Code of conduct:

A voluntary self-regulating mechanism has been provided under both GDPR and DPD.

2.1.7 Supervisory Authority:

As compared to the DPD, the GDPR lays down detailed and elaborate provisions on Supervisory Authority.

2.1.8 Compensation and Liability:

Although compensation and liability provisions under GDPR and DPD are similar, the GDPR specifically mentions this as a right with a wider scope. While the Directive enforces liability on the controller only, under the GDPR, compensation can be claimed from both, processor and controller.

2.1.9 Effective judicial remedies:

Provisions in this area are also quite similar between the DPD and GDPR. The difference is that GDPR specifically mentions this as a "right" and the Directive does not. Use of such words is bound to bring legal clarity. It is interesting to note that in the DPD, recourse to remedy has been mentioned in the Recitals and it is the national law of individual member states, which shall regulate the enforceability. GDPR, on the other hand, mentions this under its Articles together with the jurisdiction of courts and exceptions to this right.

2.1.10 Right to lodge complaint with supervisory authority:

The right conferred to the data subject to seek remedy under unlawful processing has been strengthened under GDPR. Again, as mentioned above, GDRP specifically words this as a "right" while the DPD does not.

2.2 New provisions added to the GDPR include:

2.2.1 Data Transfer to third countries:

Provisions under Chapter V of GDPR regulate data transfers from EU to third countries and international organizations and data transfer onward. DPD only provides for data transfer to third countries without reference to international organizations.

A mechanism called adequacy decisions for such transfers remains the same under both laws. However, in situations where Commission does not take adequacy decisions, alternate and elaborate provisions on "Effective Safeguards" and "Binding Corporate Rules" have been mentioned under the GDPR. Other certain situations have been envisaged under both GDPR and DPD for data transfers in absence of adequacy decision. These are more or less similar with a only few modifications.

Significantly, GDPR brings clarity with respect to enforceability of judgments and orders of authorities that are outside of EU over their decision on such data transfer. Additionally, it provides for international cooperation for protection of personal data. These are not mentioned in the DPD.

2.2.2 Certification mechanism:

Just like code of conduct, this is also a voluntary mechanism, which can aid in demonstrating compliance with Regulation.

2.2.3 Records of processing activities:

This is a mandatory "compliance demonstration" mechanism under GDPR, which is not mentioned under DPD. Organizations are likely to face initial administrative and financial burdens in order to maintain records of processing activities.

2.2.4 Obligations of processor:

DPD fixes liability on controllers but leaves out processors. GDPR includes both. Consequently, GDPR specifies obligations of the processor, the kinds of processors the controller can use and what will govern processing.

2.2.5 Data Protection officer:

This finds no mention in the DPD. Under the GDPR, a data protection officer must be mandatorily appointed where the core business activity of the organization pertains to processing, which requires regular and systematic monitoring of data subjects on large scale, processing of large scale special categories of data and offences, or processing carried out by public authority or public body.

2.2.6 Data protection impact assessment:

This is a Privacy Impact assessment for ensuring and demonstrating compliance with the Regulation. Such assessment can identify and minimize risks. GDPR mandates that such assessment must be carried out when processing is likely to result in high risk. The relevant Article mentions when to carry out processing, the type of information to be contained in assessment and a clause for prior consultation with supervisory authority prior to processing if assessment indicates high risk.

2.2.7 Data Breach:

Under this provision, the controller is responsible for two things: 1) reporting personal data breach to supervisory authority no later than 72 hours . Any delay in notifying the authority has to be accompanied by reasons for delay; and 2) communicating the breach to the data subject in case the breach is likely to cause high risk to right and freedoms of the person. As far as the processor is concerned, in the event of data breach, the processor must notify the controller. This provision is likely to push some major changes in the workings of various organizations. A number of detection and reporting mechanisms will have to be implemented. Above all, these mechanisms will have to be extremely efficient given the time limit.

2.2.8 Data Protection by design and default:

This entails a general obligation upon the controller to incorporate effective data protection in internal policies and implementation measures.

2.2.9 Rights:

Under the GDPR, a new right called the " Right to data portability " has been conferred upon the data subjects. This right empowers the data subject to receive personal data from one controller and transfer it to another.

2.2.10 New Definitions:

Out of 26 definitions, 18 new definitions have been added. "Pseudonymisation" is one such new concept that can aid data privacy. This data processing technique encourages processing in a way that personal data can no longer be attributed to a specific data subject without using additional information. This additional information is to be stored separately in a way that it is not attributed to an identified or identifiable natural person.

2.2.11 Administrative fines:

Perhaps much concern about GDPR is due to provisions on high fines for non-compliance of certain provisions. Organizations simply cannot afford to ignore it. Non-compliance can lead to imposition of very heavy fines up to 20,000,000 EUR or 4% of total worldwide turnover.

2.3 Deleted provisions under DPD include :

2.3.1 Working Party:

Working party under the DPD has been replaced by the European Data Protection Board provided by the GDPR. The purpose of the Board is to ensure consistent application of the Regulation.

2.3.2 Notification Requirement:

The general obligation to notify processing supervisory authorities has been removed. It was observed that this requirement imposed unnecessary financial and administrative burden on organizations and was not successful in achieving the real purpose that is protection of personal data. Instead, now the GDPR focuses on procedures and mechanisms like Privacy Impact assessment to ensure compliance.

3. BRIEF OVERVIEW

The GDPR is the new uniform law, which will now replace older laws. A brief overview has been given below:

Topic	GDPR (General Data Protection Regulation)	DPD (Data Protection Directive)

Name	REGULATION (EU) 2016/679	DPD 95/46/EC
Enforcement	Adopted on 27 May 2016 To be enforced on 25 May 2018	Adopted on 24 October 1995
Effect of legislation	It is a Regulation. Is directly applicable to all EU member states without requiring a separate national legislation.	It is an enabling legislation. Countries have to pass their own separate legislations.
Objective	To protect "natural persons" with regard to processing of personal data and on free movement of such data. It repeals DPD 95/46/EC.	To protect "individuals" with regard to processing of personal data and on free movement of such data.
Number of Chapters	XI	VII
Number of Articles	99	34
Number of Recitals	173	72
Applicability	To processors and controllers	Same

4. COMPARATIVE ANALYSIS OF GDPR AND DPD

This section offers a comparative analysis through a set of tables and text analysing and comparing the provisions of General Data Protection Regulation (GDPR) with those of the Data Protection Direction (DPD). Spaces left blank in the tables imply lack of similar provisions under the respective data regime.

4.1 Territorial Scope

GDPR has expanded territorial scope. The application of Regulation is independent of the place where processing of personal data takes places under certain conditions. The focus is the data subject and not the location. The DPD made application of national law, a criterion for determining the applicability of the Directive. Under the GDPR, the following conditions need to be satisfied for application of Regulation.

Sub-topics in the section	GDPR	DPD

Given in Article	3	4

When processor or controller is established in the Union, the Regulation/ Directive will apply if: (DPD is silent on location of processors )	1. Processing is of personal data 2. Processing is in "context of activities" of the establishment 3. Processing may or may not take place in the Union	Processing is of personal data.
When processor or controller is not established in Union, the Regulation/Directive will apply if: (DPD is silent on location of processors )	1. Data subjects are in the Union; and 2. Processing activity is related to: I. Offering of goods or services; or II. Monitoring their behavior within Union 3. Will apply when Member State law is applicable to that place by the virtue of public international law	1. Like GDPR the DPD mentions that national law should be applicable to that place by virtue of public international law; Or 2. If the equipment for processing is situated on Member state territory unless it is used only for purpose of transit.

4.2 Material Scope

The Recital under GDPR explains that data protection is not an absolute right. Principle of proportionality has been adopted to respect other fundamental rights.

Sub-topics in the section	GDPR	DPD

Given in Article	2	3
Applies to	Processing of personal data Processing is by automated means, wholly or partially When processing is not by automated means, the personal data should form or are intended to form a part of filing system	Same
Does not apply to	Processing of personal data: 1. For activities which lie outside scope of Union law 2. By Member State under Chapter 2 Title V of TEU 3. By natural person in course of purely personal or household activity 4. By competent authorities in relation to criminal offences and penalties and threats to public security 5. Under Regulation (EC) No 45/2001. This needs to be adapted for consistency with GDPR 6. Which should not prejudice the E commerce Directive 2000/31/EC especially the liability rules of intermediary service providers	The provisions in DPD are similar to GDPR. In addition to Title V, the DPD did not apply to Title VI of TEU. DPD doesn't mention Regulation (EC) No 45/2001 or the E commerce Directive 2000/31/EC.

4.3 Definitions

GDPR incorporates 26 definitions as compared to 8 definitions under DPD. There are 18 new definitions in GDPR. Some definitions have been expanded.

Sub-topics in the section	GDPR	DPD

Given in Article	4	2
New Definitions under GDPR	1. Restriction of processing 2. Profiling 3. Pseudonymisation 4. Personal data breach 5. Genetic data 6. Biometric data 7. Data concerning health 8. Main establishment 9. Representative 10. Enterprise 11. Group of undertakings 12. Binding corporate rules 13. Supervisory authority 14. Supervisory authority concerned 15. Cross border processing 16. Relevant and reasoned objection 17. Information society service 18. International organizations
2 definitions that have been expanded under GDPR	1. Personal data 2. Consent
6 Definitions which have remained same in GDPR and DPD	1. Processing of personal data 2. Personal data filing system 3. Controller 4. Processor 5. Third party recipient

4.3.1 Expanded definition of personal data

Both DPD and GDPR apply to 'personal data'. The GDPR gives an expanded definition of 'personal data'. Recital 30 gives example of an online identifier such as IP addresses.

Sub-topics in the section	GDPR	DPD

Given in Article	4(1)	2(a)
New term added in the definition	A new term " online identifier" has been added. Example of online identifier is given under Recital 30. An IP address is one such example.

4.3.2 Expanded definition of consent

Valid consent must be given by the data subject. The definition of valid consent has been added under GDPR. Recital 32 further explains that consent can be given by "means of a written statement including electronic means or an oral statement". For example, ticking a box on websites signifies acceptance of processing while "pre ticked boxes, silence or inactivity" do not constitute consent.

Sub-topics in the section	GDPR	DPD

Given in Article	4(11)	2(h)
Term added in GDPR	Consent must be unambiguous, freely given, specific and informed.	The word "unambiguous" is not contained in DPD.
Means of signifying assent to processing own data	Assent can be given by a statement or by clear affirmative action signifying assent to processing.	DPD merely mentions that freely given, specific and informed consent signifies assent.

4.4 Conditions for consent

GDPR lays down detailed provisions for valid consent. Such provisions are not given in DPD.

Sub-topics in the section	GDPR	DPD

Article	7
Obligation of controller	Must demonstrate consent has been given
Presentation of written declaration of consent	It should be in a clearly distinguishable, intelligible and easily accessible form. Language should be clear and plain.
If declaration or any part of it infringes on Regulation	Declaration will be non-binding.
Right of data subject	To withdraw consent at any time.
Right of data subject	If consent is withdrawn, it will not make processing done earlier unlawful.
For assessing whether consent is freely given	Must consider whether performance of contract or provision of service is made conditional on consent to processing of data not necessary for performance of contract.

4.5 Conditions applicable to child's consent in relation to information society services

This article prescribes an age limit for making processing lawful when information society services (direct online service) are offered directly to a child.

Sub Topics in the Section	GDPR	DPD

Given in Article	8
Conditions for valid consent in this case	If child is at least 16 years old his consent is valid. If child is below 16 years consent must be obtained from holder of parental responsibility over the child.
Age relaxation can be given when	Member States provides a law lowering the age. Age cannot be lowered below 13 years.
Controller's responsibility	Verify who has given the consent
Exceptions	This law will not affect: General contract law of member states; Effect of contract law on a child;

4.6 Processing of special categories of personal data

Like the DPD, the GDPR spells out the data that is considered sensitive and the conditions under which this data can be processed. Two new categories of special data, "genetic data" and "biometric data", have been added to the list in the GDPR.

Sub Topics in the Section	GDPR	DPD

Article	9	8
Categories of data considered sensitive	Racial or ethnic origin	Same
	Political opinions	Same
	Religious or philosophical beliefs	Same
	Trade union membership	Same
	Health or sex life or sexual orientation	Same
	Genetic data or Biometric data uniquely identifying natural person
Circumstances in which processing of personal data may take place	If there is explicit consent of data subject provided Member State laws do not prohibit such processing
	Necessary for carrying out specific rights of controller or data subject	Under DPD these rights can be for employment. The GDPR adds social security and social protection to this list. These rights are to be authorized by Member state or Union. The GDPR adds "Collective agreements" to this.
	In the vital interest of data subject who cannot give consent due to physical or legal causes.	Same
	In the vital interest of a Natural person physically or legally incapable of giving consent	Same
	For legitimate activities carried on by not-for profit-bodies for political, philosophical or trade union aims subject to certain conditions.	Same
	When personal data is made public by data subject	Same
	For establishment, exercise of defense of legal claims or for courts	Same
	For substantial public interest in accordance with Member State or Union law
	Is necessary for: Preventive or occupational medicine Assessing working capacity of employee Medical diagnosis Healthcare or social care services Contract with health professional
	Is necessary in Public interest in the area of public health
	For public interest, scientific or historical research or statistical purpose
Data for preventive or occupational medicine, medical diagnosis etc. can be processed when:	Data is processed by or under responsibility of a professional under obligation of professional secrecy as state in law	Here the processing is done by health professional under obligation of professional secrecy

4.7 Principles relating to processing of personal data

The principles set out in GDPR are similar to the ones under DPD. Some changes have been introduced. Accountability of the controller has been specifically given under GDPR.

Sub-topics in this section	GDPR	DPD

Given in Article	5	6
Lawfulness, fairness, transparency	Processing must be Lawful, fair and transparent	Does not mention transparent
Purpose limitation	Data must be specified, explicit and legitimate.	Same
Purpose limitation	Processing for achieving public interest, scientific or historical research or statistical purpose is not to be considered incompatible with initial purpose.	Same
Data minimization	Processing is adequate, relevant and limited to what is necessary	Same
Accuracy	Data is accurate, up to date, erased or rectified without delay	Same
Storage limitation	Data is to be stored in a way that data subject can be identified for no longer than is necessary for purpose of processing	Same
	Data can be stored for longer periods when it is processed solely in public interest, scientific or historical research or statistical purpose	Same However, public interest is not mentioned.
	There must be appropriate technical and organizational measures to safeguard rights and freedoms	Same Additionally, it specifically states that Member States must lay down appropriate safeguards
Integrity and confidentiality	Manner of processing must: Ensure security of personal data, Protection against unlawful processing and accidental loss, destruction or damage	Not mentioned
Accountability	Controller is responsible for and must demonstrate compliance with all of the above.	DPD states it is for the controller to ensure compliance with this Article. Unlike GDPR, DPD doesn't specifically state the responsibility of controller for demonstrating compliance.

4.8 Lawfulness of processing

The conditions for "lawfulness of processing" under DPD have been retained in the GDPR with certain modifications allowing flexibility for member states to introduce specific provisions in public interest or under a legal obligation. It should be noted that protection given to child's data and rights and freedoms of data subject should not be prejudiced. Additionally, a non-exhaustive list has been laid down in the GDPR for determining if processing is permissible in situations where the new purpose of processing is different from original purpose.

Sub Topics in the Section	GDPR	DPD

Given in Article	6	7
Processing is lawful when :	If at least one of the principles applies: Data subject has given consent to processing for specific purpose(s).	Same However it mentions "unambiguous" consent.
	Processing is necessary for performance of contract to which data subject is party or at request of data subject before entering into a contract	Same
	Processing is necessary for controller's compliance with legal obligation.	Same
	Is necessary for legitimate interests pursued by controller or by third party subject to exceptions (should not override rights and freedoms of data subject and protections given to child's data.)	Same
	It is necessary for performance of task carried out in public interest or for exercise of official authority vested in controller	Same It additionally mentions third party: "…exercise of official authority vested in controller or in a third party to whom data are disclosed"
	For protections of vital interest of data subject or another natural person	Same Does not mention natural person.
Member States may introduce specific provisions when:	When processing is necessary for compliance with a legal obligation or to protect public interest
	Basis for processing for shall be laid down by: Union law or Member State law
If processing is done for purpose other than for which data is collected and is without data subject's consent or is not collected under law:
To determine if processing for another purpose is compatible with the original purpose	Controller shall take into account following factors:
	Link between purposes for which data was collected and the other purpose
	Context in which personal data have been collected
	Nature of personal data
	Possible consequences of other purpose
	Existence of appropriate safeguards

4.9 Processing which does not require identification:

This article lays down the conditions under which the controller is exempted from gathering additional data in order to identify a data subject for the purpose of complying with this Regulation. If the controller is able to demonstrate that identification is not possible, the data subject is to be informed if possible.

Sub Topics in the Section	GDPR	DPD

Given in Article	11
Conditions under which the controller is not obliged to maintain process or acquire additional information to identify data subject	If purpose for processing doesn't not require identification of data subject by the controller
Consequence of not maintaining the data	Art 15 to 20 shall not apply provided controller is able to demonstrate its inability to identify the data subject
Exception to above consequence will apply when :	Data subject provides additional information enabling identification

4.10 Rights of the data subject

The General Data Protection Rules (GDPR) confers 8 rights upon the data subject.These rights are to be honored by the controller:-

1. Right to be informed

2. Right of access

3. Right to rectification

4. Right to erasure

5. Right to restrict processing

6. Right to data portability

7. Right to object

8. Rights in relation to automated decision making and profiling

4.10.1 Right to be informed

The controller must provide information to the data subject in cases where personal data has not been obtained from the data subject. A number of exemptions have been listed. Additionally, GDPR lays down the time period within which the information has to be provided.

Sub Topics in the Section	GDPR	DPD

Given in Article	14	10
Type of information to be provided	Identity and contact details of the controller or controller's representative	Same
	Contact details of the data protection officer
	Purpose and legal basis for processing	Purpose of processing
	Recipients or categories of recipients of personal data	Same
	Intention to transfer data to third country or international organization and Information regarding adequacy decision or suitable safeguards or Binding Corporate Rules or derogations. This includes means to obtain a copy of these as well as information on place of availability.
Additional information to be provided by controller to ensure fair and transparent processing	Storage period of personal data and criteria for determining the period
	Legitimate interests pursued by controller or third party
	Existence of data subject's rights with regard to access or rectification or erasure of personal data, automated decision making
	Where applicable, existence of right to withdraw consent
Time period within which information is to be provided	Information to be given within a reasonable period, latest within one month.
	To be provided latest at the time of first communication to data subject, if personal data are to be used for communication with data subject
	In case of intended disclosure to another recipient , at the latest when personal data are first disclosed.
	If processing is intended for a new purpose other than original purpose, information to be provided prior to processing on new purpose.
Situations in which exceptions are applicable	Data subject already has information	Same
	Provision of information involves disproportionate effort or is impossible or renders impossible or seriously impairs achievement of objective of processing. This is particularly with respect to processing for archiving purposes in public interest, scientific or historical research or statistical purpose. However controller must take measures to protect data subject's rights and freedom and legitimate interests including make information public.	Provision involves impossible or disproportionate effort, in particular where processing is for historical or scientific research. However, appropriate safeguards must be provided by Member States.
	Obtaining or disclosure is mandatory under Union or member law and it provides protection to data subject's legitimate interests	Where law expressly lays down recording or disclosure provided appropriate safeguards are provided by Member States. This is particularly applicable to processing for scientific or historical research.
	Confidentiality of data mandated by professional secrecy under Union or Member State law

4.10.2 Right to access

Both Data Protection Directive (DPD) and General Data Protection Rules (GDPR) confer right to access information regarding personal data on the data subject.

CJEU in YS V. Minister voor Immigrate Integratie en Asiel stated that it is the data subject's right "to be aware of and verify the lawfulness of the processing".

Sub-topics in the section	GDPR	DPD

Given in Article	15	12
Data subject has the right to know about:	Purpose of processing	Same
	Categories of processing the data	Same
	Recipients or categories to whom data are disclosed	Same
	Retention period of the data and criteria for this
	Existence of right to request erasure, rectification or restriction of processing
	Right to lodge complaint with supervisory authority
	Knowledge about source of data
	To know about any significant and envisaged consequences of processing for the data subject
	Existence of automated decision making and logic involved	Same
In case of data transfer to third country	Right to be informed about the safeguards
Controller's obligation	To provide a copy of data undergoing processing. Reasonable fee based on administrative costs can be charged for this.

4.10.3 Right to rectification

GDPR and DPD both give the data subject the right to rectify their personal data. Under the GDPR the data subject can complete the incomplete data by giving a supplementary statement.

Sub-topics in the section	GDPR	DPD

Given in Article	16	12(b)
Right can be exercised when:		Processing does not comply with the Directive i.e. damage is caused due to unlawful processing (Recital 55) OR
Right can be exercised when:	When data is incomplete	When data is incomplete or inaccurate
Obligations of controller	To enforce the right without undue delay
Obligation of controller to give notification when data is disclosed to third party	Given under Art 19 Request of erasure of personal data to be communicated to each recipient of such data	Given under Article 12(c) Request must be communicated to third parties
	It should not involve an impossible or disproportionate effort	Same

4.10.4 Right to erasure

This is also referred to as the "right to be forgotten". It empowers the individual to erase personal data under certain circumstances. The data subject can request the controller to remove the data for attaining this purpose.

Sub-topics in the section	GDPR	DPD

Given in Article	17	12(b)
Obligation of the controller	To erase the data without undue delay
Conditions under which the right can be exercised		When processing does not comply with the Directive i.e. damage is caused due to unlawful processing (Recital 55) OR When data is incomplete or inaccurate
	Personal data is no longer necessary for the purpose for which it was collected or processed
	Data Subject withdraws consent for processing
	Data subject objects to processing and there are no overriding legitimate grounds for processing
	Data subject objects to processing for direct marketing purpose
	Personal data has been unlawfully processed
	When personal data has to be erased under a legal obligation of Union or member State law
	When personal data has been collected in offer of information society services to a child
Condition of processing under which request to erasure shall not be granted	For exercising right of freedom of expression and information
	Processing is done under Union or Member State law in public interest or exercise of official authority vested in controller
	Done for public interest in public health
	For public interest, scientific or historical research or statistical purpose.
	For establishment, exercise or defense of legal claims.
Controller's obligations when personal data has been made public	Controller to take reasonable steps to inform controllers who are processing the data, of the request of erasure. All links, copy or replication of personal data to be erased. Technology available and cost of implementation to be taken into account.
Notification when data is disclosed to third party	Given under obligation of controller under Art 19: Request of erasure of personal data to be communicated to each recipient of such data	Given under obligation of controller under 12(c) : Request must be communicated to third parties
Notification when data is disclosed to third party	It should not involve an impossible or disproportionate effort	Same

4.10.5 Right to restrict processing

While DPD provided for "blocking", the GDPR strengthened this right by specifically conferring the " Right to Restrict Processing" upon the data subject. This Article gives data subject the right to restrict processing under certain conditions. Recital 67 explains that these methods could include steps like removing published data from website or temporarily moving the data to another processing system.

Sub-topics in the section	GDPR	DPD

Given in Article	18	12(b)
About this right	Data subject can restrict processing of data	Data subject is allowed to erase, rectify or block processing of personal data.
Conditions under which the right can be exercised	When accuracy of personal data is contested	Besides accuracy, the DPD also mentions "incomplete nature of data" as grounds for exercising this right.
	When processing is unlawful and data subject opposes erasure and requests restriction of data use
	When data is no longer needed by controller but is required by data subject for establishment, exercise or defense of legal claims.
	Data subject objects to processing and the verification by controller of compelling legitimate grounds for processing is ongoing
Consequences of this enforcement of this right	Controller can store data but not process it
	Processing can be done only with the data subject's consent; or
	Processing can be done for establishment exercise or defense of legal claims; or
	Processing can be done for protecting rights of another natural or legal person ;or
	It can be done in public interest of Union or Member State.
Obligations of controller under Art 18	The controller must inform the data subject before the restrictions are lifted.
Obligations of controller under Art 19	Inform each recipient of personal data about the restriction.
	This obligation need not be performed if it is impossible to do so or it involved disproportionate effort.
	Inform data subject about the recipients when requested by the data subject.

4.10.6 Right to data portability

This right empowers the data subject to receive personal data from one controller and transfer it to another. This gives the data subject more control over his or her own data. The controller cannot hinder this right when the following conditions are met.

Sub-topics in the section	GDPR	DPD

Given in article	20
Conditions for data transmission	The data must have been provided to the controller by data subject himself; and
	Processing is based on: Consent; or For performance of contract; and is carried out by automated means
	Data transfer must be technically feasible
Format of personal data	It should be in a: Structured Commonly-used Machine readable format
Time and cost for data transfer	Given in Art 12(3) Should be free of charge Information to be provided within one month. Further extension by two months permissible under certain circumstances.
Circumstance under which this Right cannot be exercised	When the exercise of the Right prejudices rights and freedom of another individual
	When processing is necessarily carried out in public interest
	When processing is necessarily done in exercise of official authority vested in controller
	When this Right adversely affects the "Right to be forgotten"

4.10.7 Right to Object

Both DPD and GDPR confer upon the data subject the right to object to processing on a number of grounds. The GDPR strengthens this right . Under GDPR, there is a visible shift from the data subject to the controller as far as the burden of showing " compelling legitimate grounds" is concerned. Under the DPD, when processing is undertaken in public interest or in exercise of official authority or in legitimate interests of third party or controller, the data subject not only has to show existence of compelling legitimate grounds but also that objection is justified. On the other hand, GDPR spares the data subject from this exercise and instead places the onus on the controller of demonstrating that "compelling legitimate grounds" exist such that these grounds override the interests, rights and freedom of the data subject.

GDPR also provides a new ground for objecting to processing. The data subject can object to processing when it is for scientific or historical research or statistical purpose unless such processing is necessary in public interest.

Under the GDPR the data subject must be informed of this right "clearly and separately" and "at the time of first communication with data subject" when processing is done in public interest/exercise of official authority/legitimate interest of third party or controller or for direct marketing purpose. This right can be exercised by automated means in case of information society service.

The DPD also provides that the data subject must be informed of this right if the controller anticipates processing for direct marketing or disclosure of data to third party. It specifically states that this right is to be offered "free of charge". Additionally, it places responsibility upon the Member States to ensure that data subjects are aware of this right.

Sub-topics in the section	GDPR	DPD

Given in Article	21	14
Conditions under which the right can be exercised during processing	When performance of task is carried out in public interest or in exercise of official authority vested in controller. (Art 6(1)(e)) Exception: If controller demonstrates processing is for compelling legitimate grounds which override interests of data subject For establishment, exercise or defense of legal claims.	Grounds are same but the data subject also has to show existence of compelling legitimate grounds. Processing will cease if objection is justified. Exceptions: Unless provided by national legislation the data subject can object on this ground.
	For legitimate interests of controller or third party (Art 6(1)(f)) Exception: 1. If controller demonstrates processing is for compelling legitimate grounds that override interests of data subject. 2. For establishment, exercise or defense of legal claims.	Same as above
	When data is processed for scientific/historical research/ statistical purpose under Art 89(1) Exception: If processing is necessary for public interest
	When personal data is used for marketing purpose. Can object at anytime. No exceptions	Same

4.10.8 Rights in relation to automated individual decision making including profiling

This Article empowers the data subject to challenge automated decisions under certain conditions. This is to protect individuals from decisions taken without human intervention.

Sub-topics in the section	GDPR	DPD

Given in Article	22	15
This right can be exercised when decisions are based:
	Only on automated processing Including profiling; and	Same
	Produce legal effects or have similarly significant effects on data subject	Same
Conditions under which this right will not be guaranteed
	For entering into or performance of contract;	Same
	If Member State or Union law authorizes the decision provided it lays down suitable measures for safeguarding data subject's rights, freedoms and legitimate interests; Or	Same
	When decision is based on data subject's explicit consent.
Controller's obligation	Enforce measures to safeguard rights and freedom and interests
Controller's obligation	Ensure data subject can obtain human intervention, express his point of view, challenge decisions
Automated decision making will not apply when:	"Special categories of personal data" are to be processed However, if the data subject gives his explicit consent or such processing serves substantial public interest then the restriction can be waived.
Automated decision making will not apply when:	Concerns a child

4.11 Security and Accountability

4.11.1 Data protection by design and default

This is another new concept under GDPR. It is a general obligation on the controller to incorporate effective data protection in internal policies and implementation measures. Measures include: minimization of processing, pseudonymisation, transparency while processing, allowing data subjects to monitor data processing etc. The implementation of organizational and technical measures is essential to demonstrate compliance with Regulation.

Sub-topics in the section	GDPR	DPD

Article	25
Responsibility of controller when determining means of processing and at the time of processing	Implementation of appropriate technical and organizational measures for data protection
	Ensure that by default only personal data necessary for purpose of processing is processed
Means of demonstrating compliance with this Article	Approved certification mechanism may be used. Data minimization Transparency etc.

4.11.2 Security of personal data

Security of processing is mentioned in the GDPR under Article 32. The controller and processor must implement technical and organizational measures to ensure data security. These may include pseudonymisation, encryption, ensuring confidentiality, restoring availability and access to personal data, regularly testing etc. Compliance with the code may be demonstrated by adherence to Code of conduct and certification mechanism. Further, all processing which is done by a natural person acting under authority of controller or processor can be done only under instructions from the controller.

4.11.3 Notification of personal data breach

This Article provides the procedure for communicating the personal data breach to supervisory authority. If the breach is not likely to result in risk to rights and freedoms of natural persons, then the controller is not required to notify the supervisory authority.

Sub-topics in the section	GDPR	DPD

Given in Article	33
Responsibility of controller	Report personal data breach to supervisory authority after being aware of it
Time limit for reporting data breach	Must be reported no later than 72 hours
In case of delay in reporting	Reasons to be stated
Responsibility of processor	Notify the controller after being aware of breach
Description of notification	Describe nature of personal data
	Name contact details of data protection officer
	Likely consequences of personal data breach
	Measures to be taken or proposed to be taken by controller to address the breach or mitigate its possible effect
When information cannot be provided at same time	Provide it in phases without further undue delay
For verification of compliance	Controller has to document any personal data breach. It must contain Facts , effects and remedial action taken

4.11.4 Communication of personal data breach to the data subject

Not only is the supervisory authority to be notified, but data subjects are also to be informed about personal data breaches without undue delay under certain conditions.

Sub-topics in the section	GDPR	DPD

Given in Article	34
Conditions under which controller is to communicate the breach to data subject	When breach is likely to cause high risk to rights and freedoms of natural persons
Nature of communication	Must be in a clear and plain language. Must describe the nature of breach. Must Contain at least: Name contact details of data protection officer Likely consequences of personal data breach Measures to be taken or proposed to be taken by controller to address the breach or mitigate its possible effect
Condition under which communication will not be required	If controller has implemented appropriate technical and organizational measures and these were applied to the affected data. E.g.: encryption
	Subsequent measures have been taken by controller to ensure there is no high risk
	If communication involves disproportionate effort. Public communication or similar measures can be undertaken under such circumstances.
Role of supervisory authority	In case of likelihood of high risk, the authority may require the controller to communicate the breach if the controller has not already done so.

4.11.5 Data protection impact assessment

This is also known as Privacy Impact Assessment. While DPD provides general obligation to notify the processing to supervisory authorities, the GDPR, taking into account the need for more protection of personal data, has replaced the notification process by different set of mechanisms.

To serve the above purpose, the data protection impact assessment (DPIA) has been provided under this Article.

Sub-topics in the section	GDPR	DPD

Given in Article	35
When to carry out assessment	When new technology is used; and Processing is likely to result in high risk to rights and freedoms of natural persons
	Automated processing including profiling involving systematic and extensive evaluation of personal aspects of natural persons; and When decisions based on such processing produce legal effects
	Large scale processing of special categories of data or personal data relating to criminal convictions and offences
	Large scale systematic monitoring of publicly accessible area
Type of information contained in assessment	Description of processing operations and purpose
	Assessment of necessity and proportionality of processing operations
	Assessment of risks to individuals
	Measures to address risks and demonstration of compliance with Regulation
Sub-topics in the section	GDPR	DPD

Topic	Prior Consultation
Given in Article	36
When should controller consult supervisory authority	Prior to processing; and DPIA indicates high risk; and In absence of risk mitigation measures by controller

Data protection officer

GDPR mandates that a person with expert knowledge of data protection law and practice is appointed for helping the controller or processor to comply with the data protections laws. A single data protection officer (DPO) may be appointed by a group of undertakings or where controller or processor is a public authority or body.The DPO must be accessible from each establishment.

Sub Topics in the Section	GDPR	DPD

Article	37
Situations in which DPO must be appointed	When processing is carried out by public authority or body. Note: Courts acting in judicial capacity are excluded.
	Core activity involves processing which requires regular and systematic monitoring of data subjects on large scale; or
	Core activity involves processing of large scale special categories of data and criminal convictions and offences

Position of Data Protection Officer

The DPO must directly report to the highest management level of the controller or processor. Data subjects may contact the DPO in case of problems related to processing and exercise of rights.

Sub Topics in the Section	GDPR	DPD

Article	38
Responsibility of controller and processor	Ensure DPO is involved properly and in timely manner
	Provide DPO with support, resources and access to personal data and processing operations
	Not dismiss or penalize DPO for performing his task.
	Ensure independence of working and not give instruction to DPO

Tasks of Data Protection officer

The DPO must be involved in all matters concerning data protection. He is expected to act independently and advice the controllers and processors to facilitate the establishment's compliance with Regulations.


Sub Topics in the Section	GDPR	DPD

Article	39
Tasks	Inform and advise the controller or processor and employees over data protection laws
	Monitor compliance with data protection laws. Includes assigning responsibilities, awareness- raising, staff training and audits
	Advice and monitor performance
	Cooperate with supervisory authority
	Act as point of contact for supervisory authority for processing, prior consultation and consultation on other matter

4.11.6 European Data Protection Board

For consistent application of the Regulation, the GDPR envisages a Board that would replace the Working Party on Protection of Individuals With Regard to Processing of Personal Data established under the DPD. This Regulation confers legal personality on the Board.

Sub Topics in the Section	GDPR	DPD

Article	68
Represented by	Chair
Composition of the Board	Head of one supervisory authority of each Member State and European Data Protection Supervisor or of their representatives. Joint representative can be appointed where Member State has more than one supervisory authority.
Role of Commission	Right to participate in activities and meetings of the Board without voting rights. Commission to designate a representative for this.
Functions of the Board	Consistent application of Regulation
	Advise Commission of level of protection in third countries or international organizations
	Promote cooperation of supervisory authorities
	Board is to act independently

4.11.7 Supervisory Authority

GDPR lays down detailed provisions on supervisory authorities, defining their functions, independence, appointment of members, establishment rules, competence, competence of lead supervisory authority, tasks, powers and activity reports. Such elaborate provisions are absent in DPD.

Sub-topics in this section	GDPR	DPD

Given in Article	Chapter VI, Article 51 -59	28

4.12 Processor

The Article spells out the obligations of a processor and conditions under which other processors can be involved.

Sub Topics in the Section	GDPR	DPD

Article	28
What kind of processors can be used by controller	● Those which provide sufficient guarantees to implement appropriate technical and organizational measures ● Those which comply with Regulation and Rights
Obligations of processor in case of addition or replacement of processor	● Not engage another processor without controller's authorization ● In case of general written authorization inform the controller
Processing shall be governed by	Contract or legal act under Union or Member State law.
Elements of Contract	● Is binding on processor ● Sets out subject matter and duration of processing ● Nature of processing ● Type of personal data ● Categories of data subjects ● Obligations and Rights of the controller
Obligations of processor under contract or legal act	Processor shall process under instructions from controller unless permitted under law itself. Controller is to be informed in the latter case.
	Ensures that persons authorized to process have committed themselves to confidentiality
	Processor to undertake all data security measures (mentioned under Art 32)
	Enforces conditions on engaging another processor
	Assists the controller by appropriate technical and organizational measures
	Assists controller in compliance with Art 32 to 36
	Delete or return all personal data to controller at the choice of controller at the end of processing
	Make information available to controller for demonstrating compliance with obligations. Contribute to audits, inspections etc. Inform the controller if it believes that an instruction infringes the regulation or law.
Conditions under which a processor can engage another processor	● Same data protection obligations will be applicable to other processor. ● If other processor fails to fulfill data protection obligations, initial processor shall remain fully liable to controller for such performance.

4.13 Records of processing activities

The controller or processor must maintain records of processing activities to demonstrate compliance with the Regulation. They are obliged to cooperate with and make record available to the supervisory authority upon request. DPD does not contain similar obligations.

Sub Topics in the Section	GDPR	DPD

Article	30
Obligation of controller or controller's representative	Maintain a record of processing activities
Information to be contained in the record	Name and contact details of: ● Controller /joint controller / controller's representatives ● Data protection officer
	Purpose of processing
	Categories of data subjects and categories of personal data
	Categories of recipients to whom data has been or will be disclosed
	Transfers of personal data to third party, identification of third party, documentation of suitable safeguards
	Expected time duration for erasure of different categories of data
	Technical and organizational security measures
Obligation of processor	Maintain a record of processing activities carried out on behalf of controller
Record maintained by processor shall contain information such as:	Name and contact details of: ● Processor /processor's representative ● Controller /controller's representative ● Data protection officer
	Categories of processing
	Data transfer to third party Identification of third party Documentation of safeguards
	Technical and organizational security measures
Form in which record is to be maintained	In writing and electronic form
Conditions under which exemption will apply	● Organizations employing fewer than 250 employees are exempted; ● Processing should not cause risk to rights and freedoms of data subjects ● Processing should not be occasional ● Processing should not include special categories of data

4.14 Code of Conduct

These mechanisms have been provided under GDPR to demonstrate compliance with the Regulation. This is important as the GDPR ( under Art 83 ) provides that adherence to code of conduct shall be one of the factors taken into account for calculating administrative fines. This is not an obligatory provision.

Sub Topics in the Section	GDPR	DPD

Article	40	27
Who will encourage drawing up of code of conduct	● Member States ● Supervisory Authorities ● Commission. Specific needs of micro, small and medium enterprises to be taken into account.	● Member States ● Commissions Does not mention the rest
Who may prepare amend or extend code of conduct	Associations and other bodies representing categories of controller or processors
Information contained in the code	Fair and transparent processing
	Legitimate interests of controller
	Collection of personal data
	Pseudonymisation
	Information to public and data subjects
	Exercise of rights of data subject
	Information provided to and protection of children and manner in which consent of holders of parental responsibility is obtained
	Measures under: ● Data protection by design and default ● Controller responsibilities ● Security of processing
	Notification of data breach to authorities and communication of same to data subjects
	Data transfer to third party
	Dispute resolution procedures between controllers and data subjects
	Mechanisms for mandatory monitoring
Mandatory monitoring	Code of conduct containing the above information enables mandatory monitoring of compliance by body accredited by supervisory authority. (Art 41)

4.15 Certification

Like the code of conduct, Certification is a voluntary mechanism that demonstrates compliance with the Regulation. Establishment of data protection certification mechanism and data protection seals and marks shall be encouraged by Member States, supervisory authorities, Boards and Commission. As in case of code of conduct, specific needs of micro, small and medium sized enterprise ought to be taken into account. DPD does not mention such mechanisms.

Sub Topics in the Section	GDPR	DPD

Article	42
Who will issue the certificate	Certification bodies or competent supervisory authority on basis of approved criteria.
Time period during which certification shall be issued	Maximum period of three years. Can be renewed under same conditions.
Who accredits certification bodies	Competent Supervisory bodies or National accreditation body.
When can accreditation be revoked	When conditions of accreditation are not or no longer met. OR Where actions taken by certification body infringe this Regulation.
Who can revoke	Competent supervisory authority or national accreditation body

4.16 Data Transfer

4.16.1 Transfers of personal data to third countries or international organizations

Chapter V lays down the conditions with which the data controller must comply in order to transfer data for the purpose of processing outside of the EU to third countries or international organizations. The chapter also stipulates conditions that must be complied with for onward transfers from the third country or international organization.

4.16.2 Transfer on the basis of an adequacy decision

Under GDPR, transfer of data can take place after the Commission decides whether the third country, territory, specified sector within that third country or international organization ensures adequate level of data protection. This is called adequacy decision. A list of countries or international organizations which ensure adequate data protection shall be published in the Official Journal of the European Union and on the website by the Commission. Once data transfer conditions are found to be compliant with the Regulation, no specific authorization would be required for data transfer from the supervisory authorities. The commission would decide this by means of an "Implementing Act" specifying a mechanism for periodic review, its territorial and sectoral application and identification of supervisory authorities. Decisions of Commission taken under Art 25(6) of DPD shall remain in force. DPD also provides parameters for the same.

Sub-topics in this section	GDPR	DPD

Given in article	45	25
Conditions apply when transfers take place to	Third country or international organization	International organization not mentioned.
Functions of the commission	Take adequacy decisions	Same
	Review the decision periodically every four years
	Monitor developments on ongoing basis
	Repeal, amend or suspend decision
		Inform Member States if third country doesn't ensure adequate level of protection. Similarly, member state has to inform the Commission.
Functions of Member State		Inform Commission if third country doesn't ensure adequate level of protection.
		Take measures to comply with Commission's decisions
		Prevent data transfer if Commission finds absence of adequate level of protection.
Factors, with respect to third country or international organization, to be considered while deciding adequacy of safeguards	Rule of law, human rights, fundamental freedoms, access of public authorities to personal data, data protection rules, rules for onward transfer of personal data to third country or international organization etc.	Circumstances surrounding data transfer operations: nature of data; purpose and duration of processing operation; rule of law, professional rules and security measures in third country; country of origin and final destination; professional rules and security measures;
	Functioning of independent supervisory authorities, their powers of enforcing compliance with data protection rules and powers to assist and advise data subject to exercise their rights.
	International commitments entered into. Obligations under legally binding conventions.	Same
When adequate level of protection no longer ensues	The Commission, to the extent necessary: repeal, amend or suspend the decision. This is to be done by the means of an implementing act. No retroactive effect to take place	The member state will have to suspend data transfer if Commission finds absence of adequate level of protection.
When adequate level of protection no longer ensues	Commission to enter into consultation with the third country or international organization to remedy the situation	Same

4.16.3 Transfers subject to appropriate safeguards

This article provides for a situation when the Commission takes no decision. (Mentioned above under Transfer on the basis of an adequacy decision). In this case, the controller or processor can transfer data to third country or international organization subject to certain conditions. Specific authorization from supervisory authorities is not required in this context. Procedure for the same has been mentioned.

Sub-topics in this section	GDPR	DPD

Given in article	46
When can data transfer take place	When appropriate safeguards are provided by the controller or processor; AND On condition that data subject enjoys enforceable rights and effective legal remedies for data safety.
Conditions to be fulfilled for providing appropriate safeguards without specific authorization from supervisory authority	Existence of legally binding and enforceable instrument between public bodies or authorities
	Existence of Binding Corporate Rules
	Adoption of Standard Protection Clauses adopted by the Commission
	Adoption of Standard data protection clauses by supervisory authorities and approved by Commission.
	Approved code of conduct along with binding and enforceable commitments of controller or processor in third country to apply appropriate safeguards and data subject's rights OR Approved certification mechanism along with binding and enforceable commitments of controller or processor in third country to apply appropriate safeguards and data subject's rights.
Conditions to be fulfilled for providing appropriate safeguards subject to authorization from competent authority	Existence of contractual clauses between: Controller or Processor and Controller, Processor or recipient of personal data (third party)
	Provisions inserted in administrative arrangements between public authorities or bodies. Provisions to contain enforceable and effective data subject rights.
	Consistency mechanism to be applied by supervisory authority
Unless amended, replaced or repealed, authorization to transfer given under DPD will remain valid when:	Third country doesn't ensure adequate level of protection but controller adduces adequate safeguards; or Commission decides that standard contractual clauses offer sufficient safeguards

4.16.4 Binding Corporate Rules

These are agreements that govern transfers between organizations within a corporate group

Sub-topics in this section	GDPR	DPD

Given in Article	47
Elements of Binding Corporate Rules	Legally binding
	Apply to and are enforced by every member of group of undertakings or group of enterprises engaged in joint economic activity. Includes employees
	Expressly confer enforceable rights on data subject over processing of personal data
What do they specify	Structure and contact details of group of undertakings
	Data transfers or set of transfers including categories of personal data , type of processing, type of data subjects affected, identification of third countries
	Legally binding nature
	Application of general data protection principles
	Rights of data subjects Means to exercise those right
	How the information on BCR is provided to data subjects
	Tasks of data protection officer etc.
	Complaint procedure
	Mechanisms within the group of undertakings, group of enterprises for ensuring verification of compliance with BCR. Eg. Data protection audits Results of verification to be available to person in charge of monitoring compliance with BCR and to board of undertaking or Group of enterprises. Should be available upon request to competent supervisory authority
	Mechanism for reporting and recording changes to rules and reporting changes to supervisory authority
	Cooperation mechanism with supervisory authority
	Data protection training to personnel having access to personal data
Role of Commission	May specify format and procedures for exchange of information between controllers, processors and supervisory authorities for BCR

4.16.5 Transfers or disclosures not authorized by Union law

This Article lays down enforceability of decisions given by judicial and administrative authorities in third countries with regard to transfer or disclosure of personal data.

Sub-topics in this section	GDPR	DPD

Given in Article	48
Article concerns	Transfer of personal data under judgments of courts, tribunals, decision of administrative authorities in third countries.
When can data be transferred or disclosed	International agreement between requesting third country and member state or union. E.g.: mutual legal assistance treaty

4.16.6 Derogations for specific situations

This Article comes into play in the absence of adequacy decision or appropriate safeguards or of binding corporate rules. Conditions for data transfer to a third country or international organization under such situations have been laid down.

Sub-topics in this section	GDPR	DPD

Given in Article	49	26
Conditions under which data transfer can take place	On obtaining Explicit consent of data subject after being informed of possible risks	On obtaining unambiguous consent of data subject to the proposed transfer
	Transfer is necessary for conclusion or performance of contract. The contract should be in the interest of data subject. The contract is between the controller and another natural or legal person.	Contractual conditions are same. DPD also includes implementation of pre contractual measures taken upon data subject's request.
	Transfer is necessary in public interest	Same
	Is necessary for establishment, exercise or defense of legal claims	Same
	To protect vital interest of data subject or of other persons where data subject is physically or legally incapable of giving consent	Includes vital interest of data subject but doesn't include "other person". Condition for consent is also not included.
	Transfer made from register under Union or Member State law to provide information to public and is open to consultation by public or person demonstrating legitimate interest.	Same
Conditions for transfer when even the above specific situations are not applicable	Transfer is not repetitive
	Concerns limited number of data subjects
	Necessary for compelling legitimate interests pursued by controller
	Legitimate interests are not overridden by interests or rights and freedoms of data subject
	Controller has provided suitable safeguards after assessing all circumstances surrounding data transfer
	Controller to inform supervisory authority about the transfer
	Controller to inform data subject of transfer and compelling legitimate interests pursued
		Member may authorize transfer personal data to third country where controller adduces adequate safeguards for protection of privacy and fundamental rights and freedoms of individuals

4.17 International cooperation for protection of personal data

This Article lays down certain steps to be taken by Commissions and supervisory authorities for protection of personal data.

Sub-topics in this section	GDPR	DPD

Given in Article	50
Steps will include	Development of international cooperation mechanisms to facilitate enforcement of legislation for protection of personal data
	Provide international mutual assistance in enforcement of legislation for protection of personal data
	Engage relevant stakeholders for furthering international cooperation
	Promote exchange and documentation of personal data protection legislation and practice

4.18 Remedies, Liability and Compensation

4.18.1 Right to lodge complaint with a supervisory authority

This article gives the data subject the right to seek remedy against unlawful processing of data. GDPR strengthens this right as compared to the one provided under DPD.

Sub-topics in this section	GDPR	DPD

Given in Article	77	28(4)
Right given	Right to lodge complaint	Under GDPR the data subject has been conferred the "right" specifically. This is not so in DPD. DPD merely obliges the supervisory authority to hear claims concerning rights and freedoms.
Who can lodge complaint	Data subject	Any person or association representing that person
Complaint to be lodged before	Supervisory authority in the Member State of habitual residence, place of work or place of infringement	Supervisory authority
When can the complaint be lodged	When processing of personal data relating to data subject allegedly infringes on Regulation	When rights and freedom are to be protected while processing. When national legislative measures to restrict scope of Regulations is adopted and processing is alleged to be unlawful.
Accountability	Complainant to be informed by Supervisory authority on progress and outcome of complaint and judicial remedy to be taken up	Complainant to be informed on outcome of claim or if check on unlawfulness has taken place

4.18.2 Right to an effective judicial remedy against supervisory authority

The concerned Article seeks to make supervisory authorities accountable by bringing proceedings against the authority before the courts. GDPR gives a specific right to the individual. DPD under Article 28(3) merely provides for appeal against decisions of supervisory authority in the courts.

Sub-topics in this section	GDPR	DPD

Given in Article	78 (1)
Who has the right	Every natural or legal person
When can the right be exercised	Against legally binding decision of supervisory authorities concerning the complainant

Sub-topics in this section	GDPR	DPD

Given in Article	78(2)
Who has the right	Data subject
When can the right be exercised	When the competent supervisory authority doesn't handle the complaint Or Doesn't inform data subject about progress / outcome of complaint within 3 months

The jurisdiction of court will extend to the territory of the Member State in which the supervisory authority is established (GDPR Art 78(3)). The supervisory authority is required to forward proceedings to the court if the decision was preceded by the Board's decision in the consistency mechanism. (GDPR 78(4))

4.18.3 Right to effective judicial remedy against a controller or processor

The data subject has been conferred with the right to approach the courts under certain circumstance. The GDPR confers the specific right while DPD provides for judicial remedy without using the word "right".

Sub-topics in this section	GDPR	DPD

Given in	Art 79	Recital 55
Right can be exercised when:	1. Data has been processed; and 2. Processing Results in infringement of rights; and 3. Infringement is due to non compliance of Regulation	Similar provisions provided under DPD: When controller fails to respect the rights of data subjects and national legislation provides a judicial remedy. Processors are not mentioned.
Jurisdiction of the courts	Proceedings can be brought before the courts of Member States wherein: 1. Controller or processor has an establishment Or 2. Data Subject has habitual residence
Right cannot be exercised when	1. The controller or processor is a public authority of Member State And 2. Is exercising its public powers

4.18.4 Right to compensation and liability

GDPR enables a person who has suffered damages to claim compensation as a specific right. DPD merely entitles the person to receive compensation. Although Liability provisions under GDPR and DPD are similar, the liability under GDPR is stricter as compared to DPD. This is because DPD exempts the processor from liability but GDPR does not. For example, DPD imposes liability on controllers only.

Sub-topics in this section	GDPR	DPD

Given in Article	82	23
Who can claim compensation	Any person who has suffered material or non material damage	Similar provisions. But DPD doesn't mention "material or non-material damage" specifically.
Right arises due to	Infringement of Regulation	Same
Right granted	Right to receive compensation	Same
Compensation has to be given by	Controller or processor	Compensation can be claimed only from controller
Liability of controller arises when	Damage is caused by processing due to infringement of regulation	Same
Liability of processor arises when	1. Processor has not complied with directions given to it under Regulation OR 2. Processor has acted outside or contrary to lawful instructions of controller
Exemptions to controller or processor from liability	If there is proof that they are not responsible	Exemption for controller is same
Liability when more than one controller or processor cause damage	Each controller or processor to be held liable for entire damage

4.19 General conditions for imposing administrative fines

GDPR makes provision for imposition of administrative fines by supervisory authorities in case of infringement of Regulation. Such fines should be effective, proportionate and dissuasive. In case of minor infringement, "reprimand may be issued instead of a fine" ^{^[1]}. Means of enforcing accountability of supervisory authority have been provided. If Member state law does not provide for administrative fines, then the fine can be initiated by the supervisory authority and imposed by courts. However, by 25 May 2018, Member States have to adopt laws that comply with this Article.

Sub-topics in this section	GDPR	DPD

Given in Article	83
Who can impose fines	Supervisory Authority
Fines to be issued against	Controllers or Processors
Parameters to be taken into account while determining administrative fines	Nature, gravity and duration of infringement and Nature scope or purpose of processing and Number of data subjects affected and Level of damage suffered
	Intentional or negligent character of infringement
	Action taken by controller or processor to mitigate damage suffered by data subjects
	Degree of responsibility of con controller or processor. Technical and organizational measures implemented to be taken into account.
	Relevant previous infringement
	Degree of cooperation with supervisory authority
	Categories of personal data affected
	Manner in which supervisory authorities came to know of the infringement and Extent to which the controller or processor notified the infringement
	Whether corrective orders of supervisory authority under Art 58(2) have been issue before and complied with
	Adherence to approved code of conduct under Art 40 or approved certification mechanisms under Art 42
	Other aggravating or mitigating factors like financial benefits gained losses avoided etc.
If infringement is intentional or due to negligence of processor or controller	Total amount of administrative fine to not exceed amount specified for gravest infringement
Means checking power of supervisory authority to impose fines	Procedural safeguards under Member State or Union law. Including judicial remedy and due process

Article 83 splits the amount of administrative fines according to obligations infringed by controllers, processors or undertakings. The first set of infringements may lead to imposition of fines up to 10,000,000 EUR or 2% of total worldwide turnover.

Sub-topics in this section	GDPR	DPD

Article	83(4)
Fine imposed	Up to 10,000,000 EUR or in case of undertaking, 2% of total worldwide turnover of preceding financial year, whichever is higher
Infringement of these provisions will cause imposition of fine (Provisions infringed)	Obligations of controller and processor under:
	Art 8 Conditions applicable to child's consent in relation to information society services
	Art 11 Processing which does not require identification
	Art 25 to 39 General obligations , Security of personal data , Data Protection impact assessment and prior consultation
	Art 42 Certification
	Art 43 Certification bodies
	Obligations of certification body under: Art 42 Art 43
	Obligations of monitoring body under: Art 41(4)

Second set of infringements may cause the authority to impose higher fines up to 20,000,000 EUR or 4% of total worldwide turnover.

Sub-topics in this section	GDPR	DPD

Article	83(5)
Fine imposed	Up to 20,000,000 EUR or in case of undertaking, 4% of total worldwide turnover of preceding financial year, whichever is higher
Infringement of provisions that will cause imposition of fine (Provisions infringed)	Basic principles for processing and conditions for consent under:
	Art 5 Principles relating to processing of personal data
	Art 6 Lawfulness of processing
	Art 7 Conditions for consent
	Art 9 Processing of special categories of personal data
	Data subject's rights under: Art 12 to 22
	Transfer of personal data to third country or international organization under: Art 44 to 49
	Obligations under Member State law adopted under Chapter IX
	Non Compliance with supervisory authority's powers under provisions of Art 58:
	Imposition of temporary or definitive limitation including ban on processing (Art 58 (2)(f))
	Suspension of data flows to third countries or international organization (Art 58(2) (j))
	Provide access to premises or data processing equipment and means (Art 58 (1) (f))

4.20 Penalties

Article 84 makes provision for penalties in case of infringement of Regulation.

The penalties must be effective, proportionate and dissuasive.

Sub-topics in this section	GDPR	DPD

Given in Article	84
When will penalty be imposed	In case of infringements that are not subject to administrative fines
Who imposes them	Member State
Responsibility of Member State	To lay down the law and ensure implementation. To notify to the Commission, the law adopted, by 25 May 2018

^{^[1]} Recital 148 , GDPR

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive

Comments on the Report of the Committee on Digital Payments (December 2016)

Sumandro Chattapadhyay and Amber Sinha — 2017-01-12T12:32:22Z

The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.

1. Preliminary

1.1. This submission presents comments by the Centre for Internet and Society (“CIS”) [1] in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) [2].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.

2.2. CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.

3. Comments

3.1. CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 Rs. 1,000 notes), declared on November 08, 2016 [3], have generated unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to its extreme use due to the circumstances. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider opening up this data for analysis and discussion by public at large and experts in particular, before any specific policy and regulatory decisions are taken towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.

3.2. While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. CIS strongly warns that the existing data protection and security regulations under Information Technology (Reasonable security practices and procedures and sensitive personal data or information), Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services. Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.

3.3. The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. We submit that a decision regarding transformation of such scale and implications is taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.

3.4. The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both are primarily technology businesses where information technology particularly is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as, pre-paid instruments) offering return on deposited money via other means (such as, cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice.

3.5. The report highlights two major shortcomings of the current regulatory regime for payments. Firstly “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates conflict of interest for the regulator otherwise. Secondly, the report mentions that Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of how this function of course needs discussion and changes with the growth in digital payments.

3.6. The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.

3.7. CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” We second this recommendation and would like to add further that financial transaction data is governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities.

3.8. We are, however, very discouraged to see the overtly incorrect use of the word “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity [4]. This is not an uncommon anti-competitive measure adopted by various platform players and services providers so as to disallow users from using competing products (such as, not allowing competing apps in the app store controlled by one software company). The term “Open Access” is not only the appropriate word to describe the negation of such anti-competitive behaviour, its usage in this context undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report. The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.

3.9. A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic.

3.10. The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). Not only these measures would imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment. A mandate for replacement of the paper-based central KYC agencies will only remove a much needed redundancy in the the identity verification infrastructure of the government.

3.11. The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification process for a natural person, apart from DNA testing perhaps. Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud.

3.12. In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats.

3.13. The report suggest the establishment of “a ranking and reward framework” to recognise and encourage for the best performing state/district/agency in the proliferation of digital payments. It appears to us that creation of such a framework will only lead to making of an environment of competition among these entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state government and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.

3.14. CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities.

3.15. The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.

3.16. As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://finmin.nic.in/reports/Note-watal-report.pdf and http://finmin.nic.in/reports/watal_report271216.pdf.

[3] See: http://finmin.nic.in/cancellation_high_denomination_notes.pdf.

[4] Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: http://www.budapestopenaccessinitiative.org/read.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016

Developer team fixed vulnerabilities in Honorable PM's app and API

pranesh — 2016-12-04T19:08:56Z

The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.

This blog post has been authored by Bhavyanshu Parasher. The original post can be read here.

What were the issues?

The main issue was how the app was communicating with the API served by narendramodi.in.

I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.
There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.
The API was still being served over HTTP instead of HTTPS.

Fixed

The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.
A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.
Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.

Detailed Vulnerability Disclosure

Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app, I would suggest you to change your password immediately. Can’t leave out a possibility of it being compromised.

Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.

The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).

Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,

They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.

Disclosure to officials

The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.

Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM

After about 30 hours of reporting the vulnerabillity

Proposed Solution

Consulted @pranesh_prakash as well regarding the issue.

After this, I mailed them a solution regarding the issues.

Discussion with developer

Received phone call from a developer. Discussed possible solutions to fix it.

The solution that I proposed could not be implemented since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that people don’t upgrade to latest versions leaving themselves vulnerable to security flaws. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.

On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. I can now confirm they have fixed all three issues.

Update 12/02/2016

This vulnerability in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.

Privacy after Big Data: Compilation of Early Research

Saumyaa Naidu — 2016-11-12T01:37:03Z

Download the Compilation (PDF)

Privacy after Big Data

Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.

These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques run contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.

These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.

Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy.

Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.

In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits of harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.

Elonnai Hickok
Director - Internet Governance

For more details visit https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research

Trans Pacific Partnership and Digital 2 Dozen: Implications for Data Protection and Digital Privacy

Shubhangi Heda — 2016-07-12T07:56:24Z

In this essay, Shubhangi Heda explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between United States of America and eleven countries located around the pacific ocean region, across South America, Australia, and Asia. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of digital economy, and sets up the relevant goals for the member nations.

1. Introduction

2. Analysis of TPP and D2D

2.1. Trans Pacific Partnership (TPP)

2.2. Digital 2 Dozen (D2D)

3. Major Criticisms of the Digital Agenda of TPP

3.1. Data Protection

3.2. Digital Privacy

4. Implications of TPP for RCEP

5. Implications of TPP in the Context of EU Safe Harbour Judgement

6. Implications of TPP for India after US-India Cyber Relationship Agreement

7. Conclusion

8. Endnotes

9. Author Profile

1. Introduction

This essay explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between United States of America and eleven countries located around the pacific ocean region, across South America, Australia, and Asia [1]. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of digital economy, and sets up the relevant goals for the member nations. TPP requires the member countries to facilitate unhindered digital data flow across nations, for commercial and governmental purposes, which evidently have major implications for national and regional data protection and privacy regimes. These implications must also be seen in the context the recent judgement by the EU Court of Justice against the validity of the EU-USA data transfer agreement of 2000. Further, the essay discusses the potential impacts that TPP/D2D might have on India, in the context of the ongoing USA-India Cyber Relationship dialogue. If the privacy concerns are not raised right now TPP might act as a model framework for future FTAs which will fail to encompass proper data protection and digital privacy regime within it.

2. Analysis of TPP and D2D

2.1. Trans Pacific Partnership (TPP)

Trans Pacific Partnership (TPP) is a large multi-partner free trade agreement amongst twelve Asia-Pacific countries, which is closely led by geo-political and economic strategies of the USA. Countries started the negotiation of TPP in 2008 when USA joined Pacific Four (P-4) negotiations and in 2015 negotiations of TPP was concluded and text was released. Ministers from the member countries signed the agreement on February 4, 2016 [2]. The main aim of TPP is to liberalise trade and investment beyond what is provided for within the WTO. It is also considered to be a strategic move by the US to counter the trade linkages that are being established in the Asian region. TPP largely covers topics of market access, and rules on various related issues such as intellectual property rights, labour laws, and environment standards [3].

Between 1992 -2012 there has been an upsurge in bilateral trade agreements being signed in Asia from 25 to 103 and the effect of these FTAs is called the ‘noodle bowl effect’. TPP is seen as framework which will replace these FTAs which are causing the ‘noodle bowl effect’.While these FTAs are being replaced but with TPP being signed there are various bilateral arrangements signed along with TPP. USA has also stated that TPP will not affect the already existing NAFTA [4]. While TPP is being concluded there is another free trade agreement being negotiated between USA and EU , which is Trans Trade and Investment Partnership (TTIP). Both TPP and TTIP and are considered to be serving similar objective which is to deal with new and modern trade issues. Also both the agreements are US led and since negotiation for TPP are now finalised it may have a significant impact on TTIP [5].

TPP is one of the first document which deals specifically with digital economy and applies across borders. The main aims of TPP are to promote free flow of data across borders without data localisation. It aims to remove national clouts and regional internets. It also includes provisions to combat theft of trade secrets. It allows you to create transparent regulatory process with inputs from various stakeholders. It also aims to provide access to tools and procedures for conduct of e-commerce [6].

Some of the major criticism to TPP were regarding the issues related to [7]:

environment, wherein it does not address the issue of climate change and the language used in the agreement is very weak;
labour rights provision mandates parties to adhere to the ILO provision but it does not seem to provide for effective framework and might not bring the desired change;
investment chapter is seen to be controversial because of the investor state dispute settlement clause which will allow foreign investor to sue government over policies that might cause harm to them;
e-commerce and telecommunication chapter raises major privacy concerns;
intellectual property chapter wherein it includes controversial rules regarding pharmaceutical companies and data exclusivity apart from the privacy concerns.

2.2 Digital 2 Dozen (D2D)

D2D is set of rules and aims which is specifically drafted to be followed for the trade agreements related to open internet and digital economy. More specific aims of TPP as provided within the ‘Digital 2 Dozen,’ aiming for more liberalised trade in digital goods and services, are [8]:

promoting free and open internet,
prohibiting digital custom duties,
securing basic non-discrimination principles,
enabling cross-border data flows,
preventing localization barriers,
barring forced technology transfers,
advancing innovative authentication methods,
delivering enforceable consumer protections,
safeguarding network competition,
fostering innovative encryption products, and
building an adaptable framework.

Strategic goal of the US in introducing D2D as goals of TPP has been to set up a trend within Asian region for all the trade agreements. It is expected to ensure that if TPP is a success, similar goals and policy frameworks will be followed for other trade agreements as we. For example, the USA-India partnership also enshrines similar aims and so does the USA-Korea partnership. Hence while India is not part of TPP, USA is nonetheless trying to get India into a partnership which is similar to the TPP. The language proposed by the USA in TPP negotiations has always been supportive for cross border data flows as it claims that companies have mechanism to keep a privacy check and privacy would not be undermined, but countries like New Zealand and Australia which have strong privacy protection laws nationally have raised concerns which will be discussed in further sections [9]. Also not only in privacy rights but Digital Dozen initiative also affects other digital rights related to - excessive copyright terms TPP proposed to extend the term of copyright to hundred years which deprive access to knowledge; as in the U.S motive to give more power to private entities , the ISP obligations enumerated within TPP which puts freedom of expression and privacy at risk as ISPs are allowed to check for copyright infringement and TPP does not put any privacy restriction in this regard; introduction of new fair use rules; ban on circumvention of digital locks or DRMs; no compulsory limitation for persons with disabilities; lack of fair use for journalistic right; while net neutrality is major issue is many developing nations in Asia no effective provision for net neutrality is aimed at in the D2D initiative; prohibits open source mandates which puts barrier for countries which want to release any software as open source as a policy decision [10].

3. Major Issues Related to Data Protection and Privacy in the TPP

3.1. Data Protection

One of the major concern raised against TPP is regarding data protection provisions that have been integrated within the E- Commerce chapter of the agreement. Article 14.11 and Article 14 .13 are the ones that deal with data flow related to consumer information.Article 14.11 in the agreement puts a requirement on the member states to allow transfer of data across border and Article 14.13 does not allow the companies to host data on local servers. Concerns were raised in few member states for instance, Australian Privacy Foundation raised concerns over Article 14.11 which requires transfers to be allowed in context of business activities of service suppliers. It claimed that exception to this provision is very narrow and the repercussion for not following the exception is that investor state dispute settlement proceedings can be initiated, which is not sufficient to protect privacy. Also, it highlighted the issue that with the narrow exception provided under Article 14.13 which relates to prohibition on data localisation, it might have adverse effect on the implementation of national privacy laws within Australia [11].

Another provision which is of major concern is Article 14.13 which prohibit data localisation. It will raise problems for countries like Indonesia and China which will have to change their local laws to implement the provision [12]. Since there already has been a major concern with regard to USA- EU Safe Harbour Agreement which was later made subject to the ECJ’s ruling on data protection, which invalidated any arrangement which provides voluntary enterprises responsibility to enforce privacy. But both the USA and EU are in process of renegotiating the agreement.The major concern was that in EU data protection is a fundamental right while in USA data protection is more consumer centric. When similar concerns were raised in TPP negotiations, they were rebutted as USA claimed that FTA does not concern itself with data protection [13].

In 2012 Australia proposed an alternative language to TPP which allowed countries to place restriction on data flow as long as it was not a barrier to trade. U.S responded to concerns raised by the Australia through a side letter which ensured Australia that U.S and Australia have a mutual understanding in relation to privacy and U.S will ensure the privacy of data with regards to Australia. While Australia’s concern was given acknowledgement other countries which raised similar issues were not given any assurances [14]. US instead proposed ad- hoc strategy that gave private companies power to form privacy policy with implementation through state machinery [15].

3.2. Digital Privacy

Article 14.8 in the E- Commerce chapter of the agreement states that countries can form legal framework for the protection of rights but the kind of ‘legal framework’ is not defined. Also, nowhere it states that the privacy protection or data protection laws are expressly exempted, rather it states that any such policy implemented by member states will be put under review of TPP standards. The standards which TPP proposes to follow are based on the underlying idea that any such policy should not hinder free trade in any way. This test will be applied by tribunals which are experts in trade and investment and not on data protection or human rights [16]. While Article 14.8 provides for protection of private information of consumers but the footnote to the provision renders it ineffective. The footnote states that member countries can adopt legal framework for the protection of data which can be done by self-regulation by industry and does not provide for any comprehensive data protection obligation upon the member states [17]. Similar to this Article 13.4 of the telecommunications chapter under TPP also states that the countries can apply regulation regarding confidentiality of the messages as long as it is not “a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services" [18].

Another chapter which raises major concerns about the privacy rights is intellectual property. It affects privacy through the provisions related to technological protective measures and the provision that regulate ISP’s liability. Regarding the TPM provision, the TPP follows the DMCA model whereby the exception to anti- circumvention provision is very narrow and does not apply to anti- trafficking provision. The exception allows user to circumvent TPM if it affect the user's privacy in any way, although this provision does not apply to ant- trafficking of TPM. The provision regarding ISP’s liability states that there should be cooperation between ISPs and rights holders and it does not prohibit ISPs to monitor its users. Also TPP proposes the notice for takedown and identification of the infringer by the ISP but this provision is not in consonance with laws of member states, like that of Peru which does not have any copyright law on ISP . Also many countries have tried to introduce proper privacy laws along with implementation of ISP liability but that is not done within the TPP [19]. TPP as whole aims to give greater power to private regulators without providing for minimum standard for protection of privacy.

Although TPP is not a data protection agreement but it consequently deals with various aspects of data protection, hence it is prospective model for privacy and data protection practices in future trade agreements. If positive obligations are included within the free trade agreements it will have an advancing impact on the data protection regime.

4.Implications of TPP for RCEP

While TPP has such lacunas similar provision are proposed in RCEP to which India is a party and which will have serious implication as many of the countries have inadequate data protection laws nationally and with the introduction of such an FTA the exploitation of privacy rights will be rampant [20]. To avoid this EU directive on data protection should be taken into consideration in the negotiations of such FTAs. But for the RCEP negotiations are still going on and in India many companies like Flipkart, Snapdeal etc. have started preparing for the changing norms. The government claims that it is going to accept best practices in the region which indicates that it is going to have same policies as that of TPP. Although people from industry have raised concerns that while there are national laws but it is difficult to check third party involvement within the business and it is becoming increasingly difficult to keep the consumer data confidential [21].

5. Implications of TPP in the Context of EU Safe-Harbour Judgement

Mr. Maximillian Schrems, an Austrian National residing in Austria, has been a user of the Facebook social network since 2008. Any person residing in EU who wishes to use Facebook is required to conclude, at the time of his registration, a contract with Facebook Ireland (a subsidiary of Facebook Inc. which itself is established in Unites States). Some or all of the personal data of the Facebook Ireland’s users who residing in EU is transferred to servers belonging to Facebook Inc. that are located in United States, where it undergoes processing. On 25 June 2013 Mr Schrems made a complaint to the commissioner by which he in essence asked the latter to exercise his statutory powers by prohibiting Facebook Ireland from transferring his personal data to Unites States, and this led to the Maximillian Schrems v Data Protection Commissioner case [22]. He contended that in his complaint that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in thereby by the public authorities. Mr Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the NSA.(para 26, 27, 28). The case came in the court ruled that “that a third country which ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of the EU 94/46 directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection. The ruling implies that personal data cannot be transferred to third country which does not provide adequate level of protection.

EU safe harbour judgment and EU directive on privacy provide contrasting rules related to privacy. While TPP gives power to private entities to formulate rules regarding privacy while the recent ECJ judgment invalidated giving such power to private entities under EU-US Safe Harbour Agreement. Also in context of the same judgment Hamburg’s Commissioner for Data Privacy And Freedom of Information announced an investigation into the data transfer taking place through Facebook and Google to U.S. Hence in the light of the recent judgment member states within EU are not allowed to permit cross border data flow, in contrast to this one of the main goals of TPP is to maintain free flow of data across border [23]. EU is this regard has also set forth the proposal to introduce General Data Protection Regulation. (GDPR). Although U.S and EU are trying to renegotiate the agreement but the privacy concerns raised cannot be ignored. Hence following the same model as was invalidate under the ECJ judgment lets US exploit privacy of member states under TPP. Similar concerns as raised within the judgment are also raised in India as it also following the same model within U.S-India Cyber Relationship Agreement and in RCEP negotiations.

6. Implications of TPP in the context of USA-India Cyber Relationship

While India is not part of TPP but it might have an effect on the U.S India Cyber Relationship Agreement. In August 2015 there was re- initiation of the India-U.S cyber dialogue to address common concerns related to cybersecurity and to develop better partnerships between public and private sector for betterment of digital economy [24]. One of the key aim of this agreement is free flow of information between two nations, which suffers from similar problem that it will put privacy of the citizens at risk. Also India does not have any bilateral treaty which ensures cyber data protection in such a scenario the only solution is data localisation, but this agreement will put data at risk [25]. Hence while the TPP negotiations were going on and also RCEP is being discussed the concerns about privacy and data protection need to be raised as mention in earlier section regarding implications of TPP on RCEP, the USA-India Cyber Relationship also faces the same implications..Although the aim of USA-India Cyber Relationship is to ensure cybersecurity. After the cases of Muzaffarnagar riots, upheaval in North -Eastern states and Gujarat riots, India has realised it is important to ensure compliance from the social media companies. India sees the USA-India Cyber Relationship as an opportunity to achieve this goal. The Google Transparency Report states that that India made around three thousand requests to Google for user data [26], which indicate at the country's interest in having a common data understanding with the major social media companies (almost all of which are located in USA) about requesting and sharing of user activity data. While this concern is being addressed through the agreement, it is difficult to ignore the clause related to free flow of information, and if the meaning of the term is extended and adopted from TPP itself will put digital privacy of Indian citizens at risk [27].

7. Conclusion

Even though TPP negotiation are completed but the ratification of the agreement is still underway. TPP is being seen as one of a kind trade agreement because it is the first time that countries across the globe have come together as a whole to address concerns of modern trade. Although it fails to address some of the key concerns related to privacy and data protection which are becoming increasingly important. Data protection and privacy issues cannot be seen in isolation and needs to merged within the modern day trade agreements. The D2D component by the USA is strategic move to have trade dominance in Asia and to compete with China’s growth . TPP has privacy and data protection lacunae within the e- commerce , telecommunications and intellectual property discussion.Although it might have serious implications on RCEP negotiation and USA- India Cyber Relationship Dialogue. Similar concern regarding data protection has already been addressed by ECJ judgment invalidating USA-EU Safe Harbour Agreement but the similar ad - hoc strategy has been incorporated within TPP. Since TPP might be considered as best practice model for future FTAs in the Asian region it is important to raise and address these privacy concerns now.

8. Endnotes

[1] The signatory countries include Australia, Canada, Japan, Malaysia, Mexico, Peru, United States of America, Vietnam, Chile, Brunei, Singapore, New Zealand. "The Trans-Pacific Partnership," http://www.ustr.gov/tpp (last visited Jul 7, 2016).

[2] "The Origins and Evolution of the Trans-Pacific Partnership (TPP)," Global Research, http://www.globalresearch.ca/the-origins-and-evolution-of-the-trans-pacific-partnership-tpp/5357495 (last visited Jul 7, 2016).

[3] Fergusson, Ian F., Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP): In Brief," (2015), http://digitalcommons.ilr.cornell.edu/key_workplace/1477/ (last visited Jul 1, 2016).

[4] Gajdos, Lukas, The Trans-Pacific Partnership and its impact on EU trade, Policy Department, Directorate-General for External Policies, Policy Briefing (2013), http://www.europarl.europa.eu/RegData/etudes/briefing_note/join/2013/491479/EXPO-INTA_SP(2013)491479_EN.pdf.

[5] Twining, Daniel, Hans Kundnani & Peter Sparding, Trans-Pacific Partnership: geopolitical implications for EU-US relations, Policy Department, Directorate-General for External Policies, June 24 (2016), http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535008/EXPO_STU(2016)535008_EN.pdf.

[6] USTR, "Remarks by Deputy U.S. Trade Representative Robert Holleyman to the New Democrat Network," https://ustr.gov/about-us/policy-offices/press-office/speechestranscripts/2015/may/remarks-deputy-us-trade (last visited Jul 4, 2016).

[7] Murphy, Katharine, "Trans-Pacific Partnership: four key issues to watch out for," The Guardian, November 6, 2015, https://www.theguardian.com/business/2015/nov/06/trans-pacific-partnership-four-key-issues-to-watch-out-for (last visited Jul 7, 2016).

[8] USTR, "The Digital 2 Dozen" (2016), https://ustr.gov/sites/default/files/Digital-2-Dozen-Final.pdf (last visited Jul 1, 2016).

[9] Fergusson, Ian F.m Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP) negotiations and issues for congress," (2015), http://digitalcommons.ilr.cornell.edu/key_workplace/1412/ (last visited Jul 8, 2016).

[10] "How the TPP Will Affect You and Your Digital Rights," Electronic Frontier Foundation (2015), https://www.eff.org/deeplinks/2015/12/how-tpp-will-affect-you-and-your-digital-rights (last visited Jul 7, 2016).

[11] Australian Privacy Foundation (APF), Trans Pacific Partnership Agreement (2016), https://www.privacy.org.au/Papers/Parlt-TPP-160310.pdf.

[12] Greenleaf, Graham, "The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?," SSRN (2016), http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732386 (last visited Jul 1, 2016).

[13] "GED-Project: Transatlantic Data Flows and Data Protection," GED Blog (2015), https://ged-project.de/topics/competitiveness/transatlantic-data-flows-and-data-protection-the-state-of-the-debate/ (last visited Jul 1, 2016).

[14] Geist, Michael, "The Trouble with the TPP, Day 14: No U.S. Assurances for Canada on Privacy," (2016), http://www.michaelgeist.ca/2016/01/the-trouble-with-the-tpp-day-14-no-u-s-assurances-for-canada-on-privacy/ (last visited Jul 4, 2016).

[15] Aaronson, Susan Ariel, "What does TPP mean for the Open Internet?" From Policy Brief on Trade Agreements and Internet Governance Prepared for the Global Commission on Internet Governance (2015), https://www.gwu.edu/~iiep/events/DigitalTrade2016/TPPPolicyBrief.pdf (last visited Jul 5, 2016).

[16] Lomas, Natasha, "TPP Trade Agreement Slammed For Eroding Online Rights," TechCrunch, http://social.techcrunch.com/2015/11/05/tpp-vs-privacy/ (last visited Jun 30, 2016).

[17] "Q&A: The Trans-Pacific Partnership," Human Rights Watch (2016), https://www.hrw.org/news/2016/01/12/qa-trans-pacific-partnership (last visited Jul 1, 2016).

[18] "TPP Full Text Released," People Over Politics (2015), http://peopleoverpolitics.org/2015/11/07/tpp-just-as-bad-as-you-thought/ (last visited Jul 7, 2016).

[19] "Right to Privacy in Trans-Pacific Partnership (TPP ) Negotiations," Knowledge Ecology International, http://keionline.org/node/1164 (last visited Jul 1, 2016).

[20] Asian Trade Centre, "E-Commerce and Digital Trade Proposals for RCEP (2016)," http://static1.squarespace.com/static/5393d501e4b0643446abd228/t/575a654c86db438e86009fa1/1465541967821/RCEP+E-commerce+June+2016.pdf (last visited Jul 1, 2016).

[21] "E-commerce companies like Flipkart, Snapdeal to beef up data security to meet RCEP norms," The Economic Times, http://economictimes.indiatimes.com//articleshow/49068419.cms (last visited Jul 1, 2016).

[22] ECLI:EU:C:2015:650 (C -362/14)

[23] King et al., "Privacy law, cross-border data flows, and the Trans Pacific Partnership Agreement: what counsel need to know," Lexology, http://www.lexology.com/library/detail.aspx?g=b5c0b400-8161-4439-a4b7-131552ad5209 (last visited Jul 4, 2016).

[24] "U.S.-India Business Council Applauds Resumption of Cybersecurity Dialogue," U.S.-India Business Council (2015), http://www.usibc.com/press-release/us-india-business-council-applauds-resumption-cybersecurity-dialogue (last visited Jul 5, 2016).

[25] Sukumar, Arun Mohan, "India Is Coming up Against the Limits of Its Strategic Partnership With the United States," The Wire (2016), http://thewire.in/40403/india-is-coming-up-against-the-limits-of-its-strategic-partnership-with-the-united-states/ (last visited Jul 4, 2016).

[26] Countries – Google Transparency Report, https://www.google.com/transparencyreport/userdatarequests/countries/ (last visited Jul 8, 2016).

[27] Sukumar, Arun Mohan, "A case for the Net’s Ctrl+Alt+Del," The Hindu, September 5, 2015, http://www.thehindu.com/opinion/op-ed/a-case-for-the-nets-ctrlaltdel/article7616355.ece (last visited Jul 5, 2016).

9. Author Profile

Shubhangi Heda is a Student of Jindal Global Law School, O.P Jindal Global University. She has completed her fourth year. She gives due importance to popular culture in her life and loves to read fiction and like to watch TV-shows, her favorite being 'White Collar'.

For more details visit https://cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy

Comments on the RBI's Consultation Paper on Peer to Peer Lending

sumandro — 2016-06-01T20:21:13Z

The Reserve Bank of India published a Consultation Paper on Peer to Peer Lending on April 28, 2016, and invited comments from the public. CIS submitted the following response, authored by Elonnai Hickok, Pavishka Mittal, Sumandro Chattapadhyay, Vidushi Marda, and Vipul Kharbanda.

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) on the Consultation Paper on Peer to Peer Lending (“the consultation paper”) by the Reserve Bank of India (“RBI”) [1].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS [2], is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the concerns of citizens’ and users’ rights in the context of products, services, and transactions facilitated by digital media technologies, the , the principle that regulation should be defined around functions of the acts concerned, and not the technologies of delivery. Our comments are limited to the clauses that most directly have an impact on these concerns.

3. Response

3.1. Whether there is a felt need for regulating peer to peer lending platforms?

3.1.1. Peer to peer (“P2P”) lenders are platforms serving as marketplaces for the lenders and the borrowers of funds to connect. Their very business model does not render them as a provider of finance, as they aspire to function as pure intermediaries to enable lending and borrowing.

3.1.2. The Section 45I.(f)(iii) of the RBI Act, 1935 [3], provides RBI the authority to classify any financial institution as a non-banking financial company (“NBFC”) “with the previous approval of the Central Government and by notification in the Official Gazette.” Since the P2P lending platforms do not provide any finance themselves, undertake acquisition of financial instruments, deliver financial and/or insurance services, or collect financial resources directly, the only ground for classifying such companies as “financial institutions” [4] appears to be their involvement in “managing, conducting or supervising, as foreman, agent or in any other capacity, of chits or kuries as defined in any law which is for the time being in force in any State, or any business, which is similar thereto” [5]. P2P lending platforms can be considered to be brokers and thus there are other aspects that merit scrutiny such as antitrust issues, obligations of either party, company activities and the transactional system involved, as we will discuss in this document.

3.1.3. The consultation paper itself states that the balance sheet of the platform cannot indicate any borrowing / lending activity, which entails that the platform cannot itself provide finance or receive any funds for the provision of loans to others. Platforms are not allowed to determine the interest rates as they are not a party to the transaction. Neither would they be liable in cases of default by the borrower. These rules, standard for P2P platforms in other jurisdictions as well, confirm the assumption that the platform itself is not providing finance and thus, cannot be entrusted with any liability, obligation from the transaction.

3.1.4. Further, with RBI raising the threshold asset size for an NBFC to be considered systemically important (NBFC-ND-SI) from Rs. 100 Crores to Rs. 500 Crores [6], and Economic Times reporting that one of the biggest Indian P2P lending platform’s enterprise valuation (which can be taken as indicative of its net assets) is Rs 50 Crores [7], we may assume that most P2P lending platforms will have net assets worth less than 500 crore, at least in the near future; although there is a possibility for exponential growth with some companies.

3.1.5. Given the limited sphere of operation, restricted ability (by design) of these platforms to shape interest rates and other features of financial instruments, and their generally non-systemically-important nature, we would submit that the regulation of such P2P lending platforms are kept to an absolute minimum, so that their economic viability is not undermined, and at the same time the key risks associated with their operations are addressed by RBI.

3.2. Is the assessment of P2P lending and risks associated with it adequate?

3.2.1. CIS observes that the following are the key risks involved with the operations of the P2P lending platforms, and these are being respectively addressed by, or can be addressed by RBI in the following manners.

Insufficient information about the conditions of lending, leading to defrauding of the borrower: The borrower may not receive appropriate information about the terms of the loan, and/or the P2P lending platform may not act in a “fair” manner (say, in case of collusion between the P2P lending platform and the lender, or the lending platform and the borrower), which may lead to defrauding and/or economic loss of either party. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Guidelines on Fair Practices Code for NBFCs [8], which extensively addresses concerns related to this type of risks.
Insufficient information about the borrower, or her/his ability to repay the loan, may lead to non-repayment and economic loss of the lender: If the P2P lending platform allows the lender to offer loans to borrowers without acquiring and/or providing sufficient information to the lender about the borrower’s credit history and/or ability to repay the loan, modes of formulating security for loans, this may heighten the risks of non-repayment of loans. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Master Circular – 'Know Your Customer' (KYC) Guidelines – Anti Money Laundering Standards (AML) - Prevention of Money Laundering Act, 2002 - Obligations of NBFCs [9], which extensively addresses concerns related to this type of risks.
Credit-related information of the lenders and the borrowers collected by P2P lending platforms may not be made available to other financial institutions and that will lead asymmetry in credit information available across various actors in the sector: Credit information, related to both lending and borrowing practices of entities using the platform concerned, is a key asset of the P2P lending platforms. Lack of sharing of such information with Credit Information Companies, for economic reasons or otherwise, may however, lead to information asymmetry within the financial sector, which will structurally weaken the entire sector (with pieces of credit information being distributed across actors and not being shared internally). By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Credit Information Companies (Regulation) Act, 2005 [10], which extensively addresses concerns related to this type of risks.
P2P lending platforms diversifying their financial operations without informing RBI and hence without appropriate regulatory control: It is possible that P2P lending platforms may decide to diversify their activities. There have been similar examples in other related sectors, say e-commerce marketplaces, that have started their own product re/selling companies that use the same online marketplace concerned. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies provide RBI with detailed and regular reports of their economic activities and investments, which is expected to address concerns related to this type of risks.

3.3. Are there any other risks which ought to be addressed?

3.3.1. CIS observes that as part of the usual transaction related activities of the P2P lending platforms, the companies will come into possession of what has been defined as “sensitive personal data or information” by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 [11]. The concerns related to this type of risk is directly addressed by the Rules concerned, and may not require additional attention from the RBI.

3.3.2. CIS observes that as borrowers and lenders start using specific P2P lending platforms, the data regarding their credit histories and/or “financial reputation” will be owned by these companies. While such information might be shared internally within the financial sector through the Credit Information Companies, the borrowers and lenders themselves may not get direct access to such data. Hence, the borrowers and lenders will not be able to move easily and smoothly to a new P2P lending platform and make use of their existing credit information and/or “financial reputation” when accessing services offered via the new P2P lending platform. In other words, the borrowers and lenders may face a service provider lock-in, and inability to move between P2P lending platforms easily, without explicit access to their own credit history/reputation, and will not have the ability to migrate such information from one P2P lending platform to another (or to any other agency, for that matter). CIS submits that RBI must provide a mechanism to allow users to migrate between platforms as it has not been discussed in the consultation paper.

3.4. Is the proposed approach to regulating these platforms adequate?

3.4.1. CIS observes that while classification of P2P lending platforms will appropriately address key risks associated with their operations (as listed in 3.2.1. A-D), it will not address a major risk emerging out of their operations that is unique to the technological basis of the business concerned (as mentioned in 3.3.2.), and further, it will impose substantial financial and management obligations that have a very high probability of undermining the economic viability of this emerging and niche sector of intermediated direct lending and borrowing.

3.4.2. CIS observes that these financial and management obligations may involve the following topics among others discussed: 1) minimum net worth requirement for registration, 2) minimum investments required to be made government securities, 3) transferring of minimum percentage of net profits to RBI, 4) guidelines regarding corporate governance [12], etc.

3.4.3. Given this, CIS submits that instead of classifying P2P lending platforms as “Misc NBFCs,” a new sub-classification is created under the category of NBFC for such platforms, that directly addresses the key risks associated with businesses of P2P lending platforms, and protects lenders as well as borrowers while enhancing transparency in operations. This new sub-classification of P2P lending companies should also be divided into systemically-important and non-systemically-important like other NBFCs, and requirements regarding financial operations and corporate management should only be enforced for the former category of P2P lending companies.

3.5. Any other relevant issues pertaining to P2P lending

Beyond the issues already discussed above, CIS seek clarity from the RBI around the following aspects:

Transactional system pertaining to P2P lending:
1. What are the requirements and prerequisites for mandating the collection of user identity?
2. Establishing a maximum sum that can be transferred per transaction.
Company activities:
1. Fees that can be charged by platforms.
2. How data security can be best addressed.
3. How the financial transactions are brokered.
4. Modes of redressal.
5. Restitution to users if something goes amiss in the transaction.
6. Insurance that the company has to buy or capital on hand to support.

Endnotes

[1] See: https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=3164.

[2] See: http://cis-india.org/.

[3] See: https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/RBIA1934170510.pdf.

[4] See Section 45I.(c) of RBI Act, 1923, last amended on January 07, 2013.

[5] See Section 45I.(c)(v) of RBI Act, 1923, last amended on January 07, 2013.

[6] See: https://rbidocs.rbi.org.in/rdocs/content/pdfs/PNNBFC200315.pdf.

[7] See: http://economictimes.indiatimes.com/small-biz/startups/faircent-com-raises-pre-series-a-funding-of-250k/articleshow/47630279.cms.

[8] See: https://rbi.org.in/scripts/NotificationUser.aspx?Id=7866.

[9] See: https://rbi.org.in/scripts/BS_ViewMasCirculardetails.aspx?id=8168.

[10] See: http://www.incometaxindia.gov.in/Pages/acts/credit-information-companies-act.aspx.

[11] See: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf.

[12] See: https://www.rbi.org.in/scripts/BS_NBFCNotificationView.aspx?Id=3706.

For more details visit https://cis-india.org/raw/comments-on-the-rbi-consultation-paper-on-peer-to-peer-lending

RBI Consultation Paper on P2P Lending: Data Security and Privacy Concerns

vipul — 2016-06-01T11:41:17Z

On April 28, 2016 the Reserve Bank of India published a consultation paper on P2P Lending and invited comments from the public on the same. The Paper discusses what P2P lending is, the various regulatory practices that govern P2P lending in different jurisdictions and lists our arguments for and against regulating P2P lending platforms.

Arguments against Regulation

The arguments against regulation of P2p lending companies as set out in the paper are (briefly):

Regulating an exempt or nascent sector may be perceived as rubber stamping the industry through regulation, thus lending credibility to the P2P lending which could attract ill informed lenders to the sector who may not understand all the risks associated with the industry. In this way Regulation may cause more harm than good.
Regulations may also be perceived as too stringent, thus stifling the growth of an innovative, efficient and accessible industry.
The P2P lending market is currently in a nascent stage and does not pose an immediate systemic risk meriting regulation.

Arguments in favour of Regulation

The arguments for regulating the market on the other hand are:

Considering the significance of the online industry and the impact which it can have on the traditional banking channels/NBFC sector, it would be prudent to regulate this emerging industry.
The, the importance of these methods of financing, specially in sectors where formal lending cannot reach, needs to be acknowledged.
If the sector is left unregulated altogether, there is the risk of unhealthy practices being adopted by one or more players, which may have deleterious consequences.
Section 45S of RBI Act prohibits an individual or a firm or an unincorporated association of individuals from accepting deposits “if its business wholly or partly includes any of the activities specified in clause (c) of section 45-I (i.e. activities of a financial institution); or if his or its principal business is that of receiving of deposits under any scheme or arrangement or in any other manner, or lending in any manner. Contravention of Section 45S is an offence punishable under section 58B (5A) of RBI Act. As per the Act, ‘‘deposit’’ includes and shall be deemed always to have included any receipt of money by way of deposit or loan or in any other form, but does not include any amount received from an individual or a firm or an association of individuals not being a body corporate, registered under any enactment relating to money lending which is for the time being in force in any State. Since the borrowers and lenders brought together by a P2P platform could fall within these prohibitions, absence of regulation may lead to perpetrating an illegality.”

After listing out the arguments, the paper adopts the approach of regulating this industry and proposes to bring P2P lending platforms under the purview of RBI’s regulation by defining them as Non Banking Financial Companies (NBFCs) under section 45-I(f)(iii) of the RBI Act. Once notified as NBFCs, RBI can issue regulations under sections 45JA and 45L. Though there is scope to comment on many aspects of the consultation paper our comments here will be limited to the data security and privacy aspects of the recommendations.

Data Security and Privacy Concerns

While the understanding of potential borrowers, specially those who have had experiences with commercial financial institutions, is that the more amount of information they provide, the better their chances become of getting a loan. This perception emanates from the fact that any potential borrower is asked for a myriad of documents, including personally identifying documents before a request for a loan is considered, infact for almost all financial institutions it is part of their core prudential norms to ask for identity documents before disbursing a loan. Getting as much information as possible from the borrower is not just a quirk of the financial institutions but it makes business sense for them, since it is those institutions who bear the risk of recovery of their money. There is no reason why the same logic or allowing creditors all the information about the borrower should not be applicable to P2P lending platforms, as far as the principle of prudential business practices is concerned. However, the key difference between disclosing information to P2P lending platforms as opposed to financial institutions is that whilst the information supplied to financial institutions stays limited to the institution and its employees, a large amount of the information (though not necessarily all) given to P2P platforms is made available to all potential creditors, which in P2P lending translates to any internet user who registers as a potential creditor. In this way the potential for the information to reach a wider group of people is much higher and therefore privacy and data security risks require special attention in P2P lending.

In section 5.3(v) of the Paper it is recommended that “Confidentiality of the customer data and data security would be the responsibility of the Platform. Transparency in operations, adequate measures for data confidentiality and minimum disclosures to borrowers and lenders would also be mandated through a fair practices code.” Whilst the fair practices code has not yet been developed or at least not yet made publicly available, as companies in the P2P lending industry are body corporates, these fair practice codes should be in line with and satisfy the requirements of section 43A of the Information Technology Act, 2000 (“IT Act”) as well as the Guidelines issued by the RBI’s Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds [1].

The minimum standards for data protection in Indian law have been laid down by section 43A of the IT Act and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Rules”) issued under section 43A. As per Rule 4 of the Rules P2P platforms would be required to have a privacy policy to deal with sensitive personal data, which includes any details regarding financial information such bank account, credit/debit cards, etc [2].

This policy would have to be published on the website of the platforms and would provide for a number of things such as (i) Clear and easily accessible statements of its practices and policies; (ii) type of personal or sensitive personal data or information collected; (iii) purpose of collection and usage of such information; (iv) disclosure of information including sensitive personal data or information; (v) reasonable security practices and procedures for the data. The other requirements of the Rules as regards consent before usage of the information, collection limitations, imparting information/notice to the consumer (information provider), retention limitation, purpose limitation, opt-out option, disclosure, etc. will also be applicable to P2P platforms and the fair practices code that the RBI would issue for this purpose will have to take all these issues into account.

The Rules also provide that body corporates will be considered to have complied with reasonable security practices if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. Although there are no such practices which have been endorsed by any governmental body for P2P lending platforms, however the Department of Banking Supervision, Reserve Bank of India, has issued guidelines on “Information security, Electronic Banking, Technology risk management and cyber frauds" [3]. which could be relied upon until a fair practices code is put into place. The major privacy and data security provisions of these guidelines are given below:

Security Baselines: The guidelines require banks to be proactive in identifying and specifying the minimum security baselines to be adhered to by the service providers to ensure confidentiality and security of data;
Back up records: A cloud computing system must ensure backup of all its clients' information;
Security steps: An institution may take the following steps to ensure that risks with respect to confidentiality and security of data are adequately mitigated: (i) Address, agree, and document specific responsibilities of the respective parties in outsourcing; (ii) Discuss and agree on the instances where customer data shall be accessed; (iii) Ensure that service provider employees are adequately aware and informed on the security and privacy policies.
Confidentiality: Agreements should provide for maintaining confidentiality of customer's information even after the contract expires or is terminated by either party and specify the liability in case of security breach or leakage.
Encryption: Normally, a minimum of 128-bit SSL encryption is expected. Banks should only select encryption algorithms which are well established international standards.
Fraud Risk Management: It is also necessary that customer confidential information and other data/information available with banks is secured adequately to ensure that fraudsters do not access it to perpetrate fraudulent transactions.

Although inclusion of the above principles in the fair practices code would be helpful, however since the workings of P2P platforms are quite unique, therefore it would be counterproductive to restrict the security and privacy protocols to only those applied to regular banking transactions and the fair practices code should take into account these unique problems of P2P lending rather than seek to apply the existing norms blindly.

Endnotes

[1] See: https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf.

[2] The Rules define “sensitive personal data or information” as information relating to: "(i) password, (ii) financial information such as Bank account or credit card or debit card or other payment instrument details, (iii) physical, physiological and mental health condition, (iv) sexual orientation, (v) medical records and history, (vi) Biometric information, (vii) any detail relating to the above clauses as provided to body corporate for providing service, and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise."

[3] See: http://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf.

For more details visit https://cis-india.org/raw/rbi-consultation-paper-on-p2p-lending

The National Privacy Principles

Pooja Saxena and Amber Sinha — 2016-03-21T09:48:23Z

In this infographic, we try to break down the National Privacy Principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/the-national-privacy-principles