The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 31 to 45.
MediaNama - #NAMAprivacy: The Future of User Data (Delhi, Sep 6)
https://cis-india.org/internet-governance/news/medianama-namaprivacy-the-future-of-user-data-delhi-sep-6
<b>MediaNama is hosting a full day conference on "the future of user data in India", on the 6th of September 2017, which is particularly significant given the recent Supreme Court ruling on the fundamental right to privacy, and two government consultations: one at the TRAI, and another at MEITY. This discussion is supported by Facebook, Google, and Microsoft. Sumandro Chattapadhyay, Research Director, will participate as a speaker in the session titled "regulating storage, sharing and transfer of data."</b>
<p> </p>
<h4>Details</h4>
<p>Time: September 6th 2017, 9 am to 4:30 pm</p>
<p>Venue: Gulmohar Hall, India Habitat Centre, Lodhi Road (please enter from Gate #3)</p>
<p>Agenda: <a href="https://www.medianama.com/2017/08/223-agenda-namaprivacy-future-of-user-data/">https://www.medianama.com/2017/08/223-agenda-namaprivacy-future-of-user-data/</a></p>
<h4>Announced Speakers</h4>
<ul><li>Chinmayi Arun, Centre for Communication Governance at NLU Delhi</li>
<li>Malavika Raghavan, IFMR Finance Foundation</li>
<li>Renuka Sane, NIPFP</li>
<li>Smitha Krishna Prasad, Centre for Communication Governance at NLU Delhi</li>
<li>Ananth Padmanabhan, Carnegie India</li>
<li>Avinash Ramachandra, Amazon</li>
<li>Hitesh Oberoi, Naukri</li>
<li>Jochai Ben-Avie, Mozilla</li>
<li>Mrinal Sinha, Mobikwik</li>
<li>Murari Sreedharan, Bankbazaar</li>
<li>Sumandro Chattapadhyay, Centre for Internet and Society</li></ul>
<h4>Facilitators</h4>
<ul><li>Saikat Datta, Asia Times Online</li>
<li>Shashidar KJ, MediaNama</li>
<li>Nikhil Pahwa, MediaNama</li></ul>
<h4>Attendees</h4>
<p>We have confirmed 140+ attendees from: Adobe, Amber Health, Amazon, APCO Worldwide, Bank Bazaar, Bloomberg-Quint, Blume Ventures, Broadband India Forum, Business Standard, BuzzFeed News, CCOAI, CEIP, Change Alliance, Chase India, CIS, CNN News18, DEF, Deloitte, DNA, DSCI, E2E Networks, British High Commission, Eurus Network Services, FICCI, Firefly Networks, Flipkart, Forrester Research, Fortumo, DoT, MEITY, IAMAI, IBM, ICRIER, IFMR Finance Foundation, IIMC, Indian Law Institute, Indic Project, Info Edge, ISPAI, IT for Change, ITU-APT, Jamia Millia Islamia, Jindal Global Law School, Mimir Technologies, Mozilla, Newslaundry, NIPFP, Nishith Desai Associates, NIXI, NLU-Delhi, ORF, Paytm, PLR Chambers, PRS Legislative Research, Publicis Groupe, Quartz India, Reliance Jio, Reuters, Saikrishna & Associates, Scroll.in, SFLC.in, Spectranet, The Economic Times, The Indian Express, The Times of India, The Wire, Times Internet, Twitter, and more.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/medianama-namaprivacy-the-future-of-user-data-delhi-sep-6'>https://cis-india.org/internet-governance/news/medianama-namaprivacy-the-future-of-user-data-delhi-sep-6</a>
</p>
No publisher | sumandro | Big Data, Digital Economy, Privacy, Internet Governance, Data Governance, Data Protection, Digital Rights | 2017-09-05T10:22:12Z | Blog Entry
Privacy is not a unidimensional concept
https://cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept
<b>Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all citizens in India to defend their individual autonomy in the face of invasive state actions purportedly for the public good. The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all.</b>
<div>This article, written by Amber Sinha was published in the <a class="external-link" href="http://economictimes.indiatimes.com/news/politics-and-nation/aadhar-privacy-is-not-a-unidimensional-concept/articleshow/59716562.cms">Economic Times</a> on July 23, 2017. </div>
<div>
<br /></div>
<div>In a disappointing case of judicial evasion by the apex court,
it has taken over 600 days since a reference order passed on
August 11, 2015, for this bench to be constituted. Over two days
of arguments, the counsels for the petitioners have presented
before the court why the right to privacy, despite not finding a
mention in the Constitution of India, is a fundamental right
essential to a person’s dignity and liberty, and must be read into
not one but multiple articles of the Constitution. The government
will make its arguments in the coming week.</div>
<div>One must wonder why we are debating the contours of the right
to privacy, which 40 years of jurisprudence had lulled us into
believing we already had. The answer to that can be found in a
series of hearings in the Aadhaar case that began in 2012. Justice
KS Puttaswamy, a former Karnataka High Court judge, filed a
petition before the Supreme Court, questioning the validity of the
Aadhaar project due to its lack of legislative basis (the Aadhaar
Act has since been passed, in 2016) and its transgressions on our
fundamental rights. Over time, a number of other petitions also
made their way to the apex court, challenging different aspects of
the Aadhaar project. Since then, five different interim orders by
the Supreme Court have stated that no person should suffer because
they do not have an Aadhaar number. Aadhaar, according to the
court, could not be made mandatory to avail benefits and services
from government schemes. Further, the court has limited the use of
Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social
Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.<br />
<br /></div>
<div>The real spanner in the works in the progress of this case was
the stand taken by Mukul Rohatgi, then attorney general of India
who, in a hearing before the court in July 2015, stated that there
is no constitutionally guaranteed right to privacy. His reliance
was on two Supreme Court judgments in MP Sharma v Satish Chandra
(1954) and Kharak Singh v State of Uttar Pradesh (1962): both
cases, decided by eight- and six-judge benches respectively,
denied the existence of a constitutional right to privacy. As the
subsequent judgments which upheld the right to privacy were by
smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh
still prevailed over them, until they were overruled by a larger
bench.</div>
<div>The reference to a larger bench has since delayed the entire
matter, even as a number of government schemes have made Aadhaar
mandatory. This reading of privacy as a unidimensional concept by
the courts is, with due respect, erroneous. Privacy, as a concept,
includes within its scope, spatial, familial, informational and
decisional aspects. We all have a legitimate expectation of
privacy in our private spaces, such as our homes, and in our
personal relationships. Similarly, we must be able to exercise
some control over how personal data, like our financial
information, are disseminated. Most importantly, privacy gives us
the space to make autonomous choices and decisions without
external interference. All these dimensions of privacy must stand
as distinct rights. In MP Sharma, the court rejected a certain
aspect of the right of privacy by refusing to acknowledge a right
against search and seizure. This, in no way prevented the court,
even in the form of a smaller bench, from ruling on any other
aspects of privacy, including those that are relevant to the
Aadhaar case.</div>
<div> </div>
<div>The limited referral to this bench means that the court will
have to rule on the status of privacy and its possible limitations
in isolation, without even going into the details of the Aadhaar
case (based on the nature of protection that this bench accords to
privacy, the petitioners and defendants in the Aadhaar case will
have to argue afresh on whether the project infringes this
most fundamental right). There are no facts of the case to ground
the legal principles in, and defining the contours of a right can
be a difficult exercise. The court must be wary of how any limits
they put on the right may be used in future. Equally, it is
important to articulate that any limitations on the right to
privacy due to competing interests such as national security and
public interest must be imposed only when necessary and always be
proportionate. <br />
<br /></div>
<p>
It will not be enough for the court to merely state that we have a
constitutional right to privacy. They would be well advised to cut
through the muddle of existing privacy jurisprudence, and
unequivocally establish the various facets of the right. Without
that, we may not be able to withstand the modern dangers of
surveillance, denial of bodily integrity and self-determination
through forcible collection of information. The nine judges, in
their collective wisdom, must not only ensure that we have a right
to privacy, but also clearly articulate a robust reading of this
right capable of withstanding the growing interferences with our
autonomy.</p>
<div> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept'>https://cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept</a>
</p>
No publisher | amber | Internet Governance, Aadhaar, Data Protection, Privacy | 2017-08-07T08:02:20Z | Blog Entry
Comments on the Statistical Disclosure Control Report
https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report
<b>This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.
</b>
<h3 style="text-align: justify;" dir="ltr">1. PRELIMINARY</h3>
<p style="text-align: justify;" dir="ltr">This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.</p>
<p style="text-align: justify;" dir="ltr">CIS is thankful for the opportunity to put forth its views. This submission is divided into three main parts: the first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and the third part contains the ‘Comments’.</p>
<h3 style="text-align: justify;" dir="ltr">2. ABOUT CIS</h3>
<p style="text-align: justify;" dir="ltr">CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.<br class="kix-line-break" /><br /></p>
<p style="text-align: justify;" dir="ltr">CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.</p>
<h3 style="text-align: justify;" dir="ltr">3. Comments</h3>
<h4 style="text-align: justify;" dir="ltr">3.1 General Comments</h4>
<p style="text-align: justify;" dir="ltr">As a non-profit organisation we recognize the importance of the efforts by the Ministry of Statistics and Programme Implementation (MoSPI) to make the data you collect available to the public in open formats with relevant information about reliability of statistical estimates.</p>
<p><span style="text-align: justify;">We at CIS have recently released a report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. We encountered several central and state government departments collecting socioeconomic data from citizens, linking it with Aadhaar and even publishing it in exportable data formats such as Excel spreadsheets and MS Access databases. </span><span style="text-align: justify;">While we understand this issue primarily concerns the Unique Identification Authority of India (UIDAI), the lack of standards around information/statistical disclosure is a general threat to transparency in a democracy and to the privacy of individuals. </span><span style="text-align: justify;">Going through the report, we understand the committee is unable to prescribe a standard for other ministries and departments until it has piloted these standards within the Ministry of Statistics and Programme Implementation. This delay in prescribing the standards can be really dangerous in the current circumstances, in which government departments collect data on a massive scale and link all their databases with a single unique identifier, the Aadhaar Number. </span><span style="text-align: justify;">At the same time we understand the importance of data dissemination, and we recommend the following for improving the standards around data disclosure control.</span></p>
<h4 style="text-align: justify;" dir="ltr">3.2 Integrity of Information and Data</h4>
<p style="text-align: justify;" dir="ltr">We agree with the committee that error rates need to be kept in mind while designing practices to convert raw data. But we request that the process of making changes be actively measured and documented. Where errors are computed, guidelines can be framed to reduce the possibility of those errors being misinterpreted and causing a loss of integrity of the information. Statistics are important for decision making in governance, and errors in computation can introduce bias that affects millions of people. Statistical biases must be examined while converting data from its raw format, to make sure the published information does no harm.</p>
<h4 style="text-align: justify;" dir="ltr">3.3 Data Security</h4>
<p style="text-align: justify;" dir="ltr">One of the important issues around storage and publication of Aadhaar information is the lack of masking standards. With data available from multiple departments, it is possible to reconstruct identification details by linking records across databases: two releases that each hide a different part of a number, or that share the same quasi-identifiers (name, district, date of birth), can be joined to recover what neither reveals on its own. We recommend that masking standards be adopted before personally identifiable microdata is published, and that the same fields and digits be masked consistently across departments. There is an urgent need for departments to also audit access to information and track the sharing of information. We recommend that the department digitally sign all information and documents it publishes or shares, so that recipients can verify their authenticity and origin, and maintain access logs to keep track of who has accessed the information.</p>
<p style="text-align: justify;" dir="ltr">We request the department to define what exactly is meant by “usage for statistical purposes only” and to recommend standards to control and restrict usage of information to this purpose. It is important that it designs frameworks or mechanisms to allow others to report violations. This process should be transparent and thoroughly documented.</p>
<h4 style="text-align: justify;" dir="ltr">3.4 Anonymization of microdata</h4>
<p style="text-align: justify;" dir="ltr">We recommend that the data being collected be anonymized at source to reduce the possibility of accidental disclosure of personally identifiable information. Anonymization should address quasi-identifiers as well as direct identifiers, since a combination of ordinary attributes is often unique to one person. While the current anonymization efforts have been helpful, the steady improvement in data mining and classification algorithms and practices means the standards in this area must keep evolving.</p>
<h4 style="text-align: justify;" dir="ltr">3.5 Data Dissemination</h4>
<p style="text-align: justify;" dir="ltr">Data dissemination is an important aspect of the work of district statistics officers. We recommend they actively communicate their work through monthly newsletters and quarterly workshops, to help improve the conversation around statistics and at the same time engage with the users who would benefit from the data.</p>
<p style="text-align: justify;" dir="ltr">We also recommend that data, when published, include metadata on collection, modification, storage and other important information. The information also needs to be published in open formats which do not require proprietary software to open them. At the same time, data should be published in multiple formats such as CSV, XLS and PDF.</p>
<p style="text-align: justify;" dir="ltr">The committee also recognizes the need for having data users part of discussions around important decisions and be part of committees. We would like the department to recognize our efforts and consider us for future committee representations.</p>
<p style="text-align: justify;" dir="ltr"> </p>
<p style="text-align: justify;" dir="ltr">Thank you for this opportunity and we look forward to work with you in future.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report'>https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report</a>
</p>
No publisher | Srinivas Kodali and Amber Sinha | Call for Comments, Digital Access, Open Data, Open Government Data, Data Protection, Data Governance, Aadhaar, Digitisation, Information Security, Openness, Internet Governance, Data Management | 2019-03-13T00:28:44Z | Blog Entry
(Updated) Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information
https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1
<b>Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, welfare exclusion, and security concerns. In this study, we document numerous instances of publicly available Aadhaar Numbers along with other personally identifiable information (PII) of individuals on government websites. This report highlights four government projects run by various government departments that have made sensitive personal financial information and Aadhaar numbers public on the project websites.
</b>
<p> </p>
<h4>Read the updated report: <a class="external-link" href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof/" target="_blank">Download</a> (pdf)</h4>
<h4>Read the first statement of clarification (May 16, 2017): <a class="external-link" href="https://cis-india.org/internet-governance/clarification-on-information-security-practices-of-the-aadhaar-report/" target="_blank">Download</a> (pdf)</h4>
<h4>Read the second statement of clarification (November 05, 2018): <a class="external-link" href="https://cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report" target="_blank">Link to page</a> (html)</h4>
<hr />
<p><em>We are grateful to Yesha Paul and VG Shreeram for research support.</em></p>
<hr />
<p>In the last month, there have been various reports pointing out instances of public disclosure of Aadhaar numbers through various databases, easily found on Twitter under the hashtag #AadhaarLeaks. Most of these reported disclosures involve non-UIDAI databases that contain the Aadhaar numbers of beneficiaries or subjects along with other personal identifiers. All of these public disclosures are symptomatic of a significant and potentially irreversible privacy harm; we want, however, to point out another large fallout of such events: they create a ripe opportunity for financial fraud. For this purpose, we identified benefits disbursement schemes whose databases would need to store financial information about their subjects. During our research, we encountered numerous instances of publicly available Aadhaar numbers along with other PII of individuals on government websites. In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers. Our research focuses largely on data published by, or pertaining to, schemes where Aadhaar data is linked with banking information. We chose major government programmes using Aadhaar for payments and banking transactions, and found sensitive personal data and information very easily accessible on these portals.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1'>https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1</a>
</p>
No publisher | Amber Sinha and Srinivas Kodali | Digital ID, Privacy, NDSAP, Data Protection, Accountability, Featured, Data Governance, Aadhaar, Digitisation, Homepage, Internet Governance, Data Management | 2019-03-13T00:29:01Z | Blog Entry
Survey on Data Protection Regime
https://cis-india.org/internet-governance/blog/survey-on-data-protection-regime
<b>We request you to take part in this survey aimed at understanding how various organisations view the changes in the Data Protection Regime in the European Union. Recently the General Data Protection Regulation (EU) 2016/679 was passed, which shall replace the present Data Protection Directive DPD 95/46/EC. This step is likely to impact the way of working for many organisations. We are grateful for your voluntary contribution to our research, and all information shared by you will be used for the purpose of research only. Questions that personally identify you are not mandatory and will be kept strictly confidential. </b>
<p> </p>
<h4>The survey form below can also be accessed <a href="https://goo.gl/forms/61d4W0kPQ8SqNaMO2" target="_blank">here</a>.</h4>
<hr />
<iframe src="https://docs.google.com/forms/d/e/1FAIpQLSepvhTUkkc7s3jFDfJZ90wFJAIuVexrbVSO5icV4kW0-1uyNA/viewform?embedded=true" frameborder="0" marginwidth="0" marginheight="0" height="800" width="600">Loading...</iframe>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/survey-on-data-protection-regime'>https://cis-india.org/internet-governance/blog/survey-on-data-protection-regime</a>
</p>
No publisher | Aditi Chaturvedi and Elonnai Hickok | General Data Protection Regulation, Internet Governance, Featured, Data Protection, Homepage | 2017-02-10T10:47:00Z | Blog Entry
Comparison of General Data Protection Regulation and Data Protection Directive
https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive
<b>Recently, the General Data Protection Regulation (REGULATION (EU) 2016/679) was passed. It shall replace the present Data Protection Directive (DPD 95/46/EC), a step that is likely to impact the workings of many organizations. This document intends to offer a clear comparison between the General Data Protection Regulation (GDPR) and the Data Protection Directive (DPD).
</b>
<p>Download the <a class="external-link" href="http://cis-india.org/internet-governance/files/comparison-table-gdpr-dpd">file here</a></p>
<hr />
<h1 style="text-align: justify; ">1. INTRODUCTION</h1>
<p style="text-align: justify; ">The GDPR i.e. General Data Protection Regulation (REGULATION (EU) 2016/679) was adopted on April 27th, 2016. After a two-year transition period it will apply from May 25th, 2018 and will replace the Data Protection Directive (DPD 95/46/EC). The Regulation intends to empower data subjects in the European Union by giving them control over the processing of their personal data. Unlike a directive, a regulation is directly applicable and needs no national enabling legislation: under the previous regime of the DPD, different member States legislated their own data protection laws, whereas the new Regulation intends uniformity in application, with some room for individual member states to legislate on procedural mechanisms. While this will ensure a predictable environment for doing business, a number of obligations will have to be undertaken by organizations, which might initially burden them financially and administratively.</p>
<h1 style="text-align: justify; "><a name="_s6hlmorxmhjt"></a> 2. SUMMARY</h1>
<p style="text-align: justify; ">The Regulation contains a number of new provisions as well as modified versions of provisions that were in the DPD, and has removed certain requirements of the DPD. Some significant changes mentioned in the document are summarized in this section. These changes suggest that the GDPR is a comprehensive law with detailed substantive and procedural provisions. Yet some ambiguities remain with respect to its workability and interpretation, and clarifications will be required.</p>
<h2 style="text-align: justify; "><a name="_bx6wcm39fme2"></a> 2.1 Provisions from the DPD that were retained but altered in the GDPR include:</h2>
<h3 style="text-align: justify; "><a name="_dgj5eiqdp6rg"></a> 2.1.1 Scope:</h3>
<p style="text-align: justify; ">GDPR has an expanded territorial scope and is applicable under two scenarios: 1) when the processor or controller is established in the Union, and 2) when the processor or controller is not established in the Union. The conditions for applicability of the GDPR under the two are much wider than those under the DPD. Also, the criteria under GDPR are more specific and clearer to demonstrate application.</p>
<h3 style="text-align: justify; "><a name="_xkff9yuwpdhu"></a> 2.1.2 Definitions:</h3>
<p style="text-align: justify; ">Six definitions have remained the same while those of personal data and consent have been expanded.</p>
<h3 style="text-align: justify; "><a name="_ubv6cbv0v00"></a> 2.1.3 Consent:</h3>
<p style="text-align: justify; ">GDPR mentions "unambiguous" consent and spells out in detail what constitutes valid consent. Demonstrating valid consent is an important obligation of the controller. Further, the GDPR also explains the situations in which a child's consent will be valid. Such provisions are absent in the DPD.</p>
<h3 style="text-align: justify; "><a name="_uqvt1qhmvy2p"></a> 2.1.4 Special categories of data:</h3>
<p style="text-align: justify; ">Two new categories, biometric and genetic data have been added under GDPR.</p>
<h3 style="text-align: justify; "><a name="_ap4k8hvlnia"></a> 2.1.5 Rights:</h3>
<p style="text-align: justify; ">The GDPR strengthens certain rights granted under the DPD. These include:</p>
<p style="text-align: justify; ">a. <b>Right to restrict processing: </b>Under the DPD the data subject can block processing of data on the grounds of inaccuracy or incompleteness of the data. GDPR, on the other hand, is more elaborate and defined in this respect. Many more grounds are listed, together with the consequences of enforcing this right and the obligations on the controller.</p>
<p style="text-align: justify; ">b. <b>Right to erasure: </b> This is known as the "right to be forgotten". Here, the DPD merely mentions that the data subject has the right to request erasure of data on grounds of data inaccuracy or incomplete nature of data or in case of unlawful processing. The GDPR has strengthened this right by laying out 7 conditions for enforcing this right including 5 grounds on which the request for erasure shall not be processed. This means that the "right to erasure" is not an absolute right. GDPR provides that if data has been made public, controllers are under an obligation to inform other controllers processing the data about the request.</p>
<p style="text-align: justify; ">c. <b>Right to rectification: </b>This right is similar under GDPR and DPD.</p>
<p style="text-align: justify; ">d. <b>Right to access: </b>GDPR has broadened the amount of information a data subject can obtain regarding his/her own data. For example, under the DPD the data subject could know about the purpose of processing, categories of processing, recipients or categories of recipients to whom data are disclosed and the extent of automated decision-making involved. Now under GDPR, the data subject can also know about the retention period, the existence of certain rights, the source of the data and the consequences of processing. It specifically states the controller's obligations in this regard.</p>
<p style="text-align: justify; ">e. <b>Automated individual decision making including profiling: </b> This is an interesting provision that applies solely to automated decision-making. This includes profiling, which is a process by which personal data is evaluated solely by automated means for the purpose of analyzing a person's personal aspects such as performance at work, health, location etc. The intent is that data subjects should have the right to obtain human intervention in decisions made about their personal data. This upholds the philosophy of data safeguards, as the subject gets an opportunity to express his or her point of view, obtain an explanation and challenge the decision. Under GDPR, such decision-making should not concern a child.</p>
<h3 style="text-align: justify; "><a name="_mirhfotxo6sy"></a> 2.1.6 Code of conduct:</h3>
<p style="text-align: justify; ">A voluntary self-regulating mechanism has been provided under both GDPR and DPD.</p>
<h3 style="text-align: justify; "><a name="_7bkgvf7abyyr"></a> 2.1.7 Supervisory Authority:</h3>
<p style="text-align: justify; ">As compared to the DPD, the GDPR lays down detailed and elaborate provisions on Supervisory Authority.</p>
<h3 style="text-align: justify; "><a name="_khb6zs50ya84"></a> 2.1.8 Compensation and Liability:</h3>
<p style="text-align: justify; ">Although compensation and liability provisions under GDPR and DPD are similar, the GDPR specifically mentions this as a right with a wider scope. While the Directive enforces liability on the controller only, under the GDPR, compensation can be claimed from both, processor and controller.</p>
<h3 style="text-align: justify; "><a name="_bovy1ju2u8iv"></a> 2.1.9 Effective judicial remedies:</h3>
<p style="text-align: justify; ">Provisions in this area are also quite similar between the DPD and GDPR. The difference is that GDPR specifically mentions this as a "right" and the Directive does not. Use of such words is bound to bring legal clarity. It is interesting to note that in the DPD, recourse to remedy has been mentioned in the Recitals and it is the national law of individual member states, which shall regulate the enforceability. GDPR, on the other hand, mentions this under its Articles together with the jurisdiction of courts and exceptions to this right.</p>
<h3 style="text-align: justify; "><a name="_xndzim3hdxxa"></a> 2.1.10 Right to lodge complaint with supervisory authority:</h3>
<p style="text-align: justify; ">The right conferred on the data subject to seek a remedy for unlawful processing has been strengthened under GDPR. Again, as mentioned above, GDPR specifically words this as a "right" while the DPD does not.</p>
<h2 style="text-align: justify; "><a name="_68pmqs7h2gvp"></a> 2.2 New provisions added to the GDPR include:</h2>
<h3 style="text-align: justify; "><a name="_pynrk1m03gga"></a> 2.2.1 Data Transfer to third countries:</h3>
<p style="text-align: justify; ">Provisions under Chapter V of the GDPR regulate transfers of personal data from the EU to third countries and to international organizations, including onward transfers. The DPD only provides for transfers to third countries, without reference to international organizations.</p>
<p style="text-align: justify; ">The adequacy decision mechanism for such transfers remains the same under both laws. Where the Commission has not taken an adequacy decision, the GDPR sets out alternative and more elaborate provisions on "appropriate safeguards" (Article 46) and "binding corporate rules" (Article 47). Both the GDPR and the DPD also envisage certain specific situations (derogations) in which data may be transferred in the absence of an adequacy decision; these are more or less similar, with only a few modifications.</p>
<p style="text-align: justify; ">Significantly, the GDPR brings clarity on the enforceability of judgments and orders of courts and authorities outside the EU that require a transfer of personal data: such orders are recognized only where they are based on an international agreement. Additionally, it provides for international cooperation for the protection of personal data. Neither point is mentioned in the DPD.</p>
<h3 style="text-align: justify; "><a name="_ke5mhncq1f0n"></a> 2.2.2 Certification mechanism:</h3>
<p style="text-align: justify; ">Like codes of conduct, this is a voluntary mechanism which can aid in demonstrating compliance with the Regulation.</p>
<h3 style="text-align: justify; "><a name="_f6377ap0044"></a> 2.2.3 Records of processing activities:</h3>
<p style="text-align: justify; ">This is a mandatory "compliance demonstration" mechanism under GDPR, which is not mentioned under DPD. Organizations are likely to face initial administrative and financial burdens in order to maintain records of processing activities.</p>
<h3 style="text-align: justify; "><a name="_k6sqaxd28am7"></a> 2.2.4 Obligations of processor:</h3>
<p style="text-align: justify; ">DPD fixes liability on controllers but leaves out processors. GDPR includes both. Consequently, GDPR specifies obligations of the processor, the kinds of processors the controller can use and what will govern processing.</p>
<h3 style="text-align: justify; "><a name="_ggx4qdqpvwl1"></a> 2.2.5 Data Protection officer:</h3>
<p style="text-align: justify; ">This finds no mention in the DPD. Under the GDPR, a data protection officer must be appointed where processing is carried out by a public authority or body; where the core activities of the organization consist of processing which requires regular and systematic monitoring of data subjects on a large scale; or where the core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.</p>
<h3 style="text-align: justify; "><a name="_vmyb0dlytf7z"></a> 2.2.6 Data protection impact assessment:</h3>
<p style="text-align: justify; ">This is a privacy impact assessment for ensuring and demonstrating compliance with the Regulation; it identifies risks so that they can be minimized. The GDPR mandates such an assessment where processing is likely to result in a high risk to the rights and freedoms of natural persons. The relevant Article sets out when an assessment must be carried out, the information it must contain, and a requirement to consult the supervisory authority before processing if the assessment indicates a high risk that the controller cannot mitigate.</p>
<h3 style="text-align: justify; "><a name="_jsw1owqhhya3"></a> 2.2.7 Data Breach:</h3>
<p style="text-align: justify; ">Under this provision, the controller is responsible for two things: 1) notifying the supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it; a notification made after that must be accompanied by reasons for the delay; and 2) communicating the breach to the data subject where it is likely to result in a high risk to the rights and freedoms of the person. The processor, for its part, must notify the controller without undue delay after becoming aware of a breach. This provision is likely to push major changes in how organizations operate: detection, triage and reporting mechanisms will have to be implemented, and they will have to be efficient given that the 72-hour clock starts when the organization becomes aware of the breach.</p>
<h3 style="text-align: justify; "><a name="_ccc1t8kwx628"></a> 2.2.8 Data Protection by design and default:</h3>
<p style="text-align: justify; ">This entails a general obligation upon the controller to incorporate effective data protection in internal policies and implementation measures.</p>
<h3 style="text-align: justify; "><a name="_w5imfuxpb2ys"></a> 2.2.9 Rights:</h3>
<p style="text-align: justify; ">Under the GDPR, a new right, the "right to data portability", has been conferred upon data subjects. It empowers the data subject to receive the personal data they provided to a controller in a structured, commonly used and machine-readable format and to transmit it to another controller.</p>
<h3 style="text-align: justify; "><a name="_u0fpe4c3oxoo"></a> 2.2.10 New Definitions:</h3>
<p style="text-align: justify; ">Out of 26 definitions, 18 are new. "Pseudonymisation" is one such new concept that can aid data privacy. It means processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information. That additional information must be kept separately and be subject to technical and organizational measures which ensure that the personal data is not attributed to an identified or identifiable natural person.</p>
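<p style="text-align: justify; ">The split that the definition describes, working records that carry only a pseudonym and the "additional information" held apart from them, is shown in the following added example. It is not code from the original page; the record fields, the sample records and the vault layout are constructed for illustration. A keyed HMAC rather than a plain hash is used for the token so that someone holding only the working data cannot confirm a guessed e-mail address by re-hashing it.</p>

```python
"""Keyed pseudonymisation with the re-identification material held separately.

Added example, not part of the original page. Field names, sample records and
the vault structure are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Direct identifiers to strip from each record. Constructed list; a real
# deployment would derive it from the records of processing activities.
DIRECT_IDENTIFIERS = ("name", "email")


@dataclass
class PseudonymVault:
    """Holds the HMAC key and the pseudonym -> identifiers map.

    This is the 'additional information' of the definition: it must live in a
    different store, under different access controls, from the working data.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)

    def pseudonym_for(self, subject_id: str) -> str:
        # Normalise case so the same person always gets the same token.
        tag = hmac.new(self.key, subject_id.lower().encode(), hashlib.sha256)
        return tag.hexdigest()[:32]


def pseudonymise(record: dict, vault: PseudonymVault) -> dict:
    """Return a copy of `record` with direct identifiers replaced by one token.

    The same subject always maps to the same token, so the working data stays
    linkable for analysis; only the vault can turn a token back into a person.
    """
    token = vault.pseudonym_for(record["email"])
    vault.lookup.setdefault(token, {k: record[k] for k in DIRECT_IDENTIFIERS})
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject"] = token
    return out


def reidentify(token: str, vault: PseudonymVault) -> Optional[dict]:
    """Re-link a token to the original identifiers; impossible without the vault."""
    return vault.lookup.get(token)


def leaks_identifier(pseudonymised: dict) -> bool:
    """Sanity check for the working data set: no direct identifier field survived."""
    return any(k in pseudonymised for k in DIRECT_IDENTIFIERS)


# Constructed sample records; not real people.
SAMPLE = [
    {"name": "A. Example", "email": "a.example@example.org", "purchase": 42},
    {"name": "A. Example", "email": "A.Example@example.org", "purchase": 7},
    {"name": "B. Example", "email": "b.example@example.org", "purchase": 13},
]


def demo():
    """Pseudonymise the sample set; returns (working records, vault)."""
    vault = PseudonymVault()
    working = [pseudonymise(r, vault) for r in SAMPLE]
    return working, vault


if __name__ == "__main__":
    rows, v = demo()
    for r in rows:
        print(r)
    print("vault entries:", len(v.lookup))
```

<p style="text-align: justify; ">Two records for the same person (differing only in e-mail case) collapse to one token and one vault entry, while the working rows contain nothing but the token and the payload. Rotating the vault key breaks linkage between old and new tokens, which is the usual trade-off between long-term analysis and limiting the damage of a key compromise.</p>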
<h3 style="text-align: justify; "><a name="_lh2v66dwa6g5"></a> 2.2.11 Administrative fines:</h3>
<p style="text-align: justify; ">Perhaps much of the concern about the GDPR is due to its provisions on high fines for non-compliance with certain provisions. Organizations simply cannot afford to ignore it. Non-compliance can lead to administrative fines of up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.</p>
<h2 style="text-align: justify; "><a name="_ad4hk9ac5g76"></a> 2.3 Deleted provisions under DPD include :</h2>
<h3 style="text-align: justify; "><a name="_f7qp3wle6y52"></a> 2.3.1 Working Party:</h3>
<p style="text-align: justify; ">Working party under the DPD has been replaced by the European Data Protection Board provided by the GDPR. The purpose of the Board is to ensure consistent application of the Regulation.</p>
<h3 style="text-align: justify; "><a name="_79qx7y3yed1o"></a> 2.3.2 Notification Requirement:</h3>
<p style="text-align: justify; ">The general obligation to notify supervisory authorities of processing operations has been removed. It was observed that this requirement imposed an unnecessary administrative and financial burden on organizations and did not achieve its real purpose, the protection of personal data. Instead, the GDPR focuses on procedures and mechanisms such as data protection impact assessments and records of processing activities to ensure compliance.</p>
<h1 style="text-align: justify; "><a name="_mpysf7lokshn"></a> 3. BRIEF OVERVIEW</h1>
<p style="text-align: justify; ">The GDPR is the new uniform law, which will now replace older laws. A brief overview has been given below:</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p><b>Topic</b></p>
</td>
<td>
<p><b>GDPR</b></p>
<p><b>(General Data Protection Regulation)</b></p>
</td>
<td>
<p><b>DPD </b></p>
<p><b>(Data Protection Directive)</b></p>
</td>
</tr>
<tr>
<td>
<p>Name</p>
</td>
<td>
<p>REGULATION (EU) 2016/679</p>
</td>
<td>
<p>DPD 95/46/EC</p>
</td>
</tr>
<tr>
<td>
<p>Enforcement</p>
</td>
<td>
<p>Adopted on 27 April 2016</p>
<p>Applies from 25 May 2018</p>
</td>
<td>
<p>Adopted on 24 October 1995</p>
</td>
</tr>
<tr>
<td>
<p>Effect of legislation</p>
</td>
<td>
<p>It is a Regulation.</p>
<p>Is directly applicable to all EU member states without requiring a separate national legislation.</p>
</td>
<td>
<p>It is a Directive.</p>
<p>Member States had to transpose it into their own national legislation.</p>
</td>
</tr>
<tr>
<td>
<p>Objective</p>
</td>
<td>
<p>To protect "natural persons" with regard to processing of personal data and on free movement of such data.</p>
<p>It repeals DPD 95/46/EC.</p>
</td>
<td>
<p>To protect "individuals" with regard to processing of personal data and on free movement of such data.</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: left; ">Number of Chapters</p>
</td>
<td>
<p>XI</p>
</td>
<td>
<p>VII</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: left; ">Number of Articles<a name="_3znysh7"></a></p>
</td>
<td>
<p>99</p>
</td>
<td>
<p>34</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: left; ">Number of Recitals</p>
</td>
<td>
<p>173</p>
</td>
<td>
<p>72</p>
</td>
</tr>
<tr>
<td>
<p>Applicability</p>
</td>
<td>
<p>To processors and controllers</p>
</td>
<td>
<p>Primarily to controllers; processors are addressed only through the controller's security and contract obligations (Article 17)</p>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: justify; "><a name="_rpg4m5a4zaod"></a> 4. COMPARATIVE ANALYSIS OF GDPR AND DPD</h1>
<p style="text-align: justify; ">This section offers a comparative analysis, through a set of tables and text, of the provisions of the General Data Protection Regulation (GDPR) and those of the Data Protection Directive (DPD). Spaces left blank in the tables indicate the absence of a similar provision under the respective data protection regime.</p>
<h2 style="text-align: justify; "><a name="_2et92p0"></a> 4.1 Territorial Scope</h2>
<p style="text-align: justify; ">The GDPR has an expanded territorial scope. Under certain conditions the Regulation applies regardless of where the processing of personal data takes place: the focus is on the data subject, not on the location of processing. The DPD instead made the applicability of a Member State's national law the criterion for determining whether the Directive applied. Under the GDPR, the following conditions need to be satisfied for the Regulation to apply.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>3</p>
</td>
<td>
<p>4</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>When processor or controller is established in the Union, the Regulation/ Directive will apply if:</p>
<p><i>(DPD is silent on location of processors</i> )</p>
</td>
<td>
<p>1. Processing is of personal data</p>
<p>2. Processing is in "context of activities" of the establishment</p>
<p>3. Processing may or may not take place in the Union</p>
</td>
<td>
<p>Processing of personal data is carried out in the context of the activities of the establishment.</p>
</td>
</tr>
<tr>
<td>
<p>When processor or controller is not established in Union, the Regulation/Directive will apply if:</p>
<p><i>(DPD is silent on location of processors</i> )</p>
</td>
<td>
<p>1. Data subjects are in the Union; and</p>
<p>2. Processing activity is related to:</p>
<p>I. Offering of goods or services (whether or not payment is required); or</p>
<p>II. Monitoring their behavior within the Union</p>
<p>Or</p>
<p>3. Member State law applies to the place of establishment by virtue of public international law</p>
</td>
<td>
<p>1. Like GDPR the DPD mentions that national law should be applicable to that place by virtue of public international law;</p>
<p>Or</p>
<p>2. If the equipment for processing is situated on Member state territory unless it is used only for purpose of transit.</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_tyjcwt"></a> 4.2 Material Scope</h2>
<p style="text-align: justify; ">Recital 4 of the GDPR explains that the right to the protection of personal data is not an absolute right; it must be balanced against other fundamental rights in accordance with the principle of proportionality.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p style="text-align: left; ">Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>2</p>
</td>
<td>
<p>3</p>
</td>
</tr>
<tr>
<td>
<p>Applies to</p>
</td>
<td>
<p>Processing of personal data</p>
<p>Processing is by automated means, wholly or partially</p>
<p>When processing is not by automated means, the personal data should form or are intended to form a part of filing system</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Does not apply to</p>
</td>
<td>
<p>Processing of personal data:</p>
<p>1. For activities which lie outside scope of Union law</p>
<p>2. By Member State under Chapter 2 Title V of TEU</p>
<p>3. By natural person in course of purely personal or household activity</p>
<p>4. By competent authorities in relation to criminal offences and penalties and threats to public security</p>
<p>5. Under Regulation (EC) No 45/2001. This needs to be adapted for consistency with GDPR</p>
<p>6. Which should not prejudice the E commerce Directive 2000/31/EC especially the liability rules of intermediary service providers</p>
</td>
<td>
<p>The provisions in DPD are similar to GDPR.</p>
<p>In addition to Title V, the DPD did not apply to Title VI of TEU.</p>
<p>DPD doesn't mention Regulation (EC) No 45/2001 or the E commerce Directive 2000/31/EC.</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_3dy6vkm"></a> 4.3 Definitions</h2>
<p style="text-align: justify; ">GDPR incorporates 26 definitions as compared to 8 definitions under DPD. There are 18 new definitions in GDPR. Some definitions have been expanded.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>4</p>
</td>
<td>
<p>2</p>
</td>
</tr>
<tr>
<td>
<p>New Definitions under GDPR</p>
</td>
<td>
<p>1. Restriction of processing</p>
<p>2. Profiling</p>
<p>3. Pseudonymisation</p>
<p>4. Personal data breach</p>
<p>5. Genetic data</p>
<p>6. Biometric data</p>
<p>7. Data concerning health</p>
<p>8. Main establishment</p>
<p>9. Representative</p>
<p>10. Enterprise</p>
<p>11. Group of undertakings</p>
<p>12. Binding corporate rules</p>
<p>13. Supervisory authority</p>
<p>14. Supervisory authority concerned</p>
<p>15. Cross border processing</p>
<p>16. Relevant and reasoned objection</p>
<p>17. Information society service</p>
<p>18. International organizations</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>2 definitions that have been expanded under GDPR</p>
</td>
<td>
<p>1. Personal data</p>
<p>2. Consent</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>6 Definitions which have remained same in GDPR and DPD</p>
</td>
<td>
<p>1. Processing of personal data</p>
<p>2. Personal data filing system</p>
<p>3. Controller</p>
<p>4. Processor</p>
<p>5. Third party</p>
<p>6. Recipient</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_1t3h5sf"></a> 4.3.1 Expanded definition of personal data</h3>
<p style="text-align: justify; ">Both the DPD and the GDPR apply to 'personal data'. The GDPR gives an expanded definition of 'personal data', and Recital 30 gives examples of online identifiers, such as IP addresses and cookie identifiers, which may be used to identify a natural person.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>4(1)</p>
</td>
<td>
<p>2(a)</p>
</td>
</tr>
<tr>
<td>
<p>New term added in the definition</p>
</td>
<td>
<p>A new term " online identifier" has been added.</p>
<p>Example of online identifier is given under Recital 30. An IP address is one such example.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_tk0fv08fd3b8"></a></h3>
<h3 style="text-align: justify; "><a name="_4d34og8"></a> 4.3.2 Expanded definition of consent</h3>
<p style="text-align: justify; ">Valid consent must be given by the data subject. The definition of valid consent has been added under the GDPR. Recital 32 further explains that consent can be given "by a written statement, including by electronic means, or an oral statement". For example, ticking a box on a website signifies acceptance of processing, while "silence, pre-ticked boxes or inactivity" do not constitute consent.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>4(11)</p>
</td>
<td>
<p>2(h)</p>
</td>
</tr>
<tr>
<td>
<p>Term added in GDPR</p>
</td>
<td>
<p>Consent must be unambiguous, freely given, specific and informed.</p>
</td>
<td>
<p>The word "unambiguous" is not contained in DPD.</p>
</td>
</tr>
<tr>
<td>
<p>Means of signifying assent to processing own data</p>
</td>
<td>
<p>Assent can be given by a <i>statement or by clear affirmative action</i> signifying assent to processing.</p>
</td>
<td>
<p>DPD merely mentions that <i>freely given, specific and informed consent </i> signifies assent.</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_2s8eyo1"></a> 4.4 Conditions for consent</h2>
<p style="text-align: justify; ">GDPR lays down detailed provisions for valid consent. Such provisions are not given in DPD.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>7</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligation of controller</p>
</td>
<td>
<p>Must demonstrate consent has been given</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Presentation of written declaration of consent</p>
</td>
<td>
<p>It should be in a clearly distinguishable, intelligible and easily accessible form.</p>
<p>Language should be clear and plain.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>If declaration or any part of it infringes on Regulation</p>
</td>
<td>
<p>Declaration will be non-binding.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Right of data subject</p>
</td>
<td>
<p>To withdraw consent at any time.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>If consent is withdrawn, it will not make processing done earlier unlawful.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>For assessing whether consent is freely given</p>
</td>
<td>
<p>Must consider whether performance of contract or provision of service is made conditional on consent to processing of data not necessary for performance of contract.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
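<p style="text-align: justify; ">The consent conditions above (an affirmative act rather than a pre-ticked box, the controller's duty to demonstrate consent, withdrawal at any time, and the rule that withdrawal does not make earlier processing unlawful) translate into a small piece of record-keeping that many organizations get wrong. The following is an added example, not code from the original page: a per-purpose consent ledger whose event names, fields and sample history are constructed for illustration.</p>

```python
"""Per-purpose consent ledger.

Added example, not part of the original page. Event fields and the sample
history are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject: str
    purpose: str            # consent is recorded per purpose, not as a blanket flag
    given: bool             # True = grant, False = withdrawal
    at: datetime
    notice_version: str     # the text the subject saw; needed to demonstrate consent


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list = []

    def record_grant(self, subject: str, purpose: str, at: datetime,
                     affirmative_act: bool, notice_version: str) -> bool:
        """Store a grant only if it came from an affirmative act by the subject.

        A pre-ticked box, a default setting or inactivity is not consent, so
        such a 'grant' is refused instead of being stored (returns False).
        """
        if not affirmative_act:
            return False
        self._events.append(ConsentEvent(subject, purpose, True, at, notice_version))
        return True

    def record_withdrawal(self, subject: str, purpose: str, at: datetime) -> None:
        """Withdrawal must be possible at any time, so no conditions are checked."""
        self._events.append(ConsentEvent(subject, purpose, False, at, "-"))

    def consent_in_force(self, subject: str, purpose: str, at: datetime) -> bool:
        """Was consent for this purpose in force at instant `at`?

        The latest event at or before `at` decides. Processing done before a
        withdrawal therefore stays covered, processing after it does not.
        """
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.subject == subject and e.purpose == purpose and e.at <= at:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.given

    def evidence(self, subject: str, purpose: str) -> list:
        """What the controller can produce to demonstrate consent for a purpose."""
        return [
            {"at": e.at.isoformat(), "given": e.given, "notice_version": e.notice_version}
            for e in self._events
            if e.subject == subject and e.purpose == purpose
        ]


def ts(s: str) -> datetime:
    """Parse an ISO timestamp as UTC (helper for the sample history)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    """Constructed history for one subject; not real data."""
    ledger = ConsentLedger()
    # Sign-up form with a pre-ticked marketing box: refused, nothing stored.
    ledger.record_grant("u1", "marketing", ts("2018-05-25T09:00:00"),
                        affirmative_act=False, notice_version="v1")
    # The subject ticks the box themselves a day later: stored.
    ledger.record_grant("u1", "marketing", ts("2018-05-26T09:00:00"),
                        affirmative_act=True, notice_version="v1")
    # The subject withdraws in June.
    ledger.record_withdrawal("u1", "marketing", ts("2018-06-10T12:00:00"))
    return ledger


if __name__ == "__main__":
    led = build_sample_ledger()
    print(led.consent_in_force("u1", "marketing", ts("2018-06-01T00:00:00")))  # True
    print(led.consent_in_force("u1", "marketing", ts("2018-06-11T00:00:00")))  # False
    print(led.evidence("u1", "marketing"))
```

<p style="text-align: justify; ">Querying the ledger with a timestamp, rather than keeping a single mutable "consented" flag, is what lets the controller show both that consent was in force when a given processing operation ran and that processing stopped once it was withdrawn.</p>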
<h2 style="text-align: justify; "><a name="_17dp8vu"></a> 4.5 Conditions applicable to child's consent in relation to information society services</h2>
<p style="text-align: justify; ">This article prescribes an age limit for making processing on the basis of consent lawful where information society services (services offered online) are offered directly to a child.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>8</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Conditions for valid consent in this case</p>
</td>
<td>
<p>If child is at least 16 years old his consent is valid.</p>
<p>If child is below 16 years consent must be obtained from holder of parental responsibility over the child.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Age relaxation can be given when</p>
</td>
<td>
<p>Member States provides a law lowering the age.</p>
<p>Age cannot be lowered below 13 years.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller's responsibility</p>
</td>
<td>
<p>Make reasonable efforts, taking available technology into account, to verify that consent was given or authorized by the holder of parental responsibility</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Exceptions</p>
</td>
<td>
<p>This law will not affect:</p>
<p>General contract law of member states;</p>
<p>Effect of contract law on a child;</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_3rdcrjn"></a> 4.6 Processing of special categories of personal data</h2>
<p style="text-align: justify; ">Like the DPD, the GDPR spells out the data that is considered sensitive and the conditions under which this data can be processed. Two new categories of special data, "genetic data" and "biometric data", have been added to the list in the GDPR.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>9</p>
</td>
<td>
<p>8</p>
</td>
</tr>
<tr>
<td rowspan="6">
<p>Categories of data considered sensitive</p>
</td>
<td>
<p>Racial or ethnic origin</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Political opinions</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Religious or philosophical beliefs</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Trade union membership</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Health or sex life or sexual orientation</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Genetic data or</p>
<p>Biometric data uniquely identifying natural person</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="8">
<p>Circumstances in which processing of special categories of data may take place</p>
</td>
<td>
<p>If there is explicit consent of the data subject, unless Union or Member State law provides that the prohibition may not be lifted by consent</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Necessary for carrying out specific rights of controller or data subject</p>
</td>
<td>
<p>Under DPD these rights can be for employment.</p>
<p>The GDPR adds social security and social protection to this list.</p>
<p>These rights are to be authorized by Member state or Union. The GDPR adds "Collective agreements" to this.</p>
</td>
</tr>
<tr>
<td>
<p>In the vital interest of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>For legitimate activities carried on by not-for profit-bodies for political, philosophical or trade union aims subject to certain conditions.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>When personal data is made public by data subject</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>For the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>For substantial public interest in accordance with Member State or Union law</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Is necessary for:</p>
<p>Preventive or occupational medicine</p>
<p>Assessing working capacity of employee</p>
<p>Medical diagnosis</p>
<p>Healthcare or social care services</p>
<p>Contract with health professional</p>
</td>
<td></td>
</tr>
<tr>
<td></td>
<td>
<p>Is necessary in Public interest in the area of public health</p>
</td>
<td></td>
</tr>
<tr>
<td></td>
<td>
<p>For public interest, scientific or historical research or statistical purpose</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data for preventive or occupational medicine, medical diagnosis etc. can be processed when:</p>
</td>
<td>
<p>Data is processed by or under the responsibility of a professional subject to an obligation of professional secrecy under law</p>
</td>
<td>
<p>Here the processing is done by health professional under obligation of professional secrecy</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_26in1rg"></a> 4.7 Principles relating to processing of personal data</h2>
<p style="text-align: justify; ">The principles set out in GDPR are similar to the ones under DPD. Some changes have been introduced. Accountability of the controller has been specifically given under GDPR.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>5</p>
</td>
<td>
<p>6</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: left; ">Lawfulness, fairness, transparency</p>
</td>
<td>
<p>Processing must be Lawful, fair and transparent</p>
</td>
<td>
<p>Does not mention transparent</p>
</td>
</tr>
<tr>
<td rowspan="2">
<p>Purpose limitation</p>
</td>
<td>
<p>Purposes must be specified, explicit and legitimate.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes is not to be considered incompatible with the initial purpose.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Data minimization</p>
</td>
<td>
<p>Processing is adequate, relevant and limited to what is necessary</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Accuracy</p>
</td>
<td>
<p>Data is accurate, up to date, erased or rectified without delay</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td rowspan="3">
<p>Storage limitation</p>
</td>
<td>
<p>Data is to be stored in a way that data subject can be identified for no longer than is necessary for purpose of processing</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Data can be stored for longer periods when it is processed solely in public interest, scientific or historical research or statistical purpose</p>
</td>
<td>
<p>Same</p>
<p>However, public interest is not mentioned.</p>
</td>
</tr>
<tr>
<td>
<p>There must be appropriate technical and organizational measures to safeguard rights and freedoms</p>
</td>
<td>
<p>Same</p>
<p>Additionally, it specifically states that Member States must lay down appropriate safeguards</p>
</td>
</tr>
<tr>
<td>
<p>Integrity and confidentiality</p>
</td>
<td>
<p>Manner of processing must:</p>
<p>Ensure security of personal data,</p>
<p>Protection against unlawful processing and accidental loss, destruction or damage</p>
</td>
<td>
<p>Not mentioned</p>
</td>
</tr>
<tr>
<td>
<p>Accountability</p>
</td>
<td>
<p>Controller is responsible for and must demonstrate compliance with all of the above.</p>
</td>
<td>
<p>DPD states it is for the controller to ensure compliance with this Article.</p>
<p>Unlike GDPR, DPD doesn't specifically state the responsibility of controller for demonstrating compliance.</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_bezw6fia4pw1"></a> 4.8 Lawfulness of processing</h2>
<p style="text-align: justify; ">The conditions for "lawfulness of processing" under DPD have been retained in the GDPR with certain modifications allowing flexibility for member states to introduce specific provisions in public interest or under a legal obligation. It should be noted that protection given to child's data and rights and freedoms of data subject should not be prejudiced. Additionally, a non-exhaustive list has been laid down in the GDPR for determining if processing is permissible in situations where the new purpose of processing is different from original purpose.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>6</p>
</td>
<td>
<p>7</p>
</td>
</tr>
<tr>
<td>
<p>Processing is lawful when :</p>
</td>
<td>
<p>Processing is lawful only if at least one of the following conditions applies:</p>
<p>Data subject has given consent to processing for specific purpose(s).</p>
</td>
<td>
<p>Same</p>
<p>However it mentions "unambiguous" consent.</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>Processing is necessary for performance of contract to which data subject is party or at request of data subject before entering into a contract</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>Processing is necessary for controller's compliance with legal obligation.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>Is necessary for legitimate interests pursued by controller or by third party subject to exceptions (should not override rights and freedoms of data subject and protections given to child's data.)</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>It is necessary for performance of task carried out in public interest or for exercise of official authority vested in controller</p>
</td>
<td>
<p>Same</p>
<p>It additionally mentions third party:</p>
<p>"…exercise of official authority vested in controller <i>or in a third party to whom data are disclosed"</i></p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>For protections of vital interest of data subject or another natural person</p>
</td>
<td>
<p>Same</p>
<p>Does not mention natural person.</p>
</td>
</tr>
<tr>
<td>
<p>Member States may introduce specific provisions when:</p>
</td>
<td>
<p>When processing is necessary for compliance with a legal obligation or to protect public interest</p>
</td>
<td></td>
</tr>
<tr>
<td></td>
<td>
<p>The basis for such processing shall be laid down by Union law or Member State law</p>
</td>
<td></td>
</tr>
<tr>
<td colspan="3">
<p><b> If processing is done for purpose other than for which data is collected and is without data subject's consent or is not collected under law: </b></p>
</td>
</tr>
<tr>
<td rowspan="6">
<p>To determine if processing for another purpose is compatible with the original purpose</p>
</td>
<td>
<p>Controller shall take into account following factors:</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Link between purposes for which data was collected and the other purpose</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Context in which personal data have been collected</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Nature of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Possible consequences of other purpose</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Existence of appropriate safeguards</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_2ke3ydyw8r1i"></a> 4.9 Processing which does not require identification:</h2>
<p style="text-align: justify; ">This article lays down the conditions under which the controller is exempted from gathering additional data in order to identify a data subject for the purpose of complying with this Regulation. If the controller is able to demonstrate that identification is not possible, the data subject is to be informed if possible.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>11</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Conditions under which the controller is not obliged to maintain, acquire or process additional information in order to identify the data subject</p>
</td>
<td>
<p>If the purposes for which the controller processes personal data do not require the identification of the data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Consequence of not maintaining the data</p>
</td>
<td>
<p>Art 15 to 20 shall not apply provided controller is able to demonstrate its inability to identify the data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Exception to above consequence will apply when :</p>
</td>
<td>
<p>Data subject provides additional information enabling identification</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_35nkun2"></a> 4.10 Rights of the data subject</h2>
<p style="text-align: justify; ">The General Data Protection Regulation (GDPR) confers eight rights upon the data subject, which the controller must honor:</p>
<p style="text-align: justify; ">1. Right to be informed</p>
<p style="text-align: justify; ">2. Right of access</p>
<p style="text-align: justify; ">3. Right to rectification</p>
<p style="text-align: justify; ">4. Right to erasure</p>
<p style="text-align: justify; ">5. Right to restrict processing</p>
<p style="text-align: justify; ">6. Right to data portability</p>
<p style="text-align: justify; ">7. Right to object</p>
<p style="text-align: justify; ">8. Rights in relation to automated decision making and profiling</p>
<h3 style="text-align: justify; "><a name="_4ln2v6w83qoy"></a> 4.10.1 Right to be informed</h3>
<p style="text-align: justify; ">Where personal data has not been obtained from the data subject, the controller must provide the information listed below to the data subject (Article 13 covers the parallel case where the data is collected from the data subject). A number of exemptions are listed. Additionally, the GDPR lays down the time period within which the information has to be provided.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p align="left">Sub Topics in the Section</p>
</td>
<td>
<p align="center">GDPR</p>
</td>
<td>
<p align="center">DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Given in Article</p>
</td>
<td>
<p align="center">14</p>
</td>
<td>
<p>10</p>
</td>
</tr>
<tr>
<td rowspan="5">
<p align="left">Type of information to be provided</p>
</td>
<td>
<p align="left">Identity and contact details of the controller or controller's representative</p>
</td>
<td>
<p align="left">Same</p>
</td>
</tr>
<tr>
<td>
<p align="left">Contact details of the data protection officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Purpose and legal basis for processing</p>
</td>
<td>
<p align="left">Purpose of processing</p>
</td>
</tr>
<tr>
<td>
<p align="left">Recipients or categories of recipients of personal data</p>
</td>
<td>
<p align="left">Same</p>
</td>
</tr>
<tr>
<td>
<p align="left">Intention to transfer data to a third country or international organization, and information regarding the adequacy decision, suitable safeguards, Binding Corporate Rules or derogations relied on. This includes the means to obtain a copy of these as well as information on where they are available.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p align="left">Additional information to be provided by controller to ensure fair and transparent processing</p>
</td>
<td>
<p align="left">Storage period of personal data and criteria for determining the period</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Legitimate interests pursued by controller or third party</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Existence of data subject's rights with regard to access or rectification or erasure of personal data, automated decision making</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Where applicable, existence of right to withdraw consent</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p align="left">Time period within which information is to be provided</p>
</td>
<td>
<p align="left">Information to be given within a reasonable period, latest within one month.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">To be provided latest at the time of first communication to data subject, if personal data are to be used for communication with data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">In case of intended disclosure to another recipient, at the latest when personal data are first disclosed.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">If processing is intended for a new purpose other than original purpose, information to be provided prior to processing on new purpose.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p align="left">Situations in which exceptions are applicable</p>
</td>
<td>
<p align="left">Data subject already has information</p>
</td>
<td>
<p align="left">Same</p>
</td>
</tr>
<tr>
<td>
<p align="left">Provision of information involves disproportionate effort or is impossible or renders impossible or seriously impairs achievement of objective of processing.</p>
<p align="left">This is particularly with respect to processing for archiving purposes in public interest, scientific or historical research or statistical purpose.</p>
<p align="left">However, the controller must take measures to protect the data subject's rights, freedoms and legitimate interests, including making the information public.</p>
</td>
<td>
<p align="left">Provision involves impossible or disproportionate effort, in particular where processing is for historical or scientific research.</p>
<p align="left">However, appropriate safeguards must be provided by Member States.</p>
</td>
</tr>
<tr>
<td>
<p align="left">Obtaining or disclosure is mandatory under Union or member law and it provides protection to data subject's legitimate interests</p>
</td>
<td>
<p align="left">Where law expressly lays down recording or disclosure provided appropriate safeguards are provided by Member States.</p>
<p align="left">This is particularly applicable to processing for scientific or historical research.</p>
</td>
</tr>
<tr>
<td>
<p align="left">Confidentiality of data mandated by professional secrecy under Union or Member State law</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_unesl7gv52zg"></a> 4.10.2 Right to access</h3>
<p style="text-align: justify; ">Both the Data Protection Directive (DPD) and the General Data Protection Rules (GDPR) confer on the data subject a right of access to information regarding their personal data.</p>
<p style="text-align: justify; ">The CJEU in YS v. Minister voor Immigratie, Integratie en Asiel stated that it is the data subject's right "to be aware of and verify the lawfulness of the processing".</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR </b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>15</p>
</td>
<td>
<p>12</p>
</td>
</tr>
<tr>
<td rowspan="9">
<p>Data subject has the right to know about:</p>
</td>
<td>
<p>Purpose of processing</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Categories of data being processed</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Recipients or categories to whom data are disclosed</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Retention period of the data and criteria for this</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Existence of right to request erasure, rectification or restriction of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Right to lodge complaint with supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Knowledge about source of data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>To know about any significant and envisaged consequences of processing for the data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Existence of automated decision making and logic involved</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>In case of data transfer to third country</p>
</td>
<td>
<p>Right to be informed about the safeguards</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller's obligation</p>
</td>
<td>
<p>To provide a copy of data undergoing processing. Reasonable fee based on administrative costs can be charged for this.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_d0woi8tt0i24"></a> 4.10.3 Right to rectification</h3>
<p style="text-align: justify; ">GDPR and DPD both give the data subject the right to rectify their personal data. Under the GDPR the data subject can complete the incomplete data by giving a supplementary statement.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>16</p>
</td>
<td>
<p>12(b)</p>
</td>
</tr>
<tr>
<td rowspan="2">
<p>Right can be exercised when:</p>
</td>
<td></td>
<td>
<p>Processing does not comply with the Directive, i.e. damage is caused due to unlawful processing (Recital 55)</p>
<p>OR</p>
</td>
</tr>
<tr>
<td>
<p>When data is incomplete</p>
</td>
<td>
<p>When data is incomplete or inaccurate</p>
</td>
</tr>
<tr>
<td>
<p>Obligations of controller</p>
</td>
<td>
<p>To enforce the right without undue delay</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Obligation of controller to give notification when data is disclosed to third party</p>
</td>
<td>
<p>Given under Art 19</p>
<p>Request of erasure of personal data to be communicated to each recipient of such data</p>
</td>
<td>
<p>Given under Article 12(c)</p>
<p>Request must be communicated to third parties</p>
</td>
</tr>
<tr>
<td>
<p>It should not involve an impossible or disproportionate effort</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_2jxsxqh"></a> 4.10.4 Right to erasure</h3>
<p style="text-align: justify; ">This is also referred to as the "right to be forgotten". It empowers the individual to have personal data erased under certain circumstances: the data subject can request that the controller remove the data.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>17</p>
</td>
<td>
<p>12(b)</p>
</td>
</tr>
<tr>
<td>
<p>Obligation of the controller</p>
</td>
<td>
<p>To erase the data without undue delay</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="8">
<p>Conditions under which the right can be exercised</p>
</td>
<td></td>
<td>
<p>When processing does not comply with the Directive i.e. damage is caused due to unlawful processing (Recital 55)</p>
<p>OR</p>
<p>When data is incomplete or inaccurate</p>
</td>
</tr>
<tr>
<td>
<p>Personal data is no longer necessary for the purpose for which it was collected or processed</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data Subject withdraws consent for processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data subject objects to processing and there are no overriding legitimate grounds for processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data subject objects to processing for direct marketing purpose</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Personal data has been unlawfully processed</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When personal data has to be erased under a legal obligation of Union or member State law</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When personal data has been collected in offer of information society services to a child</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="5">
<p>Condition of processing under which request to erasure shall not be granted</p>
</td>
<td>
<p>For exercising right of freedom of expression and information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing is done under Union or Member State law in public interest or exercise of official authority vested in controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Done for public interest in public health</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>For public interest, scientific or historical research or statistical purpose.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>For establishment, exercise or defense of legal claims.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller's obligations when personal data has been made public</p>
</td>
<td>
<p>Controller to take reasonable steps to inform other controllers who are processing the data of the erasure request.</p>
<p>All links, copy or replication of personal data to be erased.</p>
<p>Technology available and cost of implementation to be taken into account.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Notification when data is disclosed to third party</p>
</td>
<td>
<p>Given under obligation of controller under Art 19:</p>
<p>Request of erasure of personal data to be communicated to each recipient of such data</p>
</td>
<td>
<p>Given under obligation of controller under Article 12(c):</p>
<p>Request must be communicated to third parties</p>
</td>
</tr>
<tr>
<td>
<p>It should not involve an impossible or disproportionate effort</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_z337ya"></a> 4.10.5 Right to restrict processing</h3>
<p style="text-align: justify; ">While the DPD provided for "blocking", the GDPR strengthened this right by specifically conferring the "Right to Restrict Processing" upon the data subject. This Article gives the data subject the right to restrict processing under certain conditions. Recital 67 explains that methods of restricting processing could include steps such as temporarily moving the data to another processing system or removing published data from a website.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>18</p>
</td>
<td>
<p>12(b)</p>
</td>
</tr>
<tr>
<td>
<p>About this right</p>
</td>
<td>
<p>Data subject can restrict processing of data</p>
</td>
<td>
<p>Data subject is allowed to erase, rectify or block processing of personal data.</p>
</td>
</tr>
<tr>
<td rowspan="4">
<p>Conditions under which the right can be exercised</p>
</td>
<td>
<p>When accuracy of personal data is contested</p>
</td>
<td>
<p>Besides accuracy, the DPD also mentions "incomplete nature of data" as grounds for exercising this right.</p>
</td>
</tr>
<tr>
<td>
<p>When processing is unlawful and data subject opposes erasure and requests restriction of data use</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When data is no longer needed by controller but is required by data subject for establishment, exercise or defense of legal claims.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data subject objects to processing and the verification by controller of compelling legitimate grounds for processing is ongoing</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="5">
<p>Consequences of exercising this right</p>
</td>
<td>
<p>Controller can store data but not process it</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing can be done only with the data subject's consent; or</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing can be done for establishment exercise or defense of legal claims; or</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing can be done for protecting the rights of another natural or legal person; or</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>It can be done in public interest of Union or Member State.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligations of controller under Art 18</p>
</td>
<td>
<p>The controller must inform the data subject before the restrictions are lifted.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Obligations of controller under Art 19</p>
</td>
<td>
<p>Inform each recipient of personal data about the restriction.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>This obligation need not be performed if it is impossible to do so or involves disproportionate effort.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Inform data subject about the recipients when requested by the data subject.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_spxapzomj6tn"></a> 4.10.6 Right to data portability</h3>
<p style="text-align: justify; ">This right empowers the data subject to receive personal data from one controller and transfer it to another. This gives the data subject more control over his or her own data. The controller cannot hinder this right when the following conditions are met.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>20</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Conditions for data transmission</p>
</td>
<td>
<p>The data must have been provided to the controller by data subject himself; and</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing is based on:</p>
<p>Consent; or</p>
<p>For performance of contract; and is carried out by automated means</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data transfer must be technically feasible</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Format of personal data</p>
</td>
<td>
<p>It should be in a:</p>
<p>Structured</p>
<p>Commonly-used</p>
<p>Machine readable format</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Time and cost for data transfer</p>
</td>
<td>
<p>Given in Art 12(3)</p>
<p>Should be free of charge</p>
<p>Information to be provided within one month. Further extension by two months permissible under certain circumstances.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Circumstance under which this Right cannot be exercised</p>
</td>
<td>
<p>When the exercise of the Right prejudices rights and freedom of another individual</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When processing is necessarily carried out in public interest</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When processing is necessarily done in exercise of official authority vested in controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When this Right adversely affects the "Right to be forgotten"</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_ksj4krgmokmt"></a> 4.10.7 Right to Object</h3>
<p style="text-align: justify; ">Both the DPD and the GDPR confer upon the data subject the right to object to processing on a number of grounds. The GDPR strengthens this right. Under the GDPR, there is a visible shift of the burden of showing "compelling legitimate grounds" from the data subject to the controller. Under the DPD, when processing is undertaken in the public interest, in the exercise of official authority or in the legitimate interests of a third party or the controller, the data subject not only has to show the existence of compelling legitimate grounds but also that the objection is justified. The GDPR, on the other hand, spares the data subject this exercise and instead places the onus on the controller to demonstrate that "compelling legitimate grounds" exist which override the interests, rights and freedoms of the data subject.</p>
<p style="text-align: justify; ">GDPR also provides a new ground for objecting to processing. The data subject can object to processing when it is for scientific or historical research or statistical purpose unless such processing is necessary in public interest.</p>
<p style="text-align: justify; ">Under the GDPR the data subject must be informed of this right "clearly and separately" and "at the time of first communication with data subject" when processing is done in public interest/exercise of official authority/legitimate interest of third party or controller or for direct marketing purpose. This right can be exercised by automated means in case of information society service.</p>
<p style="text-align: justify; ">The DPD also provides that the data subject must be informed of this right if the controller anticipates processing for direct marketing or disclosure of data to third party. It specifically states that this right is to be offered "free of charge". Additionally, it places responsibility upon the Member States to ensure that data subjects are aware of this right.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p align="center">Sub-topics in the section</p>
</td>
<td>
<p align="center"><b>GDPR</b></p>
</td>
<td>
<p align="center"><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Given in Article</p>
</td>
<td>
<p align="left">21</p>
</td>
<td>
<p align="left">14</p>
</td>
</tr>
<tr>
<td rowspan="4">
<p align="left">Conditions under which the right can be exercised during processing</p>
</td>
<td>
<p align="left">When performance of task is carried out in public interest or in exercise of official authority vested in controller. (Art 6(1)(e))</p>
<p align="left">Exception:</p>
<p>If controller demonstrates processing is for compelling legitimate grounds which override interests of data subject</p>
<p align="left">For establishment, exercise or defense of legal claims.</p>
</td>
<td>
<p align="left">Grounds are same but the data subject also has to show existence of compelling legitimate grounds. Processing will cease if objection is justified.</p>
<p align="left">Exceptions:</p>
<p align="left">The data subject can object on this ground unless national legislation provides otherwise.</p>
</td>
</tr>
<tr>
<td>
<p align="left">For legitimate interests of controller or third party (Art 6(1)(f))</p>
<p align="left">Exception:</p>
<p>1. If controller demonstrates processing is for compelling legitimate grounds that override interests of data subject.</p>
<p>2. For establishment, exercise or defense of legal claims.</p>
</td>
<td>
<p>Same as above</p>
</td>
</tr>
<tr>
<td>
<p align="left">When data is processed for scientific/historical research/ statistical purpose under Art 89(1)</p>
<p align="left">Exception:</p>
<p align="left">If processing is necessary for public interest</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">When personal data is used for marketing purpose.</p>
<p align="left">Can object at any time.</p>
<p align="left">No exceptions</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_1y810tw"></a> 4.10.8 Rights in relation to automated individual decision making including profiling</h3>
<p style="text-align: justify; ">This Article empowers the data subject to challenge automated decisions under certain conditions. This is to protect individuals from decisions taken without human intervention.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR </b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>22</p>
</td>
<td>
<p>15</p>
</td>
</tr>
<tr>
<td>
<p>This right can be exercised when decisions are based:</p>
</td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="2"></td>
<td>
<p>Only on automated processing</p>
<p>Including profiling; and</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Produce legal effects or have similarly significant effects on data subject</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Conditions under which this right will not be guaranteed</p>
</td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="3"></td>
<td>
<p>For entering into or performance of contract;</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>If Member State or Union law authorizes the decision provided it lays down suitable measures for safeguarding data subject's rights, freedoms and legitimate interests; Or</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>When decision is based on data subject's explicit consent.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Controller's obligation</p>
</td>
<td>
<p>Enforce measures to safeguard rights and freedom and interests</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Ensure data subject can obtain human intervention, express his point of view, challenge decisions</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Automated decision making will not apply when:</p>
</td>
<td>
<p>"Special categories of personal data" are to be processed</p>
<p>However, if the data subject gives his explicit consent or such processing serves substantial public interest then the restriction can be waived.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Concerns a child</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_4i7ojhp"></a> 4.11 Security and Accountability</h2>
<h3 style="text-align: justify; "><a name="_2xcytpi"></a> 4.11.1 Data protection by design and default</h3>
<p style="text-align: justify; ">This is another new concept under the GDPR. It is a general obligation on the controller to incorporate effective data protection in internal policies and implementation measures. Measures include: minimization of processing, pseudonymisation, transparency while processing, allowing data subjects to monitor data processing, etc. The implementation of organizational and technical measures is essential to demonstrate compliance with the Regulation.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>25</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Responsibility of controller when determining means of processing and at the time of processing</p>
</td>
<td>
<p>Implementation of appropriate technical and organizational measures for data protection</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Ensure that by default only personal data necessary for purpose of processing is processed</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Means of demonstrating compliance with this Article</p>
</td>
<td>
<p>Approved certification mechanism may be used.</p>
<p>Data minimization</p>
<p>Transparency etc.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_1ci93xb"></a> 4.11.2 Security of personal data</h3>
<p style="text-align: justify; ">Security of processing is addressed in the GDPR under Article 32. The controller and processor must implement technical and organizational measures to ensure data security. These may include pseudonymisation, encryption, ensuring confidentiality, restoring availability of and access to personal data, regular testing, etc. Compliance may be demonstrated by adherence to an approved code of conduct or certification mechanism. Further, any processing done by a natural person acting under the authority of the controller or processor may be done only on instructions from the controller.</p>
<h3 style="text-align: justify; "><a name="_tws6vuoa8tch"></a> 4.11.3 Notification of personal data breach</h3>
<p style="text-align: justify; ">This Article provides the procedure for communicating the personal data breach to supervisory authority. If the breach is not likely to result in risk to rights and freedoms of natural persons, then the controller is not required to notify the supervisory authority.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>33</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Responsibility of controller</p>
</td>
<td>
<p>Report personal data breach to supervisory authority after being aware of it</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Time limit for reporting data breach</p>
</td>
<td>
<p>Must be reported no later than 72 hours</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>In case of delay in reporting</p>
</td>
<td>
<p>Reasons to be stated</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Responsibility of processor</p>
</td>
<td>
<p>Notify the controller after being aware of breach</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Description of notification</p>
</td>
<td>
<p>Describe nature of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Name and contact details of the data protection officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Likely consequences of personal data breach</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Measures to be taken or proposed to be taken by controller to address the breach or mitigate its possible effect</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When information cannot be provided at same time</p>
</td>
<td>
<p>Provide it in phases without further undue delay</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>For verification of compliance</p>
</td>
<td>
<p>Controller has to document any personal data breach. The record must contain the facts, effects and remedial action taken</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_2bn6wsx"></a> 4.11.4 Communication of personal data breach to the data subject</h3>
<p style="text-align: justify; ">Not only is the supervisory authority to be notified, but data subjects are also to be informed about personal data breaches without undue delay under certain conditions.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>34</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Conditions under which controller is to communicate the breach to data subject</p>
</td>
<td>
<p>When breach is likely to cause high risk to rights and freedoms of natural persons</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Nature of communication</p>
</td>
<td>
<p>Must be in a clear and plain language.</p>
<p>Must describe the nature of breach.</p>
<p>Must Contain at least:</p>
<p>Name and contact details of the data protection officer</p>
<p>Likely consequences of personal data breach</p>
<p>Measures to be taken or proposed to be taken by controller to address the breach or mitigate its possible effect</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Condition under which communication will not be required</p>
</td>
<td>
<p>If controller has implemented appropriate technical and organizational measures and these were applied to the affected data.</p>
<p>E.g.: encryption</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Subsequent measures have been taken by controller to ensure there is no high risk</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>If communication involves disproportionate effort.</p>
<p>Public communication or similar measures can be undertaken under such circumstances.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Role of supervisory authority</p>
</td>
<td>
<p>In case of likelihood of high risk, the authority may require the controller to communicate the breach if the controller has not already done so.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
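<p style="text-align: justify; ">The Article 33 and Article 34 procedures summarised in the two tables above (notification to the supervisory authority, then communication to the data subject), worked as a breach-handling decision helper. This is an added example, not code from the original page or from CIS; the Breach record layout, the three-level risk scale and the sample breach are assumptions constructed for illustration, while the 72-hour deadline, the minimum content, the phased-reporting rule and the Article 34(3) exemptions follow the tables.</p>

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ART33_DEADLINE = timedelta(hours=72)  # Art 33(1): report to the authority within 72 hours
RISK_NONE, RISK_SOME, RISK_HIGH = "none", "some", "high"  # assumed three-level risk scale


@dataclass
class Breach:
    """Facts recorded when the controller becomes aware of a breach (assumed shape)."""
    aware_at: datetime          # moment of awareness; starts the 72-hour clock
    risk: str                   # RISK_NONE, RISK_SOME or RISK_HIGH
    nature: str = ""            # description of the breach
    dpo_contact: str = ""       # name and contact details of the DPO
    consequences: str = ""      # likely consequences for data subjects
    measures: str = ""          # measures taken or proposed
    data_unintelligible: bool = False       # Art 34(3)(a): e.g. the data was encrypted
    risk_since_mitigated: bool = False      # Art 34(3)(b): later measures removed the high risk
    contact_disproportionate: bool = False  # Art 34(3)(c): individual contact is disproportionate


@dataclass
class Decision:
    notify_authority: bool
    authority_deadline: Optional[datetime]
    notify_data_subjects: bool
    public_communication_instead: bool
    notes: List[str] = field(default_factory=list)


def decide(breach: Breach) -> Decision:
    """Apply the Art 33 and Art 34 tests from the tables above to one breach record."""
    notes: List[str] = []
    # Art 33: notify the supervisory authority unless the breach is unlikely to result in risk.
    notify_authority = breach.risk != RISK_NONE
    deadline = breach.aware_at + ART33_DEADLINE if notify_authority else None
    if not notify_authority:
        notes.append("Art 33: unlikely to result in risk; no notification, but still document it")
    # Art 34: communicate to data subjects only when high risk is likely, subject to exemptions.
    notify_subjects = public_comm = False
    if breach.risk == RISK_HIGH:
        if breach.data_unintelligible:
            notes.append("Art 34(3)(a): protective measures such as encryption were applied")
        elif breach.risk_since_mitigated:
            notes.append("Art 34(3)(b): subsequent measures mean high risk is no longer likely")
        elif breach.contact_disproportionate:
            public_comm = True
            notes.append("Art 34(3)(c): disproportionate effort; use a public communication")
        else:
            notify_subjects = True
    return Decision(notify_authority, deadline, notify_subjects, public_comm, notes)


def notification_content(breach: Breach) -> Dict[str, object]:
    """Check the minimum content of a notification; missing items do not block the
    report because Art 33(4) allows the information to be provided in phases."""
    required = {"nature": breach.nature, "dpo_contact": breach.dpo_contact,
                "consequences": breach.consequences, "measures": breach.measures}
    missing = [name for name, value in required.items() if not value.strip()]
    return {"complete": not missing, "missing": missing, "phased": bool(missing)}


def report_is_late(breach: Breach, filed_at: datetime) -> bool:
    """True when the authority notification misses the 72-hour window; the
    notification must then state the reasons for the delay."""
    return filed_at > breach.aware_at + ART33_DEADLINE


def register_entry(breach: Breach, decision: Decision) -> Dict[str, object]:
    """Art 33(5) record kept for every breach, notified or not: facts, effects and
    remedial action, so the supervisory authority can verify compliance."""
    return {"facts": breach.nature, "aware_at": breach.aware_at.isoformat(),
            "effects": breach.consequences, "remedial_action": breach.measures,
            "authority_notified": decision.notify_authority,
            "data_subjects_notified": decision.notify_data_subjects,
            "notes": list(decision.notes)}


# Constructed sample: an encrypted laptop holding customer records lost in transit.
LOST_LAPTOP = Breach(
    aware_at=datetime(2017, 9, 1, 9, 0, tzinfo=timezone.utc), risk=RISK_HIGH,
    nature="Laptop with customer contact records lost in transit",
    dpo_contact="DPO <dpo@example.invalid>",  # placeholder contact, not a real address
    consequences="Unwanted contact or identity fraud if the disk were read",
    measures="Remote wipe issued; affected credentials rotated",
    data_unintelligible=True,  # full-disk encryption was enabled, so Art 34(3)(a) applies
)

if __name__ == "__main__":
    decision = decide(LOST_LAPTOP)
    print(decision)
    print(notification_content(LOST_LAPTOP))
    print(register_entry(LOST_LAPTOP, decision))
```

<p style="text-align: justify; ">Note that the encryption exemption only removes the duty to contact data subjects; the authority notification and the Article 33(5) register entry are still required.</p>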
<h3 style="text-align: justify; "><a name="_qsh70q"></a> 4.11.5 Data protection impact assessment</h3>
<p style="text-align: justify; ">This is also known as a Privacy Impact Assessment. While the DPD provides a general obligation to notify processing to supervisory authorities, the GDPR, taking into account the need for greater protection of personal data, has replaced the notification process with a different set of mechanisms.</p>
<p style="text-align: justify; ">To serve the above purpose, the data protection impact assessment (DPIA) has been provided under this Article.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>35</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>When to carry out assessment</p>
</td>
<td>
<p>When new technology is used; and</p>
<p>Processing is likely to result in high risk to rights and freedoms of natural persons</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Automated processing including profiling involving systematic and extensive evaluation of personal aspects of natural persons;</p>
<p>and</p>
<p>When decisions based on such processing produce legal effects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Large scale processing of special categories of data or personal data relating to criminal convictions and offences</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Large scale systematic monitoring of publicly accessible area</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Type of information contained in assessment</p>
</td>
<td>
<p>Description of processing operations and purpose</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Assessment of necessity and proportionality of processing operations</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Assessment of risks to individuals</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Measures to address risks and demonstration of compliance with Regulation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Topic</p>
</td>
<td>
<p>Prior Consultation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>36</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When should controller consult supervisory authority</p>
</td>
<td>
<p>Prior to processing; and</p>
<p>DPIA indicates high risk; and</p>
<p>In absence of risk mitigation measures by controller</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><b>Data protection officer</b></p>
<p style="text-align: justify; ">The GDPR mandates that a person with expert knowledge of data protection law and practice is appointed to help the controller or processor comply with data protection laws. A single data protection officer (DPO) may be appointed by a group of undertakings, or where the controller or processor is a public authority or body. The DPO must be accessible from each establishment.</p>
<p style="text-align: justify; "><b><span> </span></b></p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>37</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Situations in which DPO must be appointed</p>
</td>
<td>
<p>When processing is carried out by public authority or body.</p>
<p>Note: Courts acting in judicial capacity are excluded.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Core activity involves processing which requires regular and systematic monitoring of data subjects on large scale; or</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Core activity involves processing of large scale special categories of data and criminal convictions and offences</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h4 style="text-align: justify; "><a name="_1pxezwc"></a> Position of Data Protection Officer</h4>
<p style="text-align: justify; ">The DPO must directly report to the highest management level of the controller or processor. Data subjects may contact the DPO in case of problems related to processing and exercise of rights.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>38</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Responsibility of controller and processor</p>
</td>
<td>
<p>Ensure DPO is involved properly and in timely manner</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Provide DPO with support, resources and access to personal data and processing operations</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Not dismiss or penalize DPO for performing his task.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Ensure the DPO's independence and not give the DPO instructions regarding the performance of those tasks</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h4 style="text-align: justify; "><a name="_ewk2mxb1q2ei"></a> Tasks of Data Protection officer</h4>
<p style="text-align: justify; ">The DPO must be involved in all matters concerning data protection. The DPO is expected to act independently and to advise controllers and processors so as to facilitate the establishment's compliance with the Regulation.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>39</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="5">
<p>Tasks</p>
</td>
<td>
<p>Inform and advise the controller or processor and employees over data protection laws</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Monitor compliance with data protection laws. This includes assigning responsibilities, awareness-raising, staff training and audits</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Advise on and monitor performance</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Cooperate with supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Act as point of contact for the supervisory authority on processing, prior consultation and consultation on other matters</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_2p2csry"></a> 4.11.6 European Data Protection Board</h3>
<p style="text-align: justify; ">For consistent application of the Regulation, the GDPR envisages a Board that would replace the Working Party on Protection of Individuals With Regard to Processing of Personal Data established under the DPD. This Regulation confers legal personality on the Board.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>68</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Represented by</p>
</td>
<td>
<p>Chair</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Composition of the Board</p>
</td>
<td>
<p>The head of one supervisory authority of each Member State and the European Data Protection Supervisor, or their respective representatives.</p>
<p>Joint representative can be appointed where Member State has more than one supervisory authority.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Role of Commission</p>
</td>
<td>
<p>Right to participate in activities and meetings of the Board without voting rights.</p>
<p>Commission to designate a representative for this.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Functions of the Board</p>
</td>
<td>
<p>Consistent application of Regulation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Advise the Commission on the level of protection in third countries or international organizations</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Promote cooperation of supervisory authorities</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Board is to act independently</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_147n2zr"></a> 4.11.7 Supervisory Authority</h3>
<p style="text-align: justify; ">GDPR lays down detailed provisions on supervisory authorities, defining their functions, independence, appointment of members, establishment rules, competence, competence of lead supervisory authority, tasks, powers and activity reports. Such elaborate provisions are absent in DPD.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>Chapter VI, Articles 51-59</p>
</td>
<td>
<p>28</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_gdvxc914pgtx"></a></h2>
<h2 style="text-align: justify; "><a name="_3o7alnk"></a> 4.12 Processor</h2>
<p style="text-align: justify; ">The Article spells out the obligations of a processor and the conditions under which other processors may be engaged.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>28</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>What kind of processors can be used by controller</p>
</td>
<td>
<p>● Those which provide sufficient guarantees to implement appropriate technical and organizational measures</p>
<p>● Those which comply with Regulation and Rights</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligations of processor in case of addition or replacement of processor</p>
</td>
<td>
<p>● Not engage another processor without controller's authorization</p>
<p>● In case of general written authorization inform the controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing shall be governed by</p>
</td>
<td>
<p>Contract or legal act under Union or Member State law.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Elements of Contract</p>
</td>
<td>
<p>● Is binding on processor</p>
<p>● Sets out subject matter and duration of processing</p>
<p>● Nature of processing</p>
<p>● Type of personal data</p>
<p>● Categories of data subjects</p>
<p>● Obligations and Rights of the controller</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="8">
<p>Obligations of processor under contract or legal act</p>
</td>
<td>
<p>Processor shall process under instructions from controller unless permitted under law itself.</p>
<p>Controller is to be informed in the latter case.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Ensures that persons authorized to process have committed themselves to confidentiality</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processor to undertake all data security measures (mentioned under Art 32)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Enforces conditions on engaging another processor</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Assists the controller by appropriate technical and organizational measures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Assists controller in compliance with Art 32 to 36</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Delete or return all personal data to controller at the choice of controller at the end of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Make information available to controller for demonstrating compliance with obligations.</p>
<p>Contribute to audits, inspections etc.</p>
<p>Inform the controller if it believes that an instruction infringes the regulation or law.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Conditions under which a processor can engage another processor</p>
</td>
<td>
<p>● Same data protection obligations will be applicable to other processor.</p>
<p>● If other processor fails to fulfill data protection obligations, initial processor shall remain fully liable to controller for such performance.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_23ckvvd"></a> 4.13 Records of processing activities</h2>
<p style="text-align: justify; ">The controller or processor must maintain records of processing activities to demonstrate compliance with the Regulation. They are obliged to cooperate with the supervisory authority and to make the record available to it upon request. The DPD does not contain similar obligations.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>30</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligation of controller or controller's representative</p>
</td>
<td>
<p>Maintain a record of processing activities</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="7">
<p>Information to be contained in the record</p>
</td>
<td>
<p>Name and contact details of:</p>
<p>● Controller /joint controller / controller's representatives</p>
<p>● Data protection officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Purpose of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Categories of data subjects and categories of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Categories of recipients to whom data has been or will be disclosed</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Transfers of personal data to third party, identification of third party, documentation of suitable safeguards</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Expected time limits for erasure of the different categories of data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Technical and organizational security measures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligation of processor</p>
</td>
<td>
<p>Maintain a record of processing activities carried out on behalf of controller</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Record maintained by processor shall contain information such as:</p>
</td>
<td>
<p>Name and contact details of:</p>
<p>● Processor /processor's representative</p>
<p>● Controller /controller's representative</p>
<p>● Data protection officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Categories of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data transfer to third party</p>
<p>Identification of third party</p>
<p>Documentation of safeguards</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Technical and organizational security measures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Form in which record is to be maintained</p>
</td>
<td>
<p>In writing and electronic form</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Conditions under which exemption will apply</p>
</td>
<td>
<p>● Organizations employing fewer than 250 employees are exempted;</p>
<p>● Processing should not cause risk to rights and freedoms of data subjects</p>
<p>● Processing should not be occasional</p>
<p>● Processing should not include special categories of data</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_ihv636"></a> 4.14 Code of Conduct</h2>
<p style="text-align: justify; ">Codes of conduct are provided under the GDPR as a mechanism for demonstrating compliance with the Regulation. This is important because the GDPR (under Art 83) provides that adherence to a code of conduct shall be one of the factors taken into account when calculating administrative fines. This is not an obligatory provision.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>40</p>
</td>
<td>
<p>27</p>
</td>
</tr>
<tr>
<td>
<p>Who will encourage drawing up of code of conduct</p>
</td>
<td>
<p>● Member States</p>
<p>● Supervisory Authorities</p>
<p>● Commission.</p>
<p>Specific needs of micro, small and medium enterprises to be taken into account.</p>
</td>
<td>
<p>● Member States</p>
<p>● Commission</p>
<p>Does not mention the rest</p>
</td>
</tr>
<tr>
<td>
<p>Who may prepare, amend or extend a code of conduct</p>
</td>
<td>
<p>Associations and other bodies representing categories of controller or processors</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="12">
<p>Information contained in the code</p>
</td>
<td>
<p>Fair and transparent processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Legitimate interests of controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Collection of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Pseudonymisation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Information to public and data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Exercise of rights of data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Information provided to and protection of children and manner in which consent of holders of parental responsibility is obtained</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Measures under:</p>
<p>● Data protection by design and default</p>
<p>● Controller responsibilities</p>
<p>● Security of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Notification of data breach to authorities and communication of same to data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data transfer to third party</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Dispute resolution procedures between controllers and data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Mechanisms for mandatory monitoring</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Mandatory monitoring</p>
</td>
<td>
<p>Code of conduct containing the above information enables mandatory monitoring of compliance by body accredited by supervisory authority. (Art 41)</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_32hioqz"></a> 4.15 Certification</h2>
<p style="text-align: justify; ">Like the code of conduct, certification is a voluntary mechanism that demonstrates compliance with the Regulation. The establishment of data protection certification mechanisms and of data protection seals and marks shall be encouraged by Member States, supervisory authorities, the Board and the Commission. As in the case of codes of conduct, the specific needs of micro, small and medium-sized enterprises ought to be taken into account. The DPD does not mention such mechanisms.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>42</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who will issue the certificate</p>
</td>
<td>
<p>Certification bodies or competent supervisory authority on basis of approved criteria.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Period for which certification is issued</p>
</td>
<td>
<p>Maximum period of three years.</p>
<p>Can be renewed under same conditions.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who accredits certification bodies</p>
</td>
<td>
<p>Competent supervisory authority or national accreditation body.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When can accreditation be revoked</p>
</td>
<td>
<p>When conditions of accreditation are not or no longer met.</p>
<p>OR</p>
<p>Where actions taken by certification body infringe this Regulation.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who can revoke</p>
</td>
<td>
<p>Competent supervisory authority or national accreditation body</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_rmo0nrgdb8k6"></a> 4.16 Data Transfer</h2>
<h3 style="text-align: justify; "><a name="_1hmsyys"></a> 4.16.1 Transfers of personal data to third countries or international organizations</h3>
<p style="text-align: justify; ">Chapter V lays down the conditions with which the data controller must comply in order to transfer data for the purpose of processing outside of the EU to third countries or international organizations. The chapter also stipulates conditions that must be complied with for onward transfers from the third country or international organization.</p>
<h3 style="text-align: justify; "><a name="_2grqrue"></a> 4.16.2 Transfer on the basis of an adequacy decision</h3>
<p style="text-align: justify; ">Under the GDPR, a transfer of data can take place after the <i>Commission decides</i> that the third country, a territory or specified sector within that third country, or the international organization ensures an adequate level of data protection. This is called an adequacy decision. A list of countries and international organizations that ensure adequate data protection shall be published by the Commission in the Official Journal of the European Union and on its website. Once data transfer conditions are found to be compliant with the Regulation, no specific authorization from the supervisory authorities is required for the transfer. The Commission decides this by means of an "implementing act" specifying a mechanism for periodic review, its territorial and sectoral application and the identification of supervisory authorities. Decisions of the Commission taken under Art 25(6) of the DPD remain in force. The DPD also provides parameters for the same.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in article</p>
</td>
<td>
<p>45</p>
</td>
<td>
<p>25</p>
</td>
</tr>
<tr>
<td>
<p>Conditions apply when transfers take place to</p>
</td>
<td>
<p>Third country or international organization</p>
</td>
<td>
<p>International organization not mentioned.</p>
</td>
</tr>
<tr>
<td rowspan="5">
<p>Functions of the commission</p>
</td>
<td>
<p>Take adequacy decisions</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Review the decision periodically, every four years</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Monitor developments on ongoing basis</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Repeal, amend or suspend decision</p>
</td>
<td></td>
</tr>
<tr>
<td></td>
<td>
<p>Inform Member States if a third country doesn't ensure an adequate level of protection.</p>
<p>Similarly, the Member State has to inform the Commission.</p>
</td>
</tr>
<tr>
<td rowspan="3">
<p>Functions of Member State</p>
</td>
<td></td>
<td>
<p>Inform Commission if third country doesn't ensure adequate level of protection.</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>Take measures to comply with Commission's decisions</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>Prevent data transfer if Commission finds absence of adequate level of protection.</p>
</td>
</tr>
<tr>
<td rowspan="3">
<p>Factors, with respect to third country or international organization, to be considered while deciding adequacy of safeguards</p>
</td>
<td>
<p>Rule of law, human rights, fundamental freedoms, access of public authorities to personal data, data protection rules, rules for onward transfer of personal data to a third country or international organization, etc.</p>
</td>
<td>
<p>Circumstances surrounding the data transfer operations: nature of the data; purpose and duration of the processing operation; country of origin and final destination; rule of law, professional rules and security measures in the third country.</p>
</td>
</tr>
<tr>
<td>
<p>Functioning of independent supervisory authorities, their powers of enforcing compliance with data protection rules and powers to assist and advise data subject to exercise their rights.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>International commitments entered into.</p>
<p>Obligations under legally binding conventions.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td rowspan="2">
<p>When an adequate level of protection is no longer ensured</p>
</td>
<td>
<p>The Commission, to the extent necessary: repeal, amend or suspend the decision.</p>
<p>This is to be done by the means of an implementing act.</p>
<p>No retroactive effect to take place</p>
</td>
<td>
<p>The Member State will have to suspend data transfer if the Commission finds an absence of adequate level of protection.</p>
</td>
</tr>
<tr>
<td>
<p>Commission to enter into consultation with the third country or international organization to remedy the situation</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_vx1227"></a> 4.16.3 Transfers subject to appropriate safeguards</h3>
<p style="text-align: justify; ">This Article provides for the situation in which the Commission has taken no adequacy decision (see <b>Transfer on the basis of an adequacy decision</b> above). In this case, the controller or processor can transfer data to a third country or international organization subject to certain conditions. Specific authorization from supervisory authorities is not required in this context. The procedure for the same has been laid down.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in article</p>
</td>
<td>
<p>46</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When can data transfer take place</p>
</td>
<td>
<p>When <i>appropriate safeguards</i> are provided by the controller or processor;</p>
<p>AND</p>
<p>On condition that data subject enjoys enforceable rights and effective legal remedies for data safety.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="5">
<p>Conditions to be fulfilled for providing <i>appropriate safeguards</i> without specific authorization from supervisory authority</p>
</td>
<td>
<p>Existence of legally binding and enforceable instrument between public bodies or authorities</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Existence of Binding Corporate Rules</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Standard data protection clauses adopted by the Commission</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Standard data protection clauses adopted by a supervisory authority and approved by the Commission.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Approved code of conduct along with binding and enforceable commitments of controller or processor in third country to apply appropriate safeguards and data subject's rights</p>
<p>OR</p>
<p>Approved certification mechanism along with binding and enforceable commitments of controller or processor in third country to apply appropriate safeguards and data subject's rights.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Conditions to be fulfilled for providing appropriate safeguards subject to authorization from competent authority</p>
</td>
<td>
<p>Existence of contractual clauses between:</p>
<p>Controller or Processor and</p>
<p>Controller, Processor or recipient of personal data (third party)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Provisions inserted in administrative arrangements between public authorities or bodies. Provisions to contain enforceable and effective data subject rights.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Consistency mechanism to be applied by supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Unless amended, replaced or repealed, authorization to transfer given under DPD will remain valid when:</p>
</td>
<td>
<p>Third country doesn't ensure adequate level of protection but controller adduces adequate safeguards;</p>
<p>or</p>
<p>Commission decides that standard contractual clauses offer sufficient safeguards</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_3fwokq0"></a> 4.16.4 Binding Corporate Rules</h3>
<p style="text-align: justify; ">These are agreements that govern transfers between organizations within a corporate group.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>47</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Elements of Binding Corporate Rules</p>
</td>
<td>
<p>Legally binding</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Apply to and are enforced by every member of group of undertakings or group of enterprises engaged in joint economic activity. Includes employees</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Expressly confer enforceable rights on data subject over processing of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="12">
<p>What do they specify</p>
</td>
<td>
<p>Structure and contact details of group of undertakings</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data transfers or set of transfers, including categories of personal data, type of processing, type of data subjects affected and identification of third countries</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Legally binding nature</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Application of general data protection principles</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Rights of data subjects</p>
<p>Means to exercise those rights</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>How the information on BCR is provided to data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Tasks of data protection officer etc.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Complaint procedure</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Mechanisms within the group of undertakings, group of enterprises for ensuring verification of compliance with BCR.</p>
<p>E.g. data protection audits</p>
<p>Results of verification to be available to person in charge of monitoring compliance with BCR and to board of undertaking or Group of enterprises.</p>
<p>Should be available upon request to competent supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Mechanism for reporting and recording changes to rules and reporting changes to supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Cooperation mechanism with supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data protection training to personnel having access to personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Role of Commission</p>
</td>
<td>
<p>May specify format and procedures for exchange of information between controllers, processors and supervisory authorities for BCR</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_ior7p9ed8ake"></a> 4.16.5 Transfers or disclosures not authorized by Union law</h3>
<p style="text-align: justify; ">This Article lays down enforceability of decisions given by judicial and administrative authorities in third countries with regard to transfer or disclosure of personal data.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>48</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Article concerns</p>
</td>
<td>
<p>Transfer of personal data under judgments of courts, tribunals, decision of administrative authorities in third countries.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When can data be transferred or disclosed</p>
</td>
<td>
<p>International agreement between the requesting third country and the Member State or the Union.</p>
<p>E.g. a mutual legal assistance treaty</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_4f1mdlm"></a> 4.16.6 Derogations for specific situations</h3>
<p style="text-align: justify; ">This Article comes into play in the absence of an adequacy decision, appropriate safeguards or binding corporate rules. The conditions for data transfer to a third country or international organization in such situations have been laid down.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>49</p>
</td>
<td>
<p>26</p>
</td>
</tr>
<tr>
<td rowspan="6">
<p>Conditions under which data transfer can take place</p>
</td>
<td>
<p>On obtaining explicit consent of the data subject after being informed of the possible risks</p>
</td>
<td>
<p>On obtaining unambiguous consent of data subject to the proposed transfer</p>
</td>
</tr>
<tr>
<td>
<p>Transfer is necessary for conclusion or performance of contract.</p>
<p>The contract should be in the interest of data subject.</p>
<p>The contract is between the controller and another natural or legal person.</p>
</td>
<td>
<p>Contractual conditions are same.</p>
<p>DPD also includes implementation of pre-contractual measures taken at the data subject's request.</p>
</td>
</tr>
<tr>
<td>
<p>Transfer is necessary in public interest</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Is necessary for establishment, exercise or defense of legal claims</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>To protect vital interest of data subject or of other persons where data subject is physically or legally incapable of giving consent</p>
</td>
<td>
<p>Includes vital interest of data subject but doesn't include "other person". Condition for consent is also not included.</p>
</td>
</tr>
<tr>
<td>
<p>Transfer made from register under Union or Member State law to provide information to public and is open to consultation by public or person demonstrating legitimate interest.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td rowspan="8">
<p>Conditions for transfer when even the above specific situations are not applicable</p>
</td>
<td>
<p>Transfer is not repetitive</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Concerns limited number of data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Necessary for compelling legitimate interests pursued by controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Legitimate interests are not overridden by interests or rights and freedoms of data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller has provided suitable safeguards after assessing all circumstances surrounding data transfer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller to inform supervisory authority about the transfer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller to inform data subject of transfer and compelling legitimate interests pursued</p>
</td>
<td></td>
</tr>
<tr>
<td></td>
<td>
<p>A Member State may authorize transfer of personal data to a third country where the controller adduces adequate safeguards for protection of privacy and fundamental rights and freedoms of individuals</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_2u6wntf"></a> 4.17 International cooperation for protection of personal data</h2>
<p style="text-align: justify; ">This Article lays down certain steps to be taken by the Commission and supervisory authorities for the protection of personal data.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>50</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Steps will include</p>
</td>
<td>
<p>Development of international cooperation mechanisms to facilitate enforcement of legislation for protection of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Provide international mutual assistance in enforcement of legislation for protection of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Engage relevant stakeholders for furthering international cooperation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Promote exchange and documentation of personal data protection legislation and practice</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_pn5fviodvkzf"></a> 4.18 Remedies, Liability and Compensation</h2>
<h3 style="text-align: justify; "><a name="_3tbugp1"></a> 4.18.1 Right to lodge complaint with a supervisory authority</h3>
<p style="text-align: justify; ">This article gives the data subject the right to seek remedy against unlawful processing of data. GDPR strengthens this right as compared to the one provided under DPD.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>77</p>
</td>
<td>
<p>28(4)</p>
</td>
</tr>
<tr>
<td>
<p>Right given</p>
</td>
<td>
<p>Right to lodge complaint</p>
</td>
<td>
<p>Under GDPR the data subject has been conferred the "right" specifically. This is not so in DPD.</p>
<p>DPD merely obliges the supervisory authority to hear claims concerning rights and freedoms.</p>
</td>
</tr>
<tr>
<td>
<p>Who can lodge complaint</p>
</td>
<td>
<p>Data subject</p>
</td>
<td>
<p>Any person or association representing that person</p>
</td>
</tr>
<tr>
<td>
<p>Complaint to be lodged before</p>
</td>
<td>
<p>Supervisory authority in the Member State of habitual residence, place of work or place of infringement</p>
</td>
<td>
<p>Supervisory authority</p>
</td>
</tr>
<tr>
<td>
<p>When can the complaint be lodged</p>
</td>
<td>
<p>When processing of personal data relating to data subject allegedly infringes on Regulation</p>
</td>
<td>
<p>When rights and freedom are to be protected while processing.</p>
<p>When national legislative measures restricting the scope of the Regulation are adopted and processing is alleged to be unlawful.</p>
</td>
</tr>
<tr>
<td>
<p>Accountability</p>
</td>
<td>
<p>Complainant to be informed by Supervisory authority on progress and outcome of complaint and judicial remedy to be taken up</p>
</td>
<td>
<p>Complainant to be informed on outcome of claim or if check on unlawfulness has taken place</p>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_28h4qwu"></a> 4.18.2 Right to an effective judicial remedy against supervisory authority</h3>
<p style="text-align: justify; ">The concerned Article seeks to make supervisory authorities accountable by bringing proceedings against the authority before the courts. GDPR gives a specific right to the individual. DPD under Article 28(3) merely provides for appeal against decisions of supervisory authority in the courts.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>78 (1)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who has the right</p>
</td>
<td>
<p>Every natural or legal person</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When can the right be exercised</p>
</td>
<td>
<p>Against legally binding decision of supervisory authorities concerning the complainant</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>78(2)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who has the right</p>
</td>
<td>
<p>Data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When can the right be exercised</p>
</td>
<td>
<p>When the competent supervisory authority doesn't handle the complaint</p>
<p>Or</p>
<p>Doesn't inform data subject about progress / outcome of complaint within 3 months</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The jurisdiction of the court will extend to the territory of the Member State in which the supervisory authority is established (GDPR Art 78(3)). The supervisory authority is required to forward proceedings to the court if the decision was preceded by the Board's decision in the consistency mechanism (GDPR Art 78(4)).</p>
<h3 style="text-align: justify; "><a name="_nmf14n"></a> 4.18.3 Right to effective judicial remedy against a controller or processor</h3>
<p style="text-align: justify; ">The data subject has been conferred with the right to approach the courts under certain circumstances. The GDPR confers the specific right, while DPD provides for judicial remedy without using the word "right".</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in</p>
</td>
<td>
<p>Art 79</p>
</td>
<td>
<p>Recital 55</p>
</td>
</tr>
<tr>
<td>
<p>Right can be exercised when:</p>
</td>
<td>
<p>1. Data has been processed; and</p>
<p>2. Processing results in infringement of rights; and</p>
<p>3. Infringement is due to non-compliance with the Regulation</p>
</td>
<td>
<p>Similar provisions provided under DPD:</p>
<p>When controller fails to respect the rights of data subjects and national legislation provides a judicial remedy.</p>
<p>Processors are not mentioned.</p>
</td>
</tr>
<tr>
<td>
<p>Jurisdiction of the courts</p>
</td>
<td>
<p>Proceedings can be brought before the courts of Member States wherein:</p>
<p>1. Controller or processor has an establishment</p>
<p>Or</p>
<p>2. Data Subject has habitual residence</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Right cannot be exercised when</p>
</td>
<td>
<p>1. The controller or processor is a public authority of Member State</p>
<p>And</p>
<p>2. Is exercising its public powers</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_37m2jsg"></a> 4.18.4 Right to compensation and liability</h3>
<p style="text-align: justify; ">GDPR enables a person who has suffered damages to claim compensation as a specific right. DPD merely entitles the person to receive compensation. Although liability provisions under GDPR and DPD are similar, the liability under GDPR is stricter as compared to DPD. This is because DPD exempts the processor from liability but GDPR does not; that is, DPD imposes liability on controllers only.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>82</p>
</td>
<td>
<p>23</p>
</td>
</tr>
<tr>
<td>
<p>Who can claim compensation</p>
</td>
<td>
<p>Any person who has suffered material or non-material damage</p>
</td>
<td>
<p>Similar provisions.</p>
<p>But DPD doesn't mention "material or non-material damage" specifically.</p>
</td>
</tr>
<tr>
<td>
<p>Right arises due to</p>
</td>
<td>
<p>Infringement of Regulation</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Right granted</p>
</td>
<td>
<p>Right to receive compensation</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Compensation has to be given by</p>
</td>
<td>
<p>Controller or processor</p>
</td>
<td>
<p>Compensation can be claimed only from controller</p>
</td>
</tr>
<tr>
<td>
<p>Liability of controller arises when</p>
</td>
<td>
<p>Damage is caused by processing due to infringement of regulation</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Liability of processor arises when</p>
</td>
<td>
<p>1. Processor has not complied with directions given to it under Regulation</p>
<p>OR</p>
<p>2. Processor has acted outside or contrary to lawful instructions of controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Exemptions to controller or processor from liability</p>
</td>
<td>
<p>If there is proof that they are not responsible</p>
</td>
<td>
<p>Exemption for controller is same</p>
</td>
</tr>
<tr>
<td>
<p>Liability when more than one controller or processor cause damage</p>
</td>
<td>
<p>Each controller or processor to be held liable for entire damage</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_1mrcu09"></a> 4.19 General conditions for imposing administrative fines</h2>
<p style="text-align: justify; ">GDPR makes provision for imposition of <i>administrative fines</i> by supervisory authorities in case of infringement of the Regulation. Such fines should be effective, proportionate and dissuasive. In case of minor infringement, a "reprimand may be issued instead of a fine" <a href="#_ftn1" name="_ftnref1"><sup><sup>[1]</sup></sup></a>. Means of enforcing accountability of the supervisory authority have been provided. If Member State law does not provide for administrative fines, then the fine can be initiated by the supervisory authority and imposed by courts. However, by 25 May 2018, Member States have to adopt laws that comply with this Article.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>83</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who can impose fines</p>
</td>
<td>
<p>Supervisory Authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Fines to be issued against</p>
</td>
<td>
<p>Controllers or Processors</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="11">
<p>Parameters to be taken into account while determining administrative fines</p>
</td>
<td>
<p>Nature, gravity and duration of infringement</p>
<p>and</p>
<p>Nature, scope or purpose of processing</p>
<p>and</p>
<p>Number of data subjects affected</p>
<p>and</p>
<p>Level of damage suffered</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Intentional or negligent character of infringement</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Action taken by controller or processor to mitigate damage suffered by data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Degree of responsibility of the controller or processor. Technical and organizational measures implemented are to be taken into account.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Relevant previous infringement</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Degree of cooperation with supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Categories of personal data affected</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Manner in which supervisory authorities came to know of the infringement and</p>
<p>Extent to which the controller or processor notified the infringement</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether corrective orders of the supervisory authority under Art 58(2) have been issued before and complied with</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Adherence to approved code of conduct under Art 40 or approved certification mechanisms under Art 42</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Other aggravating or mitigating factors, such as financial benefits gained, losses avoided, etc.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>If infringement is intentional or due to negligence of processor or controller</p>
</td>
<td>
<p>Total amount of administrative fine to not exceed amount specified for gravest infringement</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Means of checking the power of the supervisory authority to impose fines</p>
</td>
<td>
<p>Procedural safeguards under Member State or Union law.</p>
<p>Including judicial remedy and due process</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Article 83 splits the amount of administrative fines according to obligations infringed by controllers, processors or undertakings. The first set of infringements may lead to imposition of fines up to 10,000,000 EUR or 2% of total worldwide turnover.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>83(4)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Fine imposed</p>
</td>
<td>
<p>Up to 10,000,000 EUR</p>
<p>or</p>
<p>in case of undertaking,</p>
<p>2% of total worldwide turnover of preceding financial year, whichever is higher</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="8">
<p>Infringement of these provisions will cause imposition of fine (Provisions infringed)</p>
</td>
<td>
<p>Obligations of controller and processor under:</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 8</p>
<p>Conditions applicable to child's consent in relation to information society services</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 11</p>
<p>Processing which does not require identification</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 25 to 39</p>
<p>General obligations, Security of personal data, Data Protection impact assessment and prior consultation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 42</p>
<p>Certification</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 43</p>
<p>Certification bodies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligations of certification body under:</p>
<p>Art 42</p>
<p>Art 43</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligations of monitoring body under:</p>
<p>Art 41(4)</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The second set of infringements may cause the authority to impose higher fines of up to 20,000,000 EUR or 4% of total worldwide turnover.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>83(5)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Fine imposed</p>
</td>
<td>
<p>Up to 20,000,000 EUR</p>
<p>or</p>
<p>in case of undertaking,</p>
<p>4% of total worldwide turnover of preceding financial year, whichever is higher</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="12">
<p>Infringement of provisions that will cause imposition of fine (Provisions infringed)</p>
</td>
<td>
<p>Basic principles for processing and conditions for consent under:</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 5</p>
<p>Principles relating to processing of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 6</p>
<p>Lawfulness of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 7</p>
<p>Conditions for consent</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 9</p>
<p>Processing of special categories of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data subject's rights under:</p>
<p>Art 12 to 22</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Transfer of personal data to third country or international organization under:</p>
<p>Art 44 to 49</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligations under Member State law adopted under Chapter IX</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Non-compliance with the supervisory authority's powers under the provisions of Art 58:</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Imposition of temporary or definitive limitation including ban on processing</p>
<p>(Art 58 (2)(f))</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Suspension of data flows to third countries or international organization</p>
<p>(Art 58(2) (j))</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Provide access to premises or data processing equipment and means (Art 58 (1) (f))</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_46r0co2"></a> 4.20 Penalties</h2>
<p style="text-align: justify; ">Article 84 makes provision for penalties in case of infringement of Regulation.</p>
<p style="text-align: justify; ">The penalties must be effective, proportionate and dissuasive.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>84</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When will penalty be imposed</p>
</td>
<td>
<p>In case of infringements that are not subject to administrative fines</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who imposes them</p>
</td>
<td>
<p>Member State</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Responsibility of Member State</p>
</td>
<td>
<p>To lay down the law and ensure implementation.</p>
<p>To notify the Commission of the law adopted, by 25 May 2018</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<div style="text-align: justify; "><br clear="all" />
<hr />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1"> <sup><sup>[1]</sup></sup> </a> Recital 148, GDPR</p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive'>https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive</a>
</p>
Aditi Chaturvedi, edited by Leilah Elmokadem. Internet Governance, Data Protection, Privacy. 2017-02-07T14:08:35Z. Blog Entry.
Comments on the Report of the Committee on Digital Payments (December 2016)
https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016
<b>The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.</b>
<p> </p>
<h3><strong>1. Preliminary</strong></h3>
<p><strong>1.1.</strong> This submission presents comments by the Centre for Internet and Society (“CIS”) <strong>[1]</strong> in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) <strong>[2]</strong>.</p>
<h3><strong>2. The Centre for Internet and Society</strong></h3>
<p><strong>2.1.</strong> The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.</p>
<p><strong>2.2.</strong> CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.</p>
<h3><strong>3. Comments</strong></h3>
<p><strong>3.1.</strong> CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 and Rs. 1,000 notes), declared on November 08, 2016 <strong>[3]</strong>, has generated <strong>unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to their extreme use due to the circumstances</strong>. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider <strong>opening up this data for analysis and discussion by the public at large and experts in particular, before any specific policy and regulatory decisions are taken</strong> towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.</p>
<p><strong>3.2.</strong> While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. <strong>CIS strongly warns that the existing data protection and security regulations under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services.</strong> Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector-specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous, and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have a clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.</p>
<p><strong>3.3.</strong> The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. <strong>We submit that a decision regarding a transformation of such scale and implications be taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders</strong>. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.</p>
<p><strong>3.4.</strong> The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both primarily technology businesses where information technology in particular is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as pre-paid instruments) offering return on deposited money via other means (such as cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. <strong>CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice</strong>.</p>
<p><strong>3.5.</strong> The report highlights two major shortcomings of the current regulatory regime for payments. Firstly, “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. <strong>We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates a conflict of interest for the regulator otherwise.</strong> Secondly, the report mentions that the Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). <strong>This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of this function of course need discussion and changes with the growth in digital payments</strong>.</p>
<p><strong>3.6.</strong> The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” <strong>CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has</strong>. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.</p>
<p><strong>3.7.</strong> CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” <strong>We second this recommendation and would like to add further that financial transaction data is governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities</strong>.</p>
<p><strong>3.8.</strong> We are, however, very discouraged to see the overtly incorrect use of the word “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity <strong>[4]</strong>. This is not an uncommon anti-competitive measure adopted by various platform players and service providers so as to disallow users from using competing products (such as not allowing competing apps in the app store controlled by one software company). <strong>The term “Open Access” is not only the appropriate word to describe the negation of such anti-competitive behaviour, its usage in this context undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report.</strong> The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality”, which stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.</p>
<p><strong>3.9.</strong> A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). <strong>This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic</strong>.</p>
<p><strong>3.10.</strong> The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). <strong>Not only would these measures imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment.</strong> A mandate for <em>replacement</em> of the paper-based central KYC agencies will only remove a much needed redundancy in the identity verification infrastructure of the government.</p>
<p><strong>3.11.</strong> The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification processes for a natural person, apart from DNA testing perhaps. <strong>Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of the relatively greater security precautions for the former, and will lead to possibilities of fraud</strong>.</p>
<p><strong>3.12.</strong> In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. <strong>We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats</strong>.</p>
<p><strong>3.13.</strong> The report suggests the establishment of “a ranking and reward framework” to recognise and encourage the best performing state/district/agency in the proliferation of digital payments. <strong>It appears to us that creation of such a framework will only lead to the making of an environment of competition among the entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state governments and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy</strong>. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.</p>
<p><strong>3.14.</strong> CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. <strong>We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities</strong>.</p>
<p><strong>3.15.</strong> The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement to offer a digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. <strong>We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away</strong>. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.</p>
<p><strong>3.16.</strong> As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, <strong>it would have been much appreciated if at least a month-long window had been provided to study and comment on the report, instead of fifteen days</strong>. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.</p>
<h3><strong>Endnotes</strong></h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[2]</strong> See: <a href="http://finmin.nic.in/reports/Note-watal-report.pdf">http://finmin.nic.in/reports/Note-watal-report.pdf</a> and <a href="http://finmin.nic.in/reports/watal_report271216.pdf">http://finmin.nic.in/reports/watal_report271216.pdf</a>.</p>
<p><strong>[3]</strong> See: <a href="http://finmin.nic.in/cancellation_high_denomination_notes.pdf">http://finmin.nic.in/cancellation_high_denomination_notes.pdf</a>.</p>
<p><strong>[4]</strong> Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: <a href="http://www.budapestopenaccessinitiative.org/read">http://www.budapestopenaccessinitiative.org/read</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016'>https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016</a>
</p>
No publisher. Authors: Sumandro Chattapadhyay and Amber Sinha. Tags: UID, Digital ID, Big Data, Digital Economy, Digital Access, Privacy, Digital Security, Data Revolution, Digital Payment, Internet Governance, Digital India, Data Protection, Demonetisation, Homepage, Featured, Aadhaar. Published: 2017-01-12T12:32:22Z. Blog Entry.
Developer team fixed vulnerabilities in Honorable PM's app and API
https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app
<b>The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.</b>
<p><strong>This blog post has been authored by Bhavyanshu Parasher</strong>. The original post can be <a class="external-link" href="https://bhavyanshu.me/major-security-flaw-pm-app/09/29/2015">read here</a>.</p>
<hr />
<h2 style="text-align: justify; ">What were the issues?</h2>
<p style="text-align: justify; "><span>The main issue was how the app was communicating with the API served by narendramodi.in.</span></p>
<ol style="text-align: justify; ">
<li>I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.</li>
<li>There was no authentication check for API endpoints. For example, I was able to comment as any user just by hand-crafting the requests.</li>
<li>The API was still being served over HTTP instead of HTTPS.</li>
</ol>
<h3 style="text-align: justify; ">Fixed</h3>
<ol style="text-align: justify; ">
<li>The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.</li>
<li>A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.</li>
<li>Blocked HTTP. Every response is served over HTTPS. People on older versions (which were served over HTTP) will get a message about this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figured out a way to deal with people running older versions of the app. At least now they will update the app.</li>
</ol>
<h2 style="text-align: justify; ">Detailed Vulnerability Disclosure</h2>
<p style="text-align: justify; ">I found a major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, the API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. An MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps logs of data, which it probably does, then they might already have your email address, passwords etc. in plain text. So if you were using this app,<strong> I would suggest you change your password immediately</strong>. I can’t rule out the possibility of it having been compromised.</p>
<p style="text-align: justify; ">Another major problem was that the token needed to access the API was giving a false sense of security to developers. The access token could easily be fetched, and anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user data (primarily email address, and FB profile pictures of those registered via FB) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain with a demo.</p>
<p style="text-align: justify; ">The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters: userid, which could easily be iterated starting from 1, and token, which was a fixed value. There was no authentication check on the API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like the email addresses of each and every user. I quickly wrote a very simple script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/App.png/@@images/7bec3ca6-0808-4d19-9711-bc084b507f61.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/copy_of_App.png/@@images/2e499adb-b621-4bc4-a490-f8957c9ac1d7.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I had been able to get in touch with the team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found, but the communication gap cost us a lot of time. The team did a great job by fixing the issues and that’s what matters.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Disclosure to officials</h2>
<p style="text-align: justify; ">The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.</p>
<p style="text-align: justify; ">Vulnerability disclosed to authorities on 30th Sep 2015 around 5:30 AM</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet1.png" alt="Tweet 1" class="image-inline" title="Tweet 1" /></p>
<p style="text-align: justify; ">After about 30 hours of reporting the vulnerability</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet2.png" alt="Tweet 2" class="image-inline" title="Tweet 2" /></p>
<h2 style="text-align: justify; ">Proposed Solution</h2>
<p style="text-align: justify; "><span>Consulted </span><a href="https://twitter.com/pranesh_prakash">@pranesh_prakash</a><span> as well regarding the issue.</span></p>
<p style="text-align: justify; "><span><img src="https://cis-india.org/home-images/Tweet3.png" alt="Tweet 3" class="image-inline" title="Tweet 3" /></span></p>
<p style="text-align: justify; ">After this, I mailed them a solution regarding the issues.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Discussion with developer</h2>
<p style="text-align: justify; ">Received <strong>phone call</strong> from a developer. Discussed possible solutions to fix it.</p>
<p style="text-align: justify; "><strong>The solution that I proposed could not be implemented </strong>since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s a lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash the app for people running the older versions. The main problem is that <strong>people don’t upgrade to the latest versions, leaving themselves vulnerable to security flaws</strong>. The one I proposed is a better way of doing it, I think, but it will break for people using older versions, as stated by the developer. Though, they (the developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet4.png" alt="Tweet 4" class="image-inline" title="Tweet 4" /></p>
<p style="text-align: justify; ">On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. <strong>I can now confirm they have fixed all three issues</strong>.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Update 12/02/2016</h2>
<p style="text-align: justify; "><a class="external-link" href="http://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data/story/1/14347.html">This vulnerability</a> in the NM app is similar to the one I got fixed last year. Like I said before, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why they would introduce personal information in the JSON output again if they knew that’s a privacy problem and it had been reported by me a year back. He showed how he was able to follow any user as any user. Similarly, I was able to comment on any post using the account of any user of the app. When I talked to the developer back then, he mentioned it would be difficult to migrate users to a newer/secure version of the app, so they were releasing this patch for the meantime. It was more of a backward compatibility issue because of how the API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for the API. That should take care of most of the vulnerabilities.</p>
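<p>The design flaw in the disclosure above (one fixed app-wide token plus a client-supplied userid, so the server never learns who is calling) next to the kind of fix the update asks for (per-caller authentication with an ownership check), as an added example that is neither the app's code nor anything written by the post's author; the user table, token values and handler names are constructed for illustration.</p>

```python
"""Added example, not the NaMo app's real code. Models the getprofile and
comment endpoints described in the post as plain functions so it runs offline."""
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed sample user table; no real data is reproduced here.
USERS: Dict[int, Dict[str, str]] = {
    1: {"name": "alice", "email": "alice@example.invalid"},
    2: {"name": "bob", "email": "bob@example.invalid"},
}

# --- Vulnerable design (as the post describes it) -------------------------
# Every install of the app carries the same token. Holding it proves nothing
# about *who* is calling, so the server cannot tell Alice from Bob and hands
# out whatever record the caller names in the query string.
APP_TOKEN = "fixed-app-token"  # constructed placeholder

def getprofile_vulnerable(params: Dict[str, str]) -> dict:
    """GET /api/getprofile?userid=N&token=APP_TOKEN, old behaviour."""
    if params.get("token") != APP_TOKEN:
        return {"status": 401, "body": {"error": "bad token"}}
    user = USERS.get(int(params["userid"]))
    if user is None:
        return {"status": 404, "body": {"error": "no such user"}}
    return {"status": 200, "body": user}  # full record, email included

# --- Hardened design ------------------------------------------------------
# The server issues a fresh random bearer token per login and stores only its
# hash, so a leaked session table does not hand out live sessions. Identity is
# derived from the token; the client never gets to say whose data it wants.
SESSIONS: Dict[str, int] = {}  # sha256(token) -> user id

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def login(user_id: int) -> str:
    """Issue a session token after a credential check (out of scope here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = user_id
    return token

def _caller(headers: Dict[str, str]) -> Optional[int]:
    """Resolve the authenticated user from an Authorization: Bearer header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(_digest(auth[len("Bearer "):]))

def getprofile_hardened(params: Dict[str, str], headers: Dict[str, str]) -> dict:
    caller = _caller(headers)
    if caller is None:
        return {"status": 401, "body": {"error": "login required"}}
    try:
        target = int(params.get("userid", caller))
    except ValueError:
        return {"status": 400, "body": {"error": "bad userid"}}
    if target != caller:
        # Object-level authorization: a session may read only its own profile.
        return {"status": 403, "body": {"error": "forbidden"}}
    return {"status": 200, "body": USERS[target]}

COMMENTS: List[dict] = []

def post_comment_hardened(body: dict, headers: Dict[str, str]) -> dict:
    """The comment's author is the authenticated caller, never a body field."""
    caller = _caller(headers)
    if caller is None:
        return {"status": 401, "body": {"error": "login required"}}
    comment = {"author": caller, "article": body["article"], "text": body["text"]}
    COMMENTS.append(comment)
    return {"status": 201, "body": comment}
```

<p>Stripping the email field from the JSON, the patch the update criticises, changes only the last line of the vulnerable handler; the hardened version changes who the server believes it is talking to.</p>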
<p style="text-align: justify; ">Also read:</p>
<ul>
<li><a class="external-link" href="http://www.newindianexpress.com/nation/2016/dec/02/narendra-modi-app-hacked-by-youngster-points-out-risk-to-7-million-users-data-1544933--1.html">Narendra Modi app hacked by youngster, points out risk to 7 million users’ data</a> (New Indian Express; December 2, 2016)</li>
<li><a class="external-link" href="http://indiatoday.intoday.in/story/security-22-year-old-hacks-modi-app-private-data-7-million/1/825661.html">Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people</a> (India Today; December 2, 2016)</li>
<li><a class="external-link" href="http://thewire.in/84148/tech-security-namo-api/">The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse</a> (The Wire; December 3, 2016)</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app'>https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app</a>
</p>
No publisher. Author: pranesh. Tags: Privacy, Security, Internet Governance, Data Protection, Cyber Security, Hacking, Mobile Apps, Data Management. Published: 2016-12-04T19:08:56Z. Blog Entry.
Privacy after Big Data: Compilation of Early Research
https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research
<b>Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.</b>
<h4><a href="https://github.com/cis-india/website/raw/master/docs/CIS_PrivacyAfterBigData_CompilationOfEarlyResearch_2016.11.pdf">Download the Compilation</a> (PDF)</h4>
<hr />
<h3><strong>Privacy after Big Data</strong></h3>
<p>Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform aims to enable participation of connected citizens, pulling in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forward to leveraging big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usage of IoT or connected devices.</p>
<p>These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID, in a prevailing condition of absent legal frameworks, leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques runs contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.</p>
<p>These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.</p>
<p>Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models, or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible, and before a crime occurs? Can such tools be used to violate rights – for example, to target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy?</p>
<p>Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expansion of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.</p>
<p>In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits and harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.</p>
<p><em>Elonnai Hickok</em><br />Director - Internet Governance</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research'>https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research</a>
</p>
No publisher. Author: Saumyaa Naidu. Tags: Human Rights, IT Act, Big Data, Privacy, Internet Governance, Smart Cities, Data Protection, Information Technology, Publications. Published: 2016-11-12T01:37:03Z. Blog Entry.
Trans Pacific Partnership and Digital 2 Dozen: Implications for Data Protection and Digital Privacy
https://cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy
<b>In this essay, Shubhangi Heda explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between the United States of America and eleven countries located around the Pacific Ocean region, across South America, Australia, and Asia. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising the global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of the digital economy, and sets up the relevant goals for the member nations.</b>
<p>1. <strong><a href="#1">Introduction</a></strong></p>
<p>2. <strong><a href="#2">Analysis of TPP and D2D</a></strong></p>
<p>2.1. <strong><a href="#2-1">Trans Pacific Partnership (TPP)</a></strong></p>
<p>2.2. <strong><a href="#2-2">Digital 2 Dozen (D2D)</a></strong></p>
<p>3. <strong><a href="#3">Major Criticisms of the Digital Agenda of TPP</a></strong></p>
<p>3.1. <strong><a href="#3-1">Data Protection</a></strong></p>
<p>3.2. <strong><a href="#3-2">Digital Privacy</a></strong></p>
<p>4. <strong><a href="#4">Implications of TPP for RCEP</a></strong></p>
<p>5. <strong><a href="#5">Implications of TPP in the Context of EU Safe Harbour Judgement</a></strong></p>
<p>6. <strong><a href="#6">Implications of TPP for India after US-India Cyber Relationship Agreement</a></strong></p>
<p>7. <strong><a href="#7">Conclusion</a></strong></p>
<p>8. <strong><a href="#8">Endnotes</a></strong></p>
<p>9. <strong><a href="#9">Author Profile</a></strong></p>
<hr />
<h2 id="1">1. Introduction</h2>
<p>This essay explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between the United States of America and eleven countries located around the Pacific Ocean region, across South America, Australia, and Asia <strong>[1]</strong>. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising the global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of the digital economy, and sets up the relevant goals for the member nations. TPP requires the member countries to facilitate unhindered digital data flow across nations, for commercial and governmental purposes, which evidently has major implications for national and regional data protection and privacy regimes. These implications must also be seen in the context of the recent judgement by the EU Court of Justice against the validity of the EU-USA data transfer agreement of 2000. Further, the essay discusses the potential impacts that TPP/D2D might have on India, in the context of the ongoing USA-India Cyber Relationship dialogue. If the privacy concerns are not raised right now, TPP might act as a model framework for future FTAs which will fail to encompass a proper data protection and digital privacy regime.</p>
<h2 id="2">2. Analysis of TPP and D2D</h2>
<h3 id="2-1">2.1. Trans Pacific Partnership (TPP)</h3>
<p>The Trans Pacific Partnership (TPP) is a large multi-partner free trade agreement amongst twelve Asia-Pacific countries, which is closely led by the geo-political and economic strategies of the USA. Countries started the negotiation of TPP in 2008 when the USA joined the Pacific Four (P-4) negotiations; in 2015 the negotiations of TPP were concluded and the text was released. Ministers from the member countries signed the agreement on February 4, 2016 <strong>[2]</strong>. The main aim of TPP is to liberalise trade and investment beyond what is provided for within the WTO. It is also considered to be a strategic move by the US to counter the trade linkages that are being established in the Asian region. TPP largely covers topics of market access, and rules on various related issues such as intellectual property rights, labour laws, and environment standards <strong>[3]</strong>.</p>
<p>Between 1992 and 2012 the number of bilateral trade agreements signed in Asia rose from 25 to 103, and the effect of these FTAs is called the ‘noodle bowl effect’. TPP is seen as a framework which will replace the FTAs that are causing the ‘noodle bowl effect’. While these FTAs are being replaced, various bilateral arrangements have been signed alongside TPP. The USA has also stated that TPP will not affect the already existing NAFTA <strong>[4]</strong>. While TPP is being concluded, there is another free trade agreement being negotiated between the USA and EU, the Transatlantic Trade and Investment Partnership (TTIP). Both TPP and TTIP are considered to be serving a similar objective, which is to deal with new and modern trade issues. Both agreements are US led, and since the negotiation of TPP is now finalised it may have a significant impact on TTIP <strong>[5]</strong>.</p>
<p>TPP is one of the first documents which deals specifically with the digital economy and applies across borders. The main aims of TPP are to promote free flow of data across borders without data localisation. It aims to remove national clouts and regional internets. It also includes provisions to combat theft of trade secrets. It provides for transparent regulatory processes with inputs from various stakeholders. It also aims to provide access to tools and procedures for the conduct of e-commerce <strong>[6]</strong>.</p>
<p>Some of the major criticisms of TPP concern the following issues <strong>[7]</strong>:</p>
<ul><li>environment: it does not address the issue of climate change, and the language used in the agreement is very weak;</li>
<li>labour rights: the provision mandates parties to adhere to the ILO provisions, but it does not seem to provide an effective framework and might not bring the desired change;</li>
<li>investment chapter: seen as controversial because of the investor state dispute settlement clause, which will allow foreign investors to sue governments over policies that might cause harm to them;</li>
<li>e-commerce and telecommunication chapters: raise major privacy concerns;</li>
<li>intellectual property chapter: includes controversial rules regarding pharmaceutical companies and data exclusivity, apart from the privacy concerns.</li></ul>
<h3 id="2-2">2.2. Digital 2 Dozen (D2D)</h3>
<p>D2D is a set of rules and aims specifically drafted to be followed in trade agreements related to the open internet and digital economy. The more specific aims of TPP as provided within the ‘Digital 2 Dozen,’ aiming for more liberalised trade in digital goods and services, are <strong>[8]</strong>:</p>
<ul><li>promoting free and open internet,</li>
<li>prohibiting digital custom duties,</li>
<li>securing basic non-discrimination principles,</li>
<li>enabling cross-border data flows,</li>
<li>preventing localization barriers,</li>
<li>barring forced technology transfers,</li>
<li>advancing innovative authentication methods,</li>
<li>delivering enforceable consumer protections,</li>
<li>safeguarding network competition,</li>
<li>fostering innovative encryption products, and</li>
<li>building an adaptable framework.</li></ul>
<p>The strategic goal of the US in introducing D2D as the goals of TPP has been to set up a trend within the Asian region for all trade agreements. It is expected to ensure that, if TPP is a success, similar goals and policy frameworks will be followed for other trade agreements as well. For example, the USA-India partnership also enshrines similar aims, and so does the USA-Korea partnership. Hence, while India is not part of TPP, the USA is nonetheless trying to get India into a partnership which is similar to TPP. The language proposed by the USA in TPP negotiations has always been supportive of cross border data flows, as it claims that companies have mechanisms to keep a privacy check and privacy would not be undermined; but countries like New Zealand and Australia, which have strong national privacy protection laws, have raised concerns which will be discussed in further sections <strong>[9]</strong>. Beyond privacy rights, the Digital Dozen initiative also affects other digital rights <strong>[10]</strong>:</p>
<ul><li>excessive copyright terms: TPP proposed to extend the term of copyright to hundred years, which deprives access to knowledge;</li>
<li>ISP obligations, in line with the US motive to give more power to private entities: ISPs are allowed to check for copyright infringement and TPP does not put any privacy restriction in this regard, which puts freedom of expression and privacy at risk;</li>
<li>introduction of new fair use rules;</li>
<li>ban on circumvention of digital locks or DRMs;</li>
<li>no compulsory limitation for persons with disabilities;</li>
<li>lack of fair use for journalistic rights;</li>
<li>no effective provision for net neutrality is aimed at in the D2D initiative, while net neutrality is a major issue in many developing nations in Asia;</li>
<li>prohibition of open source mandates, which puts a barrier before countries which want to release any software as open source as a policy decision.</li></ul>
<h2 id="3">3. Major Issues Related to Data Protection and Privacy in the TPP</h2>
<h3 id="3-1">3.1. Data Protection</h3>
<p>One of the major concern raised against TPP is regarding data protection provisions that have been integrated within the E- Commerce chapter of the agreement. Article 14.11 and Article 14 .13 are the ones that deal with data flow related to consumer information.Article 14.11 in the agreement puts a requirement on the member states to allow transfer of data across border and Article 14.13 does not allow the companies to host data on local servers. Concerns were raised in few member states for instance, Australian Privacy Foundation raised concerns over Article 14.11 which requires transfers to be allowed in context of business activities of service suppliers. It claimed that exception to this provision is very narrow and the repercussion for not following the exception is that investor state dispute settlement proceedings can be initiated, which is not sufficient to protect privacy. Also, it highlighted the issue that with the narrow exception provided under Article 14.13 which relates to prohibition on data localisation, it might have adverse effect on the implementation of national privacy laws within Australia <strong>[11]</strong>.</p>
<p>Another provision which is of major concern is Article 14.13 which prohibit data localisation. It will raise problems for countries like Indonesia and China which will have to change their local laws to implement the provision <strong>[12]</strong>. Since there already has been a major concern with regard to USA- EU Safe Harbour Agreement which was later made subject to the ECJ’s ruling on data protection, which invalidated any arrangement which provides voluntary enterprises responsibility to enforce privacy. But both the USA and EU are in process of renegotiating the agreement.The major concern was that in EU data protection is a fundamental right while in USA data protection is more consumer centric. When similar concerns were raised in TPP negotiations, they were rebutted as USA claimed that FTA does not concern itself with data protection <strong>[13]</strong>.</p>
<p>In 2012 Australia proposed alternative language for the TPP which allowed countries to place restrictions on data flows as long as they were not a barrier to trade. The U.S. responded to the concerns raised by Australia through a side letter which assured Australia that the U.S. and Australia have a mutual understanding in relation to privacy and that the U.S. will ensure the privacy of data with regard to Australia. While Australia’s concern was acknowledged, other countries which raised similar issues were not given any assurances <strong>[14]</strong>. The US instead proposed an ad hoc strategy that gave private companies the power to form privacy policy, with implementation through state machinery <strong>[15]</strong>.</p>
<h3 id="3-2">3.2. Digital Privacy</h3>
<p>Article 14.8 in the E-Commerce chapter of the agreement states that countries can form a legal framework for the protection of rights, but the kind of ‘legal framework’ is not defined. Nowhere does it state that privacy protection or data protection laws are expressly exempted; rather, it states that any such policy implemented by member states will be put under review against TPP standards. The standards which the TPP proposes to follow are based on the underlying idea that any such policy should not hinder free trade in any way. This test will be applied by tribunals which are experts in trade and investment, not in data protection or human rights <strong>[16]</strong>. While Article 14.8 provides for the protection of the private information of consumers, the footnote to the provision renders it ineffective. The footnote states that member countries can adopt a legal framework for the protection of data, which can be done by self-regulation by industry, and it does not provide for any comprehensive data protection obligation upon the member states <strong>[17]</strong>. Similarly, Article 13.4 of the telecommunications chapter of the TPP also states that countries can apply regulation regarding the confidentiality of messages as long as it is not “a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services" <strong>[18]</strong>.</p>
<p>Another chapter which raises major concerns about privacy rights is intellectual property. It affects privacy through the provisions related to technological protection measures (TPMs) and the provisions that regulate ISPs’ liability. Regarding the TPM provision, the TPP follows the DMCA model, whereby the exception to the anti-circumvention provision is very narrow and does not apply to the anti-trafficking provision. The exception allows a user to circumvent a TPM if it affects the user's privacy in any way, although this exception does not apply to the anti-trafficking provision for TPMs. The provision regarding ISPs’ liability states that there should be cooperation between ISPs and rights holders, and it does not prohibit ISPs from monitoring their users. The TPP also proposes notice-and-takedown and identification of the infringer by the ISP, but this provision is not in consonance with the laws of member states such as Peru, which does not have any copyright law on ISPs. Many countries have tried to introduce proper privacy laws along with the implementation of ISP liability, but that is not done within the TPP <strong>[19]</strong>. The TPP as a whole aims to give greater power to private regulators without providing for a minimum standard for the protection of privacy.</p>
<p>Although the TPP is not a data protection agreement, it consequently deals with various aspects of data protection, and hence it is a prospective model for privacy and data protection practices in future trade agreements. If positive obligations are included within free trade agreements, they will have an advancing impact on the data protection regime.</p>
<h2 id="4">4. Implications of TPP for RCEP</h2>
<p>While the TPP has such lacunae, similar provisions are proposed in the RCEP, to which India is a party, and these will have serious implications, as many of the countries have inadequate national data protection laws and, with the introduction of such an FTA, the exploitation of privacy rights will be rampant <strong>[20]</strong>. To avoid this, the EU directive on data protection should be taken into consideration in the negotiations of such FTAs. The RCEP negotiations are still going on, and in India many companies like Flipkart, Snapdeal etc. have started preparing for the changing norms. The government claims that it is going to accept best practices in the region, which indicates that it is going to have the same policies as the TPP. People from industry have raised concerns that, while there are national laws, it is difficult to check third-party involvement within the business and it is becoming increasingly difficult to keep consumer data confidential <strong>[21]</strong>.</p>
<h2 id="5">5. Implications of TPP in the Context of EU Safe-Harbour Judgement</h2>
<p>Mr. Maximillian Schrems, an Austrian national residing in Austria, has been a user of the Facebook social network since 2008. Any person residing in the EU who wishes to use Facebook is required to conclude, at the time of his registration, a contract with Facebook Ireland (a subsidiary of Facebook Inc., which itself is established in the United States). Some or all of the personal data of Facebook Ireland’s users residing in the EU is transferred to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. On 25 June 2013 Mr Schrems made a complaint to the Commissioner by which he in essence asked the latter to exercise his statutory powers by prohibiting Facebook Ireland from transferring his personal data to the United States, and this led to the <em>Maximillian Schrems v Data Protection Commissioner</em> case <strong>[22]</strong>. He contended in his complaint that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities engaged in there by the public authorities. Mr Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the NSA (paras 26, 27, 28). The Court ruled “that a third country which ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of the EU 94/46 directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.” The ruling implies that personal data cannot be transferred to a third country which does not provide an adequate level of protection.</p>
<p>The EU Safe Harbour judgment and the EU directive on privacy provide rules on privacy that contrast with the TPP. While the TPP gives private entities the power to formulate rules regarding privacy, the recent ECJ judgment invalidated the granting of such power to private entities under the EU-US Safe Harbour Agreement. In the context of the same judgment, Hamburg’s Commissioner for Data Privacy and Freedom of Information announced an investigation into the data transfers taking place through Facebook and Google to the U.S. Hence, in the light of the recent judgment, member states within the EU are not allowed to permit cross-border data flows; in contrast, one of the main goals of the TPP is to maintain the free flow of data across borders <strong>[23]</strong>. The EU in this regard has also set forth the proposal to introduce the General Data Protection Regulation (GDPR). Although the U.S. and the EU are trying to renegotiate the agreement, the privacy concerns raised cannot be ignored. Hence, following the same model as was invalidated under the ECJ judgment lets the US exploit the privacy of member states under the TPP. Similar concerns to those raised within the judgment are also raised in India, as it is also following the same model within the U.S.-India Cyber Relationship Agreement and in the RCEP negotiations.</p>
<h2 id="6">6. Implications of TPP in the context of USA-India Cyber Relationship</h2>
<p>While India is not part of the TPP, the TPP might have an effect on the U.S.-India Cyber Relationship Agreement. In August 2015 the India-U.S. cyber dialogue was re-initiated to address common concerns related to cybersecurity and to develop better partnerships between the public and private sectors for the betterment of the digital economy <strong>[24]</strong>. One of the key aims of this agreement is the free flow of information between the two nations, which suffers from the similar problem that it will put the privacy of citizens at risk. India also does not have any bilateral treaty which ensures cyber data protection; in such a scenario the only solution is data localisation, but this agreement will put data at risk <strong>[25]</strong>. Hence, while the TPP negotiations were going on and the RCEP is being discussed, the concerns about privacy and data protection need to be raised; as mentioned in the earlier section regarding the implications of the TPP for the RCEP, the USA-India Cyber Relationship faces the same implications, although its stated aim is to ensure cybersecurity. After the Muzaffarnagar riots, the upheaval in the North-Eastern states and the Gujarat riots, India has realised that it is important to ensure compliance from the social media companies. India sees the USA-India Cyber Relationship as an opportunity to achieve this goal. The Google Transparency Report states that India made around three thousand requests to Google for user data <strong>[26]</strong>, which indicates the country's interest in having a common understanding with the major social media companies (almost all of which are located in the USA) about requesting and sharing user activity data. While this concern is being addressed through the agreement, it is difficult to ignore the clause related to the free flow of information; if the meaning of the term is extended and adopted from the TPP itself, it will put the digital privacy of Indian citizens at risk <strong>[27]</strong>.</p>
<h2 id="7">7. Conclusion</h2>
<p>Even though the TPP negotiations are completed, the ratification of the agreement is still underway. The TPP is being seen as a one-of-a-kind trade agreement because it is the first time that countries across the globe have come together as a whole to address the concerns of modern trade. Yet it fails to address some of the key concerns related to privacy and data protection, which are becoming increasingly important. Data protection and privacy issues cannot be seen in isolation and need to be merged within modern-day trade agreements. The D2D component by the USA is a strategic move to have trade dominance in Asia and to compete with China’s growth. The TPP has privacy and data protection lacunae within the e-commerce, telecommunications and intellectual property chapters, and it might have serious implications for the RCEP negotiations and the USA-India Cyber Relationship Dialogue. A similar concern regarding data protection has already been addressed by the ECJ judgment invalidating the USA-EU Safe Harbour Agreement, but a similar ad hoc strategy has been incorporated within the TPP. Since the TPP might be considered a best-practice model for future FTAs in the Asian region, it is important to raise and address these privacy concerns now.</p>
<h2 id="8">8. Endnotes</h2>
<p><strong>[1]</strong> The signatory countries include Australia, Canada, Japan, Malaysia, Mexico, Peru, United States of America, Vietnam, Chile, Brunei, Singapore, New Zealand. "The Trans-Pacific Partnership," <a href="http://www.ustr.gov/tpp">http://www.ustr.gov/tpp</a> (last visited Jul 7, 2016).</p>
<p><strong>[2]</strong> "The Origins and Evolution of the Trans-Pacific Partnership (TPP)," Global Research, <a href="http://www.globalresearch.ca/the-origins-and-evolution-of-the-trans-pacific-partnership-tpp/5357495">http://www.globalresearch.ca/the-origins-and-evolution-of-the-trans-pacific-partnership-tpp/5357495</a> (last visited Jul 7, 2016).</p>
<p><strong>[3]</strong> Fergusson, Ian F., Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP): In Brief," (2015), <a href="http://digitalcommons.ilr.cornell.edu/key_workplace/1477/">http://digitalcommons.ilr.cornell.edu/key_workplace/1477/</a> (last visited Jul 1, 2016).</p>
<p><strong>[4]</strong> Gajdos, Lukas, <em>The Trans-Pacific Partnership and its impact on EU trade</em>, Policy Department, Directorate-General for External Policies, Policy Briefing (2013), <a href="http://www.europarl.europa.eu/RegData/etudes/briefing_note/join/2013/491479/EXPO-INTA_SP(2013)491479_EN.pdf">http://www.europarl.europa.eu/RegData/etudes/briefing_note/join/2013/491479/EXPO-INTA_SP(2013)491479_EN.pdf</a>.</p>
<p><strong>[5]</strong> Twining, Daniel, Hans Kundnani & Peter Sparding, <em>Trans-Pacific Partnership: geopolitical implications for EU-US relations</em>, Policy Department, Directorate-General for External Policies, June 24 (2016), <a href="http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535008/EXPO_STU(2016)535008_EN.pdf">http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535008/EXPO_STU(2016)535008_EN.pdf</a>.</p>
<p><strong>[6]</strong> USTR, "Remarks by Deputy U.S. Trade Representative Robert Holleyman to the New Democrat Network," <a href="https://ustr.gov/about-us/policy-offices/press-office/speechestranscripts/2015/may/remarks-deputy-us-trade">https://ustr.gov/about-us/policy-offices/press-office/speechestranscripts/2015/may/remarks-deputy-us-trade</a> (last visited Jul 4, 2016).</p>
<p><strong>[7]</strong> Murphy, Katharine, "Trans-Pacific Partnership: four key issues to watch out for," The Guardian, November 6, 2015, <a href="https://www.theguardian.com/business/2015/nov/06/trans-pacific-partnership-four-key-issues-to-watch-out-for">https://www.theguardian.com/business/2015/nov/06/trans-pacific-partnership-four-key-issues-to-watch-out-for</a> (last visited Jul 7, 2016).</p>
<p><strong>[8]</strong> USTR, "The Digital 2 Dozen" (2016), <a href="https://ustr.gov/sites/default/files/Digital-2-Dozen-Final.pdf">https://ustr.gov/sites/default/files/Digital-2-Dozen-Final.pdf</a> (last visited Jul 1, 2016).</p>
<p><strong>[9]</strong> Fergusson, Ian F., Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP) negotiations and issues for congress," (2015), <a href="http://digitalcommons.ilr.cornell.edu/key_workplace/1412/">http://digitalcommons.ilr.cornell.edu/key_workplace/1412/</a> (last visited Jul 8, 2016).</p>
<p><strong>[10]</strong> "How the TPP Will Affect You and Your Digital Rights," Electronic Frontier Foundation (2015), <a href="https://www.eff.org/deeplinks/2015/12/how-tpp-will-affect-you-and-your-digital-rights">https://www.eff.org/deeplinks/2015/12/how-tpp-will-affect-you-and-your-digital-rights</a> (last visited Jul 7, 2016).</p>
<p><strong>[11]</strong> Australian Privacy Foundation (APF), <em>Trans Pacific Partnership Agreement</em> (2016), <a href="https://www.privacy.org.au/Papers/Parlt-TPP-160310.pdf">https://www.privacy.org.au/Papers/Parlt-TPP-160310.pdf</a>.</p>
<p><strong>[12]</strong> Greenleaf, Graham, "The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?," SSRN (2016), <a href="http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732386">http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732386</a> (last visited Jul 1, 2016).</p>
<p><strong>[13]</strong> "GED-Project: Transatlantic Data Flows and Data Protection," GED Blog (2015), <a href="https://ged-project.de/topics/competitiveness/transatlantic-data-flows-and-data-protection-the-state-of-the-debate/">https://ged-project.de/topics/competitiveness/transatlantic-data-flows-and-data-protection-the-state-of-the-debate/</a> (last visited Jul 1, 2016).</p>
<p><strong>[14]</strong> Geist, Michael, "The Trouble with the TPP, Day 14: No U.S. Assurances for Canada on Privacy," (2016), <a href="http://www.michaelgeist.ca/2016/01/the-trouble-with-the-tpp-day-14-no-u-s-assurances-for-canada-on-privacy/">http://www.michaelgeist.ca/2016/01/the-trouble-with-the-tpp-day-14-no-u-s-assurances-for-canada-on-privacy/</a> (last visited Jul 4, 2016).</p>
<p><strong>[15]</strong> Aaronson, Susan Ariel, "What does TPP mean for the Open Internet?" From <em>Policy Brief on Trade Agreements and Internet Governance Prepared for the Global Commission on Internet Governance</em> (2015), <a href="https://www.gwu.edu/~iiep/events/DigitalTrade2016/TPPPolicyBrief.pdf">https://www.gwu.edu/~iiep/events/DigitalTrade2016/TPPPolicyBrief.pdf</a> (last visited Jul 5, 2016).</p>
<p><strong>[16]</strong> Lomas, Natasha, "TPP Trade Agreement Slammed For Eroding Online Rights," TechCrunch, <a href="http://social.techcrunch.com/2015/11/05/tpp-vs-privacy/">http://social.techcrunch.com/2015/11/05/tpp-vs-privacy/</a> (last visited Jun 30, 2016).</p>
<p><strong>[17]</strong> "Q&A: The Trans-Pacific Partnership," Human Rights Watch (2016), <a href="https://www.hrw.org/news/2016/01/12/qa-trans-pacific-partnership">https://www.hrw.org/news/2016/01/12/qa-trans-pacific-partnership</a> (last visited Jul 1, 2016).</p>
<p><strong>[18]</strong> "TPP Full Text Released," People Over Politics (2015), <a href="http://peopleoverpolitics.org/2015/11/07/tpp-just-as-bad-as-you-thought/">http://peopleoverpolitics.org/2015/11/07/tpp-just-as-bad-as-you-thought/</a> (last visited Jul 7, 2016).</p>
<p><strong>[19]</strong> "Right to Privacy in Trans-Pacific Partnership (TPP ) Negotiations," Knowledge Ecology International, <a href="http://keionline.org/node/1164">http://keionline.org/node/1164</a> (last visited Jul 1, 2016).</p>
<p><strong>[20]</strong> Asian Trade Centre, "E-Commerce and Digital Trade Proposals for RCEP (2016)," <a href="http://static1.squarespace.com/static/5393d501e4b0643446abd228/t/575a654c86db438e86009fa1/1465541967821/RCEP+E-commerce+June+2016.pdf">http://static1.squarespace.com/static/5393d501e4b0643446abd228/t/575a654c86db438e86009fa1/1465541967821/RCEP+E-commerce+June+2016.pdf</a> (last visited Jul 1, 2016).</p>
<p><strong>[21]</strong> "E-commerce companies like Flipkart, Snapdeal to beef up data security to meet RCEP norms," The Economic Times, <a href="http://economictimes.indiatimes.com//articleshow/49068419.cms">http://economictimes.indiatimes.com//articleshow/49068419.cms</a> (last visited Jul 1, 2016).</p>
<p><strong>[22]</strong> ECLI:EU:C:2015:650 (C-362/14)</p>
<p><strong>[23]</strong> King et al., "Privacy law, cross-border data flows, and the Trans Pacific Partnership Agreement: what counsel need to know," Lexology, <a href="http://www.lexology.com/library/detail.aspx?g=b5c0b400-8161-4439-a4b7-131552ad5209">http://www.lexology.com/library/detail.aspx?g=b5c0b400-8161-4439-a4b7-131552ad5209</a> (last visited Jul 4, 2016).</p>
<p><strong>[24]</strong> "U.S.-India Business Council Applauds Resumption of Cybersecurity Dialogue," U.S.-India Business Council (2015), <a href="http://www.usibc.com/press-release/us-india-business-council-applauds-resumption-cybersecurity-dialogue">http://www.usibc.com/press-release/us-india-business-council-applauds-resumption-cybersecurity-dialogue</a> (last visited Jul 5, 2016).</p>
<p><strong>[25]</strong> Sukumar, Arun Mohan, "India Is Coming up Against the Limits of Its Strategic Partnership With the United States," The Wire (2016), <a href="http://thewire.in/40403/india-is-coming-up-against-the-limits-of-its-strategic-partnership-with-the-united-states/">http://thewire.in/40403/india-is-coming-up-against-the-limits-of-its-strategic-partnership-with-the-united-states/</a> (last visited Jul 4, 2016).</p>
<p><strong>[26]</strong> Countries – Google Transparency Report, <a href="https://www.google.com/transparencyreport/userdatarequests/countries/">https://www.google.com/transparencyreport/userdatarequests/countries/</a> (last visited Jul 8, 2016).</p>
<p><strong>[27]</strong> Sukumar, Arun Mohan, "A case for the Net’s Ctrl+Alt+Del," The Hindu, September 5, 2015, <a href="http://www.thehindu.com/opinion/op-ed/a-case-for-the-nets-ctrlaltdel/article7616355.ece">http://www.thehindu.com/opinion/op-ed/a-case-for-the-nets-ctrlaltdel/article7616355.ece</a> (last visited Jul 5, 2016).</p>
<h2 id="9">9. Author Profile</h2>
<p><strong>Shubhangi Heda</strong> is a student of Jindal Global Law School, O.P. Jindal Global University. She has completed her fourth year. She gives due importance to popular culture in her life, loves to read fiction and likes to watch TV shows, her favourite being 'White Collar'.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy'>https://cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy</a>
</p>
No publisher. Author: Shubhangi Heda. Tags: Trans Pacific Partnership, Privacy, Free Trade Agreement, Digital Economy, Internet Governance, Data Protection. Published: 2016-07-12T07:56:24Z. Blog Entry.
Comments on the RBI's Consultation Paper on Peer to Peer Lending
https://cis-india.org/raw/comments-on-the-rbi-consultation-paper-on-peer-to-peer-lending
<b>The Reserve Bank of India published a Consultation Paper on Peer to Peer Lending on April 28, 2016, and invited comments from the public. CIS submitted the following response, authored by Elonnai Hickok, Pavishka Mittal, Sumandro Chattapadhyay, Vidushi Marda, and Vipul Kharbanda.</b>
<h2>1. Preliminary</h2>
<p><strong>1.1.</strong> This submission presents comments and recommendations by the Centre for Internet and Society (<strong>“CIS”</strong>) on the Consultation Paper on Peer to Peer Lending (<strong>“the consultation paper”</strong>) by the Reserve Bank of India (<strong>“RBI”</strong>) <strong>[1]</strong>.</p>
<h2>2. The Centre for Internet and Society</h2>
<p><strong>2.1.</strong> The Centre for Internet and Society, CIS <strong>[2]</strong>, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.</p>
<p><strong>2.2.</strong> This submission is consistent with CIS’ commitment to safeguarding the general public interest, and the interests and rights of the various stakeholders involved. The comments in this submission aim to further the concerns of citizens’ and users’ rights in the context of products, services, and transactions facilitated by digital media technologies, and the principle that regulation should be defined around the functions of the acts concerned, and not the technologies of delivery. Our comments are limited to the clauses that most directly have an impact on these concerns.</p>
<h2>3. Response</h2>
<h3>3.1. Whether there is a felt need for regulating peer to peer lending platforms?</h3>
<p><strong>3.1.1.</strong> Peer to peer (<strong>“P2P”</strong>) lenders are platforms serving as marketplaces for lenders and borrowers of funds to connect. Their very business model does not make them a provider of finance, as they aspire to function as pure intermediaries to enable lending and borrowing.</p>
<p><strong>3.1.2.</strong> Section 45I.(f)(iii) of the RBI Act, 1935 <strong>[3]</strong>, provides the RBI with the authority to classify any financial institution as a non-banking financial company (<strong>“NBFC”</strong>) “with the previous approval of the Central Government and by notification in the Official Gazette.” Since P2P lending platforms do not provide any finance themselves, undertake acquisition of financial instruments, deliver financial and/or insurance services, or collect financial resources directly, the only ground for classifying such companies as “financial institutions” <strong>[4]</strong> appears to be their involvement in “managing, conducting or supervising, as foreman, agent or in any other capacity, of chits or kuries as defined in any law which is for the time being in force in any State, or any business, which is similar thereto” <strong>[5]</strong>. P2P lending platforms can be considered brokers, and thus there are other aspects that merit scrutiny, such as antitrust issues, the obligations of either party, company activities and the transactional system involved, as we discuss in this document.</p>
<p><strong>3.1.3.</strong> The consultation paper itself states that the balance sheet of the platform cannot indicate any borrowing / lending activity, which entails that the platform cannot itself provide finance or receive any funds for the provision of loans to others. Platforms are not allowed to determine the interest rates, as they are not a party to the transaction. Neither would they be liable in cases of default by the borrower. These rules, which are standard for P2P platforms in other jurisdictions as well, confirm the assumption that the platform itself is not providing finance and thus cannot be entrusted with any liability or obligation arising from the transaction.</p>
<p><strong>3.1.4.</strong> Further, with the RBI raising the threshold asset size for an NBFC to be considered systemically important (NBFC-ND-SI) from Rs. 100 Crores to Rs. 500 Crores <strong>[6]</strong>, and the Economic Times reporting that the enterprise valuation of one of the biggest Indian P2P lending platforms (which can be taken as indicative of its net assets) is Rs 50 Crores <strong>[7]</strong>, we may assume that most P2P lending platforms will have net assets worth less than 500 crore, at least in the near future, although there is a possibility of exponential growth for some companies.</p>
<p><strong>3.1.5.</strong> Given the limited sphere of operation, the restricted ability (by design) of these platforms to shape interest rates and other features of financial instruments, and their generally non-systemically-important nature, we would submit that the regulation of such P2P lending platforms be kept to an absolute minimum, so that their economic viability is not undermined, while at the same time the key risks associated with their operations are addressed by the RBI.</p>
<h3>3.2. Is the assessment of P2P lending and risks associated with it adequate?</h3>
<p><strong>3.2.1.</strong> CIS observes that the following are the key risks involved in the operations of P2P lending platforms, and that each is being addressed, or can be addressed, by the RBI in the following manner.</p>
<ol type="A"><li><strong>Insufficient information about the conditions of lending, leading to defrauding of the borrower:</strong> The borrower may not receive appropriate information about the terms of the loan, and/or the P2P lending platform may not act in a “fair” manner (say, in case of collusion between the P2P lending platform and the lender, or between the lending platform and the borrower), which may lead to defrauding and/or economic loss of either party. By classifying P2P lending platforms as NBFCs, the RBI will ensure that these companies follow the Guidelines on Fair Practices Code for NBFCs <strong>[8]</strong>, which extensively address concerns related to this type of risk.<br /><br /></li>
<li><strong>Insufficient information about the borrower, or her/his ability to repay the loan, may lead to non-repayment and economic loss of the lender:</strong> If the P2P lending platform allows the lender to offer loans to borrowers without acquiring and/or providing sufficient information to the lender about the borrower’s credit history and/or ability to repay the loan, or about the modes of formulating security for loans, this may heighten the risk of non-repayment of loans. By classifying P2P lending platforms as NBFCs, the RBI will ensure that these companies follow the Master Circular – 'Know Your Customer' (KYC) Guidelines – Anti Money Laundering Standards (AML) - Prevention of Money Laundering Act, 2002 - Obligations of NBFCs <strong>[9]</strong>, which extensively addresses concerns related to this type of risk.<br /><br /></li>
<li><strong>Credit-related information of the lenders and the borrowers collected by P2P lending platforms may not be made available to other financial institutions, which will lead to asymmetry in the credit information available across various actors in the sector:</strong> Credit information, related to both the lending and borrowing practices of entities using the platform concerned, is a key asset of the P2P lending platforms. Lack of sharing of such information with Credit Information Companies, for economic reasons or otherwise, may, however, lead to information asymmetry within the financial sector, which will structurally weaken the entire sector (with pieces of credit information being distributed across actors and not being shared internally). By classifying P2P lending platforms as NBFCs, the RBI will ensure that these companies follow the Credit Information Companies (Regulation) Act, 2005 <strong>[10]</strong>, which extensively addresses concerns related to this type of risk.<br /><br /></li>
<li><strong>P2P lending platforms diversifying their financial operations without informing the RBI and hence without appropriate regulatory control:</strong> It is possible that P2P lending platforms may decide to diversify their activities. There have been similar examples in other related sectors, say e-commerce marketplaces, which have started their own product re/selling companies that use the same online marketplace. By classifying P2P lending platforms as NBFCs, the RBI will ensure that these companies provide the RBI with detailed and regular reports of their economic activities and investments, which is expected to address concerns related to this type of risk.</li></ol>
<h3>3.3. Are there any other risks which ought to be addressed?</h3>
<p><strong>3.3.1.</strong> CIS observes that, as part of the usual transaction-related activities of P2P lending platforms, the companies will come into possession of what has been defined as “sensitive personal data or information” by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 <strong>[11]</strong>. The concerns related to this type of risk are directly addressed by the Rules concerned, and may not require additional attention from the RBI.</p>
<p><strong>3.3.2.</strong> CIS observes that as borrowers and lenders start using specific P2P lending platforms, the data regarding their credit histories and/or “financial reputation” will be owned by these companies. While such information might be shared internally within the financial sector through the Credit Information Companies, the borrowers and lenders themselves may not get direct access to such data. Hence, the borrowers and lenders will not be able to move easily and smoothly to a new P2P lending platform and make use of their existing credit information and/or “financial reputation” when accessing services offered via the new platform. In other words, without explicit access to their own credit history/reputation, the borrowers and lenders may face a <em>service provider lock-in</em>: an inability to move between P2P lending platforms easily, and no ability to migrate such information from one P2P lending platform to another (or to any other agency, for that matter). CIS submits that the RBI must provide a mechanism to allow users to migrate between platforms, as this has not been discussed in the consultation paper.</p>
<h3>3.4. Is the proposed approach to regulating these platforms adequate?</h3>
<p><strong>3.4.1.</strong> CIS observes that while classification of P2P lending platforms will appropriately address key risks associated with their operations (as listed in 3.2.1. A-D), it will not address a major risk emerging out of their operations that is unique to the technological basis of the business concerned (as mentioned in 3.3.2.), and further, it will impose substantial financial and management obligations that have a very high probability of undermining the economic viability of this emerging and niche sector of intermediated direct lending and borrowing.</p>
<p><strong>3.4.2.</strong> CIS observes that these financial and management obligations may involve the following topics among others discussed: 1) minimum net worth requirement for registration, 2) minimum investments required to be made in government securities, 3) transfer of a minimum percentage of net profits to RBI, 4) guidelines regarding corporate governance <strong>[12]</strong>, etc.</p>
<p><strong>3.4.3.</strong> Given this, CIS submits that instead of classifying P2P lending platforms as “Misc NBFCs,” a new sub-classification be created under the category of NBFC for such platforms, one that directly addresses the key risks associated with the businesses of P2P lending platforms, and protects lenders as well as borrowers while enhancing transparency in operations. This new sub-classification of P2P lending companies should also be divided into systemically-important and non-systemically-important like other NBFCs, and requirements regarding financial operations and corporate management should only be enforced for the former category of P2P lending companies.</p>
<h3>3.5. Any other relevant issues pertaining to P2P lending</h3>
<p>Beyond the issues already discussed above, CIS seeks clarity from the RBI around the following aspects:</p>
<ol><li><strong>Transactional system pertaining to P2P lending:</strong>
<ol type="a">
<li>What are the requirements and prerequisites for mandating the collection of user identity?</li>
<li>Establishing a maximum sum that can be transferred per transaction.</li></ol>
</li>
<li><strong>Company activities:</strong>
<ol type="a"><li>Fees that can be charged by platforms.</li>
<li>How data security can be best addressed.</li>
<li>How the financial transactions are brokered.</li>
<li>Modes of redressal.</li>
<li>Restitution to users if something goes amiss in the transaction.</li>
<li>Insurance that the company has to buy or capital on hand to support.</li></ol>
</li></ol>
<p> </p>
<h2>Endnotes</h2>
<p><strong>[1]</strong> See: <a href="https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=3164">https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=3164</a>.</p>
<p><strong>[2]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[3]</strong> See: <a href="https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/RBIA1934170510.pdf">https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/RBIA1934170510.pdf</a>.</p>
<p><strong>[4]</strong> See Section 45I.(c) of RBI Act, 1923, last amended on January 07, 2013.</p>
<p><strong>[5]</strong> See Section 45I.(c)(v) of RBI Act, 1923, last amended on January 07, 2013.</p>
<p><strong>[6]</strong> See: <a href="https://rbidocs.rbi.org.in/rdocs/content/pdfs/PNNBFC200315.pdf">https://rbidocs.rbi.org.in/rdocs/content/pdfs/PNNBFC200315.pdf</a>.</p>
<p><strong>[7]</strong> See: <a href="http://economictimes.indiatimes.com/small-biz/startups/faircent-com-raises-pre-series-a-funding-of-250k/articleshow/47630279.cms">http://economictimes.indiatimes.com/small-biz/startups/faircent-com-raises-pre-series-a-funding-of-250k/articleshow/47630279.cms</a>.</p>
<p><strong>[8]</strong> See: <a href="https://rbi.org.in/scripts/NotificationUser.aspx?Id=7866">https://rbi.org.in/scripts/NotificationUser.aspx?Id=7866</a>.</p>
<p><strong>[9]</strong> See: <a href="https://rbi.org.in/scripts/BS_ViewMasCirculardetails.aspx?id=8168">https://rbi.org.in/scripts/BS_ViewMasCirculardetails.aspx?id=8168</a>.</p>
<p><strong>[10]</strong> See: <a href="http://www.incometaxindia.gov.in/Pages/acts/credit-information-companies-act.aspx">http://www.incometaxindia.gov.in/Pages/acts/credit-information-companies-act.aspx</a>.</p>
<p><strong>[11]</strong> See: <a href="http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf">http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf</a>.</p>
<p><strong>[12]</strong> See: <a href="https://www.rbi.org.in/scripts/BS_NBFCNotificationView.aspx?Id=3706">https://www.rbi.org.in/scripts/BS_NBFCNotificationView.aspx?Id=3706</a>.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/raw/comments-on-the-rbi-consultation-paper-on-peer-to-peer-lending'>https://cis-india.org/raw/comments-on-the-rbi-consultation-paper-on-peer-to-peer-lending</a>
</p>
No publisher | sumandro | Privacy, Reserve Bank of India, Data Protection, Research, Network Economies, P2P Lending, Researchers at Work | 2016-06-01T20:21:13Z | Blog Entry
RBI Consultation Paper on P2P Lending: Data Security and Privacy Concerns
https://cis-india.org/raw/rbi-consultation-paper-on-p2p-lending
<b>On April 28, 2016 the Reserve Bank of India published a consultation paper on P2P Lending and invited comments from the public on the same. The Paper discusses what P2P lending is and the various regulatory practices that govern P2P lending in different jurisdictions, and lists out the arguments for and against regulating P2P lending platforms.</b>
<p> </p>
<h2>Arguments against Regulation</h2>
<p>The arguments against regulation of P2P lending companies as set out in the paper are (briefly):</p>
<ol><li>Regulating an exempt or nascent sector may be perceived as rubber stamping the industry through regulation, thus lending credibility to P2P lending, which could attract ill-informed lenders to the sector who may not understand all the risks associated with the industry. In this way regulation may cause more harm than good.</li>
<li>Regulations may also be perceived as too stringent, thus stifling the growth of an innovative, efficient and accessible industry.</li>
<li>The P2P lending market is currently in a nascent stage and does not pose an immediate systemic risk meriting regulation.</li></ol>
<p> </p>
<h2>Arguments in favour of Regulation</h2>
<p style="text-align: justify;">The arguments for regulating the market on the other hand are:</p>
<ol><li>Considering the significance of the online industry and the impact which it can have on the traditional banking channels/NBFC sector, it would be prudent to regulate this emerging industry.</li>
<li>The importance of these methods of financing, especially in sectors where formal lending cannot reach, needs to be acknowledged.</li>
<li>If the sector is left unregulated altogether, there is the risk of unhealthy practices being adopted by one or more players, which may have deleterious consequences.</li>
<li>Section 45S of RBI Act prohibits an individual or a firm or an unincorporated association of individuals from accepting deposits “if its business wholly or partly includes any of the activities specified in clause (c) of section 45-I (i.e. activities of a financial institution); or if his or its principal business is that of receiving of deposits under any scheme or arrangement or in any other manner, or lending in any manner. Contravention of Section 45S is an offence punishable under section 58B (5A) of RBI Act. As per the Act, ‘‘deposit’’ includes and shall be deemed always to have included any receipt of money by way of deposit or loan or in any other form, but does not include any amount received from an individual or a firm or an association of individuals not being a body corporate, registered under any enactment relating to money lending which is for the time being in force in any State. Since the borrowers and lenders brought together by a P2P platform could fall within these prohibitions, absence of regulation may lead to perpetrating an illegality.”</li></ol>
<p>After listing out the arguments, the paper adopts the approach of regulating this industry and proposes to bring P2P lending platforms under the purview of RBI’s regulation by defining them as Non Banking Financial Companies (NBFCs) under section 45-I(f)(iii) of the RBI Act. Once notified as NBFCs, RBI can issue regulations under sections 45JA and 45L. Though there is scope to comment on many aspects of the consultation paper our comments here will be limited to the data security and privacy aspects of the recommendations.</p>
<p> </p>
<h2>Data Security and Privacy Concerns</h2>
<p>The understanding of potential borrowers, especially those who have had experiences with commercial financial institutions, is that the more information they provide, the better their chances become of getting a loan. This perception emanates from the fact that any potential borrower is asked for a myriad of documents, including personally identifying documents, before a request for a loan is considered; in fact, for almost all financial institutions it is part of their core prudential norms to ask for identity documents before disbursing a loan. Getting as much information as possible from the borrower is not just a quirk of the financial institutions but makes business sense for them, since it is those institutions who bear the risk of recovery of their money. There is no reason why the same logic of allowing creditors all the information about the borrower should not be applicable to P2P lending platforms, as far as the principle of prudential business practices is concerned. However, the key difference between disclosing information to P2P lending platforms as opposed to financial institutions is that whilst the information supplied to financial institutions stays limited to the institution and its employees, a large amount of the information (though not necessarily all) given to P2P platforms is made available to all potential creditors, which in P2P lending translates to any internet user who registers as a potential creditor. In this way the potential for the information to reach a wider group of people is much higher, and therefore privacy and data security risks require special attention in P2P lending.</p>
<p>In section 5.3(v) of the Paper it is recommended that “Confidentiality of the customer data and data security would be the responsibility of the Platform. Transparency in operations, adequate measures for data confidentiality and minimum disclosures to borrowers and lenders would also be mandated through a fair practices code.” Whilst the fair practices code has not yet been developed, or at least not yet made publicly available, as companies in the P2P lending industry are body corporates, these fair practice codes should be in line with and satisfy the requirements of section 43A of the Information Technology Act, 2000 (“<strong>IT Act</strong>”) as well as the RBI’s Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds <strong>[1]</strong>.</p>
<p>The minimum standards for data protection in Indian law have been laid down by section 43A of the IT Act and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“<strong>Rules</strong>”) issued under section 43A. As per Rule 4 of the Rules, P2P platforms would be required to have a privacy policy to deal with sensitive personal data, which includes any details regarding financial information such as bank account, credit/debit cards, etc. <strong>[2]</strong>.</p>
<p>This policy would have to be published on the website of the platforms and would provide for a number of things such as (i) Clear and easily accessible statements of its practices and policies; (ii) type of personal or sensitive personal data or information collected; (iii) purpose of collection and usage of such information; (iv) disclosure of information including sensitive personal data or information; (v) reasonable security practices and procedures for the data. The other requirements of the Rules as regards consent before usage of the information, collection limitations, imparting information/notice to the consumer (information provider), retention limitation, purpose limitation, opt-out option, disclosure, etc. will also be applicable to P2P platforms and the fair practices code that the RBI would issue for this purpose will have to take all these issues into account.</p>
<p style="text-align: justify;">The Rules also provide that body corporates will be considered to have complied with reasonable security practices if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of business. Although there are no such practices which have been endorsed by any governmental body for P2P lending platforms, the Department of Banking Supervision, Reserve Bank of India, has issued guidelines on “Information security, Electronic Banking, Technology risk management and cyber frauds" <strong>[3]</strong>, which could be relied upon until a fair practices code is put into place. The major privacy and data security provisions of these guidelines are given below:</p>
<ul>
<li><strong>Security Baselines</strong>: The guidelines require banks to be proactive in identifying and specifying the minimum security baselines to be adhered to by the service providers to ensure confidentiality and security of data;</li>
<li><strong>Back up records</strong>: A cloud computing system must ensure backup of all its clients' information;</li>
<li><strong>Security steps</strong>: An institution may take the following steps to ensure that risks with respect to confidentiality and security of data are adequately mitigated: (i) Address, agree, and document specific responsibilities of the respective parties in outsourcing; (ii) Discuss and agree on the instances where customer data shall be accessed; (iii) Ensure that service provider employees are adequately aware and informed on the security and privacy policies.</li>
<li><strong>Confidentiality</strong>: Agreements should provide for maintaining confidentiality of customer's information even after the contract expires or is terminated by either party and specify the liability in case of security breach or leakage.</li>
<li><strong>Encryption</strong>: Normally, a minimum of 128-bit SSL encryption is expected. Banks should only select encryption algorithms which are well established international standards.</li>
<li><strong>Fraud Risk Management</strong>: It is also necessary that customer confidential information and other data/information available with banks is secured adequately to ensure that fraudsters do not access it to perpetrate fraudulent transactions.</li></ul>
<p>Although inclusion of the above principles in the fair practices code would be helpful, the workings of P2P platforms are quite unique. It would therefore be counterproductive to restrict the security and privacy protocols to only those applied to regular banking transactions; the fair practices code should take into account these unique problems of P2P lending rather than seek to apply the existing norms blindly.</p>
<p> </p>
<h2>Endnotes</h2>
<p><strong>[1]</strong> See: <a href="https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf">https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf</a>.</p>
<p><strong>[2]</strong> The Rules define “sensitive personal data or information” as information relating to: "(i) password, (ii) financial information such as Bank account or credit card or debit card or other payment instrument details, (iii) physical, physiological and mental health condition, (iv) sexual orientation, (v) medical records and history, (vi) Biometric information, (vii) any detail relating to the above clauses as provided to body corporate for providing service, and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise."</p>
<p><strong>[3]</strong> See: <a href="http://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf">http://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf</a>.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/raw/rbi-consultation-paper-on-p2p-lending'>https://cis-india.org/raw/rbi-consultation-paper-on-p2p-lending</a>
</p>
No publisher | vipul | Privacy, Reserve Bank of India, Data Protection, Research, Network Economies, P2P Lending, Researchers at Work | 2016-06-01T11:41:17Z | Blog Entry
The National Privacy Principles
https://cis-india.org/internet-governance/blog/the-national-privacy-principles
<b>In this infographic, we try to break down the National Privacy Principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012.</b>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-national-privacy-principles'>https://cis-india.org/internet-governance/blog/the-national-privacy-principles</a>
</p>
No publisher | Pooja Saxena and Amber Sinha | Data Protection, Privacy | 2016-03-21T09:48:23Z | Blog Entry
Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India
https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india
<b>The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between the European Union and the United States. The inadequacies of the framework are not news for the European Commission and action by the ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse. </b>
<p align="justify">The European Court of Justice
(ECJ) has invalidated a European Commission (EC) decision<a class="sdfootnoteanc" name="sdfootnote1anc" href="#sdfootnote1sym"><sup>1</sup></a>
which had previously concluded that the 'Safe Harbor Privacy
Principles'<a class="sdfootnoteanc" name="sdfootnote2anc" href="#sdfootnote2sym"><sup>2</sup></a>
provide adequate protections for European citizens’ privacy rights<a class="sdfootnoteanc" name="sdfootnote3anc" href="#sdfootnote3sym"><sup>3</sup></a>
for the transfer of personal data between the European Union and the United
States. This challenge stems from the claim that public law
enforcement authorities in America obtain personal data from
organisations in safe harbour for incompatible and disproportionate
purposes in violation of the Safe Harbour Privacy Principles. The
court's judgment follows the advice of the Advocate General of the
Court of Justice of the European Union (CJEU) who recently opined<a class="sdfootnoteanc" name="sdfootnote4anc" href="#sdfootnote4sym"><sup>4</sup></a>
that US practices allow for large-scale collection and transfer of
personal data belonging to EU citizens without them benefiting from
or having access to judicial protection under US privacy laws. The
inadequacies of the framework are not news for the Commission and
action by ECJ has been a long time coming. The ruling raises
important questions about how increasingly the contestations of
personal data are being employed in asserting claims of citizenship
in the context of the internet.</p>
<p align="justify">
As the highest court in Europe,
the ECJ's decisions are binding on all member states. With this
ruling the ECJ has effectively restrained US firms from
indiscriminate collection and sharing of European citizens’ data on
American soil. The implications of the decision are significant,
because it shifts the onus of evaluating protections of personal data
for EU citizens from the 4,400 companies<a class="sdfootnoteanc" name="sdfootnote5anc" href="#sdfootnote5sym"><sup>5</sup></a>
subscribing to the system onto EU privacy watchdogs. Most
significantly, in addressing the rights of a citizen against an
established global brand, the judgement goes beyond political and
legal opinion to challenge the power imbalance that exists with
reference to US based firms.</p>
<p align="justify">
Today, the free movement of data
across borders is a critical factor in facilitating trade, financial
services, governance, manufacturing, health and development. However,
to consider the ruling as merely a clarification of transatlantic
mechanisms for data flows misstates the real issue. At the heart of
the judgment is the assessment whether US firms apply the tests of
‘necessity and proportionality’ in the collection and
surveillance of data for national security purposes. Application of
the necessity and proportionality test to national security exceptions
under safe harbor has been a sticking point that has stalled the
renegotiation of the agreement that has been underway between the
Commission and the American data protection authorities.<a class="sdfootnoteanc" name="sdfootnote6anc" href="#sdfootnote6sym"><sup>6</sup></a></p>
<p align="justify">
For EU citizens the stakes in the
case are even higher, as while their right to privacy is enshrined
under EU law, they have no administrative or judicial means of
redress, if their data is used for reasons they did not intend. In
the EU, citizens accessing and agreeing to the services of US-based firms are
presented with a false choice between accessing benefits and giving
up on their fundamental right to privacy. In other words, by seeking
that governments and private companies provide better data protection
for the EU citizens and in restricting collection of personal data on
a generalised basis without objective criteria, the ruling is
effectively an assertion of ‘data sovereignty’. The term ‘data
sovereignty’, while lacking a firm definition, refers to a spectrum
of approaches adopted by different states to control data generated
in or passing through national internet infrastructure.<a class="sdfootnoteanc" name="sdfootnote7anc" href="#sdfootnote7sym"><sup>7</sup></a>
Underlying the ruling is the growing policy divide between the US and
EU privacy and data protection standards, which may lead to what is
referred to as the balkanization<a class="sdfootnoteanc" name="sdfootnote8anc" href="#sdfootnote8sym"><sup>8</sup></a>
of the internet in the future.</p>
<p align="justify">
<em>US-EU Data Protection Regime </em></p>
<p align="justify">
The safe harbor pact between the
EU and US was negotiated in the late 1990s as an attempt to bridge
the different approaches to online privacy. Privacy is addressed in
the EU as a fundamental human right while in the US it is defined
under terms of consumer protection, which allow trade-offs
and exceptions when national security seems to be under threat. In
order to address the lower standards of data protection prevalent in
the US, the pact facilitates data transfers from EU to US by
establishing certain safeguards equivalent to the requirements of the
EU data protection directive. The safe harbor provisions include
firms undertaking not to pass personal information to third parties
if the EU data protection standards are not met and giving users
right to opt out of data collection.<a class="sdfootnoteanc" name="sdfootnote9anc" href="#sdfootnote9sym"><sup>9</sup></a></p>
<p align="justify">
The agreement was due to be
renewed by May 2015<a class="sdfootnoteanc" name="sdfootnote10anc" href="#sdfootnote10sym"><sup>10</sup></a>
and while negotiations have been ongoing for two years, EU discontent
on safe harbour came to the fore following the Edward Snowden
revelations of collection and monitoring facilitated by large private
companies for the PRISM program and after the announcement of the
TransAtlantic Trade and Investment Partnership (TTIP).<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><sup>11</sup></a>
EU member states have mostly stayed silent as they run their own
surveillance programs, oftentimes in cooperation with the NSA. EU
institutions cannot intervene in matters of national security
however, they do have authority on data protection matters. European
Union officials and Members of Parliament have expressed shock and
outrage at the surveillance programs unveiled by Snowden's 2013
revelations. Most recently, following the CJEU Advocate General’s
opinion, 50 Members of European Parliament (MEP) sent a strongly
worded letter to the US Congress hitting back on claims of ‘digital
protectionism’ emanating from the US<a class="sdfootnoteanc" name="sdfootnote12anc" href="#sdfootnote12sym"><sup>12</sup></a>.
In no uncertain terms the letter clarified that the EU has different
ideas on privacy, platforms, net neutrality, encryption, Bitcoin,
zero-days, or copyright and will seek to improve and change any
proposal from the EC in the interest of our citizens and of all
people.</p>
<p align="justify">
<em>Towards Harmonization </em></p>
<p align="justify">
In November 2013, as an attempt
to minimize the loss of trust following the Snowden revelations, the
European Commission (EC) published recommendations in its report on
'Rebuilding Trust in EU-US Data Flows'.<a class="sdfootnoteanc" name="sdfootnote13anc" href="#sdfootnote13sym"><sup>13</sup></a>
The recommendations revealed two critical initiatives at the EU
level—first was the revision of the EU-US safe harbor agreement<a class="sdfootnoteanc" name="sdfootnote14anc" href="#sdfootnote14sym"><sup>14</sup></a>
and second the adoption of the 'EU-US Umbrella Agreement<a class="sdfootnoteanc" name="sdfootnote15anc" href="#sdfootnote15sym"><sup>15</sup></a>'—a
framework for data transfer for the purpose of investigating,
detecting, or prosecuting a crime, including terrorism. The Umbrella
Agreement was recently initialed by EU and US negotiators and it only
addresses the exchange of personal data between law enforcement
agencies.<a class="sdfootnoteanc" name="sdfootnote16anc" href="#sdfootnote16sym"><sup>16</sup></a>
The Agreement has gained momentum in the wake of recent cases around
issues of territorial duties of providers, enforcement jurisdictions
and data localisation.<a class="sdfootnoteanc" name="sdfootnote17anc" href="#sdfootnote17sym"><sup>17</sup></a>
However, the adoption of the Umbrella Act depends on US Congress
adoption of the Judicial Redress
Act (JRA) as law.<a class="sdfootnoteanc" name="sdfootnote18anc" href="#sdfootnote18sym"><sup>18</sup></a></p>
<p align="justify">
<em>Judicial Redress Act </em></p>
<p align="justify">
The JRA is a key reform that the
EC is pushing for in an attempt to address the gap between privacy
rights and remedies available to US citizens and those extended to EU
citizens, including allowing EU citizens to sue in American courts.
The JRA seeks to extend certain protections under the Privacy Act to
records shared by EU and other designated countries with US law
enforcement agencies for the purpose of investigating, detecting, or
prosecuting criminal offenses. The JRA protections would extend to
records shared under the Umbrella Agreement and while it does include
civil remedies for violation of data protection, as noted by the
Center for Democracy and Technology, the present framework does not
provide citizens of EU countries with redress that is at par with
that which US persons enjoy under the Privacy Act.<a class="sdfootnoteanc" name="sdfootnote19anc" href="#sdfootnote19sym"><sup>19</sup></a></p>
<p align="justify">
For example, the measures
outlined under the JRA would only be applicable to countries that
have outlined appropriate privacy protections agreements for data
sharing for investigations and ‘efficiently share’ such
information with the US. Countries that do not have agreements with
US cannot seek these protections leaving the personal data of their
citizens open for collection and misuse by US agencies. Further, the
arrangement leaves determination of 'efficiently sharing' in the
hands of US authorities and countries could lose protection if they
do not comply with information sharing requests promptly. Finally,
JRA protections do not apply to non-US persons nor to records shared
for purposes other than law enforcement such as intelligence
gathering. JRA is also weakened by allowing heads of agencies to
exercise their discretion to seek exemption from the Act and opt out
of compliance.</p>
<p align="justify">
Taken together the JRA, the
Umbrella Act and the renegotiation of the Safe Harbor Agreement need
considerable improvements. It is worth noting that the EU’s acceptance
of the redundancy of existing agreements, and its establishing of the
independence of national data protection authorities in investigating
and enforcing national laws as demonstrated in the Schrems and in the
Weltimmo<a class="sdfootnoteanc" name="sdfootnote20anc" href="#sdfootnote20sym"><sup>20</sup></a>
cases, point to accelerated developments in the broader EU privacy
landscape.</p>
<p align="justify">
<em>Consequences </em></p>
<p align="justify">
The ECJ Safe Harbor ruling will
have far-reaching consequences for the online industry. Often, costly
government rulings solidify the market dominance of big companies. As
high regulatory costs restrict the entrance of small and medium
businesses into the market, competition is gradually wiped out. Further,
complying with high standards of data protection means that US firms
handling European data will need to consider alternative legal means
of transfer of personal data. This could include evolving 'model
contracts' binding them to EU data protection standards. As Schrems
points out, “Big companies don’t only rely on safe harbour: they
also rely on binding corporate rules and standard contractual
clauses.”<a class="sdfootnoteanc" name="sdfootnote21anc" href="#sdfootnote21sym"><sup>21</sup></a></p>
<p align="justify">
The ruling is good news for
European consumers, who can now approach a national regulator to
investigate suspicions of data mishandling. EU data protection
regulators may be inundated with requests from companies seeking
authorization of new contracts and with consumer complaints. Some are
concerned that the ruling puts a dent in the globalized flow of
data<a class="sdfootnoteanc" name="sdfootnote22anc" href="#sdfootnote22sym"><sup>22</sup></a>,
effectively requiring data localization in Europe.<a class="sdfootnoteanc" name="sdfootnote23anc" href="#sdfootnote23sym"><sup>23</sup></a>
Others have pointed out that it is unclear how this decision sits
with other trade treaties such as the TPP that ban data
localisation.<a class="sdfootnoteanc" name="sdfootnote24anc" href="#sdfootnote24sym"><sup>24</sup></a>
While the implications of the decision will take some time in playing
out, what is certain is that US companies will have to
restructure management, storage and use of data. The ruling has
created the impetus for India to push for reforms to protect its
citizens from harms by US firms and improve trade relations with EU.</p>
<p align="justify"><em>The Opportunity for India</em></p>
<p align="justify">
Multiple data flows take place
over the internet simultaneously, and that has led to the ubiquity of data
transfers over the Internet, exposing individuals to privacy risks.
There has also been an enhanced economic importance of data
processing as businesses collect and correlate data using analytic
tools to create new demands, establish relationships and generate
revenue for their services. The primary concern of the Schrems case
may be the protection of the rights of EU citizens but by seeking to
extend these rights and ensure compliance in other jurisdictions, the
case touches upon many underlying contestations around data and
sovereignty.</p>
<p align="justify">
Last year, Mr Ram Narain, India's
Head of Delegation to the Working Group Plenary at the ITU, stressed that “respecting the principle of sovereignty of information through
network functionality and global norms will go a long way in
increasing the trust and confidence in use of ICT.”<a class="sdfootnoteanc" name="sdfootnote25anc" href="#sdfootnote25sym"><sup>25</sup></a>
In the absence of the recognition of privacy as a right and of
measures or avenues that empower citizens to seek redressal
against misuse of data, the demand for data sovereignty rings empty.
The kind of framework that empowered an ordinary citizen in the EU
to approach the highest court seeking redressal for presumed
overreach by a foreign government and for harms abetted by private
corporations simply does not exist in India. Securing citizens’
data in other jurisdictions and from other governments begins with
establishing protection regimes within the country.</p>
<p align="justify">
The Indian government has also
stepped up efforts to restrict the transfer of data from India, including
pushing for private companies to open data centers in India.<a class="sdfootnoteanc" name="sdfootnote26anc" href="#sdfootnote26sym"><sup>26</sup></a>
Negotiating data localisation does not restrict private
corporations from using data in broad ways, including tailoring ads
and promoting products. Data transfers also affect any organisation
with international operations, for example global multinationals that
need to coordinate employee data and information. Companies like
Facebook, Google and Microsoft transfer and store data belonging to
Indian citizens, and it is worth remembering that the National
Security Agency (NSA) would have access to this data through the servers
of such private companies. With no existing measures to restrict such
indiscriminate access, the ruling points to the need for India to
evolve strong protection mechanisms. Finally, the lack of such
measures also has an economic impact, as reported in a recent
Nasscom-Data Security Council of India (DSCI) survey<a class="sdfootnoteanc" name="sdfootnote27anc" href="#sdfootnote27sym"><sup>27</sup></a>
that pegs revenue losses incurred by the Indian IT-BPO industry at
$2-2.5 billion for a sample size of 15 companies. DSCI has further
estimated that outsourcing business can grow by a further $50 billion
per annum once India is granted a “data secure” status by the
EU.<a class="sdfootnoteanc" name="sdfootnote28anc" href="#sdfootnote28sym"><sup>28</sup></a>
The EU’s refusal to grant such a status is understandable given the
high standard of privacy incorporated under the European Union
Data Protection Directive, a standard to which India does not yet match
up. The lack of this status prevents the flow of data that is
vital for the Digital India vision and also affects the service industry
by restricting the flow of sensitive information, such as patient
records, to India.</p>
<p align="justify">
Data and information structures
are controlled and owned by private corporations, and networks
transcend national borders; therefore the foremost emphasis needs to
be on improving national frameworks. While enforcement mechanisms
such as the Mutual Legal Assistance Treaty (MLAT) process or other
methods of international cooperation may seem respectful of
international borders and principles of sovereignty,<a class="sdfootnoteanc" name="sdfootnote29anc" href="#sdfootnote29sym"><sup>29</sup></a>
for users who live in undemocratic or oppressive regimes such
agreements are a considerable risk. Data is also increasingly
stored across multiple jurisdictions, and therefore merely applying a
data location lens to protection measures may be too narrow. Further,
it should be noted that when companies begin taking data storage
decisions based on legal considerations, it will affect the speed and
reliability of services.<a class="sdfootnoteanc" name="sdfootnote30anc" href="#sdfootnote30sym"><sup>30</sup></a>
Any future regime must reflect the challenges of data transfers
taking place in legal and economic spaces that are not identical and
may be in opposition. Fundamentally, the protection of privacy will
always act as a barrier to the free flow of information; even so, as
the Schrems ruling shows, not having adequate privacy
protections can also restrict the flow of data, as has been the case
for India.</p>
<p align="justify">
The time is right for India to
appoint a data controller and put in place national frameworks based
on a nuanced understanding of the issues in applying jurisdiction to govern
users and their data. Establishing better protection measures will
not only establish trust and enhance the ability of users to control
data about themselves; it is also essential for sustaining the economic
and social value generated from data generation and collection.
Suggestions for such frameworks have been considered previously by
the Group of Experts on Privacy constituted by the Planning
Commission.<a class="sdfootnoteanc" name="sdfootnote31anc" href="#sdfootnote31sym"><sup>31</sup></a>
By incorporating transparency in mechanisms for data and access
requests and premising requests on established necessity and
proportionality, the Indian government can lead the way in data protection
standards. This will give the Indian government more teeth both to
challenge and address the dangers of theft of data stored on
servers located outside India and to restrain indiscriminate access
arising from businesses’ terms and conditions that grant such
rights to third parties.</p>
<div id="sdfootnote1">
<p>
<a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC
of the European Parliament and of the Council on the adequacy of the
protection provided by the safe harbour privacy principles and
related frequently asked questions issued by the US Department of
Commerce (notified under document number C(2000) 2441) (Text with
EEA relevance.) <em>Official
Journal L 215 , 25/08/2000 P. 0007 -0047 </em>
2000/520/EC:
<u><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML</a></u></p>
</div>
<div id="sdfootnote2">
<p>
<a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a>
Safe Harbour Privacy Principles Issued by the U.S. Department of
Commerce on July 21, 2000
<u><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">http://www.export.gov/safeharbor/eu/eg_main_018475.asp</a></u></p>
</div>
<div id="sdfootnote3">
<p>
<a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a>
Megan Graham, <a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Adding Some Nuance on the European Court’s Safe Harbor Decision</a>, Just Security</p>
<p>
<u><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/</a></u></p>
</div>
<div id="sdfootnote4">
<p>
<a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a>
Advocate
General’s Opinion in Case C-362/14 Maximillian Schrems v Data
Protection Commissioner Court of Justice of the European Union,
Press Release, No 106/15 Luxembourg, 23 September 2015
<u><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf</a></u></p>
</div>
<div id="sdfootnote5">
<p>
<a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour
alternatives’, The Register, October 7, 2015
<u><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/</a></u></p>
</div>
<div id="sdfootnote6">
<p>
<a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
Draft Report, General Data Protection Regulation, Committee on Civil
Liberties, Justice and Home Affairs, European Parliament, 2009-2014
<a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf</a></p>
</div>
<div id="sdfootnote7">
<p>
<a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS
Characteristics: Data Sovereignty and the Balkanisation of the
Internet’, University of Oxford, July 7, 2014
<u><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf</a></u></p>
</div>
<div id="sdfootnote8">
<p>
<a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
Sasha
Meinrath, The Future of the Internet: Balkanization and Borders,
Time, October 2013
<u><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/</a></u></p>
</div>
<div id="sdfootnote9">
<p>
<a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
Safe Harbour Privacy Principles, Issued by the U.S. Department of
Commerce, July 2001
<u><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">http://www.export.gov/safeharbor/eu/eg_main_018475.asp</a></u></p>
</div>
<div id="sdfootnote10">
<p>
<a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a>
Facebook
case may force European firms to change data storage practices, The
Guardian, September 23, 2015
<u><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy</a></u></p>
</div>
<div id="sdfootnote11">
<p>
<a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a>
Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013
<u><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">https://iapp.org/news/a/us-eu-safe-harbor-under-pressure</a></u></p>
</div>
<div id="sdfootnote12">
<p>
<a class="sdfootnotesym" name="sdfootnote12sym" href="#sdfootnote12anc">12</a>
Kieren McCarthy, Privacy, net neutrality, security, encryption ... Europe tells Obama, US Congress to back off, The Register, 23 September, 2015
<u><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/</a></u></p>
</div>
<div id="sdfootnote13">
<p>
<a class="sdfootnotesym" name="sdfootnote13sym" href="#sdfootnote13anc">13</a>
Communication from the Commission to the European Parliament and the
Council, Rebuilding Trust in EU-US Data Flows, European Commission,
November 2013
<u><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf</a></u></p>
</div>
<div id="sdfootnote14">
<p>
<a class="sdfootnotesym" name="sdfootnote14sym" href="#sdfootnote14anc">14</a>
Safe Harbor on trial in the European Union, Access Blog, September 2014
<u><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union</a></u></p>
</div>
<div id="sdfootnote15">
<p>
<a class="sdfootnotesym" name="sdfootnote15sym" href="#sdfootnote15anc">15</a>
European Commission - Fact Sheet: Questions and Answers on the EU-US data protection "Umbrella agreement", September 8, 2015
<u><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm</a></u></p>
</div>
<div id="sdfootnote16">
<p>
<a class="sdfootnotesym" name="sdfootnote16sym" href="#sdfootnote16anc">16</a>
McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data transfers’, Lexology, September 14, 2015
<u><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f</a></u></p>
</div>
<div id="sdfootnote17">
<p>
<a class="sdfootnotesym" name="sdfootnote17sym" href="#sdfootnote17anc">17</a>
Andrew Woods, Lowering the Temperature on the Microsoft-Ireland Case, Lawfare, September 2015
<u><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case</a></u></p>
</div>
<div id="sdfootnote18">
<p>
<a class="sdfootnotesym" name="sdfootnote18sym" href="#sdfootnote18anc">18</a>
Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement and the Judicial Redress Act: Small Steps Forward for EU Citizens’ Privacy Rights’, October 5, 2015
<u><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/</a></u></p>
</div>
<div id="sdfootnote19">
<p>
<a class="sdfootnotesym" name="sdfootnote19sym" href="#sdfootnote19anc">19</a>
Ibid 18.</p>
</div>
<div id="sdfootnote20">
<p>
<a class="sdfootnotesym" name="sdfootnote20sym" href="#sdfootnote20anc">20</a>
Landmark ECJ data protection ruling could impact Facebook and Google, The Guardian, 2 October, 2015
<u><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo</a></u></p>
</div>
<div id="sdfootnote21">
<p>
<a class="sdfootnotesym" name="sdfootnote21sym" href="#sdfootnote21anc">21</a>
Julia Powles, Tech companies like Facebook not above the law, says Max Schrems, The Guardian, October 9, 2015
<u><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice</a></u></p>
</div>
<div id="sdfootnote22">
<p>
<a class="sdfootnotesym" name="sdfootnote22sym" href="#sdfootnote22anc">22</a>
Adam Thierer, Unintended Consequences of the EU Safe Harbor Ruling, The Technology Liberation Front, October 6, 2015
<u><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831</a></u></p>
</div>
<div id="sdfootnote23">
<p>
<a class="sdfootnotesym" name="sdfootnote23sym" href="#sdfootnote23anc">23</a>
Anupam Chander, Tweeted: ECJ <a href="https://twitter.com/hashtag/schrems?src=hash">#schrems</a> ruling may effectively require data localization within Europe,
<u><a href="https://twitter.com/AnupamChander/status/651369730754801665">https://twitter.com/AnupamChander/status/651369730754801665</a></u></p>
</div>
<div id="sdfootnote24">
<p>
<a class="sdfootnotesym" name="sdfootnote24sym" href="#sdfootnote24anc">24</a>
Lokman Tsui, Tweeted, “If the TPP bans data localization, but the ECJ ruling effectively mandates it, what does that mean for the internet?”
<u><a href="https://twitter.com/lokmantsui/status/651393867376275456">https://twitter.com/lokmantsui/status/651393867376275456</a></u></p>
</div>
<div id="sdfootnote25">
<p>
<a class="sdfootnotesym" name="sdfootnote25sym" href="#sdfootnote25anc">25</a>
Statement from Indian Head of Delegation, Mr Ram Narain for WGPL,
<a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Indian statement on ITU and Internet at the Working Group Plenary, November 4, 2014</a> <a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">https://ccgnludelhi.wordpress.com/author/asukum87/page/2/</a></p>
</div>
<div id="sdfootnote26">
<p>
<a class="sdfootnotesym" name="sdfootnote26sym" href="#sdfootnote26anc">26</a>
Sounak Mitra, Xiaomi bets big on India despite problems, Business Standard, December 2014
<u><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html</a></u></p>
</div>
<div id="sdfootnote27">
<p>
<a class="sdfootnotesym" name="sdfootnote27sym" href="#sdfootnote27anc">27</a>
Neha Alawadi, Ruling on data flow between EU &amp; US may impact India’s IT sector, Economic Times, October 7, 2015
<a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst</a></p>
</div>
<div id="sdfootnote28">
<p>
<a class="sdfootnotesym" name="sdfootnote28sym" href="#sdfootnote28anc">28</a>
Pranav Menon, Data Protection Laws in India and Data Security - Impact on India-EU Free Trade Agreement, CIS Access to Knowledge, 2011
<u><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">http://cis-india.org/a2k/blogs/data-security-laws-india.pdf</a></u></p>
</div>
<div id="sdfootnote29">
<p>
<a class="sdfootnotesym" name="sdfootnote29sym" href="#sdfootnote29anc">29</a>
Surendra Kumar Sinha, India wants Mutual Legal Assistance treaty with Bangladesh, Economic Times, October 7, 2015
<u><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst</a></u></p>
</div>
<div id="sdfootnote30">
<p>
<a class="sdfootnotesym" name="sdfootnote30sym" href="#sdfootnote30anc">30</a>
Pablo Chavez, Director, Public Policy and Government Affairs, Testifying before the U.S. Senate on transparency legislation, November 3, 2013
<u><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html</a></u></p>
</div>
<div id="sdfootnote31">
<p>
<a class="sdfootnotesym" name="sdfootnote31sym" href="#sdfootnote31anc">31</a>
Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court), Planning Commission, October 2012
<u><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</a></u></p>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india'>https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india</a>
</p>
Author: jyoti. Tags: Access to Knowledge, Digital Economy, Public Accountability, Privacy, Platform Responsibility, Data Protection, Accountability, Digital Security, Digital India, Internet Governance. Published 2015-10-14 (Blog Entry).
Centre for Internet and Society joins the Dynamic Coalition for Platform Responsibility
https://cis-india.org/internet-governance/blog/cis-joins-dynamic-coalition-for-platform-responsibility
<b>The Centre for Internet and Society (CIS) has joined a multistakeholder cooperative engagement working towards Due Diligence Recommendations for online platforms and Model Contractual Provisions to be enshrined in Terms of Service (ToS). This blog provides a brief background on the role of dynamic coalitions within the IGF structure, establishes the need for the coalition, and provides an update on the action plan and next steps for interested stakeholders.</b>
<p class="callout" style="text-align: justify; ">"Identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations."<br />Tunis Agenda (Para 72.g)</p>
<p style="text-align: justify; ">The first United Nations Internet Governance Forum (IGF), held in 2006, saw the emergence of the concept of the Dynamic Coalition, and a number of coalitions have been established over the years. The IGF is structured to bring together multistakeholder groups to,</p>
<p class="callout" style="text-align: justify; ">"Discuss public policy issues related to key elements of Internet governance in order to foster the sustainability, robustness, security, stability and development of the Internet."<br />Tunis Agenda (Para 72.a)</p>
<p style="text-align: justify; ">While IGF workshops allow various stakeholders to jointly analyse "hot topics" or to examine the progress made on such issues since the previous IGF, dynamic coalitions are informal, issue-specific groups comprising members of various stakeholder groups. With no strictures upon the objects, structure or processes of dynamic coalitions claiming association with the IGF, no formal institutional affiliation, and no access to the resources of the IGF Secretariat, IGF Dynamic Coalitions allow the collaboration of anyone interested in contributing to their discussions. Currently there are eleven active dynamic coalitions at the IGF, which can be divided into three distinct types: networks, working groups and Birds of a Feather (BOFs).</p>
<p style="text-align: justify; ">Workshops at the IGF are content-specific events that, though valuable in informing participants, are limited in their impact by being confined to the launch of a report or to the issues raised within the conference room. The coalitions, on the other hand, are expected to have a broader function, acting as a coalescing point for interested stakeholders to gather, analyse progress around identified issues and plan next steps. The coalitions can also make recommendations around issues; however, no mechanism has been developed so far by which the recommendations can be considered by the plenary body. The long-term nature of coalitions is perhaps most suited to engaging stakeholders in heterogeneous groups, towards understanding and cooperating around emerging issues and making recommendations to inform policy making.</p>
<h3 style="text-align: justify; ">Platform Responsibility</h3>
<p style="text-align: justify; ">Social networks and other interactive online services give rise to 'cyber-spaces' where individuals gather, express their personalities and exchange information and ideas. The transnational and private nature of such platforms means that they are regulated through contractual provisions enshrined in the platforms' Terms of Service (ToS). The provisions delineated in the ToS not only extend to users regardless of their geographical location; the private decisions undertaken by platform providers in implementing the ToS are also not subject to the constitutional guarantees framed under national jurisdictions.</p>
<p style="text-align: justify; ">While ToS serve as binding agreements online, the absence of binding international rules in this area, despite the universal nature of the human rights at stake, is a real challenge, and makes it necessary to engage in a multistakeholder effort to produce model contractual provisions that can be incorporated in ToS. The concept of 'platform responsibility' aims to stimulate platform providers to provide intelligible and solid mechanisms, in line with the principles laid out in the UN Guiding Principles on Business and Human Rights, and to equip platform users with common and easy-to-grasp tools that guarantee the full enjoyment of their human rights online. The use of model contractual provisions in ToS may prove instrumental in fostering trust in online services for content production, use and dissemination, increasing demand for such services; ultimately, consumer demand may drive the market towards human rights compliant solutions.</p>
<h3 style="text-align: justify; ">The Dynamic Coalition on Platform Responsibility</h3>
<p style="text-align: justify; ">To nurture a multistakeholder endeavour aimed at the elaboration of model contractual provisions, Mr. Luca Belli, Council of Europe / Université Paris II, Ms Primavera De Filippi, CNRS / Berkman Center for Internet and Society, and Mr Nicolo Zingales, Tilburg University / Center for Technology and Society Rio, initiated and facilitated the creation of the Dynamic Coalition on Platform Responsibility (DCPR). DCPR has over fifty individual and organisational members from civil society organisations, academia, private sector organisations and intergovernmental organisations, and held its first meeting at the IGF in Istanbul. The meeting began with an overview of the concept of platform responsibility, highlighting relevant initiatives that the Council of Europe, the Global Network Initiative, Ranking Digital Rights and the Center for Democracy and Technology have undertaken in this regard. Existing issues such as difficulty of comprehension and lack of standardisation of redress across rights were raised, along with the fundamental lack of due process in terms of transparency across existing mechanisms.</p>
<p style="text-align: justify; ">Online platforms' compliance with human rights is often framed around the duty of States to protect human rights, and Internet companies often do not give sufficient consideration to the effects of their business practices on users' fundamental rights, which undermines trust.</p>
<p style="text-align: justify; ">The meeting focused its efforts with a call to identify issues of process and substance, and the specific rights and challenges to be addressed by the DCPR. The procedural issues raised concerned 'responsibility' in decision-making, e.g., giving users the right to be heard and to an effective remedy before an impartial decision-making body, and obtaining their consent for changes in the contractual terms. The substantive concerns raised related to rights such as privacy and freedom of expression, e.g., disclosure of personal information and content removal, and the need to promote 'responsibility' by establishing concrete mechanisms to deal with such issues.</p>
<p style="text-align: justify; ">It was suggested that the concept of responsibility, including in cases of conflict between different rights, could be grounded in human rights case law, e.g., the jurisprudence of the European Court of Human Rights. It was also established that any framework evolving from this coalition would consider the distinctions between users (e.g., adults, children, and people with or without continuous access to the Internet) and between platforms (e.g., in terms of size and functionality).</p>
<h3 style="text-align: justify; ">Action Plan</h3>
<p style="text-align: justify; ">The participants at the DCPR meeting agreed to establish a multistakeholder cooperative engagement that will go beyond dialogue and produce concrete proposals. In particular, participants suggested developing:</p>
<ol>
<li style="text-align: justify; ">Due Diligence Recommendations: Recommendations to online platforms with regard to processes of compliance with internationally agreed human rights standards.</li>
<li style="text-align: justify; ">Model Contractual Provisions: Elaboration of a set of principles and provisions protecting platform users’ rights and guaranteeing transparent mechanisms to seek redress in case of violations.</li>
</ol>
<p style="text-align: justify; ">DCPR will ground the development of these frameworks in the preliminary step of compiling existing projects and initiatives that analyse the compatibility of ToS with human rights standards. Members, participants and interested stakeholders are invited to highlight and share relevant initiatives by 10th October regarding:</p>
<ol>
<li>Processes of due diligence for human rights compliance;</li>
<li>The evaluation of ToS compliance with human rights standards;</li>
</ol>
<p style="text-align: justify; ">Further to this compilation, a first draft recommendation regarding online platforms' due diligence will be circulated on the mailing list by 30th October 2014. CIS will be contributing to the drafting, which will be led and elaborated by the DCPR coordinators. This draft will be open for comments via the DCPR mailing list until 30th November 2014, and we encourage you to sign up to the mailing list (<a class="external-link" href="http://lists.platformresponsibility.info/listinfo/dcpr">http://lists.platformresponsibility.info/listinfo/dcpr</a>).<br /><br />A second draft, compiling the comments expressed via the mailing list, will be developed and shared for comments by 10 December 2014. The final version of the recommendation will be drafted by 30 December. Subsequently, the first set of model contractual provisions will be elaborated, building upon that recommendation. A call for inputs will be issued in order to gather suggestions on the content of these provisions.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-joins-dynamic-coalition-for-platform-responsibility'>https://cis-india.org/internet-governance/blog/cis-joins-dynamic-coalition-for-platform-responsibility</a>
</p>
Author: jyoti. Tags: Human Rights, Privacy, Internet Governance Forum, Data Protection, Terms of Service, Internet Governance, Platform Responsibility, Intermediary Liability. Published 2014-10-07 (Blog Entry).