The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 31 to 45.
Divergence between the General Data Protection Regulation and the Personal Data Protection Bill, 2019
https://cis-india.org/internet-governance/blog/divergence-between-the-general-data-protection-regulation-and-the-personal-data-protection-bill-2019
<b></b>
<p>Our note on the divergence between the General Data Protection Regulation and the Personal Data Protection Bill can be downloaded as a PDF <a href="https://cis-india.org/internet-governance/divergence-between-the-gdpr-and-pdp-bill-2019" class="internal-link" title="Divergence between the GDPR and PDP Bill 2019">here</a>.</p>
<p>The European Union’s General Data
Protection Regulation (GDPR), replacing the 1995 EU Data Protection Directive
came into effect in May 2018. It harmonises the data protection regulations
across the European Union. In India, the Ministry of Electronics and
Information Technology had constituted a Committee of Experts (chaired by
Justice Srikrishna) to frame recommendations for a data protection framework in
India. The Committee submitted its report and a draft Personal Data Protection
Bill in July 2018 (2018 Bill). Public comments were sought on the bill till
October 2018. The Central Government revised the Bill and introduced the
revised version of the Personal Data Protection Bill (PDP Bill) on December 11,
2019 in the Lok Sabha.</p>
<p>The PDP Bill has incorporated certain
aspects of the GDPR, such as requirements for notice to be given to the data
principal, consent for processing of data, establishment of a data protection
authority, etc. However, there are some differences and in this note we have highlighted
the areas of divergence between the two. It only includes
provisions which are common to the GDPR and the PDP Bill. It does not include
the provisions on (i) Appellate Tribunal, (ii) Finance, Account and Audit; and
(iii) Non- Personal Data. </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/divergence-between-the-general-data-protection-regulation-and-the-personal-data-protection-bill-2019'>https://cis-india.org/internet-governance/blog/divergence-between-the-general-data-protection-regulation-and-the-personal-data-protection-bill-2019</a>
</p>
No publisherPallavi BediInternet GovernanceData ProtectionPrivacy2020-02-21T11:08:50ZBlog EntryDeveloper team fixed vulnerabilities in Honorable PM's app and API
https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app
<b>The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.</b>
<p><strong>This blog post has been authored by Bhavyanshu Parasher</strong>. The original post can be<a class="external-link" href="https://bhavyanshu.me/major-security-flaw-pm-app/09/29/2015"> read here</a>.</p>
<hr />
<h2 style="text-align: justify; ">What were the issues?</h2>
<p style="text-align: justify; "><span>The main issue was how the app was communicating with the API served by narendramodi.in.</span></p>
<div id="_mcePaste" style="text-align: justify; "><ol>
<li>I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.</li>
<li>There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.</li>
<li>The API was still being served over HTTP instead of HTTPS.</li>
</ol></div>
<h3 style="text-align: justify; ">Fixed</h3>
<ol style="text-align: justify; ">
<li>The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.</li>
<li>A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.</li>
<li>Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.</li>
</ol>
<h2 style="text-align: justify; ">Detailed Vulnerability Disclosure</h2>
<p style="text-align: justify; ">Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app,<strong> I would suggest you to change your password immediately</strong>. Can’t leave out a possibility of it being compromised.</p>
<p style="text-align: justify; ">Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.</p>
<p style="text-align: justify; ">The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/App.png/@@images/7bec3ca6-0808-4d19-9711-bc084b507f61.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/copy_of_App.png/@@images/2e499adb-b621-4bc4-a490-f8957c9ac1d7.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Disclosure to officials</h2>
<p style="text-align: justify; ">The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.</p>
<p style="text-align: justify; ">Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet1.png" alt="Tweet 1" class="image-inline" title="Tweet 1" /></p>
<p style="text-align: justify; ">After about 30 hours of reporting the vulnerabillity</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet2.png" alt="Tweet 2" class="image-inline" title="Tweet 2" /></p>
<h2 style="text-align: justify; ">Proposed Solution</h2>
<p style="text-align: justify; "><span>Consulted </span><a href="https://twitter.com/pranesh_prakash">@pranesh_prakash</a><span> as well regarding the issue.</span></p>
<p style="text-align: justify; "><span><img src="https://cis-india.org/home-images/Tweet3.png" alt="Tweet 3" class="image-inline" title="Tweet 3" /></span></p>
<p style="text-align: justify; ">After this, I mailed them a solution regarding the issues.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Discussion with developer</h2>
<p style="text-align: justify; ">Received <strong>phone call</strong> from a developer. Discussed possible solutions to fix it.</p>
<p style="text-align: justify; "><strong>The solution that I proposed could not be implemented </strong>since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that <strong>people don’t upgrade to latest versions leaving themselves vulnerable to security flaws</strong>. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet4.png" alt="Tweet 4" class="image-inline" title="Tweet 4" /></p>
<p style="text-align: justify; ">On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. <strong>I can now confirm they have fixed all three issues</strong>.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Update 12/02/2016</h2>
<p style="text-align: justify; "><a class="external-link" href="http://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data/story/1/14347.html">This vulnerability</a> in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.</p>
<p style="text-align: justify; ">Also read:</p>
<ul>
<li><a class="external-link" href="http://www.newindianexpress.com/nation/2016/dec/02/narendra-modi-app-hacked-by-youngster-points-out-risk-to-7-million-users-data-1544933--1.html">Narendra Modi app hacked by youngster, points out risk to 7 million users’ data</a> (New Indian Express; December 2, 2016)</li>
<li><a class="external-link" href="http://indiatoday.intoday.in/story/security-22-year-old-hacks-modi-app-private-data-7-million/1/825661.html">Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people</a> (India Today; December 2, 2016)</li>
<li><a class="external-link" href="http://thewire.in/84148/tech-security-namo-api/">The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse</a> (The Wire; December 3, 2016)</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app'>https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app</a>
</p>
No publisherpraneshPrivacySecurityInternet GovernanceData ProtectionCyber SecurityHackingMobile AppsData Management2016-12-04T19:08:56ZBlog EntryDemystifying Data Breaches in India
https://cis-india.org/internet-governance/blog/demistifying-data-breaches-in-india
<b>Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.
</b>
<p>Edited by Arindrajit Basu and Saumyaa Naidu</p>
<hr />
<p dir="ltr" style="text-align: justify; ">India saw a <a href="https://theprint.in/india/despite-62-drop-in-data-breaches-india-among-top-5-nations-targeted-by-hackers-study-finds/917197/">62% drop in data breaches in the first quarter of 2022</a>. Yet, it ranked fifth on the list of countries most hit by cyberattacks according to a 2022 <a href="https://surfshark.com/blog/data-breach-statistics-by-country">report by Surfshark</a>, a Netherlands-based VPN company. Another report <a href="https://analyticsindiamag.com/the-ridiculous-17-5-cr-for-a-data-breach/">on the cost of data breaches researched by the Ponemon Institute and published by IBM</a> reveals that the breach of about 29500 records between March 2021 and March 2022 resulted in a 25% increase in the average cost from INR 165 million in 2021 to INR 176 million in 2022.</p>
<p style="text-align: justify; "><span>These statistics are certainly a cause for concern, especially in the context of India’s rapidly burgeoning digital economy shaped by the pervasive platformization of private and public services such as welfare, banking, finance, health, and shopping among others. Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.</span></p>
<p style="text-align: justify; "><span>While expert articulations of cybersecurity in general and data breaches in particular tend to predominate the public discourse on data privacy, this post aims to situate broader understandings of data breaches within the historical context of India’s IT revolution and delve into specific concepts and terminology that have shaped the broader discourse on data protection. The late 1990s and early 2000s offer a useful point of entry into the genesis of the data security landscape in India.</span></p>
<h3><span></span><span>Data Breaches and their Predecessor Forms</span></h3>
<p style="text-align: justify; "><span></span><span>The articulation of data security concerns around the late 1990s and early 2000s isn’t always consistent in deploying the phrase, ‘data breach’ to signal cybersecurity concerns in India. The terms such as ‘data/ identity theft’ and ‘data leak’ figure prominently in the public articulation of concerns with the handling of personal information by IT systems, particularly in the context of business process outsourcing (BPO) and e-commerce activities. Other pertinent terms such as “security breach”, “data security”, and ‘“cyberfraud” also capture the specificity of growing concerns around outsourced data to India. At the time, i.e. around mid-2000s regulatory frameworks were still evolving to accommodate and address the complexities arising from a dynamic reconfiguration of the telecommunications and IT landscape in India.</span></p>
<p dir="ltr" style="text-align: justify; ">Some of the formative cases that instantiate the usage of the aforementioned terms are instructive to understand shifts in the reporting of such incidents over time. The earliest case during that period concerns<a href="https://www.stop-source-code-theft.com/source-code-theft-cases-in-india/"> a 2002 case concerning the theft and sale of source code</a> by an IIT Kharagpur student who intended to sell the code to two undercover FBI agents who worked with the CBI to catch the thief. A straightforward case of data theft was framed by media stories around the time as a <a href="https://timesofindia.indiatimes.com/iitian-held-for-stealing-software-source-code/articleshow/20389713.cms">cybercrime involving the illegal sale</a> of the source code of a software package, as <a href="https://economictimes.indiatimes.com/ip-laws-lax-but-us-firm-bets-on-india/articleshow/696197.cms?from=mdr">software theft of intellectual property in the context of outsourcing</a> and as an instance of <a href="https://www.computerworld.com/article/2573515/at-risk-offshore.html">industrial espionage in poor nations without laws protecting foreign companies</a>. This case became the basis of the earliest calls for the protection of data privacy and security in the context of the Indian BPO sector. The Indian IT Act, 2000 at the time only covered <a href="http://pavanduggal.com/wp-content/uploads/2016/01/India-Responds-to-Growing-Concerns-Over-Data-Security.pdf">unauthorized access and data theft from computers and networks without any provisions for data protection, interception or computer forgery</a>. The BPO boom in India brought with it <a href="https://blj.ucdavis.edu/archives/vol-6-no-2/offshore-outsourcing-to-india.html">employment opportunities for India’s English-speaking, educated youth but in the absence of concrete data privacy legislation</a>, the country was regarded as an unsafe destination for outsourcing aside from the political ramifications concerning the loss of American jobs.</p>
<p dir="ltr" style="text-align: justify; ">In a major 2005 incident, employees of the Mphasis BFL call centre in Pune extracted sensitive bank account information of Citibank’s American customers to divert INR 1.90 crore into new accounts set up in India. The media coverage of this incident calls it <a href="https://www.indiatoday.in/magazine/economy/story/20050502-pune-call-centre-fraud-rattles-india-booming-bpo-sector-787790-2005-05-01">India’s first outsourcing cyberfraud and a well planned scam</a>, a <a href="https://economictimes.indiatimes.com/mphasis-call-centre-fraud-net-widens/articleshow/1077097.cms">cybercrime in a globalized world</a>, and a case of <a href="https://timesofindia.indiatimes.com/home/sunday-times/deep-focus/indias-first-bpo-scam-unraveled/articleshow/1086438.cms">financial fraud and a scam</a> that required no hacking skills, and a <a href="https://www.infoworld.com/article/2668975/indian-call-center-workers-charged-with-citibank-fraud.html">case of data theft and misuse</a>. Within the ambit of cybercrime, media reports of these incidents refer to them as cases of “fraud”, “scam” and “theft''.</p>
<p dir="ltr" style="text-align: justify; ">Two other incidents in 2005 set the trend for a critical spotlight on data security practices in India. In a <a href="http://news.bbc.co.uk/2/hi/south_asia/4619859.stm">June 2005 incident, an employee of a Delhi-based BPO firm, Infinity e-systems, sold the account numbers and passwords of 1000 bank customers </a>to the British Tabloid, The Sun. The Indian newspaper, Telegraph India, carried an online story headlined, “<a href="https://www.telegraphindia.com/india/bpo-blot-in-british-backlash-indian-sells-secret-data/cid/873737">BPO Blot in British Backlash: Indian Sells Secret Data</a>,” which reported that the employee, Kkaran Bahree, 24, was set up by a British journalist, Oliver Harvey. Harvey filmed Bahree accepting wads of cash for the stolen data. Bahree’s theft of sensitive information is described both as a data fraud and a leak in the above 2005 BBC story by Soutik Biswar. Another story on the incident calls it a “<a href="https://www.rediff.com/money/2005/jun/24bpo3.htm">scam” involving the leakage of credit card information</a>. The use of the term ‘leak’ appears consistently across other media accounts such as a <a href="https://timesofindia.indiatimes.com/city/delhi/esearch-bpo-employee-sacked-still-missing/articleshow/1153017.cms">2005 story on Karan Bahree in the Times of India</a> and another story in the Economic Times about the Australian Broadcasting Corporation’s (ABC) sting operation similar to the one in Delhi, describing the scam by the <a href="https://economictimes.indiatimes.com/hot-links/bpo/karan-bahree-part-ii-shot-in-australia/articleshow/1201347.cms?from=mdr">fraudsters as a leak</a> of the online information of Australians. Another media account of the coverage describes the incident in more generic terms such as an “<a href="https://www.tribuneindia.com/2005/20050625/edit.htm">outsourcing crime</a>”.</p>
<p dir="ltr" style="text-align: justify; ">The other case concerned <a href="https://www.taylorfrancis.com/chapters/mono/10.4324/9781315610689-16/political-economy-data-security-bpo-industry-india-alan-chong-faizal-bin-yahya">four former employees of Parsec technologies who stole classified information and diverted calls from potential customers</a>, causing a sudden drop in the productivity of call centres managed by the company in November 2005. Another call centre <a href="http://news.bbc.co.uk/1/hi/uk/7953401.stm">fraud came to light in 2009 through a BBC sting operation in which British reporters went to Delhi </a>and secretly filmed a deal with a man selling credit card and debit card details obtained from Symantec call centres, which sold software made by Norton. This BBC story uses the term “breach” to refer to the incident.</p>
<p dir="ltr">In the broader framing of these cases generally understood as cybercrime, which received transnational media coverage, the terms “fraud”, “leak”, “scam”, and “theft” appear interchangeably. The term “data breach” does not seem to be a popular or common usage in these media accounts of the BPO-related incidents. A broader sense of breach (of confidentiality, privacy) figures in the media reportage in <a href="https://economictimes.indiatimes.com/hot-links/bpo/cyber-crimes-can-the-west-trust-indian-bpos/articleshow/1157115.cms?from=mdr">implicitly racial terms of cultural trust</a>, as a matter of <a href="https://www.news18.com/news/business/bpo-staff-need-ethical-training-poll-248442.html">ethics and professionalism</a> and in the <a href="https://www.news18.com/news/business/sting-op-may-spell-doom-for-bpos-248260.html">language of scandal </a>in some cases.</p>
<p dir="ltr" style="text-align: justify; ">These early cases typify a specific kind of cybercrime concerning the theft or misappropriation of outsourced personal data belonging to British or American residents. What’s remarkable about these cases is the utmost sensitivity of the stolen personal information including financial details, bank account and credit/debit card numbers, passwords, and in one case, source code. While these cases rang the alarm bells on the Indian BPO sector’s data security protocols, they also directed attention to concerns around <a href="https://economictimes.indiatimes.com/hot-links/bpo/cyber-crimes-can-the-west-trust-indian-bpos/articleshow/1157115.cms?from=mdr">the training of Indian employees on the ethics of data confidentiality and vetting through psychometric tests</a> for character assessment. In the wake of these incidents, the National Association of Software and Service Companies (NASSCOM), an Indian non-governmental trade and advocacy group,<a href="https://www.computerworld.com/article/2547959/outsourcing-to-india--dealing-with-data-theft-and-misuse.html"> launched a National Skills Registry for IT professionals to enable employers to conduct background checks</a> in 2006.</p>
<p dir="ltr" style="text-align: justify; ">These data theft incidents earned India a global reputation of an unsafe destination for business process outsourcing, seen to be lacking both, a culture of maintaining data confidentiality and concrete legislation for data protection at the time. Importantly, the incidents of data theft or misappropriation were also traceable back to a known source, a BPO employee or a group of malefactors, who often sold sensitive data belonging to foreign nationals to others in India.</p>
<p dir="ltr" style="text-align: justify; ">The phrase “data leak” also caught on in another register in the context of the widespread use of camera-equipped mobile phones in India. The 2004 Delhi MMS case offers an instance of a date leak, recapitulating the language of scandal in moralistic terms.</p>
<h3 dir="ltr">The Delhi MMS Case</h3>
<p dir="ltr" style="text-align: justify; ">The infamous 2004 incident involved two underage Delhi Public School (DPS) students who recorded themselves in a sexually explicit act on a cellular phone. After a fall out, the male student passed the low-resolution clip on to his friend in which his female friend’s face is seen. The clip, distributed far and wide in India, ended up on the famous e-shopping and auction website, bazee.com leading to <a href="https://indiancaselaw.in/avnish-bajaj-vs-state-dps-mms-scandal-case/">the arrest of the website’s CEO Avinash Bajaj for hosting the listing for sale</a>. Another similar case in 2004 mimicked the mechanics of visual capture through hand-held MMS-enabled mobile phones. A two-minute MMS of a top South-Indian actress <a href="https://timesofindia.indiatimes.com/india/web-of-sleaze-now-nude-video-of-top-actress/articleshow/966048.cms">taking a shower went viral on the Internet in 2004, the year when another MMS of two prominent Bollywood actors kissing</a> had already done the rounds. The <a href="https://www.journals.upd.edu.ph/index.php/plaridel/article/view/2392">MMS case also marked the onset of a national moral panic around the amateur uses of mobile phone technologies</a>, capable of corrupting young Indian minds under a sneaky regime of new media modernity. The MMS case, not strictly the classic case of a data breach - non-visual information generally stored in databases - became an iconic case of a data leak framed in the media as <a href="https://www.telegraphindia.com/india/scandal-in-school-shakes-up-delhi/cid/1667531">a scandal that shocked the country</a>, with calls for the regulation of mobile phone use in schools. The case continued its scandalous afterlife in a <a href="https://www.heraldgoa.in/Edit/dev-ds-leni-has-a-dps-mms-scandal-connection-/21344">2009 Bollywood film, Dev D</a> and another <a href="https://indianexpress.com/article/entertainment/entertainment-others/delhi-mms-scandal-inspires-dibakars-love-sex-aur-dhoka/">2010 film, Love, Sex and Dhokha</a>,</p>
<p dir="ltr" style="text-align: justify; ">Taken together, the BPO data thefts and frauds and the data leak scandals prefigure the contemporary discourse on data breaches in the second decade of the 21st century, or what may also be called the Decade of Datafication. The launch of the Indian biometric identity project, Aadhaar, in 2009, which linked access to public services and welfare delivery with biometric identification, resulted in large-scale data collection of the scheme’s subscribers. Such linking raised the spectre of state surveillance as alleged by the critics of Aadhaar, marking a watershed moment in the discourse on data privacy and protection.</p>
<h3 dir="ltr">Aadhaar Data Security and Other Data Breaches</h3>
<p dir="ltr" style="text-align: justify; ">Aadhaar was challenged in the Indian Supreme Court in 2012 when <a href="https://www.outlookindia.com/website/story/worries-about-the-aadhaar-monster/296790">it was made mandatory for welfare and other services such as banking, taxation and mobile telephony</a>. The national debate on the status of privacy as a cultural practice in Indian society and a fundamental right in the Indian Constitution led to two landmark judgments - the <a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf">2017 Puttaswamy ruling</a> holding privacy to be a constitutional right subject to limitations and <a href="https://indiankanoon.org/doc/127517806/">the 2018 Supreme Court judgment holding mandatory Aadhaar to be constitutional only for welfare and taxation but no other service</a>.</p>
<p dir="ltr" style="text-align: justify; ">While these judgments sought to rein in Aadhaar’s proliferating mandatory uses, biometric verification remained the most common mode of identity authentication with <a href="https://www.businesstoday.in/latest/trends/story/aadhaar-not-mandatory-yet-organisations-pose-it-as-a-mandatory-document-335550-2022-05-29">most organizations claiming it to be mandatory for various purposes</a>. During the same period from 2010 onwards, a range of data security events concerning Aadhaar came to light. These included <a href="https://www.firstpost.com/tech/news-analysis/aadhaar-security-breaches-here-are-the-major-untoward-incidents-that-have-happened-with-aadhaar-and-what-was-actually-affected-4300349.html">app-based flaws, government websites publishing Aadhaar details of subscribers, third party leaks of demographic data, duplicate and forged Aadhaar cards and other misuses</a>.</p>
<p dir="ltr" style="text-align: justify; ">In 2015, the Indian government launched its ambitious <a href="https://indiancc.mygov.in/wp-content/uploads/2021/08/mygov-10000000001596725005.pdf">Digital India Campaign to provide government services to Indian citizens</a> through online platforms. Yet, data security breach incidents continued to increase, particularly the trade in the sale and purchase of sensitive financial information related to bank accounts and credit card numbers. The online availability of <a href="https://www.livemint.com/Industry/l5WlBjdIDXWehaoKiuAP9J/India-unprepared-to-tackle-online-data-security-report.html">a rich trove of data, accessible via a simple Google search without the use of any extractive software or hacking skills </a>within a thriving shadow economy of data buyers and sellers makes India a particularly vulnerable digital economy, especially in the absence of robust legislation. The lack of awareness around digital crimes and low digital literacy further exacerbates the situation given that datafication via government portals, e-commerce, and online apps has outpaced the enforcement of legislative frameworks for data protection and cybersecurity.</p>
<p dir="ltr" style="text-align: justify; ">In the context of Aadhaar data security issues, the term “data leak” seems to have more traction in media stories followed by the term “security breach”. Given the complexity of the myriad ways in which Aadhaar data has been breached, terms such as <a href="https://techcrunch.com/2022/06/13/aadhaar-leak-pm-kisan/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAADvQXtC19Gj80LSKVc5jLwnRsREalvM2f6dV3N9KmCs8be6_1Zbvu3J6abPmBxhLlUooLiOjg4JktYDDCXr0OYYvOZ5XFlXa6DfCJk97TvMXM-cs3uJbCJBA-ePqvAC5K4qGZSyDB4OykMEOIKXJpB0CTOourPRc5dBxFFq5JXlB">data leak and exposure</a> (of <a href="https://zeenews.india.com/personal-finance/aadhaar-data-breach-over-110-crore-indian-farmers-aadhaar-card-data-compromised-2473666.html">11 crore Indian farmers’ sensitive information</a>) add to the specificity of the data security compromise. The term “fraud” also makes a comeback in the context of <a href="https://www.business-standard.com/article/economy-policy/india-s-aadhaar-id-system-delivers-benefits-but-at-risk-of-widespread-fraud-122062400124_1.html">Aadhaar-related data security incidents</a>. These cases represent a mix of data frauds involving<a href="https://economictimes.indiatimes.com/news/india/alarm-over-fake-id-printing-websites-using-customer-data-for-cyber-fraud/articleshow/94742646.cms"> fake identities</a>, <a href="https://indianexpress.com/article/cities/delhi/in-new-age-data-theft-fraudsters-steal-thumb-prints-from-land-registries-7914530/">theft of thumb prints </a>for instance from land registries and inadvertent data leaks in numerous incidents involving <a href="https://techcrunch.com/2019/01/31/aadhaar-data-leak/">government employees in Jharkhand</a>, v<a href="https://www.firstpost.com/india/aadhaar-data-leak-details-of-7-82-cr-indians-from-ap-and-telangana-found-on-it-grids-database-6448961.html">oter ID information of Indian citizens in Andhra Pradesh and Telangana</a> and <a href="https://www.thehindu.com/sci-tech/technology/major-aadhaar-data-leak-plugged-french-security-researcher/article26584981.ece">activist reports of Indian government websites leaking Aadhaar data</a>.</p>
<p dir="ltr" style="text-align: justify; ">Aadhaar-related data security events parallel the increase in corporate data breaches during the decade of datafication. The term “data leak” again alternates with the term “data breach” in most media accounts while other terms such as “theft” and “scam” all but disappear in the media coverage of corporate data breaches.</p>
<p dir="ltr" style="text-align: justify; ">From 2016 onwards, incidents of corporate data breaches in India continued to rise. A massive <a href="https://thewire.in/banking/debit-card-breach-india-banking">debit card data breach involving the YES Bank ATMs and point-of-sale (PoS) machines </a>compromised through malware between May and July of 2016 resulted in the exposure of ATM PINs and non-personal identifiable information of customers. It went <a href="https://www.livemint.com/Industry/Ope7B0jpjoLkemwz6QXirN/SBI-Yes-Bank-MasterCard-deny-data-breach-of-own-systems.html">undetected for nearly three</a> months. Another data leak in 2018 concerned a <a href="https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/">system run by Indane, a state-owned utility company, which allowed anyone to download private information on all Aadhaar holders </a>including their names, services they were connected to and the unique 12-digit Aadhaar number. Data breaches continued to be reported in India concurrent with the incidents of data mismanagement related to Aadhaar. Some <a href="https://www.csoonline.com/article/3541148/the-biggest-data-breaches-in-india.html">prominent data breaches included </a>a cyberattack on the systems of airline data service provider SITA resulting in the leak of Air India passenger data, leakage of the personal details of the Common Admission Test (CAT) applicants, details of credit card and order preferences of Domino’s pizza customers on the dark web, leakage of COVID-19 patients’ test results leaked by government websites, user data of Justpay and Big Basket for sale on the dark web and an SBI data breach among others between 2019 and 2021.</p>
<p dir="ltr" style="text-align: justify; ">The media reportage of these data breaches use the term “cyberattack” to describe the activities of hackers and cybercriminals operating within a<a href="https://www.thehindu.com/sci-tech/technology/internet/most-damaging-cybercrime-services-are-cheap-on-the-dark-web/article37004587.ece"> shadow economy or the dark web</a>. Recent examples of cyberattacks by hackers who leak user data for sale on the dark web include <a href="https://indianexpress.com/article/technology/tech-news-technology/mobikwik-database-leaked-on-dark-web-company-denies-any-data-breach-7251448/">8.2 terabytes of 110 million sensitive financial data (KYC details, Aadhaar, credit/debit cards and phone numbers) of the payments app MobiKwik users</a>, <a href="https://www.firstpost.com/tech/news-analysis/dominos-india-data-breach-name-location-mobile-number-email-of-18-crore-orders-up-for-sale-on-dark-web-9650591.html">180 million Domino’s pizza orders (name, location, emails, mobile numbers),</a> and <a href="https://techcrunch.com/2022/07/18/cleartrip-data-breach-dark-web/">Flipkart’s Cleartrip users’ data</a>. In these incidents again, three terms appear prominently in the media reportage - cyberattack, data breach, and leak. The term “data breach” remains the most frequently used epithet in the media coverage of the lapses of data security. While it alternates with the term “leak” in the stories, the term “data breach” appears consistently across most headlines in the news stories.</p>
<p dir="ltr">The exposure of sensitive, personal, and non-personal data by public and private entities in India is certainly a cause for concern, given the ongoing data protection legislative vacuum.</p>
<p dir="ltr" style="text-align: justify; ">The media coverage of data breaches tends to emphasize the quantum of compromised user data aside from the types of data exposed. The media framing of these breaches in <a href="https://www.livemint.com/technology/tech-news/indian-firms-lost-176-million-to-data-breaches-last-fiscal-11658914231530.html">quantitative terms of financial loss</a> as well as the <a href="https://www.indiatoday.in/technology/news/story/personal-data-of-3-4-million-paytm-mall-users-reportedly-exposed-in-2020-data-breach-1980690-2022-07-27">magnitude</a> and the <a href="https://www.moneycontrol.com/news/business/banks/indian-banks-reported-248-data-breaches-in-last-four-years-says-government-8940891.html">number of breaches</a> certainly highlights the gravity of these incidents but harm to individual users is often not addressed.</p>
<h3 dir="ltr">Evolving Terminology and the Source of Data Harms</h3>
<p dir="ltr" style="text-align: justify; ">The main difference in the media reportage of the BPO cybersecurity incidents during the early aughts and the contemporary context of datafication is the usage of the term, “data breach”, which figures prominently in contemporary reportage of data security incidents but not so much in the BPO-related cybercrimes.</p>
<p dir="ltr" style="text-align: justify; ">THe BPO incidents of data theft and the attendant fraud must be understood in the context of the anxieties brought on by a globalizing world of Internet-enabled systems and transnational communications. In most of these incidents regarded as cybercrimes, the language of fraud and scam ventures further to attribute such illegal actions of the identifiable malefactors to cultural factors such as lack of ethics and professionalism.The usage of the term “data leak” in these media reports functions more specifically to underscore a broader lapse in data security as well as a lack of robust cybersecurity laws. The broader term, “breach”, is occasionally used to refer to these incidents but the term, “data breach” doesn’t appear as such.</p>
<p dir="ltr" style="text-align: justify; ">The term “data breach” gains more prominence in media accounts from 2009 onwards in the context of Aadhaar and the online delivery of goods and services by public and private players. The term “data breach” is often used interchangeably with the term “leak” within the broader ambit of cyberattacks in the corporate sector. The media reportage frames Aadhaar-related security lapses as instances of security/data breaches, data leaks, fraud, and occasionally scam.</p>
<p dir="ltr" style="text-align: justify; ">In contrast to the handful of data security cases in the BPO sector, data breaches have abounded in the second decade of the twenty-first century. What further differentiates the BPO-related incidents to the contemporary data breaches is the source of the data security lapse. Most corporate data breaches remain attributable to the actions of hackers and cybercriminals while the BPO security lapses were traceable back to ex-employees or insiders with access to sensitive data. We also see in the coverage of the BPO-related incidents, the attribution of such data security lapses to cultural factors including a lack of ethics and professionalism often in racial overtones. The media reportage of the BBC and ABC sting operations suggests that the India BPOs lack of preparedness to handle and maintain personal data confidentiality of foreigners point to the absence of a privacy culture in India. Interestingly, this transnational attribution recurs in a different form in the national debate on <a href="https://huffpost.netblogpro.com/archive/in/entry/indians-don-t-care-about-privacy-but-thankfully-the-law-will-teach-them-what-it-means_a_23179031">Aadhaar and how Indians don’t care about their privacy</a>.</p>
<p dir="ltr" style="text-align: justify; ">The question of the harms of data breaches to individuals is also an important one. In the discourse on contemporary data breaches, the actual material harm to an individual user is rarely ever established in the media reportage and generally framed as potential harm that could be devastating given the sensitivity of the compromised data. The harm is reported to be predominantly a function of organizational cybersecurity weakness or attributed to hackers and cybercriminals.</p>
<p dir="ltr" style="text-align: justify; ">The reporting of harm in collective terms of the number of accounts breached, financial costs of a data breach, the sheer number of breaches and the global rankings of countries with the highest reported cases certainly suggests a problem with cybersecurity and the lack of organizational preparedness. However, this collective framing of a data breach’s impact usually elides an individual user’s experience of harm. Even in the case of Aadhaar-related breaches - a mix of leaking data on government websites and other online portals and breaches - the notion of harm owing to exposed data isn’t clearly established. This is, however, different from the <a href="https://scroll.in/article/1013700/six-types-of-problems-aadhaar-is-causing-and-safeguards-needed-immediately">extensively documented cases of Aadhaar-related issues</a> in which welfare benefits have been denied, identities stolen and legitimate beneficiaries erased from the system due to technological errors.</p>
<h3 dir="ltr">Future Directions of Research</h3>
<p dir="ltr" style="text-align: justify; ">This brief, qualitative foray into the media coverage of data breaches over two decades has aimed to trace the usage of various terms in two different contexts - the Indian BPO-related incidents and the contemporary context of datafication. It would be worth exploring at length, the relationship between frequent reports of data breaches, and the language used to convey harm in the contemporary context of a concrete data protection legislation vacuum. It would be instructive to examine the specific uses of the terms such as “fraud”, “leak”, “scam”, “theft” and “breach” in media reporting of such data security incidents more exhaustively. Such analysis would elucidate how media reportage shapes public perception towards the safety of user data and an anticipation of attendant harm as data protection legislation continues to evolve.</p>
<p dir="ltr" style="text-align: justify; ">Especially with Aadhaar, which represents a paradigm shift in identity verification through digital means, it would be useful to conduct a sentiment analysis of how biometric identity related frauds, scams, and leaks are reported by the mainstream news media. A study of user attitudes and behaviours in response to the specific terminology of data security lapses such as the terms “breach”, “leak”, “fraud”, “scam”, “cybercrime”, and “cyberattack” would further contribute to how lay users understand the gravity of a data security lapse. Such research would go beyond expert understandings of data security incidents that tend to dominate media reportage to elucidate the concerns of lay users and further clarify the cultural meanings of data privacy.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/demistifying-data-breaches-in-india'>https://cis-india.org/internet-governance/blog/demistifying-data-breaches-in-india</a>
</p>
No publisherPawan SinghPrivacyInternet GovernanceData GovernanceData ProtectionData Management2022-10-17T16:14:03ZBlog EntryData Protection: We can innovate, leapfrog
https://cis-india.org/internet-governance/blog/deccan-herald-january-20-2018-sunil-abraham-data-protection-we-can-innovate-leapfrog
<b>About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of services for web and mobile applications are in English and therefore it is only 10% of us who can actually read them before we provide our consent.</b>
<p>The article was published in the <a class="external-link" href="http://www.deccanherald.com/content/655018/data-protection-we-can-innovate.html">Deccan Herald</a> on January 20, 2018.</p>
<p style="text-align: justify; ">Even if we can read them, we may not have the necessary legal training to understand them. According to a tweet thread by Pat Walshe (@privacymatters), the Tetris app, a popular video game, has a privacy policy that details the third-party advertising companies that they share data with. These third-parties include "123 Ad Networks; 13 Online Analytics companies; 62 Mobile Advertising Networks; 14 Mobile Analytics companies. The linked privacy policies for Tetris run to 407,000 words, compared to 450,000 words for the entire 'Lord of the Rings trilogy'." The child aged four and above that plays the game and her parents need an intermediary to deal with the corporations hiding behind Tetris.</p>
<p style="text-align: justify; ">Unlike the European Union, which has more than 37 years of history when it comes to data protection law, India is starting with a near blank slate after the Supreme Court confirmed that privacy is a constitutionally-guaranteed fundamental right in the Puttaswamy case judgement. While we would want to maintain adequacy and compatibility with the EU General Data Protection Regulation (GDPR) because it has become the global standard, we must realise that there is an opportunity for leapfrogging. This article attempts to introduce the reader to three different visions for intermediaries that have emerged within the Indian data protection debate around the accountability principle. I will also provide a brief sketch of an idea that we are developing at the Centre for Internet and Society. This is an incomplete list as there must be more proposals for regulatory innovation around the accountability principle that I am currently unaware of.</p>
<p style="text-align: justify; ">n Account Aggregators: The 'India Stack' ecosystem that has been built around the Aadhaar programme first proposed intermediaries called Account Aggregators. Account Aggregators manage consent artifacts. India Stack has traditionally been described as having four layers -- presenceless, paperless, cashless and consent. The consent layer is supposed to feature Account Aggregators. If, for example, a data subject wanting an insurance policy visits an insurance portal, the portal would collect personal information and a consent artifact from her and pass it on to multiple insurance companies. These insurance companies would send personalised bids to the portal, which would be displayed on a comparative grid to enable empowered selection.</p>
<p style="text-align: justify; ">The data structure consent artifact has been provided in the Master Direction from RBI titled "Non-Banking Financial Company Account Aggregator Directions," published in September 2016. How does this work? The fields includes (i) identity and optional contact information; (ii) nature of the financial information requested; (iii) purpose; (iv) the identity of the recipients, if any; (v) URL/address for notifications when the consent artifact is used; (vi) consent artifact creation date, expiry date, identity and signature/digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI. While Account Aggregators make it frictionless for the grant of consent and also for the harvesting of consent by data controllers, it does not make it easy for you to manage and revoke your consent.</p>
<p style="text-align: justify; ">n Data Trusts: Most recently, Na.Vijayashankar, a Bengaluru-based cybersecurity and cyberlaw expert, has proposed intermediaries called 'Data Trusts' registered with the regulator and who (i) will work as escrow agents for the personal data (which would be classified by type for different degrees of protection); (ii) will make privacy notices accessible by translating them into accessible language and formats; (iii) disclose data minimally to different data controllers based on the purpose limitation; (iv) issue tokens or pseudonymous identifiers and monetise the data for the benefit of the data subject. To ensure that Data Trusts truly protect the interests of the data subject, Vijayashankar proposes three requirements: (a) public performance reviews (b) audits by the regulator and (c) "an arms-length relationship with the data collectors." In his proposal, Data Trusts are firms with "the ability to process a real-time request from the data subject to supply appropriate data to the data collector."</p>
<p style="text-align: justify; ">n Learned Intermediaries: The Takshashila Institution published a paper titled Beyond Consent: A New Paradigm for Data Protection, authored by Rahul Matthan, partner at the law firm Trilegal. Learned Intermediaries would perform mandatory audits on all data controllers above a particular threshold. Like Vijayashankar, Matthan also requires these intermediaries to be certified by an appropriate authority. The main harm that he focuses on is, bias or discrimination. He proposes three stages of audit which are designed for the age of Big Data and Artificial Intelligence: "(i) Database Query Review; (ii) Black Box Audits; and (iii) Algorithm Review". Matthan also tentatively considers a rating system. Learned Intermediaries are a means to address information asymmetry in the market by making data subjects more aware. The impact of churn on their bottom-lines, it is hoped, will force data controllers to behave in an accountable manner, protecting rights and mitigating harms.</p>
<p style="text-align: justify; ">n Consent Brokers: Finally, I have proposed the model of a 'Consent Broker' by modifying the concept of the Account Aggregator. Like the Account Aggregator proposal, we would want a competitive set of consent brokers who will manage consent artifacts for data subjects. However, I believe there should be a 1:1 relationship between data subjects and consent brokers so that the latter compete for the business of data subjects. Like Vijayashankar, I believe that the consent broker must have an "arms-length distance" from data controllers and must be prohibited from making any money from them. Consent brokers could also be trusted to take proactive actions for the data subjects, such as access and correction.</p>
<p style="text-align: justify; ">The need of the hour is the production of regulatory innovations and robust discussions around them for all the nine privacy principles in the Justice AP Shah committee report -- notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/deccan-herald-january-20-2018-sunil-abraham-data-protection-we-can-innovate-leapfrog'>https://cis-india.org/internet-governance/blog/deccan-herald-january-20-2018-sunil-abraham-data-protection-we-can-innovate-leapfrog</a>
</p>
No publishersunilInternet GovernanceData ProtectionPrivacy2018-01-22T01:45:46ZBlog EntryDanish Expert Group on Data Ethics
https://cis-india.org/internet-governance/news/danish-expert-group-on-data-ethics
<b>Amber Sinha was one of the stakeholders who provided inputs to the Danish Expert Group on Data Ethics in June 2018 during their visit to New Delhi. The Expert Group has prepared and submitted its final report.</b>
<p style="text-align: justify; "><span>In April the Danish Expert Group on Data Ethics commenced work on developing recommendations on Data Ethics for the Danish Government. The expert group have now handed over their recommendations to the Danish Minister of Industry, Business and Financial Affairs. <a class="external-link" href="http://cis-india.org/internet-governance/files/data-for-the-benefit-of-people">Read the report</a>.<br /></span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/danish-expert-group-on-data-ethics'>https://cis-india.org/internet-governance/news/danish-expert-group-on-data-ethics</a>
</p>
No publisherAdminInternet GovernanceData ProtectionData ManagementPrivacy2018-12-01T04:42:42ZNews ItemCoWIN Breach: What Makes India's Health Data an Easy Target for Bad Actors?
https://cis-india.org/internet-governance/blog/quint-shweta-mohandas-and-pallavi-bedi-june-19-2023-cowin-data-breach-health-sensitive-details-policies-solution
<b>Recent health data policies have failed to even mention the CoWIN platform.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="https://www.thequint.com/opinion/cowin-data-breach-health-sensitive-details-policies-solution#read-more">originally published in the Quint</a> on 19 June 2023.</p>
<hr />
<p style="text-align: justify; ">Last week, it was reported that due to an alleged breach of <a href="https://www.thequint.com/fit/cowin-data-breach-private-information-covid-vaccine-telegram-bot">the CoWIN platform</a>, details such as Aadhaar and passport numbers of Indians were made public via a Telegram bot.</p>
<p style="text-align: justify; ">While Minister of State for Information Technology <a href="https://www.thequint.com/fit/cowin-data-breach-telegram-bot-covid-19-vaccine-unanswered-questions">Rajeev Chandrashekar</a> put out information acknowledging that there was some form of a data breach, there is no information on how the breach took place or when a past breach may have taken place.</p>
<blockquote class="quoted" style="text-align: justify; ">This data leak is yet another example of <a href="https://www.thequint.com/opinion/cowin-breach-shows-us-the-structural-problem-with-digital-indias-infrastructure">our health records</a> being exposed in the recent past – during the pandemic, there were reports of COVID-19 test results being leaked online. The leaked information included patients’ full names, dates of birth, testing dates, and names of centres in which the tests were held.</blockquote>
<p style="text-align: justify; ">In December last year, five servers of the <a href="https://www.thequint.com/fit/aiims-ayushman-bharat-digital-mission-health-data">All India Institute of Medical Science</a> (AIIMS) in Delhi were under a cyberattack, leaving sensitive personal data of around 3-4 crore patients compromised.</p>
<p style="text-align: justify; ">In such cases, the Indian Computer Emergency Response Team (CERT-In) is the agency responsible for looking into the vulnerabilities that may have led to them. However, till date, CERT-In has not made its technical findings into such attacks <a href="https://www.thequint.com/topic/data-breach">publicly available</a>.</p>
<h3 style="text-align: justify; ">The COVID-19 Pandemic Created Opportunity</h3>
<p style="text-align: justify; ">The pandemic saw a number of digitisation policies being rolled out in the health sector; the most notable one being the National Digital Health Mission (or NDHM, later re-branded as the Ayushman Bharat Digital Mission).</p>
<p style="text-align: justify; ">Mobile phone apps and web portals launched by the central and state governments during the pandemic are also examples of this health digitisation push. The rollout of the COVID-19 vaccinations also saw the deployment of the CoWIN platform.</p>
<p style="text-align: justify; ">Initially, it was mandatory for individuals to register on CoWIN to get an appointment for vaccination, and there was no option for walk-in-registration or to book an appointment. But, the Centre subsequently modified this rule and walk-in appointments and registrations on CoWIN became permissible from June 2021.</p>
<blockquote>However, a study conducted by the Centre for Internet and Society (CIS) found that states such as Jharkhand and Chhattisgarh, which have low internet penetration, permitted on-site registration for vaccinations from the beginning.</blockquote>
<p>The rollout of the NDHM also saw Health IDs being generated for citizens.</p>
<p style="text-align: justify; ">In several reported cases across states, this rollout happened during the COVID-19 vaccination process – without the informed consent of the concerned person.</p>
<p style="text-align: justify; ">The <b>beneficiaries who have had their Health IDs created through the vaccination process had not been informed</b> about the creation of such an ID or their right to opt out of the digital health ecosystem.</p>
<h3>A Web of Health Data Policies</h3>
<p>Even before the pandemic, India was working towards a Health ID and a health data management system.</p>
<p style="text-align: justify; ">The components of the umbrella National Digital Health Ecosystem (NDHE) are the National Digital Health Blueprint published in 2019 (NDHB) and the NDHM.</p>
<p style="text-align: justify; ">The Blueprint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs. Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.</p>
<p>The National Health Authority (NHA), established in 2018, has been given the responsibility of implementing the National Digital Health Mission.</p>
<blockquote style="text-align: justify; ">2018 also saw the Digital Information Security in Healthcare Act (DISHA), which was to regulate the generation, collection, access, storage, transmission, and use of Digital Health Data ("DHD") and associated personal data.</blockquote>
<p>However, since its call for public consultation, <b>no progress has been made</b> on this front.</p>
<p style="text-align: justify; ">In addition to documents that chalk out the functioning and the ecosystem of a digitised healthcare system, the NHA has released policy documents such as:</p>
<ul>
<li>
<p>the Health Data Management Policy (which was revised three times; the latest version released in April 2022)</p>
</li>
<li>
<p>the Health Data Retention Policy (released in April 2021)</p>
</li>
<li>
<p>Consultation paper on the Unified Health Interface (UHI) (released in December 2022)</p>
</li>
</ul>
<p style="text-align: justify; ">Along with these policies, in 2022, the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) – India’s state health insurance policy.</p>
<blockquote style="text-align: justify; ">However these <b>draft guidelines repeat the pattern of earlier policies</b> <b>on health data</b>, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines, published in August 2022, did not even refer to the draft National Digital Health Data Management Policy (published in April 2022).</blockquote>
<p style="text-align: justify; "><b>Interestingly, the recent health data policies do not mention CoWIN.</b> Failing to cross-reference or mention preceding policies creates a lack of clarity on which documents are being used as guidelines by healthcare providers.</p>
<h3 style="text-align: justify; ">Can a Data Protection Bill Be the Solution?</h3>
<p>The draft Data Protection Bill, 2021, defined health data as “…the data related to the state of physical or mental health of the data principal and <b>includes records regarding the past, present or future state of the health of such data principal</b>, data collected in the course of registration for, or provision of health services, data associated with the data principal to the provision of specific health services.”</p>
<p>However, this definition as well as the definition of sensitive personal data was removed from the current version of the Bill (Digital Personal Data Protection Bill, 2022).</p>
<blockquote>Omitting these definitions from the Bill removes a set of data which, if collected, warrants increased responsibility and increased liability. Handling of health data, financial data, government identifiers, etc, need to come with a higher level of responsibility as they are a list of sensitive details of a person.</blockquote>
<p style="text-align: justify; ">The threats posed as a result of this data being leaked are not limited to spam messages or fraud and impersonation, but also of companies that can get a hand on this coveted data and gather insights and train their systems and algorithms, without the need to seek consent from anyone, or without facing the consequences of harm caused.</p>
<p style="text-align: justify; ">While the current version of the draft DPDP Bill states that the data fiduciary shall notify the data principal of any breach, the draft Bill also states that the Data Protection Board “may” direct the data fiduciary to adopt measures that remedy the breach or mitigate harm caused to the data principal.</p>
<p style="text-align: justify; ">The Bill also prescribes penalties of upto Rs 250 crore if the data fiduciary fails to take reasonable security safeguards to prevent a personal data breach, and a penalty of upto Rs 200 crore if the fiduciary fails to notify the data protection board and the data principal of such breach.</p>
<p style="text-align: justify; ">While <b>these steps, if implemented through legislation, would make organisations processing data take their data security more seriously</b>, the removal of sensitive personal data from the definition of the Bill, would mean that data fiduciaries processing health data will not have to take additional steps other than reasonable security safeguards.</p>
<p>The <b>absence of a clear indication of security standards</b> will affect data principals and fiduciaries.</p>
<p style="text-align: justify; ">Looking to bring more efficiency to governance systems, the Centre launched the Digital India Mission in 2015. The press release by the central government reporting the approval of the programme by the Cabinet of Ministers speaks of ‘cradle to grave’ digital identity as one of its vision areas.</p>
<p>The ambitious Universal Health ID and health data management policies are an example of this digitisation mission.</p>
<blockquote>However breaches like this are reminders that without proper data security measures, and a system for having a person responsible for data security, the data is always vulnerable to an attack.</blockquote>
<p style="text-align: justify; ">While the UK and Australia have also seen massive data breaches in the past, India is at the start of its health data digitisation journey and has the ability to set up strong security measures, employ experienced professionals, and establish legal resources to ensure that data breaches are minimised and swift action can be taken in case of a breach.</p>
<p style="text-align: justify; "><b>The first step</b> to understand the vulnerabilities would be to present the CERT-In reports of this breach, and guide other institutions to check for the same so that they are better prepared for future breaches and attacks.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/quint-shweta-mohandas-and-pallavi-bedi-june-19-2023-cowin-data-breach-health-sensitive-details-policies-solution'>https://cis-india.org/internet-governance/blog/quint-shweta-mohandas-and-pallavi-bedi-june-19-2023-cowin-data-breach-health-sensitive-details-policies-solution</a>
</p>
No publisherShweta Mohandas and Pallavi BediInternet GovernanceData ProtectionPrivacy2023-07-04T09:39:03ZBlog EntryContestations of Data, ECJ Safe Harbor Ruling and Lessons for India
https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india
<b>The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between European Union and United States. The inadequacies of the framework is not news for the European Commission and action by ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse. </b>
<p align="justify">The European Court of Justice
(ECJ) has invalidated a European Commission (EC) decision<a class="sdfootnoteanc" name="sdfootnote1anc" href="#sdfootnote1sym"><sup>1</sup></a>
which had previously concluded that the 'Safe Harbor Privacy
Principles'<a class="sdfootnoteanc" name="sdfootnote2anc" href="#sdfootnote2sym"><sup>2</sup></a>
provide adequate protections for European citizens’ privacy rights<a class="sdfootnoteanc" name="sdfootnote3anc" href="#sdfootnote3sym"><sup>3</sup></a>
for the transfer of personal data between European Union and United
States. This challenge stems from the claim that public law
enforcement authorities in America obtain personal data from
organisations in safe harbour for incompatible and disproportionate
purposes in violation of the Safe Harbour Privacy Principles. The
court's judgment follows the advice of the Advocate General of the
Court of Justice of the European Union (CJEU) who recently opined<a class="sdfootnoteanc" name="sdfootnote4anc" href="#sdfootnote4sym"><sup>4</sup></a>
that US practices allow for large-scale collection and transfer of
personal data belonging to EU citizens without them benefiting from
or having access to judicial protection under US privacy laws. The
inadequacies of the framework is not news for the Commission and
action by ECJ has been a long time coming. The ruling raises
important questions about how increasingly the contestations of
personal data are being employed in asserting claims of citizenship
in context of the internet.</p>
<p align="justify">
As the highest court in Europe,
the ECJ's decisions are binding on all member states. With this
ruling the ECJ has effectively restrained US firms from
indiscriminate collection and sharing of European citizens’ data on
American soil. The implications of the decision are significant,
because it shifts the onus of evaluating protections of personal data
for EU citizens from the 4,400 companies<a class="sdfootnoteanc" name="sdfootnote5anc" href="#sdfootnote5sym"><sup>5</sup></a>
subscribing to the system onto EU privacy watchdogs. Most
significantly, in addressing the rights of a citizen against an
established global brand, the judgement goes beyond political and
legal opinion to challenge the power imbalance that exists with
reference to US based firms.</p>
<p align="justify">
Today, the free movement of data
across borders is a critical factor in facilitating trade, financial
services, governance, manufacturing, health and development. However,
to consider the ruling as merely a clarification of transatlantic
mechanisms for data flows misstates the real issue. At the heart of
the judgment is the assessment whether US firms apply the tests of
‘necessity and proportionality’ in the collection and
surveillance of data for national security purposes. Application of
necessity and proportionality test to national security exceptions
under safe harbor has been a sticking point that has stalled the
renegotiation of the agreement that has been underway between the
Commission and the American data protection authorities.<a class="sdfootnoteanc" name="sdfootnote6anc" href="#sdfootnote6sym"><sup>6</sup></a></p>
<p align="justify">
For EU citizens the stake in the
case are even higher, as while their right to privacy is enshrined
under EU law, they have no administrative or judicial means of
redress, if their data is used for reasons they did not intend. In
the EU, citizens accessing and agreeing to use of US based firms are
presented with a false choice between accessing benefits and giving
up on their fundamental right to privacy. In other words, by seeking
that governments and private companies provide better data protection
for the EU citizens and in restricting collection of personal data on
a generalised basis without objective criteria, the ruling is
effectively an assertion of ‘data sovereignty’. The term ‘data
sovereignty’, while lacking a firm definition, refers to a spectrum
of approaches adopted by different states to control data generated
in or passing through national internet infrastructure.<a class="sdfootnoteanc" name="sdfootnote7anc" href="#sdfootnote7sym"><sup>7</sup></a>
Underlying the ruling is the growing policy divide between the US and
EU privacy and data protection standards, which may lead to what is
referred to as the balkanization<a class="sdfootnoteanc" name="sdfootnote8anc" href="#sdfootnote8sym"><sup>8</sup></a>
of the internet in the future.</p>
<p align="justify">
<em>US-EU Data Protection Regime </em></p>
<p align="justify">
The safe harbor pact between the
EU and US was negotiated in the late 1990s as an attempt to bridge
the different approaches to online privacy. Privacy is addressed in
the EU as a fundamental human right while in the US it is defined
under terms of consumer protection, which<em><strong>
</strong></em>allow trade-offs
and exceptions when national security seems to be under threat. In
order to address the lower standards of data protection prevalent in
the US, the pact facilitates data transfers from EU to US by
establishing certain safeguards equivalent to the requirements of the
EU data protection directive. The safe harbor provisions include
firms undertaking not to pass personal information to third parties
if the EU data protection standards are not met and giving users
right to opt out of data collection.<a class="sdfootnoteanc" name="sdfootnote9anc" href="#sdfootnote9sym"><sup>9</sup></a></p>
<p align="justify">
The agreement was due to be
renewed by May 2015<a class="sdfootnoteanc" name="sdfootnote10anc" href="#sdfootnote10sym"><sup>10</sup></a>
and while negotiations have been ongoing for two years, EU discontent
on safe harbour came to the fore following the Edward Snowden
revelations of collection and monitoring facilitated by large private
companies for the PRISM program and after the announcement of the
TransAtlantic Trade and Investment Partnership (TTIP).<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><sup>11</sup></a>
EU member states have mostly stayed silent as they run their own
surveillance programs often times, in cooperation with the NSA. EU
institutions cannot intervene in matters of national security
however, they do have authority on data protection matters. European
Union officials and Members of Parliament have expressed shock and
outrage at the surveillance programs unveiled by Snowden's 2013
revelations. Most recently, following the CJEU Advocate General’s
opinion, 50 Members of European Parliament (MEP) sent a strongly
worded letter the US Congress hitting back on claims of ‘digital
protectionism’ emanating from the US<a class="sdfootnoteanc" name="sdfootnote12anc" href="#sdfootnote12sym"><sup>12</sup></a>.
In no uncertain terms the letter clarified that the EU has different
ideas on privacy, platforms, net neutrality, encryption, Bitcoin,
zero-days, or copyright and will seek to improve and change any
proposal from the EC in the interest of our citizens and of all
people.</p>
<p align="justify">
<em>Towards Harmonization </em></p>
<p align="justify">
In November 2013, as an attempt
to minimize the loss of trust following the Snowden revelations, the
European Commission (EC) published recommendations in its report on
'Rebuilding Trust is EU-US Data Flows'.<a class="sdfootnoteanc" name="sdfootnote13anc" href="#sdfootnote13sym"><sup>13</sup></a>
The recommendations revealed two critical initiatives at the EU
level—first was the revision of the EU-US safe harbor agreement<a class="sdfootnoteanc" name="sdfootnote14anc" href="#sdfootnote14sym"><sup>14</sup></a>
and second the adoption of the 'EU-US Umbrella Agreement<a class="sdfootnoteanc" name="sdfootnote15anc" href="#sdfootnote15sym"><sup>15</sup></a>'—a
framework for data transfer for the purpose of investigating,
detecting, or prosecuting a crime, including terrorism. The Umbrella
Agreement was recently initialed by EU and US negotiators and it only
addresses the exchange of personal data between law enforcement
agencies.<a class="sdfootnoteanc" name="sdfootnote16anc" href="#sdfootnote16sym"><sup>16</sup></a>
The Agreement has gained momentum in the wake of recent cases around
issues of territorial duties of providers, enforcement jurisdictions
and data localisation.<a class="sdfootnoteanc" name="sdfootnote17anc" href="#sdfootnote17sym"><sup>17</sup></a>
However, the adoption of the Umbrella Act depends on US Congress
adoption of the<em><strong>
</strong></em>Judicial Redress
Act (JRA) as law.<a class="sdfootnoteanc" name="sdfootnote18anc" href="#sdfootnote18sym"><sup>18</sup></a></p>
<p align="justify">
<em>Judicial Redress Act </em></p>
<p align="justify">
The JRA is a key reform that the
EC is pushing for in an attempt to address the gap between privacy
rights and remedies available to US citizens and those extended to EU
citizens, including allowing EU citizens to sue in American courts.
The JRA seeks to extend certain protections under the Privacy Act to
records shared by EU and other designated countries with US law
enforcement agencies for the purpose of investigating, detecting, or
prosecuting criminal offenses. The JRA protections would extend to
records shared under the Umbrella Agreement and while it does include
civil remedies for violation of data protection, as noted by the
Center for Democracy and Technology, the present framework does not
provide citizens of EU countries with redress that is at par with
that which US persons enjoy under the Privacy Act.<a class="sdfootnoteanc" name="sdfootnote19anc" href="#sdfootnote19sym"><sup>19</sup></a></p>
<p align="justify">
For example, the measures
outlined under the JRA would only be applicable to countries that
have outlined appropriate privacy protections agreements for data
sharing for investigations and ‘efficiently share’ such
information with the US. Countries that do not have agreements with
US cannot seek these protections leaving the personal data of their
citizens open for collection and misuse by US agencies. Further, the
arrangement leaves determination of 'efficiently sharing' in the
hands of US authorities and countries could lose protection if they
do not comply with information sharing requests promptly. Finally,
JRA protections do not apply to non-US persons nor to records shared
for purposes other than law enforcement such as intelligence
gathering. JRA is also weakened by allowing heads of agencies to
exercise their discretion to seek exemption from the Act and opt out
of compliance.</p>
<p align="justify">
Taken together the JRA, the
Umbrella Act and the renegotiation of the Safe Harbor Agreement need
considerable improvements. It is worth noting that EU’s acceptance
of the redundancy of existing agreements and in establishing the
independence of national data protection authorities in investigating
and enforcing national laws as demonstrated in the Schrems and in the
Weltimmo<a class="sdfootnoteanc" name="sdfootnote20anc" href="#sdfootnote20sym"><sup>20</sup></a>
case point to accelerated developments in the broader EU privacy
landscape.</p>
<p align="justify">
<em>Consequences </em></p>
<p align="justify">
The ECJ Safe Harbor ruling will
have far-reaching consequences for the online industry. Often, costly
government rulings solidify the market dominance of big companies. As
high regulatory costs restrict the entrance of small and medium
businesses the market, competition is gradually wiped out. Further,
complying with high standards of data protection means that US firms
handling European data will need to consider alternative legal means
of transfer of personal data. This could include evolving 'model
contracts' binding them to EU data protection standards. As Schrems
points out, “Big companies don’t only rely on safe harbour: they
also rely on binding corporate rules and standard contractual
clauses.”<a class="sdfootnoteanc" name="sdfootnote21anc" href="#sdfootnote21sym"><sup>21</sup></a></p>
<p align="justify">
The ruling is good news for
European consumers, who can now approach a national regulator to
investigate suspicions of data mishandling. EU data protection
regulators may be be inundated with requests from companies seeking
authorization of new contracts and with consumer complaints. Some are
concerned that the ruling puts a dent in the globalized flow of
data<a class="sdfootnoteanc" name="sdfootnote22anc" href="#sdfootnote22sym"><sup>22</sup></a>,
effectively requiring data localization in Europe.<a class="sdfootnoteanc" name="sdfootnote23anc" href="#sdfootnote23sym"><sup>23</sup></a>
Others have pointed out that it is unclear how this decision sits
with other trade treaties such as the TPP that ban data
localisation.<a class="sdfootnoteanc" name="sdfootnote24anc" href="#sdfootnote24sym"><sup>24</sup></a>
While the implications of the decision will take some time in playing
out, what is certain is that US companies will be have to
restructure management, storage and use of data. The ruling has
created the impetus for India to push for reforms to protect its
citizens from harms by US firms and improve trade relations with EU.</p>
<p align="justify"><em>The Opportunity for India</em></p>
<p align="justify">
Multiple data flows taking place
over the internet simultaneously and that has led to ubiquity of data
transfers o ver the Internet, exposing individuals to privacy risks.
There has also been an enhanced economic importance of data
processing as businesses collect and correlate data using analytic
tools to create new demands, establish relationships and generate
revenue for their services. The primary concern of the Schrems case
may be the protection of the rights of EU citizens but by seeking to
extend these rights and ensure compliance in other jurisdictions, the
case touches upon many underlying contestations around data and
sovereignty.</p>
<p align="justify">
Last year, Mr Ram Narain, India
Head of Delegation to the Working Group Plenary at ITU had stressed, “respecting the principle of sovereignty of information through
network functionality and global norms will go a long way in
increasing the trust and confidence in use of ICT.”<a class="sdfootnoteanc" name="sdfootnote25anc" href="#sdfootnote25sym"><sup>25</sup></a>
In the absence of the recognition of privacy as a right and
empowering citizens through measures or avenues to seek redressal
against misuse of data, the demand of data sovereignty rings empty.
The kind of framework which empowered an ordinary citizen in the EU
to approach the highest court seeking redressal based on presumed
overreach of a foreign government and from harms abetted by private
corporations simply does not exist in India. Securing citizen’s
data in other jurisdictions and from other governments begins with
establishing protection regimes within the country.</p>
<p align="justify">
The Indian government has also
stepped up efforts to restrict transfer of data from India including
pushing for private companies to open data centers in India.<a class="sdfootnoteanc" name="sdfootnote26anc" href="#sdfootnote26sym"><sup>26</sup></a>
Negotiating data localisation does not restrict the power of private
corporations from using data in a broad ways including tailoring ads
and promoting products. Also, data transfers impact any organisation
with international operations for example, global multinationals who
need to coordinate employee data and information. Companies like
Facebook, Google and Microsoft transfer and store data belonging to
Indian citizens and it is worth remembering that the National
Security Agency (NSA) would have access to this data through servers
of such private companies. With no existing measures to restrict such
indiscriminate access, the ruling purports to the need for India to
evolve strong protection mechanisms. Finally, the lack of such
measures also have an economic impact, as reported in a recent
Nasscom-Data Security Council of India (DSCI) survey<a class="sdfootnoteanc" name="sdfootnote27anc" href="#sdfootnote27sym"><sup>27</sup></a>
that pegs revenue losses incurred by the Indian IT-BPO industry at
$2-2.5 billion for a sample size of 15 companies. DSCI has further
estimated that outsourcing business can further grow by $50 billion
per annum once India is granted a “data secure” status by the
EU.<a class="sdfootnoteanc" name="sdfootnote28anc" href="#sdfootnote28sym"><sup>28</sup></a>
EU’s refusal to grant such a status is understandable given the
high standard of privacy as incorporated under the European Union
Data Protection Directive a standard to which India does not match
up, yet. The lack of this status prevents the flow of data which is
vital for Digital India vision and also affects the service industry
by restricting the flow of sensitive information to India such as
information about patient records.</p>
<p align="justify">
Data and information structures
are controlled and owned by private corporations and networks
transcend national borders, therefore the foremost emphasis needs to
be on improving national frameworks. While, enforcement mechanisms
such as the Mutual Legal Assistance Treaty (MLAT) process or other
methods of international cooperation may seem respectful of
international borders and principles of sovereignty,<a class="sdfootnoteanc" name="sdfootnote29anc" href="#sdfootnote29sym"><sup>29</sup></a>
for users that live in undemocratic or oppressive regimes such
agreements are a considerable risk. Data is also increasingly being
stored across multiple jurisdictions and therefore merely applying
data location lens to protection measures may be too narrow. Further
it should be noted that when companies begin taking data storage
decisions based on legal considerations it will impact the speed and
reliability of services.<a class="sdfootnoteanc" name="sdfootnote30anc" href="#sdfootnote30sym"><sup>30</sup></a>
Any future regime must reflect the challenges of data transfers
taking place in legal and economic spaces that are not identical and
may be in opposition. Fundamentally, the protection of privacy will
always act as a barrier to the free flow of information even so, as
the Schrems case ruling points out not having adequate privacy
protections could also restrict flow of data, as has been the case
for India.</p>
<p align="justify">
The time is right for India to
appoint a data controller and put in place national frameworks, based
on nuanced understanding of issues of applying jurisdiction to govern
users and their data. Establishing better protection measures will
not only establish trust and enhance the ability of users to control
data about themselves it is also essential for sustaining economic
and social value generated from data generation and collection.
Suggestions for such frameworks have been considered previously by
the Group of Experts on Privacy constituted by the Planning
Commission.<a class="sdfootnoteanc" name="sdfootnote31anc" href="#sdfootnote31sym"><sup>31</sup></a>
By incorporating transparency in mechanisms for data and access
requests and premising requests on established necessity and
proportionality Indian government can lead the way in data protection
standards. This will give the Indian government more teeth to
challenge and address both the dangers of theft of data stored on
servers located outside of India and restrain indiscriminate access
arising from terms and conditions of businesses that grant such
rights to third parties. </p>
<div id="sdfootnote1">
<p>
<a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC
of the European Parliament and of the Council on the adequacy of the
protection provided by the safe harbour privacy principles and
related frequently asked questions issued by the US Department of
Commerce (notified under document number C(2000) 2441) (Text with
EEA relevance.) <em>Official
Journal L 215 , 25/08/2000 P. 0007 -0047 </em>
2000/520/EC:
<u><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">http</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">://</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">eur</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">-</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">lex</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">.</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">europa</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">.</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">eu</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">/</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">LexUriServ</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">/</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">LexUriServ</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">.</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">do</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">?</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">uri</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">=</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">CELEX</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">:32000</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">D</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">0520:</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">EN</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">:</a><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">HTML</a></u></p>
</div>
<div id="sdfootnote2">
<p>
<a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a>
Safe Harbour Privacy Principles Issued by the U.S. Department of
Commerce on July 21, 2000
<u><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">http</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">://</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">www</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">export</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">gov</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">safeharbor</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">eu</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">eg</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">_</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">main</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">_018475.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">asp</a></u></p>
</div>
<div id="sdfootnote3">
<p>
<a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a>
Megan Graham, <a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Adding</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Some</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Nuance</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">on</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">the</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">European</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Court</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">’</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">s</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Safe</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Harbor</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Decision</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">,
</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Just</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">security</a></p>
<p>
<u><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">https</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">://</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">www</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">.</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">justsecurity</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">.</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">org</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">/26651/</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">adding</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">-</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">nuance</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">-</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">ecj</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">-</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">safe</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">-</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">harbor</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">-</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">decision</a><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">/</a></u></p>
</div>
<div id="sdfootnote4">
<p>
<a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a>
Advocate
General’s Opinion in Case C-362/14 Maximillian Schrems v Data
Protection Commissioner Court of Justice of the European Union,
Press Release, No 106/15 Luxembourg, 23 September 2015
<u><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">http</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">://</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">curia</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">.</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">europa</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">.</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">eu</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">jcms</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">upload</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">docs</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">application</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">pdf</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">/2015-09/</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">cp</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">150106</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">en</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">.</a><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">pdf</a></u></p>
</div>
<div id="sdfootnote5">
<p>
<a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour
alternatives’, The Register, October 7, 2015
<u><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">http</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">://</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">www</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">.</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">theregister</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">.</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">co</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">.</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">uk</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">/2015/10/07/</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">eu</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">_</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">pushes</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">_</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">safe</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">_</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">harbour</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">_</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">alternatives</a><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">/</a></u> </p>
</div>
<div id="sdfootnote6">
<p>
<a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
Draft Report, General Data Protection Regulation, Committee on Civil
Liberties, Justice and Home Affairs, European Parliament, 2009-2014
<a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">http</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">://</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">www</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">.</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">europarl</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">.</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">europa</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">.</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">eu</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">/</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">meetdocs</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">/2009_2014/</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">documents</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">/</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">libe</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">/</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">pr</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">/922/922387/922387</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">en</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">.</a><a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">pdf</a></p>
</div>
<div id="sdfootnote7">
<p>
<a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS
Characteristics: Data Sovereignty and the Balkanisation of the
Internet’, University of Oxford, July 7, 2014
<u><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">https</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">://</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">www</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">.</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">usenix</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">.</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">org</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">/</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">system</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">/</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">files</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">/</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">conference</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">/</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">foci</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">14/</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">foci</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">14-</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">polatin</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">-</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">reuben</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">.</a><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">pdf</a></u></p>
</div>
<div id="sdfootnote8">
<p>
<a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
Sasha
Meinrath, The Future of the Internet: Balkanization and Borders,
Time, October 2013
<u><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">http</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">://</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">ideas</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">.</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">time</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">.</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">com</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">/2013/10/11/</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">the</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">future</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">of</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">the</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">internet</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">balkanization</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">and</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">-</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">borders</a><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">/</a></u></p>
</div>
<div id="sdfootnote9">
<p>
<a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
Safe Harbour Privacy Principles, Issued by the U.S. Department of
Commerce, July 2001
<u><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">http</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">://</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">www</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">export</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">gov</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">safeharbor</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">eu</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">/</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">eg</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">_</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">main</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">_018475.</a><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">asp</a></u></p>
</div>
<div id="sdfootnote10">
<p>
<a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a>
Facebook
case may force European firms to change data storage practices, The
Guardian, September 23, 2015
<u><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">http</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">://</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">www</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">.</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">theguardian</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">.</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">com</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">/</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">us</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">-</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">news</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">/2015/</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">sep</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">/23/</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">us</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">-</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">intelligence</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">-</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">services</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">-</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">surveillance</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">-</a><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">privacy</a></u></p>
</div>
<div id="sdfootnote11">
<p>
<a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a>
Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013
<u><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">https</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">://</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">iapp</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">.</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">org</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">/</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">news</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">/</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">a</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">/</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">us</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">-</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">eu</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">-</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">safe</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">-</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">harbor</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">-</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">under</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">-</a><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">pressure</a></u></p>
</div>
<div id="sdfootnote12">
<p>
<a class="sdfootnotesym" name="sdfootnote12sym" href="#sdfootnote12anc">12</a>
Kieren
McCarthy, Privacy, net neutrality, security, encryption ... Europe
tells Obama, US Congress to back off, The Register, 23 September,
2015
<u><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">http</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">://</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">www</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">.</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">theregister</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">.</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">co</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">.</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">uk</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">/2015/09/23/</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">european</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">_</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">politicians</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">_</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">to</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">_</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">congress</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">_</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">back</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">_</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">off</a><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">/</a></u></p>
</div>
<div id="sdfootnote13">
<p>
<a class="sdfootnotesym" name="sdfootnote13sym" href="#sdfootnote13anc">13</a>
Communication from the Commission to the European Parliament and the
Council, Rebuilding Trust in EU-US Data Flows, European Commission,
November 2013
<u><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">http</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">://</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">ec</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">.</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">europa</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">.</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">eu</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">/</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">justice</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">/</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">data</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">-</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">protection</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">/</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">files</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">/</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">com</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">_2013_846_</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">en</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">.</a><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">pdf</a></u></p>
</div>
<div id="sdfootnote14">
<p>
<a class="sdfootnotesym" name="sdfootnote14sym" href="#sdfootnote14anc">14</a>
Safe
Harbor on trial in the European Union, Access Blog, September 2014
<u><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">https</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">://</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">www</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">.</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">accessnow</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">.</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">org</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">/</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">blog</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">/2014/11/13/</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">safe</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">harbor</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">on</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">trial</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">in</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">the</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">european</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">-</a><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">union</a></u></p>
</div>
<div id="sdfootnote15">
<p>
<a class="sdfootnotesym" name="sdfootnote15sym" href="#sdfootnote15anc">15</a>
European
Commission - Fact Sheet Questions and Answers on the EU-US data
protection "Umbrella agreement", September 8, 2015
<u><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">http</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">://</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">europa</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">.</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">eu</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">/</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">rapid</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">/</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">press</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">-</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">release</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">_</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">MEMO</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">-15-5612_</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">en</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">.</a><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">htm</a></u> </p>
</div>
<div id="sdfootnote16">
<p>
<a class="sdfootnotesym" name="sdfootnote16sym" href="#sdfootnote16anc">16</a>
McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data
transfers’, Lexology, September 14, 2015
<u><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">http</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">://</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">www</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">.</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">lexology</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">.</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">com</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">/</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">library</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">/</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">detail</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">.</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">aspx</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">?</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">g</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">=422</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">bca</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">41-2</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">d</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">54-4648-</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">ae</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">57-00</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">d</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">678515</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">e</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">1</a><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">f</a></u></p>
</div>
<div id="sdfootnote17">
<p>
<a class="sdfootnotesym" name="sdfootnote17sym" href="#sdfootnote17anc">17</a>
Andrew
Woods, Lowering the Temperature on the Microsoft-Ireland Case,
Lawfare September, 2015
<u><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">https</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">://</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">www</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">.</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">lawfareblog</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">.</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">com</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">/</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">lowering</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">-</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">temperature</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">-</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">microsoft</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">-</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">ireland</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">-</a><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">case</a></u></p>
</div>
<div id="sdfootnote18">
<p>
<a class="sdfootnotesym" name="sdfootnote18sym" href="#sdfootnote18anc">18</a>
Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement
and the Judicial Redress Act: Small Steps Forward for EU Citizens’
Privacy Rights’, October 5, 2015
<u><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">https</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">://</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">cdt</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">.</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">org</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">/</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">blog</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">/</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">the</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">eu</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">us</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">umbrella</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">agreement</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">and</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">the</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">judicial</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">redress</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">act</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">small</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">steps</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">forward</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">for</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">eu</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">citizens</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">privacy</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">-</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">rights</a><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">/</a></u></p>
</div>
<div id="sdfootnote19">
<p>
<a class="sdfootnotesym" name="sdfootnote19sym" href="#sdfootnote19anc">19</a>
Ibid 18.</p>
</div>
<div id="sdfootnote20">
<p>
<a class="sdfootnotesym" name="sdfootnote20sym" href="#sdfootnote20anc">20</a>
Landmark ECJ data protection ruling could impact Facebook and
Google, The Guardian, 2 October, 2015
<u><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">http</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">://</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">www</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">.</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">theguardian</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">.</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">com</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">/</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">technology</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">/2015/</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">oct</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">/02/</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">landmark</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">ecj</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">data</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">protection</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">ruling</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">facebook</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">google</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">-</a><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">weltimmo</a></u></p>
</div>
<div id="sdfootnote21">
<p>
<a class="sdfootnotesym" name="sdfootnote21sym" href="#sdfootnote21anc">21</a>
Julia Powles, Tech companies like Facebook not above the law, says
Max Schrems, The Guardian, Octover 9, 2015
<a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">http</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">://</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">www</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">.</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">theguardian</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">.</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">com</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">/</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">technology</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">/2015/</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">oct</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">/09/</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">facebook</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">data</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">privacy</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">max</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">schrems</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">european</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">court</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">of</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">-</a><a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">justice</a></p>
</div>
<div id="sdfootnote22">
<p>
<a class="sdfootnotesym" name="sdfootnote22sym" href="#sdfootnote22anc">22</a>
Adam
Thierer,
Unintended
Consequences of the EU Safe Harbor Ruling, The Technology Liberation
Front, October 6, 2015
<u><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">http</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">://</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">techliberation</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">.</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">com</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">/2015/10/06/</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">unintended</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">consequenses</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">of</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">the</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">eu</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">safe</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">harbor</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">ruling</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">/#</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">more</a><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">-75831</a></u></p>
</div>
<div id="sdfootnote23">
<p>
<a class="sdfootnotesym" name="sdfootnote23sym" href="#sdfootnote23anc">23</a>
Anupam
Chander, Tweeted ECJ<a href="https://twitter.com/hashtag/schrems?src=hash">
#</a><a href="https://twitter.com/hashtag/schrems?src=hash">schrems</a>
ruling may effectively require data localization within Europe,
<u><a href="https://twitter.com/AnupamChander/status/651369730754801665">https</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">://</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">twitter</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">.</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">com</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">/</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">AnupamChander</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">/</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">status</a><a href="https://twitter.com/AnupamChander/status/651369730754801665">/651369730754801665</a></u></p>
</div>
<div id="sdfootnote24">
<p>
<a class="sdfootnotesym" name="sdfootnote24sym" href="#sdfootnote24anc">24</a>
Lokman Tsui, Tweeted, “If the TPP bans data localization, but the
ECJ ruling effectively mandates it, what does that mean for the
internet?”
<u><a href="https://twitter.com/lokmantsui/status/651393867376275456">https</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">://</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">twitter</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">.</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">com</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">/</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">lokmantsui</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">/</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">status</a><a href="https://twitter.com/lokmantsui/status/651393867376275456">/651393867376275456</a></u></p>
</div>
<div id="sdfootnote25">
<p>
<a class="sdfootnotesym" name="sdfootnote25sym" href="#sdfootnote25anc">25</a>
Statement from Indian Head of Delegation, Mr Ram Narain for WGPL,
<a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Indian</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">statement</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">on</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">ITU</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">and</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Internet</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">at</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">the</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Working</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Group</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Plenary</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">November</a><a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">
4, 2014 </a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">https</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">://</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">ccgnludelhi</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">.</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">wordpress</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">.</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">com</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">/</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">author</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">/</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">asukum</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">87/</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">page</a><a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">/2/</a></p>
</div>
<div id="sdfootnote26">
<p>
<a class="sdfootnotesym" name="sdfootnote26sym" href="#sdfootnote26anc">26</a>
Sounak
Mitra, Xiaomi bets big on India despite problems, Business Standard,
December 2014
<u><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">http</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">://</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">www</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">.</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">business</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">standard</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">.</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">com</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">/</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">article</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">/</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">companies</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">/</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">xiaomi</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">bets</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">big</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">on</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">india</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">despite</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">problems</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">-114122201023_1.</a><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">html</a></u></p>
</div>
<div id="sdfootnote27">
<p>
<a class="sdfootnotesym" name="sdfootnote27sym" href="#sdfootnote27anc">27</a>
Neha
Alawadi, Ruling on data flow between EU & US may impact India’s
IT sector, Economic Times,October 7, 2015
<a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">http</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">://</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">economictimes</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">.</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">indiatimes</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">.</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">com</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">/</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">articleshow</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">/49250738.</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">cms</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">?</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">source</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">contentofinterest</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">&</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">medium</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">text</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">&</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">campaign</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">cppst</a></p>
</div>
<div id="sdfootnote28">
<p>
<a class="sdfootnotesym" name="sdfootnote28sym" href="#sdfootnote28anc">28</a>
Pranav Menon, Data Protection Laws in India and Data Security-
Impact on India and Data Security-Impact on India - EU Free Trade
Agreement, CIS Access to Knowledge, 2011
<u><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">http</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">://</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">cis</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">-</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">india</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">.</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">org</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">/</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">a</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">2</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">k</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">/</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">blogs</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">/</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">data</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">-</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">security</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">-</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">laws</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">-</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">india</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">.</a><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">pdf</a></u></p>
</div>
<div id="sdfootnote29">
<p>
<a class="sdfootnotesym" name="sdfootnote29sym" href="#sdfootnote29anc">29</a>
Surendra
Kumar Sinha, India wants Mutual Legal Assistance treaty with
Bangladesh, Economic Times, October 7, 2015
h<u><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">ttp</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">://</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">economictimes</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">.</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">indiatimes</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">.</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">com</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">/</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">articleshow</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">/49262294.</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">cms</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">?</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">source</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">contentofinterest</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">&</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">medium</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">text</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">&</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">utm</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">_</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">campaign</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">=</a><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">cppst</a></u></p>
</div>
<div id="sdfootnote30">
<p>
<a class="sdfootnotesym" name="sdfootnote30sym" href="#sdfootnote30anc">30</a>
Pablo
Chavez, Director, Public Policy and Government Affairs, Testifying
before the U.S. Senate on transparency legislation, November 3,
2013
<u><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">http</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">://</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">googlepublicpolicy</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">.</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">blogspot</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">.</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">in</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">/2013/11/</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">testifying</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">-</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">before</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">-</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">us</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">-</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">senate</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">-</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">on</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">.</a><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">htm</a></u> </p>
</div>
<div id="sdfootnote31">
<p>
<a class="sdfootnotesym" name="sdfootnote31sym" href="#sdfootnote31anc">31</a>
Report
of the Group of Experts on Privacy (Chaired by Justice A P Shah,
Former Chief Justice, Delhi High Court), Planning Commission,
October 2012
<u><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">://</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">planningcommission</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">.</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">nic</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">.</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">in</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">/</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">reports</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">/</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">genrep</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">/</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">rep</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">_</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">privacy</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">.</a><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">pdf</a></u></p>
<p align="justify"> </p>
</div>
<div id="sdfootnote31">
<p align="justify"> </p>
</div>
<div id="sdfootnote30"> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india'>https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india</a>
</p>
No publisherjyotiAccess to KnowledgeDigital EconomyPublic AccountabilityPrivacyPlatform ResponsibilityData ProtectionAccountabilityDigital SecurityDigital IndiaInternet Governance2015-10-14T14:40:08ZBlog EntryComparison of General Data Protection Regulation and Data Protection Directive
https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive
<b>Recently, the General Data Protection Regulation (REGULATION (EU) 2016/679) was passed. It shall replace the present Data Protection Directive (DPD 95/46/EC), which is a step that is likely to impact the workings of many organizations. This document intends to offer a clear comparison between the General Data Protection Regulation (GDPR) a the Data Protection Direction (DPD).
</b>
<p>Download the <a class="external-link" href="http://cis-india.org/internet-governance/files/comparison-table-gdpr-dpd">file here</a></p>
<hr />
<h1 style="text-align: justify; ">INTRODUCTION</h1>
<p style="text-align: justify; ">The GDPR i.e. General Data Protection Regulation (REGULATION (EU) 2016/679) was adopted on May 27th, 2016. It will come into force after a two-year transition period on May 25th, 2018 and will replace the Data Protection Directive (DPD 95/46/EC). The Regulation intends to empower data subjects in the European Union by giving them control over the processing of their personal data. This is not an enabling legislation. Unlike the previous regime under the DPD (Data Protection Directive), wherein different member States legislated their own data protection laws, the new regulation intends uniformity in application with some room for individual member states to legislate on procedural mechanisms. While this will ensure a predictable environment for doing business, a number of obligations will have to be undertaken by organizations, which might initially burden them financially and administratively.</p>
<h1 style="text-align: justify; "><a name="_s6hlmorxmhjt"></a> 2. SUMMARY</h1>
<p style="text-align: justify; ">The Regulation contains a number of new provisions as well as modified provisions that were under DPD and has removed certain requirements under the DPD. Some significant changes mentioned in the document have been summarized in this section.. These changes suggest that GDPR is a comprehensive law with detailed substantive and procedural provisions. Yet, some ambiguities remain with respect to its workability and interpretation. Clarifications will be required.</p>
<h2 style="text-align: justify; "><a name="_bx6wcm39fme2"></a> 2.1 Provisions from the DPD that were retained but altered in the GDPR include:</h2>
<h3 style="text-align: justify; "><a name="_dgj5eiqdp6rg"></a> 2.1.1 Scope:</h3>
<p style="text-align: justify; ">GDPR has an expanded territorial scope and is applicable under two scenarios; 1) when processor or controller is established in the Union, and 2) when processor or controller is not established in the Union. The conditions for applicability of the GDPR under the two are much wider than those provided for DPD. Also, the criteria under GDPR are more specific and clearer to demonstrate application.</p>
<h3 style="text-align: justify; "><a name="_xkff9yuwpdhu"></a> 2.1.2 Definitions:</h3>
<p style="text-align: justify; ">Six definitions have remained the same while those of personal data and consent have been expanded.</p>
<h3 style="text-align: justify; "><a name="_ubv6cbv0v00"></a> 2.1.3 Consent:</h3>
<p style="text-align: justify; ">GDPR mentions "unambiguous" consent and spells out in detail what constitutes a valid consent. Demonstration of valid consent is an important obligation of the controller. Further, the GDPR also explains situations in which child's consent will be valid. Such provisions are absent in DPD.</p>
<h3 style="text-align: justify; "><a name="_uqvt1qhmvy2p"></a> 2.1.4 Special categories of data:</h3>
<p style="text-align: justify; ">Two new categories, biometric and genetic data have been added under GDPR.</p>
<h3 style="text-align: justify; "><a name="_ap4k8hvlnia"></a> 2.1.5 Rights:</h3>
<p style="text-align: justify; ">The GDPR strengthens certain rights granted under the DPD. These include:</p>
<p style="text-align: justify; ">a. <b>Right to restrict processing: </b>Under DPD the data subject can block processing of data on the grounds of data inaccuracy or incomplete nature of data. GDPR, on the other hand , is more elaborate and defined in this respect. Many more grounds are listed together with consequences of enforcement of this right and obligations on controller.</p>
<p style="text-align: justify; ">b. <b>Right to erasure: </b> This is known as the "right to be forgotten". Here, the DPD merely mentions that the data subject has the right to request erasure of data on grounds of data inaccuracy or incomplete nature of data or in case of unlawful processing. The GDPR has strengthened this right by laying out 7 conditions for enforcing this right including 5 grounds on which the request for erasure shall not be processed. This means that the "right to erasure" is not an absolute right. GDPR provides that if data has been made public, controllers are under an obligation to inform other controllers processing the data about the request.</p>
<p style="text-align: justify; ">c. <b>Right to rectification: </b>This right is similar under GDPR and DPD.</p>
<p style="text-align: justify; ">d. <b>Right to access: </b>GDPR has broadened the amount of information data subject can have regarding his/her own data. For example, under the DPD the data subject could know about the purpose of processing, categories of processing, recipients or categories to whom data are disclosed and extent of automated decision involved. Now under GDPR, the data subject can also know about retention period, existence of certain rights, about source of data and consequences of processing. It specifically states controllers obligations in this regard.</p>
<p style="text-align: justify; ">e. <b>Automated individual decision making including profiling: </b> This is an interesting provision that applies solely to automate decision-making. This includes profiling, which is a process by which personal data is evaluated solely by automated means for the purpose of analyzing a person's personal aspect such as performance at work, health, location etc. The intent is that data subjects should have the right to obtain human intervention into their personal data. This upholds philosophy of data safeguard as the subject can get an opportunity to express himself, obtain explanation and challenge the decision. Under GDPR, such decision-making excludes data concerning a child.</p>
<h3 style="text-align: justify; "><a name="_mirhfotxo6sy"></a> 2.1.6 Code of conduct:</h3>
<p style="text-align: justify; ">A voluntary self-regulating mechanism has been provided under both GDPR and DPD.</p>
<h3 style="text-align: justify; "><a name="_7bkgvf7abyyr"></a> 2.1.7 Supervisory Authority:</h3>
<p style="text-align: justify; ">As compared to the DPD, the GDPR lays down detailed and elaborate provisions on Supervisory Authority.</p>
<h3 style="text-align: justify; "><a name="_khb6zs50ya84"></a> 2.1.8 Compensation and Liability:</h3>
<p style="text-align: justify; ">Although compensation and liability provisions under GDPR and DPD are similar, the GDPR specifically mentions this as a right with a wider scope. While the Directive enforces liability on the controller only, under the GDPR, compensation can be claimed from both, processor and controller.</p>
<h3 style="text-align: justify; "><a name="_bovy1ju2u8iv"></a> 2.1.9 Effective judicial remedies:</h3>
<p style="text-align: justify; ">Provisions in this area are also quite similar between the DPD and GDPR. The difference is that GDPR specifically mentions this as a "right" and the Directive does not. Use of such words is bound to bring legal clarity. It is interesting to note that in the DPD, recourse to remedy has been mentioned in the Recitals and it is the national law of individual member states, which shall regulate the enforceability. GDPR, on the other hand, mentions this under its Articles together with the jurisdiction of courts and exceptions to this right.</p>
<h3 style="text-align: justify; "><a name="_xndzim3hdxxa"></a> 2.1.10 Right to lodge complaint with supervisory authority:</h3>
<p style="text-align: justify; ">The right conferred to the data subject to seek remedy under unlawful processing has been strengthened under GDPR. Again, as mentioned above, GDRP specifically words this as a "right" while the DPD does not.</p>
<h2 style="text-align: justify; "><a name="_68pmqs7h2gvp"></a> 2.2 New provisions added to the GDPR include:</h2>
<h3 style="text-align: justify; "><a name="_pynrk1m03gga"></a> 2.2.1 Data Transfer to third countries:</h3>
<p style="text-align: justify; ">Provisions under Chapter V of GDPR regulate data transfers from EU to third countries and international organizations and data transfer onward. DPD only provides for data transfer to third countries without reference to international organizations.</p>
<p style="text-align: justify; ">A mechanism called adequacy decisions for such transfers remains the same under both laws. However, in situations where Commission does not take adequacy decisions, alternate and elaborate provisions on "Effective Safeguards" and "Binding Corporate Rules" have been mentioned under the GDPR. Other certain situations have been envisaged under both GDPR and DPD for data transfers in absence of adequacy decision. These are more or less similar with a only few modifications.</p>
<p style="text-align: justify; ">Significantly, GDPR brings clarity with respect to enforceability of judgments and orders of authorities that are outside of EU over their decision on such data transfer. Additionally, it provides for international cooperation for protection of personal data. These are not mentioned in the DPD.</p>
<h3 style="text-align: justify; "><a name="_ke5mhncq1f0n"></a> 2.2.2 Certification mechanism:</h3>
<p style="text-align: justify; ">Just like code of conduct, this is also a voluntary mechanism, which can aid in demonstrating compliance with Regulation.</p>
<h3 style="text-align: justify; "><a name="_f6377ap0044"></a> 2.2.3 Records of processing activities:</h3>
<p style="text-align: justify; ">This is a mandatory "compliance demonstration" mechanism under GDPR, which is not mentioned under DPD. Organizations are likely to face initial administrative and financial burdens in order to maintain records of processing activities.</p>
<h3 style="text-align: justify; "><a name="_k6sqaxd28am7"></a> 2.2.4 Obligations of processor:</h3>
<p style="text-align: justify; ">DPD fixes liability on controllers but leaves out processors. GDPR includes both. Consequently, GDPR specifies obligations of the processor, the kinds of processors the controller can use and what will govern processing.</p>
<h3 style="text-align: justify; "><a name="_ggx4qdqpvwl1"></a> 2.2.5 Data Protection officer:</h3>
<p style="text-align: justify; ">This finds no mention in the DPD. Under the GDPR, a data protection officer must be mandatorily appointed where the core business activity of the organization pertains to processing, which requires regular and systematic monitoring of data subjects on large scale, processing of large scale special categories of data and offences, or processing carried out by public authority or public body.</p>
<h3 style="text-align: justify; "><a name="_vmyb0dlytf7z"></a> 2.2.6 Data protection impact assessment:</h3>
<p style="text-align: justify; ">This is a Privacy Impact assessment for ensuring and demonstrating compliance with the Regulation. Such assessment can identify and minimize risks. GDPR mandates that such assessment must be carried out when processing is likely to result in high risk. The relevant Article mentions when to carry out processing, the type of information to be contained in assessment and a clause for prior consultation with supervisory authority prior to processing if assessment indicates high risk.</p>
<h3 style="text-align: justify; "><a name="_jsw1owqhhya3"></a> 2.2.7 Data Breach:</h3>
<p style="text-align: justify; ">Under this provision, the controller is responsible for two things: 1) reporting personal data breach to supervisory authority no later than 72 hours . Any delay in notifying the authority has to be accompanied by reasons for delay; and 2) communicating the breach to the data subject in case the breach is likely to cause high risk to right and freedoms of the person. As far as the processor is concerned, in the event of data breach, the processor must notify the controller. This provision is likely to push some major changes in the workings of various organizations. A number of detection and reporting mechanisms will have to be implemented. Above all, these mechanisms will have to be extremely efficient given the time limit.</p>
<h3 style="text-align: justify; "><a name="_ccc1t8kwx628"></a> 2.2.8 Data Protection by design and default:</h3>
<p style="text-align: justify; ">This entails a general obligation upon the controller to incorporate effective data protection in internal policies and implementation measures.</p>
<h3 style="text-align: justify; "><a name="_w5imfuxpb2ys"></a> 2.2.9 Rights:</h3>
<p style="text-align: justify; ">Under the GDPR, a new right called the " Right to data portability " has been conferred upon the data subjects. This right empowers the data subject to receive personal data from one controller and transfer it to another.</p>
<h3 style="text-align: justify; "><a name="_u0fpe4c3oxoo"></a> 2.2.10 New Definitions:</h3>
<p style="text-align: justify; ">Out of 26 definitions, 18 new definitions have been added. "Pseudonymisation" is one such new concept that can aid data privacy. This data processing technique encourages processing in a way that personal data can no longer be attributed to a specific data subject without using additional information. This additional information is to be stored separately in a way that it is not attributed to an identified or identifiable natural person.</p>
<h3 style="text-align: justify; "><a name="_lh2v66dwa6g5"></a> 2.2.11 Administrative fines:</h3>
<p style="text-align: justify; ">Perhaps much concern about GDPR is due to provisions on high fines for non-compliance of certain provisions. Organizations simply cannot afford to ignore it. Non-compliance can lead to imposition of very heavy fines up to 20,000,000 EUR or 4% of total worldwide turnover.</p>
<h2 style="text-align: justify; "><a name="_ad4hk9ac5g76"></a> 2.3 Deleted provisions under DPD include :</h2>
<h3 style="text-align: justify; "><a name="_f7qp3wle6y52"></a> 2.3.1 Working Party:</h3>
<p style="text-align: justify; ">Working party under the DPD has been replaced by the European Data Protection Board provided by the GDPR. The purpose of the Board is to ensure consistent application of the Regulation.</p>
<h3 style="text-align: justify; "><a name="_79qx7y3yed1o"></a> 2.3.2 Notification Requirement:</h3>
<p style="text-align: justify; ">The general obligation to notify processing supervisory authorities has been removed. It was observed that this requirement imposed unnecessary financial and administrative burden on organizations and was not successful in achieving the real purpose that is protection of personal data. Instead, now the GDPR focuses on procedures and mechanisms like Privacy Impact assessment to ensure compliance.</p>
<h1 style="text-align: justify; "><a name="_mpysf7lokshn"></a> 3. BRIEF OVERVIEW</h1>
<p style="text-align: justify; ">The GDPR is the new uniform law, which will now replace older laws. A brief overview has been given below:</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p><b>Topic</b></p>
</td>
<td>
<p><b>GDPR</b></p>
<p><b>(General Data Protection Regulation)</b></p>
</td>
<td>
<p><b>DPD </b></p>
<p><b>(Data Protection Directive)</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Name</p>
</td>
<td>
<p>REGULATION (EU) 2016/679</p>
</td>
<td>
<p>DPD 95/46/EC</p>
</td>
</tr>
<tr>
<td>
<p>Enforcement</p>
</td>
<td>
<p>Adopted on 27 May 2016</p>
<p>To be enforced on 25 May 2018</p>
</td>
<td>
<p>Adopted on 24 October 1995</p>
</td>
</tr>
<tr>
<td>
<p>Effect of legislation</p>
</td>
<td>
<p>It is a Regulation.</p>
<p>Is directly applicable to all EU member states without requiring a separate national legislation.</p>
</td>
<td>
<p>It is an enabling legislation.</p>
<p>Countries have to pass their own separate legislations.</p>
</td>
</tr>
<tr>
<td>
<p>Objective</p>
</td>
<td>
<p>To protect "natural persons" with regard to processing of personal data and on free movement of such data.</p>
<p>It repeals DPD 95/46/EC.</p>
</td>
<td>
<p>To protect "individuals" with regard to processing of personal data and on free movement of such data.</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: left; ">Number of Chapters</p>
</td>
<td>
<p>XI</p>
</td>
<td>
<p>VII</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: left; ">Number of Articles<a name="_3znysh7"></a></p>
</td>
<td>
<p>99</p>
</td>
<td>
<p>34</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: left; ">Number of Recitals</p>
</td>
<td>
<p>173</p>
</td>
<td>
<p>72</p>
</td>
</tr>
<tr>
<td>
<p>Applicability</p>
</td>
<td>
<p>To processors and controllers</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: justify; "><a name="_rpg4m5a4zaod"></a> 4. COMPARATIVE ANALYSIS OF GDPR AND DPD</h1>
<p style="text-align: justify; ">This section offers a comparative analysis through a set of tables and text analysing and comparing the provisions of General Data Protection Regulation (GDPR) with those of the Data Protection Direction (DPD). Spaces left blank in the tables imply lack of similar provisions under the respective data regime.</p>
<h2 style="text-align: justify; "><a name="_2et92p0"></a> 4.1 Territorial Scope</h2>
<p style="text-align: justify; ">GDPR has expanded territorial scope. The application of Regulation is independent of the place where processing of personal data takes places under certain conditions. The focus is the data subject and not the location. The DPD made application of national law, a criterion for determining the applicability of the Directive. Under the GDPR, the following conditions need to be satisfied for application of Regulation.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>3</p>
</td>
<td>
<p>4</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>When processor or controller is established in the Union, the Regulation/ Directive will apply if:</p>
<p><i>(DPD is silent on location of processors</i> )</p>
</td>
<td>
<p>1. Processing is of personal data</p>
<p>2. Processing is in "context of activities" of the establishment</p>
<p>3. Processing may or may not take place in the Union</p>
</td>
<td>
<p>Processing is of personal data.</p>
</td>
</tr>
<tr>
<td>
<p>When processor or controller is not established in Union, the Regulation/Directive will apply if:</p>
<p><i>(DPD is silent on location of processors</i> )</p>
</td>
<td>
<p>1. Data subjects are in the Union; and</p>
<p>2. Processing activity is related to:</p>
<p>I. Offering of goods or services; or</p>
<p>II. Monitoring their behavior within Union</p>
<p>3. Will apply when Member State law is applicable to that place by the virtue of public international law</p>
</td>
<td>
<p>1. Like GDPR the DPD mentions that national law should be applicable to that place by virtue of public international law;</p>
<p>Or</p>
<p>2. If the equipment for processing is situated on Member state territory unless it is used only for purpose of transit.</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_tyjcwt"></a> 4.2 Material Scope</h2>
<p style="text-align: justify; ">The Recital under GDPR explains that data protection is not an absolute right. Principle of proportionality has been adopted to respect other fundamental rights.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p style="text-align: left; ">Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>2</p>
</td>
<td>
<p>3</p>
</td>
</tr>
<tr>
<td>
<p>Applies to</p>
</td>
<td>
<p>Processing of personal data</p>
<p>Processing is by automated means, wholly or partially</p>
<p>When processing is not by automated means, the personal data should form or are intended to form a part of filing system</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Does not apply to</p>
</td>
<td>
<p>Processing of personal data:</p>
<p>1. For activities which lie outside scope of Union law</p>
<p>2. By Member State under Chapter 2 Title V of TEU</p>
<p>3. By natural person in course of purely personal or household activity</p>
<p>4. By competent authorities in relation to criminal offences and penalties and threats to public security</p>
<p>5. Under Regulation (EC) No 45/2001. This needs to be adapted for consistency with GDPR</p>
<p>6. Which should not prejudice the E commerce Directive 2000/31/EC especially the liability rules of intermediary service providers</p>
</td>
<td>
<p>The provisions in DPD are similar to GDPR.</p>
<p>In addition to Title V, the DPD did not apply to Title VI of TEU.</p>
<p>DPD doesn't mention Regulation (EC) No 45/2001 or the E commerce Directive 2000/31/EC.</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_3dy6vkm"></a> 4.3 Definitions</h2>
<p style="text-align: justify; ">GDPR incorporates 26 definitions as compared to 8 definitions under DPD. There are 18 new definitions in GDPR. Some definitions have been expanded.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>4</p>
</td>
<td>
<p>2</p>
</td>
</tr>
<tr>
<td>
<p>New Definitions under GDPR</p>
</td>
<td>
<p>1. Restriction of processing</p>
<p>2. Profiling</p>
<p>3. Pseudonymisation</p>
<p>4. Personal data breach</p>
<p>5. Genetic data</p>
<p>6. Biometric data</p>
<p>7. Data concerning health</p>
<p>8. Main establishment</p>
<p>9. Representative</p>
<p>10. Enterprise</p>
<p>11. Group of undertakings</p>
<p>12. Binding corporate rules</p>
<p>13. Supervisory authority</p>
<p>14. Supervisory authority concerned</p>
<p>15. Cross border processing</p>
<p>16. Relevant and reasoned objection</p>
<p>17. Information society service</p>
<p>18. International organizations</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>2 definitions that have been expanded under GDPR</p>
</td>
<td>
<p>1. Personal data</p>
<p>2. Consent</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>6 Definitions which have remained same in GDPR and DPD</p>
</td>
<td>
<p>1. Processing of personal data</p>
<p>2. Personal data filing system</p>
<p>3. Controller</p>
<p>4. Processor</p>
<p>5. Third party recipient</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_1t3h5sf"></a> 4.3.1 Expanded definition of personal data</h3>
<p style="text-align: justify; ">Both DPD and GDPR apply to 'personal data'. The GDPR gives an expanded definition of 'personal data'. Recital 30 gives example of an online identifier such as IP addresses.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>4(1)</p>
</td>
<td>
<p>2(a)</p>
</td>
</tr>
<tr>
<td>
<p>New term added in the definition</p>
</td>
<td>
<p>A new term " online identifier" has been added.</p>
<p>Example of online identifier is given under Recital 30. An IP address is one such example.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_tk0fv08fd3b8"></a></h3>
<h3 style="text-align: justify; "><a name="_4d34og8"></a> 4.3.2 Expanded definition of consent</h3>
<p style="text-align: justify; ">Valid consent must be given by the data subject. The definition of valid consent has been added under GDPR.<b> </b>Recital 32 further explains that consent can be given by "means of a written statement including electronic means or an oral statement". For example, ticking a box on websites signifies acceptance of processing while "pre ticked boxes, silence or inactivity" do not constitute consent.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>4(11)</p>
</td>
<td>
<p>2(h)</p>
</td>
</tr>
<tr>
<td>
<p>Term added in GDPR</p>
</td>
<td>
<p>Consent must be unambiguous, freely given, specific and informed.</p>
</td>
<td>
<p>The word "unambiguous" is not contained in DPD.</p>
</td>
</tr>
<tr>
<td>
<p>Means of signifying assent to processing own data</p>
</td>
<td>
<p>Assent can be given by a <i>statement or by clear affirmative action</i> signifying assent to processing.</p>
</td>
<td>
<p>DPD merely mentions that <i>freely given, specific and informed consent </i> signifies assent.</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_2s8eyo1"></a> 4.4 Conditions for consent</h2>
<p style="text-align: justify; ">GDPR lays down detailed provisions for valid consent. Such provisions are not given in DPD.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>7</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligation of controller</p>
</td>
<td>
<p>Must demonstrate consent has been given</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Presentation of written declaration of consent</p>
</td>
<td>
<p>It should be in a clearly distinguishable, intelligible and easily accessible form.</p>
<p>Language should be clear and plain.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>If declaration or any part of it infringes on Regulation</p>
</td>
<td>
<p>Declaration will be non-binding.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Right of data subject</p>
</td>
<td>
<p>To withdraw consent at any time.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>If consent is withdrawn, it will not make processing done earlier unlawful.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>For assessing whether consent is freely given</p>
</td>
<td>
<p>Must consider whether performance of contract or provision of service is made conditional on consent to processing of data not necessary for performance of contract.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_17dp8vu"></a> 4.5 Conditions applicable to child's consent in relation to information society services</h2>
<p style="text-align: justify; ">This article prescribes an age limit for making processing lawful when information society services (direct online service) are offered directly to a child.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>8</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Conditions for valid consent in this case</p>
</td>
<td>
<p>If child is at least 16 years old his consent is valid.</p>
<p>If child is below 16 years consent must be obtained from holder of parental responsibility over the child.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Age relaxation can be given when</p>
</td>
<td>
<p>Member States provides a law lowering the age.</p>
<p>Age cannot be lowered below 13 years.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller's responsibility</p>
</td>
<td>
<p>Verify who has given the consent</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Exceptions</p>
</td>
<td>
<p>This law will not affect:</p>
<p>General contract law of member states;</p>
<p>Effect of contract law on a child;</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_3rdcrjn"></a> 4.6 Processing of special categories of personal data</h2>
<p style="text-align: justify; ">Like the DPD, the GDPR spells out the data that is considered sensitive and the conditions under which this data can be processed. Two new categories of special data, "genetic data" and "biometric data", have been added to the list in the GDPR.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>9</p>
</td>
<td>
<p>8</p>
</td>
</tr>
<tr>
<td rowspan="6">
<p>Categories of data considered sensitive</p>
</td>
<td>
<p>Racial or ethnic origin</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Political opinions</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Religious or philosophical beliefs</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Trade union membership</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Health or sex life or sexual orientation</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Genetic data or</p>
<p>Biometric data uniquely identifying natural person</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="9">
<p>Circumstances in which processing of personal data may take place</p>
</td>
<td>
<p>If there is explicit consent of data subject provided Member State laws do not prohibit such processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Necessary for carrying out specific rights of controller or data subject</p>
</td>
<td>
<p>Under DPD these rights can be for employment.</p>
<p>The GDPR adds social security and social protection to this list.</p>
<p>These rights are to be authorized by Member state or Union. The GDPR adds "Collective agreements" to this.</p>
</td>
</tr>
<tr>
<td>
<p>In the vital interest of data subject who cannot give consent due to physical or legal causes.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>In the vital interest of a Natural person physically or legally incapable of giving consent</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>For legitimate activities carried on by not-for profit-bodies for political, philosophical or trade union aims subject to certain conditions.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>When personal data is made public by data subject</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>For establishment, exercise of defense of legal claims or for courts</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>For substantial public interest in accordance with Member State or Union law</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Is necessary for:</p>
<p>Preventive or occupational medicine</p>
<p>Assessing working capacity of employee</p>
<p>Medical diagnosis</p>
<p>Healthcare or social care services</p>
<p>Contract with health professional</p>
</td>
<td></td>
</tr>
<tr>
<td></td>
<td>
<p>Is necessary in Public interest in the area of public health</p>
</td>
<td></td>
</tr>
<tr>
<td></td>
<td>
<p>For public interest, scientific or historical research or statistical purpose</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data for preventive or occupational medicine, medical diagnosis etc. can be processed when:</p>
</td>
<td>
<p>Data is processed by or under responsibility of a professional under obligation of professional secrecy as state in law</p>
</td>
<td>
<p>Here the processing is done by health professional under obligation of professional secrecy</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_26in1rg"></a> 4.7 Principles relating to processing of personal data</h2>
<p style="text-align: justify; ">The principles set out in GDPR are similar to the ones under DPD. Some changes have been introduced. Accountability of the controller has been specifically given under GDPR.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>5</p>
</td>
<td>
<p>6</p>
</td>
</tr>
<tr>
<td>
<p style="text-align: left; ">Lawfulness, fairness, transparency</p>
</td>
<td>
<p>Processing must be Lawful, fair and transparent</p>
</td>
<td>
<p>Does not mention transparent</p>
</td>
</tr>
<tr>
<td rowspan="2">
<p>Purpose limitation</p>
</td>
<td>
<p>Data must be specified, explicit and legitimate.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Processing for achieving public interest, scientific or historical research or statistical purpose is not to be considered incompatible with initial purpose.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Data minimization</p>
</td>
<td>
<p>Processing is adequate, relevant and limited to what is necessary</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Accuracy</p>
</td>
<td>
<p>Data is accurate, up to date, erased or rectified without delay</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td rowspan="3">
<p>Storage limitation</p>
</td>
<td>
<p>Data is to be stored in a way that data subject can be identified for no longer than is necessary for purpose of processing</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Data can be stored for longer periods when it is processed solely in public interest, scientific or historical research or statistical purpose</p>
</td>
<td>
<p>Same</p>
<p>However, public interest is not mentioned.</p>
</td>
</tr>
<tr>
<td>
<p>There must be appropriate technical and organizational measures to safeguard rights and freedoms</p>
</td>
<td>
<p>Same</p>
<p>Additionally, it specifically states that Member States must lay down appropriate safeguards</p>
</td>
</tr>
<tr>
<td>
<p>Integrity and confidentiality</p>
</td>
<td>
<p>Manner of processing must:</p>
<p>Ensure security of personal data,</p>
<p>Protection against unlawful processing and accidental loss, destruction or damage</p>
</td>
<td>
<p>Not mentioned</p>
</td>
</tr>
<tr>
<td>
<p>Accountability</p>
</td>
<td>
<p>Controller is responsible for and must demonstrate compliance with all of the above.</p>
</td>
<td>
<p>DPD states it is for the controller to ensure compliance with this Article.</p>
<p>Unlike GDPR, DPD doesn't specifically state the responsibility of controller for demonstrating compliance.</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_bezw6fia4pw1"></a> 4.8 Lawfulness of processing</h2>
<p style="text-align: justify; ">The conditions for "lawfulness of processing" under DPD have been retained in the GDPR with certain modifications allowing flexibility for member states to introduce specific provisions in public interest or under a legal obligation. It should be noted that protection given to child's data and rights and freedoms of data subject should not be prejudiced. Additionally, a non-exhaustive list has been laid down in the GDPR for determining if processing is permissible in situations where the new purpose of processing is different from original purpose.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>6</p>
</td>
<td>
<p>7</p>
</td>
</tr>
<tr>
<td>
<p>Processing is lawful when :</p>
</td>
<td>
<p>If at least one of the principles applies:</p>
<p>Data subject has given consent to processing for specific purpose(s).</p>
</td>
<td>
<p>Same</p>
<p>However it mentions "unambiguous" consent.</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>Processing is necessary for performance of contract to which data subject is party or at request of data subject before entering into a contract</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>Processing is necessary for controller's compliance with legal obligation.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>Is necessary for legitimate interests pursued by controller or by third party subject to exceptions (should not override rights and freedoms of data subject and protections given to child's data.)</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>It is necessary for performance of task carried out in public interest or for exercise of official authority vested in controller</p>
</td>
<td>
<p>Same</p>
<p>It additionally mentions third party:</p>
<p>"…exercise of official authority vested in controller <i>or in a third party to whom data are disclosed"</i></p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>For protections of vital interest of data subject or another natural person</p>
</td>
<td>
<p>Same</p>
<p>Does not mention natural person.</p>
</td>
</tr>
<tr>
<td>
<p>Member States may introduce specific provisions when:</p>
</td>
<td>
<p>When processing is necessary for compliance with a legal obligation or to protect public interest</p>
</td>
<td></td>
</tr>
<tr>
<td></td>
<td>
<p>Basis for processing for shall be laid down by: Union law or Member State law</p>
</td>
<td></td>
</tr>
<tr>
<td colspan="3">
<p><b> If processing is done for purpose other than for which data is collected and is without data subject's consent or is not collected under law: </b></p>
</td>
</tr>
<tr>
<td rowspan="6">
<p>To determine if processing for another purpose is compatible with the original purpose</p>
</td>
<td>
<p>Controller shall take into account following factors:</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Link between purposes for which data was collected and the other purpose</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Context in which personal data have been collected</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Nature of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Possible consequences of other purpose</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Existence of appropriate safeguards</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_2ke3ydyw8r1i"></a> 4.9 Processing which does not require identification:</h2>
<p style="text-align: justify; ">This article lays down the conditions under which the controller is exempted from gathering additional data in order to identify a data subject for the purpose of complying with this Regulation. If the controller is able to demonstrate that identification is not possible, the data subject is to be informed if possible.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>11</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Conditions under which the controller is not obliged to maintain process or acquire additional information to identify data subject</p>
</td>
<td>
<p>If purpose for processing doesn't not require identification of data subject by the controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Consequence of not maintaining the data</p>
</td>
<td>
<p>Art 15 to 20 shall not apply provided controller is able to demonstrate its inability to identify the data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Exception to above consequence will apply when :</p>
</td>
<td>
<p>Data subject provides additional information enabling identification</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_35nkun2"></a> 4.10 Rights of the data subject</h2>
<p style="text-align: justify; ">The General Data Protection Rules (GDPR) confers 8 rights upon the data subject.These rights are to be honored by the controller:-</p>
<p style="text-align: justify; ">1. Right to be informed</p>
<p style="text-align: justify; ">2. Right of access</p>
<p style="text-align: justify; ">3. Right to rectification</p>
<p style="text-align: justify; ">4. Right to erasure</p>
<p style="text-align: justify; ">5. Right to restrict processing</p>
<p style="text-align: justify; ">6. Right to data portability</p>
<p style="text-align: justify; ">7. Right to object</p>
<p style="text-align: justify; ">8. Rights in relation to automated decision making and profiling</p>
<h3 style="text-align: justify; "><a name="_4ln2v6w83qoy"></a> 4.10.1 Right to be informed</h3>
<p style="text-align: justify; ">The controller must provide information to the data subject in cases where personal data has not been obtained from the data subject. A number of exemptions have been listed. Additionally, GDPR lays down the time period within which the information has to be provided.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p align="left">Sub Topics in the Section</p>
</td>
<td>
<p align="center">GDPR</p>
</td>
<td>
<p align="center">DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Given in Article</p>
</td>
<td>
<p align="center">14</p>
</td>
<td>
<p>10</p>
</td>
</tr>
<tr>
<td rowspan="5">
<p align="left">Type of information to be provided</p>
</td>
<td>
<p align="left">Identity and contact details of the controller or controller's representative</p>
</td>
<td>
<p align="left">Same</p>
</td>
</tr>
<tr>
<td>
<p align="left">Contact details of the data protection officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Purpose and legal basis for processing</p>
</td>
<td>
<p align="left">Purpose of processing</p>
</td>
</tr>
<tr>
<td>
<p align="left">Recipients or categories of recipients of personal data</p>
</td>
<td>
<p align="left">Same</p>
</td>
</tr>
<tr>
<td>
<p align="left">Intention to transfer data to third country or international organization and Information regarding adequacy decision or suitable safeguards or Binding Corporate Rules or derogations. This includes means to obtain a copy of these as well as information on place of availability.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p align="left">Additional information to be provided by controller to ensure fair and transparent processing</p>
</td>
<td>
<p align="left">Storage period of personal data and criteria for determining the period</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Legitimate interests pursued by controller or third party</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Existence of data subject's rights with regard to access or rectification or erasure of personal data, automated decision making</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Where applicable, existence of right to withdraw consent</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p align="left">Time period within which information is to be provided</p>
</td>
<td>
<p align="left">Information to be given within a reasonable period, latest within one month.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">To be provided latest at the time of first communication to data subject, if personal data are to be used for communication with data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">In case of intended disclosure to another recipient , at the latest when personal data are first disclosed.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">If processing is intended for a new purpose other than original purpose, information to be provided prior to processing on new purpose.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p align="left">Situations in which exceptions are applicable</p>
</td>
<td>
<p align="left">Data subject already has information</p>
</td>
<td>
<p align="left">Same</p>
</td>
</tr>
<tr>
<td>
<p align="left">Provision of information involves disproportionate effort or is impossible or renders impossible or seriously impairs achievement of objective of processing.</p>
<p align="left">This is particularly with respect to processing for archiving purposes in public interest, scientific or historical research or statistical purpose.</p>
<p align="left">However controller must take measures to protect data subject's rights and freedom and legitimate interests including make information public.</p>
</td>
<td>
<p align="left">Provision involves impossible or disproportionate effort, in particular where processing is for historical or scientific research.</p>
<p align="left">However, appropriate safeguards must be provided by Member States.</p>
</td>
</tr>
<tr>
<td>
<p align="left">Obtaining or disclosure is mandatory under Union or member law and it provides protection to data subject's legitimate interests</p>
</td>
<td>
<p align="left">Where law expressly lays down recording or disclosure provided appropriate safeguards are provided by Member States.</p>
<p align="left">This is particularly applicable to processing for scientific or historical research.</p>
</td>
</tr>
<tr>
<td>
<p align="left">Confidentiality of data mandated by professional secrecy under Union or Member State law</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_unesl7gv52zg"></a> 4.10.2 Right to access</h3>
<p style="text-align: justify; ">Both Data Protection Directive (DPD) and General Data Protection Rules (GDPR) confer right to access information regarding personal data on the data subject.</p>
<p style="text-align: justify; ">CJEU in YS V. Minister voor Immigrate Integratie en Asiel stated that it is the data subject's right "to be aware of and verify the lawfulness of the processing".</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR </b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>15</p>
</td>
<td>
<p>12</p>
</td>
</tr>
<tr>
<td rowspan="9">
<p>Data subject has the right to know about:</p>
</td>
<td>
<p>Purpose of processing</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Categories of processing the data</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Recipients or categories to whom data are disclosed</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Retention period of the data and criteria for this</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Existence of right to request erasure, rectification or restriction of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Right to lodge complaint with supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Knowledge about source of data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>To know about any significant and envisaged consequences of processing for the data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Existence of automated decision making and logic involved</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>In case of data transfer to third country</p>
</td>
<td>
<p>Right to be informed about the safeguards</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller's obligation</p>
</td>
<td>
<p>To provide a copy of data undergoing processing. Reasonable fee based on administrative costs can be charged for this.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_d0woi8tt0i24"></a> 4.10.3 Right to rectification</h3>
<p style="text-align: justify; ">GDPR and DPD both give the data subject the right to rectify their personal data. Under the GDPR the data subject can complete the incomplete data by giving a supplementary statement.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>16</p>
</td>
<td>
<p>12(b)</p>
</td>
</tr>
<tr>
<td rowspan="2">
<p>Right can be exercised when:</p>
</td>
<td></td>
<td>
<p>Processing does not comply with the Directive i.e. damage is caused due to unlawful processing (Recital 55)</p>
<p>OR</p>
</td>
</tr>
<tr>
<td>
<p>When data is incomplete</p>
</td>
<td>
<p>When data is incomplete or inaccurate</p>
</td>
</tr>
<tr>
<td>
<p>Obligations of controller</p>
</td>
<td>
<p>To enforce the right without undue delay</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Obligation of controller to give notification when data is disclosed to third party</p>
</td>
<td>
<p>Given under Art 19</p>
<p>Request of erasure of personal data to be communicated to each recipient of such data</p>
</td>
<td>
<p>Given under Article 12(c)</p>
<p>Request must be communicated to third parties</p>
</td>
</tr>
<tr>
<td>
<p>It should not involve an impossible or disproportionate effort</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_2jxsxqh"></a> 4.10.4 Right to erasure</h3>
<p style="text-align: justify; ">This is also referred to as the "right to be forgotten". It empowers the individual to erase personal data under certain circumstances. The data subject can request the controller to remove the data for attaining this purpose.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>17</p>
</td>
<td>
<p>12(b)</p>
</td>
</tr>
<tr>
<td>
<p>Obligation of the controller</p>
</td>
<td>
<p>To erase the data without undue delay</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="8">
<p>Conditions under which the right can be exercised</p>
</td>
<td></td>
<td>
<p>When processing does not comply with the Directive i.e. damage is caused due to unlawful processing (Recital 55)</p>
<p>OR</p>
<p>When data is incomplete or inaccurate</p>
</td>
</tr>
<tr>
<td>
<p>Personal data is no longer necessary for the purpose for which it was collected or processed</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data Subject withdraws consent for processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data subject objects to processing and there are no overriding legitimate grounds for processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data subject objects to processing for direct marketing purpose</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Personal data has been unlawfully processed</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When personal data has to be erased under a legal obligation of Union or member State law</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When personal data has been collected in offer of information society services to a child</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="5">
<p>Condition of processing under which request to erasure shall not be granted</p>
</td>
<td>
<p>For exercising right of freedom of expression and information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing is done under Union or Member State law in public interest or exercise of official authority vested in controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Done for public interest in public health</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>For public interest, scientific or historical research or statistical purpose.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>For establishment, exercise or defense of legal claims.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller's obligations when personal data has been made public</p>
</td>
<td>
<p>Controller to take reasonable steps to inform controllers who are processing the data, of the request of erasure.</p>
<p>All links, copy or replication of personal data to be erased.</p>
<p>Technology available and cost of implementation to be taken into account.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Notification when data is disclosed to third party</p>
</td>
<td>
<p>Given under obligation of controller under Art 19:</p>
<p>Request of erasure of personal data to be communicated to each recipient of such data</p>
</td>
<td>
<p>Given under obligation of controller under 12(c) :</p>
<p>Request must be communicated to third parties</p>
</td>
</tr>
<tr>
<td>
<p>It should not involve an impossible or disproportionate effort</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_z337ya"></a> 4.10.5 Right to restrict processing</h3>
<p style="text-align: justify; ">While DPD provided for "blocking", the GDPR strengthened this right by specifically conferring the " Right to Restrict Processing" upon the data subject. This Article gives data subject the right to restrict processing under certain conditions. Recital 67 explains that these methods could include steps like removing published data from website or temporarily moving the data to another processing system.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>18</p>
</td>
<td>
<p>12(b)</p>
</td>
</tr>
<tr>
<td>
<p>About this right</p>
</td>
<td>
<p>Data subject can restrict processing of data</p>
</td>
<td>
<p>Data subject is allowed to erase, rectify or block processing of personal data.</p>
</td>
</tr>
<tr>
<td rowspan="4">
<p>Conditions under which the right can be exercised</p>
</td>
<td>
<p>When accuracy of personal data is contested</p>
</td>
<td>
<p>Besides accuracy, the DPD also mentions "incomplete nature of data" as grounds for exercising this right.</p>
</td>
</tr>
<tr>
<td>
<p>When processing is unlawful and data subject opposes erasure and requests restriction of data use</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When data is no longer needed by controller but is required by data subject for establishment, exercise or defense of legal claims.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data subject objects to processing and the verification by controller of compelling legitimate grounds for processing is ongoing</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="5">
<p>Consequences of this enforcement of this right</p>
</td>
<td>
<p>Controller can store data but not process it</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing can be done only with the data subject's consent; or</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing can be done for establishment exercise or defense of legal claims; or</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing can be done for protecting rights of another natural or legal person ;or</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>It can be done in public interest of Union or Member State.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligations of controller under Art 18</p>
</td>
<td>
<p>The controller must inform the data subject before the restrictions are lifted.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Obligations of controller under Art 19</p>
</td>
<td>
<p>Inform each recipient of personal data about the restriction.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>This obligation need not be performed if it is impossible to do so or it involved disproportionate effort.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Inform data subject about the recipients when requested by the data subject.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_spxapzomj6tn"></a> 4.10.6 Right to data portability</h3>
<p style="text-align: justify; ">This right empowers the data subject to receive personal data from one controller and transfer it to another. This gives the data subject more control over his or her own data. The controller cannot hinder this right when the following conditions are met.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in article</p>
</td>
<td>
<p>20</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Conditions for data transmission</p>
</td>
<td>
<p>The data must have been provided to the controller by data subject himself; and</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing is based on:</p>
<p>Consent; or</p>
<p>For performance of contract; and is carried out by automated means</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data transfer must be technically feasible</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Format of personal data</p>
</td>
<td>
<p>It should be in a:</p>
<p>Structured</p>
<p>Commonly-used</p>
<p>Machine readable format</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Time and cost for data transfer</p>
</td>
<td>
<p>Given in Art 12(3)</p>
<p>Should be free of charge</p>
<p>Information to be provided within one month. Further extension by two months permissible under certain circumstances.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Circumstance under which this Right cannot be exercised</p>
</td>
<td>
<p>When the exercise of the Right prejudices rights and freedom of another individual</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When processing is necessarily carried out in public interest</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When processing is necessarily done in exercise of official authority vested in controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When this Right adversely affects the "Right to be forgotten"</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_ksj4krgmokmt"></a> 4.10.7 Right to Object</h3>
<p style="text-align: justify; ">Both DPD and GDPR confer upon the data subject the right to object to processing on a number of grounds. The GDPR strengthens this right . Under GDPR, there is a visible shift from the data subject to the controller as far as the burden of showing " compelling legitimate grounds" is concerned. Under the DPD, when processing is undertaken in public interest or in exercise of official authority or in legitimate interests of third party or controller, the data subject not only has to show existence of compelling legitimate grounds but also that objection is justified. On the other hand, GDPR spares the data subject from this exercise and instead places the onus on the controller of demonstrating that "compelling legitimate grounds" exist such that these grounds override the interests, rights and freedom of the data subject.</p>
<p style="text-align: justify; ">GDPR also provides a new ground for objecting to processing. The data subject can object to processing when it is for scientific or historical research or statistical purpose unless such processing is necessary in public interest.</p>
<p style="text-align: justify; ">Under the GDPR the data subject must be informed of this right "clearly and separately" and "at the time of first communication with data subject" when processing is done in public interest/exercise of official authority/legitimate interest of third party or controller or for direct marketing purpose. This right can be exercised by automated means in case of information society service.</p>
<p style="text-align: justify; ">The DPD also provides that the data subject must be informed of this right if the controller anticipates processing for direct marketing or disclosure of data to third party. It specifically states that this right is to be offered "free of charge". Additionally, it places responsibility upon the Member States to ensure that data subjects are aware of this right.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p align="center">Sub-topics in the section</p>
</td>
<td>
<p align="center"><b>GDPR</b></p>
</td>
<td>
<p align="center"><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p align="left">Given in Article</p>
</td>
<td>
<p align="left">21</p>
</td>
<td>
<p align="left">14</p>
</td>
</tr>
<tr>
<td rowspan="4">
<p align="left">Conditions under which the right can be exercised during processing</p>
</td>
<td>
<p align="left">When performance of task is carried out in public interest or in exercise of official authority vested in controller. (Art 6(1)(e))</p>
<p align="left">Exception:</p>
<p>If controller demonstrates processing is for compelling legitimate grounds which override interests of data subject</p>
<p align="left">For establishment, exercise or defense of legal claims.</p>
</td>
<td>
<p align="left">Grounds are same but the data subject also has to show existence of compelling legitimate grounds. Processing will cease if objection is justified.</p>
<p align="left">Exceptions:</p>
<p align="left">Unless provided by national legislation the data subject can object on this ground.</p>
</td>
</tr>
<tr>
<td>
<p align="left">For legitimate interests of controller or third party (Art 6(1)(f))</p>
<p align="left">Exception:</p>
<p>1. If controller demonstrates processing is for compelling legitimate grounds that override interests of data subject.</p>
<p>2. For establishment, exercise or defense of legal claims.</p>
</td>
<td>
<p>Same as above</p>
</td>
</tr>
<tr>
<td>
<p align="left">When data is processed for scientific/historical research/ statistical purpose under Art 89(1)</p>
<p align="left">Exception:</p>
<p align="left">If processing is necessary for public interest</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p align="left">When personal data is used for marketing purpose.</p>
<p align="left">Can object at anytime.</p>
<p align="left">No exceptions</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_1y810tw"></a> 4.10.8 Rights in relation to automated individual decision making including profiling</h3>
<p style="text-align: justify; ">This Article empowers the data subject to challenge automated decisions under certain conditions. This is to protect individuals from decisions taken without human intervention.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR </b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>22</p>
</td>
<td>
<p>15</p>
</td>
</tr>
<tr>
<td>
<p>This right can be exercised when decisions are based:</p>
</td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="2"></td>
<td>
<p>Only on automated processing</p>
<p>Including profiling; and</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Produce legal effects or have similarly significant effects on data subject</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Conditions under which this right will not be guaranteed</p>
</td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="3"></td>
<td>
<p>For entering into or performance of contract;</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>If Member State or Union law authorizes the decision provided it lays down suitable measures for safeguarding data subject's rights, freedoms and legitimate interests; Or</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>When decision is based on data subject's explicit consent.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Controller's obligation</p>
</td>
<td>
<p>Enforce measures to safeguard rights and freedom and interests</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Ensure data subject can obtain human intervention, express his point of view, challenge decisions</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Automated decision making will not apply when:</p>
</td>
<td>
<p>"Special categories of personal data" are to be processed</p>
<p>However, if the data subject gives his explicit consent or such processing serves substantial public interest then the restriction can be waived.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Concerns a child</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_4i7ojhp"></a> 4.11 Security and Accountability</h2>
<h3 style="text-align: justify; "><a name="_2xcytpi"></a> 4.11.1 Data protection by design and default</h3>
<p style="text-align: justify; ">This is another new concept under GDPR. It is a general obligation on the controller to incorporate effective data protection in internal policies and implementation measures. Measures include: minimization of processing, pseudonymisation, transparency while processing, allowing data subjects to monitor data processing etc. The implementation of organizational and technical measures is essential to demonstrate compliance with Regulation.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>25</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="2">
<p>Responsibility of controller when determining means of processing and at the time of processing</p>
</td>
<td>
<p>Implementation of appropriate technical and organizational measures for data protection</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Ensure that by default only personal data necessary for purpose of processing is processed</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Means of demonstrating compliance with this Article</p>
</td>
<td>
<p>Approved certification mechanism may be used.</p>
<p>Data minimization</p>
<p>Transparency etc.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_1ci93xb"></a> 4.11.2 Security of personal data</h3>
<p style="text-align: justify; ">Security of processing is mentioned in the GDPR under Article 32. The controller and processor must implement technical and organizational measures to ensure data security. These may include pseudonymisation, encryption, ensuring confidentiality, restoring availability and access to personal data, regularly testing etc. Compliance with the code may be demonstrated by adherence to Code of conduct and certification mechanism. Further, all processing which is done by a natural person acting under authority of controller or processor can be done only under instructions from the controller.</p>
<h3 style="text-align: justify; "><a name="_tws6vuoa8tch"></a> 4.11.3 Notification of personal data breach</h3>
<p style="text-align: justify; ">This Article provides the procedure for communicating the personal data breach to supervisory authority. If the breach is not likely to result in risk to rights and freedoms of natural persons, then the controller is not required to notify the supervisory authority.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>33</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Responsibility of controller</p>
</td>
<td>
<p>Report personal data breach to supervisory authority after being aware of it</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Time limit for reporting data breach</p>
</td>
<td>
<p>Must be reported no later than 72 hours</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>In case of delay in reporting</p>
</td>
<td>
<p>Reasons to be stated</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Responsibility of processor</p>
</td>
<td>
<p>Notify the controller after being aware of breach</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Description of notification</p>
</td>
<td>
<p>Describe nature of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Name contact details of data protection officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Likely consequences of personal data breach</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Measures to be taken or proposed to be taken by controller to address the breach or mitigate its possible effect</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When information cannot be provided at same time</p>
</td>
<td>
<p>Provide it in phases without further undue delay</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>For verification of compliance</p>
</td>
<td>
<p>Controller has to document any personal data breach. It must contain Facts , effects and remedial action taken</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_2bn6wsx"></a> 4.11.4 Communication of personal data breach to the data subject</h3>
<p style="text-align: justify; ">Not only is the supervisory authority to be notified, but data subjects are also to be informed about personal data breaches without undue delay under certain conditions.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>34</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Conditions under which controller is to communicate the breach to data subject</p>
</td>
<td>
<p>When breach is likely to cause high risk to rights and freedoms of natural persons</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Nature of communication</p>
</td>
<td>
<p>Must be in a clear and plain language.</p>
<p>Must describe the nature of breach.</p>
<p>Must Contain at least:</p>
<p>Name contact details of data protection officer</p>
<p>Likely consequences of personal data breach</p>
<p>Measures to be taken or proposed to be taken by controller to address the breach or mitigate its possible effect</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Condition under which communication will not be required</p>
</td>
<td>
<p>If controller has implemented appropriate technical and organizational measures and these were applied to the affected data.</p>
<p>E.g.: encryption</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Subsequent measures have been taken by controller to ensure there is no high risk</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>If communication involves disproportionate effort.</p>
<p>Public communication or similar measures can be undertaken under such circumstances.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Role of supervisory authority</p>
</td>
<td>
<p>In case of likelihood of high risk, the authority may require the controller to communicate the breach if the controller has not already done so.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_qsh70q"></a> 4.11.5 Data protection impact assessment</h3>
<p style="text-align: justify; ">This is also known as Privacy Impact Assessment. While DPD provides general obligation to notify the processing to supervisory authorities, the GDPR, taking into account the need for more protection of personal data, has replaced the notification process by different set of mechanisms.</p>
<p style="text-align: justify; ">To serve the above purpose, the data protection impact assessment (DPIA) has been provided under this Article.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>35</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>When to carry out assessment</p>
</td>
<td>
<p>When new technology is used; and</p>
<p>Processing is likely to result in high risk to rights and freedoms of natural persons</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Automated processing including profiling involving systematic and extensive evaluation of personal aspects of natural persons;</p>
<p>and</p>
<p>When decisions based on such processing produce legal effects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Large scale processing of special categories of data or personal data relating to criminal convictions and offences</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Large scale systematic monitoring of publicly accessible area</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Type of information contained in assessment</p>
</td>
<td>
<p>Description of processing operations and purpose</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Assessment of necessity and proportionality of processing operations</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Assessment of risks to individuals</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Measures to address risks and demonstration of compliance with Regulation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Sub-topics in the section</p>
</td>
<td>
<p><b>GDPR</b></p>
</td>
<td>
<p><b>DPD</b></p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Topic</p>
</td>
<td>
<p>Prior Consultation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>36</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When should controller consult supervisory authority</p>
</td>
<td>
<p>Prior to processing; and</p>
<p>DPIA indicates high risk; and</p>
<p>In absence of risk mitigation measures by controller</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><b>Data protection officer</b></p>
<p style="text-align: justify; ">GDPR mandates that a person with expert knowledge of data protection law and practice is appointed for helping the controller or processor to comply with the data protections laws. A single data protection officer (DPO) may be appointed by a group of undertakings or where controller or processor is a public authority or body.The DPO must be accessible from each establishment.</p>
<p style="text-align: justify; "><b><span> </span></b></p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>37</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Situations in which DPO must be appointed</p>
</td>
<td>
<p>When processing is carried out by public authority or body.</p>
<p>Note: Courts acting in judicial capacity are excluded.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Core activity involves processing which requires regular and systematic monitoring of data subjects on large scale; or</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Core activity involves processing of large scale special categories of data and criminal convictions and offences</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h4 style="text-align: justify; "><a name="_1pxezwc"></a> Position of Data Protection Officer</h4>
<p style="text-align: justify; ">The DPO must directly report to the highest management level of the controller or processor. Data subjects may contact the DPO in case of problems related to processing and exercise of rights.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>38</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Responsibility of controller and processor</p>
</td>
<td>
<p>Ensure DPO is involved properly and in timely manner</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Provide DPO with support, resources and access to personal data and processing operations</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Not dismiss or penalize DPO for performing his task.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Ensure independence of working and not give instruction to DPO</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h4 style="text-align: justify; "><a name="_ewk2mxb1q2ei"></a> Tasks of Data Protection officer</h4>
<p style="text-align: justify; ">The DPO must be involved in all matters concerning data protection. He is expected to act independently and advice the controllers and processors to facilitate the establishment's compliance with Regulations.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>39</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="5">
<p>Tasks</p>
</td>
<td>
<p>Inform and advise the controller or processor and employees over data protection laws</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Monitor compliance with data protection laws. Includes assigning responsibilities, awareness- raising, staff training and audits</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Advice and monitor performance</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Cooperate with supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Act as point of contact for supervisory authority for processing, prior consultation and consultation on other matter</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_2p2csry"></a> 4.11.6 European Data Protection Board</h3>
<p style="text-align: justify; ">For consistent application of the Regulation, the GDPR envisages a Board that would replace the Working Party on Protection of Individuals With Regard to Processing of Personal Data established under the DPD. This Regulation confers legal personality on the Board.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>68</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Represented by</p>
</td>
<td>
<p>Chair</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Composition of the Board</p>
</td>
<td>
<p>Head of one supervisory authority of each Member State and European Data Protection Supervisor or of their representatives.</p>
<p>Joint representative can be appointed where Member State has more than one supervisory authority.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Role of Commission</p>
</td>
<td>
<p>Right to participate in activities and meetings of the Board without voting rights.</p>
<p>Commission to designate a representative for this.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Functions of the Board</p>
</td>
<td>
<p>Consistent application of Regulation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Advise Commission of level of protection in third countries or international organizations</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Promote cooperation of supervisory authorities</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Board is to act independently</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_147n2zr"></a> 4.11.7 Supervisory Authority</h3>
<p style="text-align: justify; ">GDPR lays down detailed provisions on supervisory authorities, defining their functions, independence, appointment of members, establishment rules, competence, competence of lead supervisory authority, tasks, powers and activity reports. Such elaborate provisions are absent in DPD.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>Chapter VI, Article 51 -59</p>
</td>
<td>
<p>28</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_gdvxc914pgtx"></a></h2>
<h2 style="text-align: justify; "><a name="_3o7alnk"></a> 4.12 Processor</h2>
<p style="text-align: justify; ">The Article spells out the obligations of a processor and conditions under which other processors can be involved.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>28</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>What kind of processors can be used by controller</p>
</td>
<td>
<p>● Those which provide sufficient guarantees to implement appropriate technical and organizational measures</p>
<p>● Those which comply with Regulation and Rights</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligations of processor in case of addition or replacement of processor</p>
</td>
<td>
<p>● Not engage another processor without controller's authorization</p>
<p>● In case of general written authorization inform the controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processing shall be governed by</p>
</td>
<td>
<p>Contract or legal act under Union or Member State law.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Elements of Contract</p>
</td>
<td>
<p>● Is binding on processor</p>
<p>● Sets out subject matter and duration of processing</p>
<p>● Nature of processing</p>
<p>● Type of personal data</p>
<p>● Categories of data subjects</p>
<p>● Obligations and Rights of the controller</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="8">
<p>Obligations of processor under contract or legal act</p>
</td>
<td>
<p>Processor shall process under instructions from controller unless permitted under law itself.</p>
<p>Controller is to be informed in the latter case.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Ensures that persons authorized to process have committed themselves to confidentiality</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Processor to undertake all data security measures (mentioned under Art 32)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Enforces conditions on engaging another processor</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Assists the controller by appropriate technical and organizational measures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Assists controller in compliance with Art 32 to 36</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Delete or return all personal data to controller at the choice of controller at the end of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Make information available to controller for demonstrating compliance with obligations.</p>
<p>Contribute to audits, inspections etc.</p>
<p>Inform the controller if it believes that an instruction infringes the regulation or law.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Conditions under which a processor can engage another processor</p>
</td>
<td>
<p>● Same data protection obligations will be applicable to other processor.</p>
<p>● If other processor fails to fulfill data protection obligations, initial processor shall remain fully liable to controller for such performance.</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_23ckvvd"></a> 4.13 Records of processing activities</h2>
<p style="text-align: justify; ">The controller or processor must maintain records of processing activities to demonstrate compliance with the Regulation. They are obliged to cooperate with and make record available to the supervisory authority upon request. DPD does not contain similar obligations.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>30</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligation of controller or controller's representative</p>
</td>
<td>
<p>Maintain a record of processing activities</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="7">
<p>Information to be contained in the record</p>
</td>
<td>
<p>Name and contact details of:</p>
<p>● Controller /joint controller / controller's representatives</p>
<p>● Data protection officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Purpose of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Categories of data subjects and categories of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Categories of recipients to whom data has been or will be disclosed</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Transfers of personal data to third party, identification of third party, documentation of suitable safeguards</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Expected time duration for erasure of different categories of data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Technical and organizational security measures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligation of processor</p>
</td>
<td>
<p>Maintain a record of processing activities carried out on behalf of controller</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Record maintained by processor shall contain information such as:</p>
</td>
<td>
<p>Name and contact details of:</p>
<p>● Processor /processor's representative</p>
<p>● Controller /controller's representative</p>
<p>● Data protection officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Categories of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data transfer to third party</p>
<p>Identification of third party</p>
<p>Documentation of safeguards</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Technical and organizational security measures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Form in which record is to be maintained</p>
</td>
<td>
<p>In writing and electronic form</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Conditions under which exemption will apply</p>
</td>
<td>
<p>● Organizations employing fewer than 250 employees are exempted;</p>
<p>● Processing should not cause risk to rights and freedoms of data subjects</p>
<p>● Processing should not be occasional</p>
<p>● Processing should not include special categories of data</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_ihv636"></a> 4.14 Code of Conduct</h2>
<p style="text-align: justify; ">These mechanisms have been provided under GDPR to demonstrate compliance with the Regulation. This is important as the GDPR ( under Art 83 ) provides that adherence to code of conduct shall be one of the factors taken into account for calculating administrative fines. This is not an obligatory provision.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>40</p>
</td>
<td>
<p>27</p>
</td>
</tr>
<tr>
<td>
<p>Who will encourage drawing up of code of conduct</p>
</td>
<td>
<p>● Member States</p>
<p>● Supervisory Authorities</p>
<p>● Commission.</p>
<p>Specific needs of micro, small and medium enterprises to be taken into account.</p>
</td>
<td>
<p>● Member States</p>
<p>● Commissions</p>
<p>Does not mention the rest</p>
</td>
</tr>
<tr>
<td>
<p>Who may prepare amend or extend code of conduct</p>
</td>
<td>
<p>Associations and other bodies representing categories of controller or processors</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="12">
<p>Information contained in the code</p>
</td>
<td>
<p>Fair and transparent processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Legitimate interests of controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Collection of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Pseudonymisation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Information to public and data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Exercise of rights of data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Information provided to and protection of children and manner in which consent of holders of parental responsibility is obtained</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Measures under:</p>
<p>● Data protection by design and default</p>
<p>● Controller responsibilities</p>
<p>● Security of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Notification of data breach to authorities and communication of same to data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data transfer to third party</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Dispute resolution procedures between controllers and data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Mechanisms for mandatory monitoring</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Mandatory monitoring</p>
</td>
<td>
<p>Code of conduct containing the above information enables mandatory monitoring of compliance by body accredited by supervisory authority. (Art 41)</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_32hioqz"></a> 4.15 Certification</h2>
<p style="text-align: justify; ">Like the code of conduct, Certification is a voluntary mechanism that demonstrates compliance with the Regulation. Establishment of data protection certification mechanism and data protection seals and marks shall be encouraged by Member States, supervisory authorities, Boards and Commission. As in case of code of conduct, specific needs of micro, small and medium sized enterprise ought to be taken into account. DPD does not mention such mechanisms.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub Topics in the Section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>42</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who will issue the certificate</p>
</td>
<td>
<p>Certification bodies or competent supervisory authority on basis of approved criteria.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Time period during which certification shall be issued</p>
</td>
<td>
<p>Maximum period of three years.</p>
<p>Can be renewed under same conditions.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who accredits certification bodies</p>
</td>
<td>
<p>Competent Supervisory bodies or National accreditation body.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When can accreditation be revoked</p>
</td>
<td>
<p>When conditions of accreditation are not or no longer met.</p>
<p>OR</p>
<p>Where actions taken by certification body infringe this Regulation.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who can revoke</p>
</td>
<td>
<p>Competent supervisory authority or national accreditation body</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_rmo0nrgdb8k6"></a> 4.16 Data Transfer</h2>
<h3 style="text-align: justify; "><a name="_1hmsyys"></a> 4.16.1 Transfers of personal data to third countries or international organizations</h3>
<p style="text-align: justify; ">Chapter V lays down the conditions with which the data controller must comply in order to transfer data for the purpose of processing outside of the EU to third countries or international organizations. The chapter also stipulates conditions that must be complied with for onward transfers from the third country or international organization.</p>
<h3 style="text-align: justify; "><a name="_2grqrue"></a> 4.16.2 Transfer on the basis of an adequacy decision</h3>
<p style="text-align: justify; ">Under GDPR, transfer of data can take place after the <i>Commission decides</i> whether the third country, territory, specified sector within that third country or international organization ensures adequate level of data protection. This is called adequacy decision. A list of countries or international organizations which ensure adequate data protection shall be published in the Official Journal of the European Union and on the website by the Commission. Once data transfer conditions are found to be compliant with the Regulation, no specific authorization would be required for data transfer from the supervisory authorities. The commission would decide this by means of an "Implementing Act" specifying a mechanism for periodic review, its territorial and sectoral application and identification of supervisory authorities. Decisions of Commission taken under Art 25(6) of DPD shall remain in force. DPD also provides parameters for the same.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in article</p>
</td>
<td>
<p>45</p>
</td>
<td>
<p>25</p>
</td>
</tr>
<tr>
<td>
<p>Conditions apply when transfers take place to</p>
</td>
<td>
<p>Third country or international organization</p>
</td>
<td>
<p>International organization not mentioned.</p>
</td>
</tr>
<tr>
<td rowspan="5">
<p>Functions of the commission</p>
</td>
<td>
<p>Take adequacy decisions</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Review the decision periodically every four years</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Monitor developments on ongoing basis</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Repeal, amend or suspend decision</p>
</td>
<td></td>
</tr>
<tr>
<td></td>
<td>
<p>Inform Member States if third country doesn't ensure adequate level of protection.</p>
<p>Similarly, member state has to inform the Commission.</p>
</td>
</tr>
<tr>
<td rowspan="3">
<p>Functions of Member State</p>
</td>
<td></td>
<td>
<p>Inform Commission if third country doesn't ensure adequate level of protection.</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>Take measures to comply with Commission's decisions</p>
</td>
</tr>
<tr>
<td></td>
<td>
<p>Prevent data transfer if Commission finds absence of adequate level of protection.</p>
</td>
</tr>
<tr>
<td rowspan="3">
<p>Factors, with respect to third country or international organization, to be considered while deciding adequacy of safeguards</p>
</td>
<td>
<p>Rule of law,</p>
<p>human rights, fundamental freedoms, access of public authorities to personal data,</p>
<p>data protection rules, rules for onward transfer of personal data to third country or international organization etc.</p>
</td>
<td>
<p>Circumstances surrounding data transfer operations: nature of data; purpose and duration of processing operation; rule of law, professional rules and security measures in third country; country of origin and final destination; professional rules and security measures;</p>
</td>
</tr>
<tr>
<td>
<p>Functioning of independent supervisory authorities, their powers of enforcing compliance with data protection rules and powers to assist and advise data subject to exercise their rights.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>International commitments entered into.</p>
<p>Obligations under legally binding conventions.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td rowspan="2">
<p>When adequate level of protection no longer ensues</p>
</td>
<td>
<p>The Commission, to the extent necessary: repeal, amend or suspend the decision.</p>
<p>This is to be done by the means of an implementing act.</p>
<p>No retroactive effect to take place</p>
</td>
<td>
<p>The member state will have to suspend data transfer if Commission finds absence of adequate level of protection.</p>
</td>
</tr>
<tr>
<td>
<p>Commission to enter into consultation with the third country or international organization to remedy the situation</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_vx1227"></a> 4.16.3 Transfers subject to appropriate safeguards</h3>
<p style="text-align: justify; ">This article provides for a situation when the Commission takes no decision. (Mentioned above under <b>Transfer on the basis of an adequacy decision</b>). In this case, the controller or processor can transfer data to third country or international organization subject to certain conditions. Specific authorization from supervisory authorities is not required in this context. Procedure for the same has been mentioned.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in article</p>
</td>
<td>
<p>46</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When can data transfer take place</p>
</td>
<td>
<p>When <i>appropriate safeguards</i> are provided by the controller or processor;</p>
<p>AND</p>
<p>On condition that data subject enjoys enforceable rights and effective legal remedies for data safety.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="5">
<p>Conditions to be fulfilled for providing <i>appropriate safeguards</i> without specific authorization from supervisory authority</p>
</td>
<td>
<p>Existence of legally binding and enforceable instrument between public bodies or authorities</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Existence of Binding Corporate Rules</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Adoption of Standard Protection Clauses adopted by the Commission</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Adoption of Standard data protection clauses by supervisory authorities and approved by Commission.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Approved code of conduct along with binding and enforceable commitments of controller or processor in third country to apply appropriate safeguards and data subject's rights</p>
<p>OR</p>
<p>Approved certification mechanism along with binding and enforceable commitments of controller or processor in third country to apply appropriate safeguards and data subject's rights.</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Conditions to be fulfilled for providing appropriate safeguards subject to authorization from competent authority</p>
</td>
<td>
<p>Existence of contractual clauses between:</p>
<p>Controller or Processor and</p>
<p>Controller, Processor or recipient of personal data (third party)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Provisions inserted in administrative arrangements between public authorities or bodies. Provisions to contain enforceable and effective data subject rights.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Consistency mechanism to be applied by supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Unless amended, replaced or repealed, authorization to transfer given under DPD will remain valid when:</p>
</td>
<td>
<p>Third country doesn't ensure adequate level of protection but controller adduces adequate safeguards;</p>
<p>or</p>
<p>Commission decides that standard contractual clauses offer sufficient safeguards</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_3fwokq0"></a> 4.16.4 Binding Corporate Rules</h3>
<p style="text-align: justify; ">These are agreements that govern transfers between organizations within a corporate group</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>47</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="3">
<p>Elements of Binding Corporate Rules</p>
</td>
<td>
<p>Legally binding</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Apply to and are enforced by every member of group of undertakings or group of enterprises engaged in joint economic activity. Includes employees</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Expressly confer enforceable rights on data subject over processing of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="12">
<p>What do they specify</p>
</td>
<td>
<p>Structure and contact details of group of undertakings</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data transfers or set of transfers including categories of personal data , type of processing, type of data subjects affected, identification of third countries</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Legally binding nature</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Application of general data protection principles</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Rights of data subjects</p>
<p>Means to exercise those right</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>How the information on BCR is provided to data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Tasks of data protection officer etc.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Complaint procedure</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Mechanisms within the group of undertakings, group of enterprises for ensuring verification of compliance with BCR.</p>
<p>Eg. Data protection audits</p>
<p>Results of verification to be available to person in charge of monitoring compliance with BCR and to board of undertaking or Group of enterprises.</p>
<p>Should be available upon request to competent supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Mechanism for reporting and recording changes to rules and reporting changes to supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Cooperation mechanism with supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data protection training to personnel having access to personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Role of Commission</p>
</td>
<td>
<p>May specify format and procedures for exchange of information between controllers, processors and supervisory authorities for BCR</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_ior7p9ed8ake"></a> 4.16.5 Transfers or disclosures not authorized by Union law</h3>
<p style="text-align: justify; ">This Article lays down enforceability of decisions given by judicial and administrative authorities in third countries with regard to transfer or disclosure of personal data.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>48</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Article concerns</p>
</td>
<td>
<p>Transfer of personal data under judgments of courts, tribunals, decision of administrative authorities in third countries.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When can data be transferred or disclosed</p>
</td>
<td>
<p>International agreement between requesting third country and member state or union.</p>
<p>E.g.: mutual legal assistance treaty</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><b> </b></p>
<h3 style="text-align: justify; "><a name="_4f1mdlm"></a> 4.16.6 Derogations for specific situations</h3>
<p style="text-align: justify; ">This Article comes into play in the absence of adequacy decision or appropriate safeguards or of binding corporate rules. Conditions for data transfer to a third country or international organization under such situations have been laid down.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>49</p>
</td>
<td>
<p>26</p>
</td>
</tr>
<tr>
<td rowspan="6">
<p>Conditions under which data transfer can take place</p>
</td>
<td>
<p>On obtaining Explicit consent of data subject after being informed of possible risks</p>
</td>
<td>
<p>On obtaining unambiguous consent of data subject to the proposed transfer</p>
</td>
</tr>
<tr>
<td>
<p>Transfer is necessary for conclusion or performance of contract.</p>
<p>The contract should be in the interest of data subject.</p>
<p>The contract is between the controller and another natural or legal person.</p>
</td>
<td>
<p>Contractual conditions are same.</p>
<p>DPD also includes implementation of pre contractual measures taken upon data subject's request.</p>
</td>
</tr>
<tr>
<td>
<p>Transfer is necessary in public interest</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Is necessary for establishment, exercise or defense of legal claims</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>To protect vital interest of data subject or of other persons where data subject is physically or legally incapable of giving consent</p>
</td>
<td>
<p>Includes vital interest of data subject but doesn't include "other person". Condition for consent is also not included.</p>
</td>
</tr>
<tr>
<td>
<p>Transfer made from register under Union or Member State law to provide information to public and is open to consultation by public or person demonstrating legitimate interest.</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td rowspan="8">
<p>Conditions for transfer when even the above specific situations are not applicable</p>
</td>
<td>
<p>Transfer is not repetitive</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Concerns limited number of data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Necessary for compelling legitimate interests pursued by controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Legitimate interests are not overridden by interests or rights and freedoms of data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller has provided suitable safeguards after assessing all circumstances surrounding data transfer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller to inform supervisory authority about the transfer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Controller to inform data subject of transfer and compelling legitimate interests pursued</p>
</td>
<td></td>
</tr>
<tr>
<td></td>
<td>
<p>Member may authorize transfer personal data to third country where controller adduces adequate safeguards for protection of privacy and fundamental rights and freedoms of individuals</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_2u6wntf"></a> 4.17 International cooperation for protection of personal data</h2>
<p style="text-align: justify; ">This Article lays down certain steps to be taken by Commissions and supervisory authorities for protection of personal data.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>50</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="4">
<p>Steps will include</p>
</td>
<td>
<p>Development of international cooperation mechanisms to facilitate enforcement of legislation for protection of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Provide international mutual assistance in enforcement of legislation for protection of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Engage relevant stakeholders for furthering international cooperation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Promote exchange and documentation of personal data protection legislation and practice</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_pn5fviodvkzf"></a> 4.18 Remedies, Liability and Compensation</h2>
<h3 style="text-align: justify; "><a name="_3tbugp1"></a> 4.18.1 Right to lodge complaint with a supervisory authority</h3>
<p style="text-align: justify; ">This article gives the data subject the right to seek remedy against unlawful processing of data. GDPR strengthens this right as compared to the one provided under DPD.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>77</p>
</td>
<td>
<p>28(4)</p>
</td>
</tr>
<tr>
<td>
<p>Right given</p>
</td>
<td>
<p>Right to lodge complaint</p>
</td>
<td>
<p>Under GDPR the data subject has been conferred the "right" specifically. This is not so in DPD.</p>
<p>DPD merely obliges the supervisory authority to hear claims concerning rights and freedoms.</p>
</td>
</tr>
<tr>
<td>
<p>Who can lodge complaint</p>
</td>
<td>
<p>Data subject</p>
</td>
<td>
<p>Any person or association representing that person</p>
</td>
</tr>
<tr>
<td>
<p>Complaint to be lodged before</p>
</td>
<td>
<p>Supervisory authority in the Member State of habitual residence, place of work or place of infringement</p>
</td>
<td>
<p>Supervisory authority</p>
</td>
</tr>
<tr>
<td>
<p>When can the complaint be lodged</p>
</td>
<td>
<p>When processing of personal data relating to data subject allegedly infringes on Regulation</p>
</td>
<td>
<p>When rights and freedom are to be protected while processing.</p>
<p>When national legislative measures to restrict scope of Regulations is adopted and processing is alleged to be unlawful.</p>
</td>
</tr>
<tr>
<td>
<p>Accountability</p>
</td>
<td>
<p>Complainant to be informed by Supervisory authority on progress and outcome of complaint and judicial remedy to be taken up</p>
</td>
<td>
<p>Complainant to be informed on outcome of claim or if check on unlawfulness has taken place</p>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_28h4qwu"></a> 4.18.2 Right to an effective judicial remedy against supervisory authority</h3>
<p style="text-align: justify; ">The concerned Article seeks to make supervisory authorities accountable by bringing proceedings against the authority before the courts. GDPR gives a specific right to the individual. DPD under Article 28(3) merely provides for appeal against decisions of supervisory authority in the courts.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>78 (1)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who has the right</p>
</td>
<td>
<p>Every natural or legal person</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When can the right be exercised</p>
</td>
<td>
<p>Against legally binding decision of supervisory authorities concerning the complainant</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>78(2)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who has the right</p>
</td>
<td>
<p>Data subject</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When can the right be exercised</p>
</td>
<td>
<p>When the competent supervisory authority doesn't handle the complaint</p>
<p>Or</p>
<p>Doesn't inform data subject about progress / outcome of complaint within 3 months</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The jurisdiction of court will extend to the territory of the Member State in which the supervisory authority is established (GDPR Art 78(3)). The supervisory authority is required to forward proceedings to the court if the decision was preceded by the Board's decision in the consistency mechanism. (GDPR 78(4))</p>
<h3 style="text-align: justify; "><a name="_nmf14n"></a> 4.18.3 Right to effective judicial remedy against a controller or processor</h3>
<p style="text-align: justify; ">The data subject has been conferred with the right to approach the courts under certain circumstance. The GDPR confers the specific right while DPD provides for judicial remedy without using the word "right".</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in</p>
</td>
<td>
<p>Art 79</p>
</td>
<td>
<p>Recital 55</p>
</td>
</tr>
<tr>
<td>
<p>Right can be exercised when:</p>
</td>
<td>
<p>1. Data has been processed; and</p>
<p>2. Processing Results in infringement of rights; and</p>
<p>3. Infringement is due to non compliance of Regulation</p>
</td>
<td>
<p>Similar provisions provided under DPD:</p>
<p>When controller fails to respect the rights of data subjects and national legislation provides a judicial remedy.</p>
<p>Processors are not mentioned.</p>
</td>
</tr>
<tr>
<td>
<p>Jurisdiction of the courts</p>
</td>
<td>
<p>Proceedings can be brought before the courts of Member States wherein:</p>
<p>1. Controller or processor has an establishment</p>
<p>Or</p>
<p>2. Data Subject has habitual residence</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Right cannot be exercised when</p>
</td>
<td>
<p>1. The controller or processor is a public authority of Member State</p>
<p>And</p>
<p>2. Is exercising its public powers</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h3 style="text-align: justify; "><a name="_37m2jsg"></a> 4.18.4 Right to compensation and liability</h3>
<p style="text-align: justify; ">GDPR enables a person who has suffered damages to claim compensation as a specific right. DPD merely entitles the person to receive compensation. Although Liability provisions under GDPR and DPD are similar, the liability under GDPR is stricter as compared to DPD. This is because DPD exempts the processor from liability but GDPR does not. For example, DPD imposes liability on controllers only.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>82</p>
</td>
<td>
<p>23</p>
</td>
</tr>
<tr>
<td>
<p>Who can claim compensation</p>
</td>
<td>
<p>Any person who has</p>
<p>suffered material or non material damage</p>
</td>
<td>
<p>Similar provisions.</p>
<p>But DPD doesn't mention "material or non-material damage" specifically.</p>
</td>
</tr>
<tr>
<td>
<p>Right arises due to</p>
</td>
<td>
<p>Infringement of Regulation</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Right granted</p>
</td>
<td>
<p>Right to receive compensation</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Compensation has to be given by</p>
</td>
<td>
<p>Controller or processor</p>
</td>
<td>
<p>Compensation can be claimed only from controller</p>
</td>
</tr>
<tr>
<td>
<p>Liability of controller arises when</p>
</td>
<td>
<p>Damage is caused by processing due to infringement of regulation</p>
</td>
<td>
<p>Same</p>
</td>
</tr>
<tr>
<td>
<p>Liability of processor arises when</p>
</td>
<td>
<p>1. Processor has not complied with directions given to it under Regulation</p>
<p>OR</p>
<p>2. Processor has acted outside or contrary to lawful instructions of controller</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Exemptions to controller or processor from liability</p>
</td>
<td>
<p>If there is proof that they are not responsible</p>
</td>
<td>
<p>Exemption for controller is same</p>
</td>
</tr>
<tr>
<td>
<p>Liability when more than one controller or processor cause damage</p>
</td>
<td>
<p>Each controller or processor to be held liable for entire damage</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_1mrcu09"></a> 4.19 General conditions for imposing administrative fines</h2>
<p style="text-align: justify; ">GDPR makes provision for imposition of <i>administrative fines </i>by supervisory authorities in case of infringement of Regulation. Such fines should be effective, proportionate and dissuasive. In case of minor infringement, "reprimand may be issued instead of a fine" <a href="#_ftn1" name="_ftnref1"><sup><sup>[1]</sup></sup></a>. Means of enforcing accountability of supervisory authority have been provided. If Member state law does not provide for administrative fines, then the fine can be initiated by the supervisory authority and imposed by courts. However, by 25 May 2018, Member States have to adopt laws that comply with this Article.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>83</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who can impose fines</p>
</td>
<td>
<p>Supervisory Authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Fines to be issued against</p>
</td>
<td>
<p>Controllers or Processors</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="11">
<p>Parameters to be taken into account while determining administrative fines</p>
</td>
<td>
<p>Nature, gravity and duration of infringement</p>
<p>and</p>
<p>Nature scope or purpose of processing</p>
<p>and</p>
<p>Number of data subjects affected</p>
<p>and</p>
<p>Level of damage suffered</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Intentional or negligent character of infringement</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Action taken by controller or processor to mitigate damage suffered by data subjects</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Degree of responsibility of con controller or processor. Technical and organizational measures implemented to be taken into account.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Relevant previous infringement</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Degree of cooperation with supervisory authority</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Categories of personal data affected</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Manner in which supervisory authorities came to know of the infringement and</p>
<p>Extent to which the controller or processor notified the infringement</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether corrective orders of supervisory authority under Art 58(2) have been issue before and complied with</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Adherence to approved code of conduct under Art 40 or approved certification mechanisms under Art 42</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Other aggravating or mitigating factors like financial benefits gained losses avoided etc.</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>If infringement is intentional or due to negligence of processor or controller</p>
</td>
<td>
<p>Total amount of administrative fine to not exceed amount specified for gravest infringement</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Means checking power of supervisory authority to impose fines</p>
</td>
<td>
<p>Procedural safeguards under Member State or Union law.</p>
<p>Including judicial remedy and due process</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Article 83 splits the amount of administrative fines according to obligations infringed by controllers, processors or undertakings. The first set of infringements may lead to imposition of fines up to 10,000,000 EUR or 2% of total worldwide turnover.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>83(4)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Fine imposed</p>
</td>
<td>
<p>Up to 10,000,000 EUR</p>
<p>or</p>
<p>in case of undertaking,</p>
<p>2% of total worldwide turnover of preceding financial year, whichever is higher</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="8">
<p>Infringement of these provisions will cause imposition of fine (Provisions infringed)</p>
</td>
<td>
<p>Obligations of controller and processor under:</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 8</p>
<p>Conditions applicable to child's consent in relation to information society services</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 11</p>
<p>Processing which does not require identification</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 25 to 39</p>
<p>General obligations , Security of personal data , Data Protection impact assessment and prior consultation</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 42</p>
<p>Certification</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 43</p>
<p>Certification bodies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligations of certification body under:</p>
<p>Art 42</p>
<p>Art 43</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligations of monitoring body under:</p>
<p>Art 41(4)</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Second set of infringements may cause the authority to impose higher fines up to 20,000,000 EUR or 4% of total worldwide turnover.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Article</p>
</td>
<td>
<p>83(5)</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Fine imposed</p>
</td>
<td>
<p>Up to 20,000,000 EUR</p>
<p>or</p>
<p>in case of undertaking,</p>
<p>4% of total worldwide turnover of preceding financial year, whichever is higher</p>
</td>
<td></td>
</tr>
<tr>
<td rowspan="12">
<p>Infringement of provisions that will cause imposition of fine (Provisions infringed)</p>
</td>
<td>
<p>Basic principles for processing and conditions for consent under:</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 5</p>
<p>Principles relating to processing of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 6</p>
<p>Lawfulness of processing</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 7</p>
<p>Conditions for consent</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Art 9</p>
<p>Processing of special categories of personal data</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Data subject's rights under:</p>
<p>Art 12 to 22</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Transfer of personal data to third country or international organization under:</p>
<p>Art 44 to 49</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Obligations under Member State law adopted under Chapter IX</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Non Compliance with supervisory authority's powers under provisions of Art 58:</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Imposition of temporary or definitive limitation including ban on processing</p>
<p>(Art 58 (2)(f))</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Suspension of data flows to third countries or international organization</p>
<p>(Art 58(2) (j))</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Provide access to premises or data processing equipment and means (Art 58 (1) (f))</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_46r0co2"></a> 4.20 Penalties</h2>
<p style="text-align: justify; ">Article 84 makes provision for penalties in case of infringement of Regulation.</p>
<p style="text-align: justify; ">The penalties must be effective, proportionate and dissuasive.</p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p>Sub-topics in this section</p>
</td>
<td>
<p>GDPR</p>
</td>
<td>
<p>DPD</p>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>
<p>Given in Article</p>
</td>
<td>
<p>84</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>When will penalty be imposed</p>
</td>
<td>
<p>In case of infringements that are not subject to administrative fines</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Who imposes them</p>
</td>
<td>
<p>Member State</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Responsibility of Member State</p>
</td>
<td>
<p>To lay down the law and ensure implementation.</p>
<p>To notify to the Commission, the law adopted, by 25 May 2018</p>
</td>
<td></td>
</tr>
</tbody>
</table>
<div style="text-align: justify; "><br clear="all" />
<hr />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1"> <sup><sup>[1]</sup></sup> </a> Recital 148 , GDPR</p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive'>https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive</a>
</p>
No publisherAditi Chaturvedi and Edited by Leilah ElmokademInternet GovernanceData ProtectionPrivacy2017-02-07T14:08:35ZBlog Entry Comments to the Personal Data Protection Bill 2019
https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019
<b>The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019. </b>
<p> </p>
<h4>Please view our general comments below, or download as PDF <a href="https://cis-india.org/accessibility/blog/cis-general-comments-to-the-pdp-bill-2019" class="internal-link" title="CIS' General Comments to the PDP Bill 2019">here</a>.</h4>
<h4>Our comments and recommendations can be downloaded as PDF <a href="https://cis-india.org/accessibility/blog/cis-comments-pdp-bill-2019" class="internal-link" title="CIS Comments PDP Bill 2019">here</a>.</h4>
<h4>We have also prepared an annotated version of the Bill, where our detailed comments and recommendations can be viewed alongside the Bill, available as PDF <a href="https://cis-india.org/accessibility/blog/annotated-ver-pdp-bill-2019" class="internal-link" title="Annotated ver PDP Bill 2019">here</a>.</h4>
<hr />
<h2>General Comments</h2>
<h3>1. Executive notification cannot abrogate fundamental rights <br /></h3>
<p>In 2017, the Supreme Court in K.S. Puttaswamy v Union of India [1] held the right to privacy to be a fundamental right. While this right is subject to reasonable restrictions, the restrictions have to meet a three fold requirement, namely (i) existence of a law; (ii) legitimate state aim; (iii) proportionality.Under the 2018 Bill, the exemption to government agencies for processing of personal data from the provisions of the Bill in the ‘interest of the security of the State’ [2] was subject to a law being passed by Parliament. However, under Clause 35 of the present Bill, the Central Government is merely required to pass a written order exempting the government agency from the provisions of the Bill.Any restriction on the right to privacy will have to comply with the conditions prescribed in Puttaswamy I. An executive order issued by the central government authorising any agency of the government to process personal data does not satisfy the first requirement laid down by the Supreme Court in Puttaswamy I — as it is not a law passed by Parliament. The Supreme Court while deciding upon the validity of Aadhar in K.S. Puttaswamy v Union of India [3] noted that “an executive notification does not satisfy the requirement of a valid law contemplated under Puttaswamy. A valid law in this case would mean a law passed by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right cannot be sustained by an executive notification.”</p>
<p> </p>
<h3>2. Exemptions under Clause 35 do not comply with the legitimacy and proportionality test</h3>
<p>The lead judgement in Puttaswamy I while formulating the three fold test held that the restraint on privacy emanate from the procedural and content based mandate of Article 21 [4]. The Supreme Court in Maneka Gandhi v Union India [5] had clearly established that “mere prescription of some kind of procedure cannot ever meet the mandate of Article 21. The procedure prescribed by law has to be fair, just and reasonable, not fanciful, oppressive and arbitrary” [6]. The existence of a law is the first requirement; the second requirement is that of ‘legitimate state aim’. As per the lead judgement this requirement ensures that “the nature and content of the law which imposes the restriction falls within the zone of reasonableness mandated by Article 14, which is a guarantee against arbitrary state action” [7]. It is established that for a provision which confers upon the executive or administrative authority discretionary powers to be regarded as non-arbitrary, the provision should lay down clear and specific guidelines for the executive to exercise the power [8]. The third test to be complied with is that the restriction should be ‘proportionate,’ i.e. the means that are adopted by the legislature are proportional to the object and needs sought to be fulfilled by the law. The Supreme Court in Modern Dental College & Research Centre v State of Madhya Pradesh [9] specified the components of proportionality standards —</p>
<ol><li>A measure restricting a right must have a legitimate goal;</li>
<li>It must be a suitable means of furthering this goal;</li>
<li>There must not be any less restrictive, but equally effective alternative; and</li>
<li>The measure must not have any disproportionate impact on the right holder</li></ol>
<p>Clause 35 provides extensive grounds for the Central Government to exempt any agency from the requirements of the bill but does not specify the procedure to be followed by the agency while processing personal data under this provision. It merely states that the ‘procedure, safeguards and oversight mechanism to be followed’ will be prescribed in the rules.The wide powers conferred on the central government without clearly specifying the procedure may be contrary to the three fold test laid down in Puttaswamy I, as it is difficult to ascertain whether a legitimate or proportionate objective is being fulfilled [10].</p>
<p> </p>
<h3>3. Limited powers of Data Protection Authority in comparison with the Central Government</h3>
<p>In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example:</p>
<ol><li>In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so.</li>
<li>Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.</li></ol>
<p>In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate and resources. The political nature of the personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Authority are independent of the Executive.</p>
<p> </p>
<h3>4. No clarity on data sandbox</h3>
<p>The Bill contemplates a sandbox for “ innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” A Data Sandbox is a non-operational environment where the analyst can model and manipulate data inside the data management system. Data sandboxes have been envisioned as a secure area where only a copy of the company’s or participant companies’ data is located [11]. In essence, it refers to the scalable and creation platform which can be used to explore an enterprise’s information sets. On the other hand, regulatory sandboxes are controlled environments where firms can introduce innovations to a limited customer base within a relaxed regulatory framework, after which they may be allowed entry into the larger market after meeting certain conditions. This purportedly encourages innovation through the lowering of entry barriers by protecting newer entrants from unnecessary and burdensome regulation. Regulatory sandboxes can be interpreted as a form of responsive regulation by governments that seek to encourage innovation – they allow selected companies to experiment with solutions within an environment that is relatively free of most of the cumbersome regulations that they would ordinarily be subject to, while still subject to some appropriate safeguards and regulatory requirements. Sandboxes are regulatory tools which may be used to permit companies to innovate in the absence of heavy regulatory burdens. However, these ordinarily refer to burdens related to high barriers to entry (such as capital requirements for financial and banking companies), or regulatory costs. In this Bill, however, the relaxing of data protection provisions for data fiduciaries would lead to restrictions of the privacy of individuals. Limitations to a fundamental rights on grounds of ‘fostering innovation’ is not a constitutional tenable position, and contradict the primary objectives of a data protection law.</p>
<p> </p>
<h3>5. The primacy of ‘harm’ in the Bill ought to be reconsidered</h3>
<p>While a harms based approach is necessary for data protection frameworks, such approaches should be restricted to the positive obligations, penal provisions and responsive regulation of the Authority. The Bill does not provide any guidance on either the interpretation of the term ‘harm,’ [12] or on the various activities covered within the definition of the term. Terms such as ‘loss of reputation or humiliation’ ‘any discriminatory treatment’ are a subjective standard and are open to varied interpretations. This ambiguity in the definition will make it difficult for the data principal to demonstrate harm and for the DPA to take necessary action as several provisions are based upon harm being caused or likely to be caused.Some of the significant provisions where ‘harm’ is a precondition for the provision to come into effect are —</p>
<ol><li>Clause 25: Data Fiduciary is required to notify the Authority about the breach of personal data processed by the data fiduciary, if such breach is likely to cause harm to any data principal. The Authority after taking into account the severity of the harm that may be caused to the data principal will determine whether the data principal should be notified about the breach.</li>
<li>Clause 32 (2): A data principal can file a complaint with the data fiduciary for a contravention of any of the provisions of the Act, which has caused or is likely to cause ‘harm’ to the data principal.</li><li>Clause 64 (1): A data principal who has suffered harm as a result of any violation of the provision of the Act by a data fiduciary, has the right to seek compensation from the data fiduciary.</li></ol>
<p>Clause 16 (5): The guardian data fiduciary is barred from profiling, tracking or undertaking targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.</p>
<p> </p>
<h3>6. Non personal data should be outside the scope of this Bill</h3>
<p>Clause 91 (1) states that the Act does not prevent the Central Government from framing a policy for the digital economy, in so far as such policy does not govern personal data. The Central Government can, in consultation with the Authority, direct any data fiduciary to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence based policies in any manner as may be prescribed.It is concerning that the data protection bill has specifically carved out an exception for the Central Government to frame policies for the digital economy and seems to indicate that the government plans to freely use any and all anonymized and/or non-personal data that rests with any data fiduciary that falls under the ambit of the bill to support the digital economy including for its growth, security, integrity, and prevention of misuse. It is unclear how the government, in practice, will be able to compel organizations to share this data. Further, there is a lack of clarity on the contours of the definition of non-personal data and the Bill does not define the term. It is also unclear whether the Central Government can compel the data fiduciary to transfer/share all forms of non-personal data and the rights and obligations of the data fiduciaries and data principals over such forms of data. Anonymised data refers to data which has ‘ irreversibly’ been converted into a form in which the data principal cannot be identified. However, as several instances have shown ‘ irreversible’ anonymisation is not possible. In the United States, the home addresses of taxi drivers were uncovered and in Australia individual health records were mined from anonymised medical bills [13]. In September 2019, the Ministry of Electronics and Information Technology, constituted an expert committee under the chairmanship of Kris Gopalkrishnan to study various issues relating to non-personal data and to deliberate over a data governance framework for the regulation of such data.The provision should be deleted and the scope of the bill should be limited to protection of personal data and to provide a framework for the protection of individual privacy. Until the report of the expert committee is published, the Central Government should not frame any law/regulation on the access and monetisation of non-personal/ anonymised data nor can they create a blanket provision allowing them to request such data from any data fiduciary that falls within the ambit of the bill. If the government wishes to use data resting with a data fiduciary; it must do so on a case to case basis and under formal and legal agreements with each data fiduciary.</p>
<p> </p>
<h3>7. Steps towards greater decentralisation of power</h3>
<p>We propose the following steps towards greater decentralisation of powers and devolved jurisdiction —</p>
<ol><li>Creation of State Data Protection Authorities: A single centralised body may not be the appropriate form of such a regulator. We propose that on the lines of central and state commissions under the Right to Information Act, 2005, state data protection authorities are set up which are in a position to respond to local complaints and exercise jurisdiction over entities within their territorial jurisdictions.</li>
<li>More involvement of industry bodies and civil society actors: In order to lessen the burden on the data protection authorities it is necessary that there is active engagement with industry bodies, sectoral regulators and civil society bodies engaged in privacy research. Currently, the Bill provides for involvement of industry or trade association, association representing the interests of data principals, sectoral regulator or statutory Authority, or an departments or ministries of the Central or State Government in the formulation of codes of practice. However, it would be useful to also have a more active participation of industry associations and civil society bodies in activities such as promoting awareness among data fiduciaries of their obligations under this Act, promoting measures and undertaking research for innovation in the field of protection of personal data.</li></ol>
<p> </p>
<h3>8. The Authority must be empowered to exercise responsive regulation</h3>
<p>In a country like India, the challenge is to move rapidly from a state of little or no data protection law, and consequently an abysmal state of data privacy practices to a strong data protection regulation and a powerful regulator capable of enabling a state of robust data privacy practices. This requires a system of supportive mechanisms to the stakeholders in the data ecosystem, as well as systemic measures which enable the proactive detection of breaches. Further, keeping in mind the limited regulatory capacity in India, there is a need for the Authority to make use of different kinds of inexpensive and innovative strategies.We recommend the following additional powers for the Authority to be clearly spelt out in the Bill —</p>
<ol><li>Informal Guidance: It would be useful for the Authority to set up a mechanism on the lines of the Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law. Given that this is the first omnibus data protection law in India, and there is very little jurisprudence on the subject from India, it would be extremely useful for regulated entities to get guidance from the regulator.</li>
<li>Power to name and shame: When a DPA makes public the names of organisations that have seriously contravened data protection legislation, this is a practice known as “naming and shaming.” The UK ICO and other DPAs recognise the power of publicity, as evidenced by their willingness to co-operate with the media. The ICO does not simply post monetary penalty notices (MPNs or fines) on its websites for journalists to find, but frequently issues press releases, briefs journalists and uses social media. The ICO’s publicity statement on communicating enforcement activities states that the “ICO aims to get media coverage for enforcement activities.”</li>
<li>Undertakings: The UK ICO has also leveraged the threats of fines into an alternative enforcement mechanism seeking contractual undertakings from data controllers to take certain remedial steps. Undertakings have significant advantages for the regulator. Since an undertaking is a more “co-operative”solution, it is less likely that a data controller will change it. An undertaking is simpler and easier to put in place. Furthermore, the Authority can put an undertaking in place quickly as opposed to legal proceedings which are longer.</li></ol>
<p> </p>
<h3>9. No clear roadmap for the implementation of the Bill</h3>
<p>The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified [14]. It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified.The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within within which the Authority shall be established and specific rules and regulations notified. Considering that 25 provisions have been deferred to rules that have to be framed by the Central Government and a further 19 provisions have been deferred to the regulations to be notified by the Authority the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill.The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017.We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Authority. This is important to give full and effective effect to the right of privacy of the <br />individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries.For offences, we suggest a system of mail boxing where provisions and punishments are enforced in a staggered manner, for a period till the fiduciaries are aligned with the provisions of the Act. The Authority must ensure that data principals and fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment are brought into force. This will allow the data fiduciaries to align their practices with the provisions of this new legislation and the Authority will also have time to define and determine certain provisions that the Bill has left the Authority to define. Additionally enforcing penalties for offences initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders from paying a high price. This will relieve the fear of smaller companies and startups who might fear processing data for the fear of paying penalties for offences.</p>
<p> </p>
<h3>10. Lack of interoperability</h3>
<p>In its current form, a number of the provisions in the Bill will make it difficult for India’s framework to be interoperable with other frameworks globally and in the region. For example, differences between the draft Bill and the GDPR can be found in the grounds for processing, data localization frameworks, the framework for cross border transfers, definitions of sensitive personal data, inclusion of the undefined category of ‘critical data’, and the roles of the authority and the central government.</p>
<p> </p>
<h3>11. Legal Uncertainty</h3>
<p>In its current structure, there are a number of provisions in the Bill that, when implemented, run the risk of creating an environment of legal uncertainty. These include: lack of definition of critical data, lack of clarity in the interpretation of the terms ‘harm’ and ‘significant harm’, ability of the government to define further categories of sensitive personal data, inclusion of requirements for ‘social media intermediaries’, inclusion of ‘non-personal data’, framing of the requirements for data transfers, bar on processing of certain forms of biometric data as defined by the Central Government, the functioning between a consent manager and another data fiduciary, the inclusion of an AI sandbox and the definition of state. To ensure the greatest amount of protection of individual privacy rights and the protection of personal data while also enabling innovation, it is important that any data protection framework is structured and drafted in a way to provide as much legal certainty as possible.</p>
<p> </p>
<h3>Endnotes</h3>
<p>1. (2017) 10 SCC 641 (“Puttaswamy I”).</p>
<p>2. Clause 42(1) of the 2018 Bill states that “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to such interests being achieved.”</p>
<p>3. (2019) 1 SCC 1 (“Puttaswamy II”)</p>
<p>4. Puttaswamy I, supra, para 180.</p>
<p>5. (1978) 1 SCC 248.</p>
<p>6. Ibid para 48.</p>
<p>7. Puttaswamy I supra para 180.</p>
<p>8. State of W.B. v. Anwar Ali Sarkar, 1952 SCR 284; Satwant Singh Sawhney v A.P.O AIR 1967 SC1836.</p>
<p>9. (2016)7 SCC 353.</p>
<p>10. Dvara Research “Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill, 2019 introduced in Lok Sabha on 11 December 2019”, January 2020, https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/ (“Dvara Research”).</p>
<p>11. “A Data Sandbox for Your Company”, Terrific Data, last accessed on January 31, 2019, http://terrificdata.com/2016/12/02/3221/.</p>
<p>12. Clause 3(20) — “harm” includes (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (ii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of service,benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal.</p>
<p>13. Alex Hern “Anonymised data can never be totally anonymous, says study”, July 23, 2019 https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds.</p>
<p>14. Clause 97 of the 2018 Bill states“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6)The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f ) security safeguards under section 31; (g) research purposes under section 45; (h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019'>https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019</a>
</p>
No publisherAmber Sinha, Elonnai Hickok, Pallavi Bedi, Shweta Mohandas, Tanaya RajwadeInternet GovernanceData ProtectionPrivacy2020-02-21T10:13:35ZBlog EntryComments on the Statistical Disclosure Control Report
https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report
<b>This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.
</b>
<p><strong id="docs-internal-guid-a12fe2b3-c746-4c1a-0287-1814414668af"><br /></strong></p>
<h3 style="text-align: justify;" dir="ltr">1. PRELIMINARY</h3>
<p style="text-align: justify;" dir="ltr">This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.</p>
<p style="text-align: justify;" dir="ltr">CIS is thankful for the opportunity to put forth its views.<br class="kix-line-break" />This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<h3 style="text-align: justify;" dir="ltr">2. ABOUT CIS</h3>
<p style="text-align: justify;" dir="ltr">CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.<br class="kix-line-break" /><br /></p>
<p style="text-align: justify;" dir="ltr">CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.</p>
<h3 style="text-align: justify;" dir="ltr">3. Comments</h3>
<h4 style="text-align: justify;" dir="ltr">3.1 General Comments</h4>
<p style="text-align: justify;" dir="ltr">As a non-profit organisation we recognize the importance of the efforts by the Ministry of Statistics and Programme Implementation (MoSPI) to make the data you collect available to the public in open formats with relevant information about reliability of statistical estimates.</p>
<p><span style="text-align: justify;">We at CIS have recently released a report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. We encountered several central and state government departments collecting socioeconomic data from citizens, linking it with Aadhaar and even publishing them in exportable data formats like EXCEL and MS ACCESS Databases. </span><span style="text-align: justify;">While we understand this issue primarily concerns to Unique Identification Authority of India (UIDAI), the lack of standards around information/statistical disclosure are a general threat to transparency in a democracy and privacy of individuals. </span><span style="text-align: justify;">Going through the report we understand the committee is unable to prescribe a standard for other ministries and departments until they try and pilot these standards within Ministry of Statistics and Programme Implementation. This delay in prescribing the standards can be really dangerous in the current circumstances of massive data collection by government departments and linking all the databases with a unique identifier, Aadhaar Number. </span><span style="text-align: justify;">At the same time we understand the importance of data dissemination to be carried out and we recommend the following for improving the standards around data disclosure control.</span></p>
<h4 style="text-align: justify;" dir="ltr">3.2 Integrity of Information and Data</h4>
<p style="text-align: justify;" dir="ltr">We agree with the committee that the error rates need to be kept in mind while designing practices to convert raw data. But we request the process of changes being made be actively measured and documented. In case of errors being computed, guidelines can be made to decrease the possibilities of misinterpretation of errors causing loss of integrity of information. Statistics are important for decision making in governance, errors in computations can be biased towards millions of people. Statistical biases are important to be looked into while converting data from its raw format to make sure there are no damage caused by information.</p>
<h4 style="text-align: justify;" dir="ltr">3.3 Data Security</h4>
<p style="text-align: justify;" dir="ltr">One of the important issues around storage and publication of Aadhaar information is the lack of masking standards. With the availability of data from multiple departments, it is possible to reconstruct identification details by linking data from multiple databases. It is recommended to bring masking standards while personally identifiable micro data is being published. There is an urgent need for departments to also look at auditing access to information and tracking sharing of information. It is recommended the department digitally signs all the information and documents being published or shared by them to keep track of who had accessed the information and verifying the authenticity of information.</p>
<p style="text-align: justify;" dir="ltr">We request the department to define what exactly is “usage for statistical purposes only” and recommend standards to control and restrict usage of information for this purpose. It is important they design frameworks or mechanisms to allow others to report violations around this. This process should be transparent and documented heavily.</p>
<h4 style="text-align: justify;" dir="ltr">3.4 Anonymization of microdata</h4>
<p style="text-align: justify;" dir="ltr">We recommend the data being collected be anonymized at source to evade the possibility of the accidental disclosure of personally identifiable information. While the current anonymization efforts have been helpful, with steady increase in data mining and classification algorithms and practices it is recommended to evolve the standards around this area.</p>
<h4 style="text-align: justify;" dir="ltr">3.5 Data Dissemination</h4>
<p style="text-align: justify;" dir="ltr">Data dissemination is an important aspect for district statistics officers, we recommend they actively communicate their work through monthly newsletters, quarterly workshops to help improve the conversations around statistics and at the same time engage with the users who would benefit from the data.</p>
<p style="text-align: justify;" dir="ltr">We also recommend that data when being published includes metadata of collection, modification, storage and other important information. Also the information needs to be published in open formats which does not require proprietary software to be used to open them. At the same time data should be published in multiple formats like CSV, XLS, PDF,</p>
<p style="text-align: justify;" dir="ltr">The committee also recognizes the need for having data users part of discussions around important decisions and be part of committees. We would like the department to recognize our efforts and consider us for future committee representations.</p>
<p style="text-align: justify;" dir="ltr"> </p>
<p style="text-align: justify;" dir="ltr">Thank you for this opportunity and we look forward to work with you in future.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report'>https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report</a>
</p>
No publisherSrinivs Kodali and Amber SinhaCall for CommentsDigital AccessOpen DataOpen Government DataData ProtectionData GovernanceAadhaarDigitisationInformation SecurityOpennessInternet GovernanceData Management2019-03-13T00:28:44ZBlog EntryComments on the RBI's Consultation Paper on Peer to Peer Lending
https://cis-india.org/raw/comments-on-the-rbi-consultation-paper-on-peer-to-peer-lending
<b>The Reserve Bank of India published a Consultation Paper on Peer to Peer Lending on April 28, 2016, and invited comments from the public. CIS submitted the following response, authored by Elonnai Hickok, Pavishka Mittal, Sumandro Chattapadhyay, Vidushi Marda, and Vipul Kharbanda.</b>
<p> </p>
<h2>1. Preliminary</h2>
<p><strong>1.1.</strong> This submission presents comments and recommendations by the Centre for Internet and Society (<strong>“CIS”</strong>) on the Consultation Paper on Peer to Peer Lending (<strong>“the consultation paper”</strong>) by the Reserve Bank of India (<strong>“RBI”</strong>) <strong>[1]</strong>.</p>
<h2>2. The Centre for Internet and Society</h2>
<p><strong>2.1.</strong> The Centre for Internet and Society, CIS <strong>[2]</strong>, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.</p>
<p><strong>2.2.</strong> This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the concerns of citizens’ and users’ rights in the context of products, services, and transactions facilitated by digital media technologies, the , the principle that regulation should be defined around functions of the acts concerned, and not the technologies of delivery. Our comments are limited to the clauses that most directly have an impact on these concerns.</p>
<h2>3. Response</h2>
<h3>3.1. Whether there is a felt need for regulating peer to peer lending platforms?</h3>
<p><strong>3.1.1.</strong> Peer to peer (<strong>“P2P”</strong>) lenders are platforms serving as marketplaces for the lenders and the borrowers of funds to connect. Their very business model does not render them as a provider of finance, as they aspire to function as pure intermediaries to enable lending and borrowing.</p>
<p><strong>3.1.2.</strong> The Section 45I.(f)(iii) of the RBI Act, 1935 <strong>[3]</strong>, provides RBI the authority to classify any financial institution as a non-banking financial company (<strong>“NBFC”</strong>) “with the previous approval of the Central Government and by notification in the Official Gazette.” Since the P2P lending platforms do not provide any finance themselves, undertake acquisition of financial instruments, deliver financial and/or insurance services, or collect financial resources directly, the only ground for classifying such companies as “financial institutions” <strong>[4]</strong> appears to be their involvement in “managing, conducting or supervising, as foreman, agent or in any other capacity, of chits or kuries as defined in any law which is for the time being in force in any State, or any business, which is similar thereto” <strong>[5]</strong>. P2P lending platforms can be considered to be brokers and thus there are other aspects that merit scrutiny such as antitrust issues, obligations of either party, company activities and the transactional system involved, as we will discuss in this document.</p>
<p><strong>3.1.3.</strong> The consultation paper itself states that the balance sheet of the platform cannot indicate any borrowing / lending activity, which entails that the platform cannot itself provide finance or receive any funds for the provision of loans to others. Platforms are not allowed to determine the interest rates as they are not a party to the transaction. Neither would they be liable in cases of default by the borrower. These rules, standard for P2P platforms in other jurisdictions as well, confirm the assumption that the platform itself is not providing finance and thus, cannot be entrusted with any liability, obligation from the transaction.</p>
<p><strong>3.1.4.</strong> Further, with RBI raising the threshold asset size for an NBFC to be considered systemically important (NBFC-ND-SI) from Rs. 100 Crores to Rs. 500 Crores <strong>[6]</strong>, and Economic Times reporting that one of the biggest Indian P2P lending platform’s enterprise valuation (which can be taken as indicative of its net assets) is Rs 50 Crores <strong>[7]</strong>, we may assume that most P2P lending platforms will have net assets worth less than 500 crore, at least in the near future; although there is a possibility for exponential growth with some companies.</p>
<p><strong>3.1.5.</strong> Given the limited sphere of operation, restricted ability (by design) of these platforms to shape interest rates and other features of financial instruments, and their generally non-systemically-important nature, we would submit that the regulation of such P2P lending platforms are kept to an absolute minimum, so that their economic viability is not undermined, and at the same time the key risks associated with their operations are addressed by RBI.</p>
<h3>3.2. Is the assessment of P2P lending and risks associated with it adequate?</h3>
<p><strong>3.2.1.</strong> CIS observes that the following are the key risks involved with the operations of the P2P lending platforms, and these are being respectively addressed by, or can be addressed by RBI in the following manners.</p>
<ol type="A"><li><strong>Insufficient information about the conditions of lending, leading to defrauding of the borrower:</strong> The borrower may not receive appropriate information about the terms of the loan, and/or the P2P lending platform may not act in a “fair” manner (say, in case of collusion between the P2P lending platform and the lender, or the lending platform and the borrower), which may lead to defrauding and/or economic loss of either party. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Guidelines on Fair Practices Code for NBFCs <strong>[8]</strong>, which extensively addresses concerns related to this type of risks.<br /><br /></li>
<li><strong>Insufficient information about the borrower, or her/his ability to repay the loan, may lead to non-repayment and economic loss of the lender:</strong> If the P2P lending platform allows the lender to offer loans to borrowers without acquiring and/or providing sufficient information to the lender about the borrower’s credit history and/or ability to repay the loan, modes of formulating security for loans, this may heighten the risks of non-repayment of loans. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Master Circular – 'Know Your Customer' (KYC) Guidelines – Anti Money Laundering Standards (AML) - Prevention of Money Laundering Act, 2002 - Obligations of NBFCs <strong>[9]</strong>, which extensively addresses concerns related to this type of risks.<br /><br /></li>
<li><strong>Credit-related information of the lenders and the borrowers collected by P2P lending platforms may not be made available to other financial institutions and that will lead asymmetry in credit information available across various actors in the sector:</strong> Credit information, related to both lending and borrowing practices of entities using the platform concerned, is a key asset of the P2P lending platforms. Lack of sharing of such information with Credit Information Companies, for economic reasons or otherwise, may however, lead to information asymmetry within the financial sector, which will structurally weaken the entire sector (with pieces of credit information being distributed across actors and not being shared internally). By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Credit Information Companies (Regulation) Act, 2005 <strong>[10]</strong>, which extensively addresses concerns related to this type of risks.<br /><br /></li>
<li><strong>P2P lending platforms diversifying their financial operations without informing RBI and hence without appropriate regulatory control:</strong> It is possible that P2P lending platforms may decide to diversify their activities. There have been similar examples in other related sectors, say e-commerce marketplaces, that have started their own product re/selling companies that use the same online marketplace concerned. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies provide RBI with detailed and regular reports of their economic activities and investments, which is expected to address concerns related to this type of risks.</li></ol>
<h3>3.3. Are there any other risks which ought to be addressed?</h3>
<p><strong>3.3.1.</strong> CIS observes that as part of the usual transaction related activities of the P2P lending platforms, the companies will come into possession of what has been defined as “sensitive personal data or information” by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 <strong>[11]</strong>. The concerns related to this type of risk is directly addressed by the Rules concerned, and may not require additional attention from the RBI.</p>
<p><strong>3.3.2.</strong> CIS observes that as borrowers and lenders start using specific P2P lending platforms, the data regarding their credit histories and/or “financial reputation” will be owned by these companies. While such information might be shared internally within the financial sector through the Credit Information Companies, the borrowers and lenders themselves may not get direct access to such data. Hence, the borrowers and lenders will not be able to move easily and smoothly to a new P2P lending platform and make use of their existing credit information and/or “financial reputation” when accessing services offered via the new P2P lending platform. In other words, the borrowers and lenders may face a <em>service provider lock-in</em>, and inability to move between P2P lending platforms easily, without explicit access to their own credit history/reputation, and will not have the ability to migrate such information from one P2P lending platform to another (or to any other agency, for that matter). CIS submits that RBI must provide a mechanism to allow users to migrate between platforms as it has not been discussed in the consultation paper.</p>
<h3>3.4. Is the proposed approach to regulating these platforms adequate?</h3>
<p><strong>3.4.1.</strong> CIS observes that while classification of P2P lending platforms will appropriately address key risks associated with their operations (as listed in 3.2.1. A-D), it will not address a major risk emerging out of their operations that is unique to the technological basis of the business concerned (as mentioned in 3.3.2.), and further, it will impose substantial financial and management obligations that have a very high probability of undermining the economic viability of this emerging and niche sector of intermediated direct lending and borrowing.</p>
<p><strong>3.4.2.</strong> CIS observes that these financial and management obligations may involve the following topics among others discussed: 1) minimum net worth requirement for registration, 2) minimum investments required to be made government securities, 3) transferring of minimum percentage of net profits to RBI, 4) guidelines regarding corporate governance <strong>[12]</strong>, etc.</p>
<p><strong>3.4.3.</strong> Given this, CIS submits that instead of classifying P2P lending platforms as “Misc NBFCs,” a new sub-classification is created under the category of NBFC for such platforms, that directly addresses the key risks associated with businesses of P2P lending platforms, and protects lenders as well as borrowers while enhancing transparency in operations. This new sub-classification of P2P lending companies should also be divided into systemically-important and non-systemically-important like other NBFCs, and requirements regarding financial operations and corporate management should only be enforced for the former category of P2P lending companies.</p>
<h3>3.5. Any other relevant issues pertaining to P2P lending</h3>
<p>Beyond the issues already discussed above, CIS seek clarity from the RBI around the following aspects:</p>
<ol><li><strong>Transactional system pertaining to P2P lending:</strong>
<ol type="a">
<li>What are the requirements and prerequisites for mandating the collection of user identity?</li>
<li>Establishing a maximum sum that can be transferred per transaction.</li></ol>
</li>
<li><strong>Company activities:</strong>
<ol type="a"><li>Fees that can be charged by platforms.</li>
<li>How data security can be best addressed.</li>
<li>How the financial transactions are brokered.</li>
<li>Modes of redressal.</li>
<li>Restitution to users if something goes amiss in the transaction.</li>
<li>Insurance that the company has to buy or capital on hand to support.</li></ol>
</li></ol>
<p> </p>
<h2>Endnotes</h2>
<p><strong>[1]</strong> See: <a href="https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=3164">https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=3164</a>.</p>
<p><strong>[2]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[3]</strong> See: <a href="https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/RBIA1934170510.pdf">https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/RBIA1934170510.pdf</a>.</p>
<p><strong>[4]</strong> See Section 45I.(c) of RBI Act, 1923, last amended on January 07, 2013.</p>
<p><strong>[5]</strong> See Section 45I.(c)(v) of RBI Act, 1923, last amended on January 07, 2013.</p>
<p><strong>[6]</strong> See: <a href="https://rbidocs.rbi.org.in/rdocs/content/pdfs/PNNBFC200315.pdf">https://rbidocs.rbi.org.in/rdocs/content/pdfs/PNNBFC200315.pdf</a>.</p>
<p><strong>[7]</strong> See: <a href="http://economictimes.indiatimes.com/small-biz/startups/faircent-com-raises-pre-series-a-funding-of-250k/articleshow/47630279.cms">http://economictimes.indiatimes.com/small-biz/startups/faircent-com-raises-pre-series-a-funding-of-250k/articleshow/47630279.cms</a>.</p>
<p><strong>[8]</strong> See: <a href="https://rbi.org.in/scripts/NotificationUser.aspx?Id=7866">https://rbi.org.in/scripts/NotificationUser.aspx?Id=7866</a>.</p>
<p><strong>[9]</strong> See: <a href="https://rbi.org.in/scripts/BS_ViewMasCirculardetails.aspx?id=8168">https://rbi.org.in/scripts/BS_ViewMasCirculardetails.aspx?id=8168</a>.</p>
<p><strong>[10]</strong> See: <a href="http://www.incometaxindia.gov.in/Pages/acts/credit-information-companies-act.aspx">http://www.incometaxindia.gov.in/Pages/acts/credit-information-companies-act.aspx</a>.</p>
<p><strong>[11]</strong> See: <a href="http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf">http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf</a>.</p>
<p><strong>[12]</strong> See: <a href="https://www.rbi.org.in/scripts/BS_NBFCNotificationView.aspx?Id=3706">https://www.rbi.org.in/scripts/BS_NBFCNotificationView.aspx?Id=3706</a>.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/raw/comments-on-the-rbi-consultation-paper-on-peer-to-peer-lending'>https://cis-india.org/raw/comments-on-the-rbi-consultation-paper-on-peer-to-peer-lending</a>
</p>
No publishersumandroPrivacyReserve Bank of IndiaData ProtectionResearchNetwork EconomiesP2P LendingResearchers at Work2016-06-01T20:21:13ZBlog EntryComments on the Report of the Committee on Digital Payments (December 2016)
https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016
<b>The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.</b>
<p> </p>
<h3><strong>1. Preliminary</strong></h3>
<p><strong>1.1.</strong> This submission presents comments by the Centre for Internet and Society (“CIS”) <strong>[1]</strong> in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) <strong>[2]</strong>.</p>
<h3><strong>2. The Centre for Internet and Society</strong></h3>
<p><strong>2.1.</strong> The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.</p>
<p><strong>2.2.</strong> CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.</p>
<h3><strong>3. Comments</strong></h3>
<p><strong>3.1.</strong> CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 Rs. 1,000 notes), declared on November 08, 2016 <strong>[3]</strong>, have generated <strong>unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to its extreme use due to the circumstances</strong>. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider <strong>opening up this data for analysis and discussion by public at large and experts in particular, before any specific policy and regulatory decisions are taken</strong> towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.</p>
<p><strong>3.2.</strong> While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. <strong>CIS strongly warns that the existing data protection and security regulations under Information Technology (Reasonable security practices and procedures and sensitive personal data or information), Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services.</strong> Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.</p>
<p><strong>3.3.</strong> The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. <strong>We submit that a decision regarding transformation of such scale and implications is taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders</strong>. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.</p>
<p><strong>3.4.</strong> The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both are primarily technology businesses where information technology particularly is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as, pre-paid instruments) offering return on deposited money via other means (such as, cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. <strong>CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice</strong>.</p>
<p><strong>3.5.</strong> The report highlights two major shortcomings of the current regulatory regime for payments. Firstly “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. <strong>We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates conflict of interest for the regulator otherwise.</strong> Secondly, the report mentions that Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). <strong>This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of how this function of course needs discussion and changes with the growth in digital payments</strong>.</p>
<p><strong>3.6.</strong> The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” <strong>CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has</strong>. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.</p>
<p><strong>3.7.</strong> CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” <strong>We second this recommendation and would like to add further that financial transaction data is governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities</strong>.</p>
<p><strong>3.8.</strong> We are, however, very discouraged to see the overtly incorrect use of the word “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity <strong>[4]</strong>. This is not an uncommon anti-competitive measure adopted by various platform players and services providers so as to disallow users from using competing products (such as, not allowing competing apps in the app store controlled by one software company). <strong>The term “Open Access” is not only the appropriate word to describe the negation of such anti-competitive behaviour, its usage in this context undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report.</strong> The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.</p>
<p><strong>3.9.</strong> A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). <strong>This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic</strong>.</p>
<p><strong>3.10.</strong> The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). <strong>Not only these measures would imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment.</strong> A mandate for <em>replacement</em> of the paper-based central KYC agencies will only remove a much needed redundancy in the the identity verification infrastructure of the government.</p>
<p><strong>3.11.</strong> The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification process for a natural person, apart from DNA testing perhaps. <strong>Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud</strong>.</p>
<p><strong>3.12.</strong> In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. <strong>We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats</strong>.</p>
<p><strong>3.13.</strong> The report suggest the establishment of “a ranking and reward framework” to recognise and encourage for the best performing state/district/agency in the proliferation of digital payments. <strong>It appears to us that creation of such a framework will only lead to making of an environment of competition among these entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state government and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy</strong>. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.</p>
<p><strong>3.14.</strong> CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. <strong>We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities</strong>.</p>
<p><strong>3.15.</strong> The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. <strong>We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away</strong>. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.</p>
<p><strong>3.16.</strong> As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, <strong>it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days</strong>. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.</p>
<h3><strong>Endnotes</strong></h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[2]</strong> See: <a href="http://finmin.nic.in/reports/Note-watal-report.pdf">http://finmin.nic.in/reports/Note-watal-report.pdf</a> and <a href="http://finmin.nic.in/reports/watal_report271216.pdf">http://finmin.nic.in/reports/watal_report271216.pdf</a>.</p>
<p><strong>[3]</strong> See: <a href="http://finmin.nic.in/cancellation_high_denomination_notes.pdf">http://finmin.nic.in/cancellation_high_denomination_notes.pdf</a>.</p>
<p><strong>[4]</strong> Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: <a href="http://www.budapestopenaccessinitiative.org/read">http://www.budapestopenaccessinitiative.org/read</a>.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016'>https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016</a>
</p>
No publisherSumandro Chattapadhyay and Amber SinhaUIDDigital IDBig DataDigital EconomyDigital AccessPrivacyDigital SecurityData RevolutionDigital PaymentInternet GovernanceDigital IndiaData ProtectionDemonetisationHomepageFeaturedAadhaar2017-01-12T12:32:22ZBlog EntryClause 12 Of The Data Protection Bill And Digital Healthcare: A Case Study
https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study
<b>In light of the state’s emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?</b>
<p>The blog post was <a class="external-link" href="https://www.medianama.com/2022/02/223-data-protection-bill-digital-healthcare-case-study/">published in Medianama</a> on February 21, 2022. This is the second in a two-part series by Amber Sinha.</p>
<hr />
<p style="text-align: justify; ">In the <a href="https://www.medianama.com/2022/02/223-data-protection-bill-consent-clause-state-function/">previous post</a>, I looked at provisions on non-consensual data processing for state functions under the most recent version of recommendations by the Joint Parliamentary Committee on India’s Data Protection Bill (DPB). The true impact of these provisions can only be appreciated in light of ongoing policy developments and real-life implications.</p>
<p style="text-align: justify; ">To appreciate the significance of the dilutions in Clause 12, let us consider the Indian state’s range of schemes promoting digital healthcare. In July 2018, NITI Aayog, a central government policy think tank in India released a strategy and approach paper (Strategy Paper) on the formulation of the National Health Stack which envisions the creation of a federated application programming interface (API)-enabled health information ecosystem. While the Ministry of Health and Family Welfare has focused on the creation of Electronic Health Records (EHR) Standards for India during the last few years and also identified a contractor for the creation of a centralised health information platform (IHIP), this Strategy Paper advocates a completely different approach, which is described as a Personal Health Records (PHR) framework. In 2021, the National Digital Health Mission (NDHM) was launched under which a citizen shall have the option to obtain a digital health ID. A digital health ID is a unique ID and will carry all health records of a person.</p>
<h2 style="text-align: justify; ">A Stack Model for Big Data Ecosystem in Healthcare</h2>
<p style="text-align: justify; ">A stack model as envisaged in the Strategy Paper, consists of several layers of open APIs connected to each other, often tied together by a unique health identifier. The open nature of APIs has the advantage that it allows public and private actors to build solutions on top of it, which are interoperable with all parts of the stack. It is however worth considering both the ‘openness’ and the role that the state plays in it.</p>
<p style="text-align: justify; ">Even though the APIs are themselves open, they are a part of a pre-decided technological paradigm, built by private actors and blessed by the state. Even though innovators can build on it, the options available to them are limited by the information architecture created by the stack model. When such a technological paradigm is created for healthcare reform and health data, the stack model poses additional challenges. By tying the stack model to the unique identity, without appropriate processes in place for access control, siloed information, and encrypted communication, the stack model poses tremendous privacy and security concerns. The broad language under Clause 12 of the DPB needs to be looked at in this context.</p>
<p>Clause 12 allows non-consensual processing of personal data where it is necessary “for the performance of any function of the state authorised by law” in order to provide a service or benefit from the State. In the previous post, I had highlighted the import of the use of only ‘necessity’ to the exclusion of ‘proportionality’. Now, we need to consider its significance in light of the emerging digital healthcare apparatus being created by the state.</p>
<p style="text-align: justify; ">The National Health Stack and National Digital Health Mission together envision an intricate system of data collection and exchange which in a regulatory vacuum would ensure unfettered access to sensitive healthcare data for both the state and private actors registered with the platforms. The Stack framework relies on repositories where data may be accessed from multiple nodes within the system. Importantly, the Strategy Paper also envisions health data fiduciaries to facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the health records for delivering services to the individual. The cast of characters involve the National Health Authority, health care providers and insurers who access the National Health Electronic Registries, unified data from different programmes such as National Health Resource Repository (NHRR), NIN database, NIC and the Registry of Hospitals in Network of Insurance (ROHINI), private actors such as Swasth, iSpirt who assist the Mission as volunteers. The currency that government and private actors are interested in is data.</p>
<p style="text-align: justify; ">The promised benefits of healthcare data in an anonymised and aggregate form range from Disease Surveillance to Pharmacovigilance as well as Health Schemes Management Systems and Nutrition Management, benefits which have only been more acutely emphasised during the pandemic. However, the pandemic has also normalised the sharing of sensitive healthcare data with a variety of actors, without much thinking on much-needed data minimisation practises.</p>
<p style="text-align: justify; ">The potential misuses of healthcare data include greater state surveillance and control, predatory and discriminatory practices by private actors which rely on Clause 12 to do away with even the pretense of informed consent so long as the processing of data is deemed necessary by the state and its private sector partners to provide any service or benefit.</p>
<p style="text-align: justify; ">Subclause (e) in Clause 12, which was added in the last version of the Bill drafted by MeitY and has been retained by the JPC, allows processing wherever it is necessary for ‘any measures’ to provide medical treatment or health services during an epidemic, outbreak or threat to public health. Yet again, the overly-broad language used here is designed to ensure that any annoyances of informed consent can be easily brushed aside wherever the state intends to take any measures under any scheme related to public health.</p>
<p style="text-align: justify; ">Effectively, how does the framework under Clause 12 alter the consent and purpose limitation model? Data protection laws introduce an element of control by tying purpose limitation to consent. Individuals provide consent to specified purposes, and data processors are required to respect that choice. Where there is no consent, the purposes of data processing are sought to be limited by the necessity principle in Clause 12. The state (or authorised parties) must be able to demonstrate necessity to the exercise of state function, and data must only be processed for those purposes which flow out of this necessity. However, unlike the consent model, this provides an opportunity to keep reinventing purposes for different state functions.</p>
<p style="text-align: justify; ">In the absence of a data protection law, data collected by one agency is shared indiscriminately with other agencies and used for multiple purposes beyond the purpose for which it was collected. The consent and purpose limitation model would have addressed this issue. But, by having a low threshold for non-consensual processing under Clause 12, this form of data processing is effectively being legitimised.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study'>https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study</a>
</p>
No publisheramberData GovernanceInternet GovernanceData ProtectionPrivacy2022-03-01T15:07:44ZBlog EntryCIS Submission to the Committee of Experts on a Data Protection Framework for India
https://cis-india.org/internet-governance/blog/cis-submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india
<b>This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ (“White Paper”) released by the Ministry of Electronics and Information Technology. The White paper was drafted by a Committee of Expert (“Committee”) constituted by the Ministry. CIS has conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. The submission was made on January 31, 2018.</b>
<p><span>The submission is divided into four parts — I. Preliminary, II. Scope and Exemption, III. Grounds of Processing, Obligations of Entities and Individual Rights and IV. Regulation and Enforcement. The submission follows the same the order as adopted by the White Paper.</span></p>
<h4></h4>
<p><b>Please access the <a class="external-link" href="http://cis-india.org/internet-governance/files/data-protection-submission">full submission here</a>.</b></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india'>https://cis-india.org/internet-governance/blog/cis-submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india</a>
</p>
No publisheramberInternet GovernanceData ProtectionPrivacy2018-04-18T16:39:11ZBlog EntryCIS Comments and Recommendations on the Data Protection Bill, 2021
https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill
<b>This document is a revised version of the comments we provided on the 2019 Bill on 20 February 2020, with updates based on the amendments in the 2021 Bill.</b>
<p style="text-align: justify; ">After nearly two years of deliberations and a few changes in its composition, the Joint Parliamentary Committee (JPC), on 17 December 2021, submitted its report on the Personal Data Protection Bill, 2019 (2019 Bill). The report also contains a new version of the law titled the Data Protection Bill, 2021 (2021 Bill). Although there were no major revisions from the previous version other than the inclusion of all data under the ambit of the bill, some provisions were amended.</p>
<p style="text-align: justify; ">This document is a revised version of the<a href="https://cis-india.org/accessibility/blog/cis-comments-pdp-bill-2019"> comments</a> we provided on the 2019 Bill on 20 February 2020, with updates based on the amendments in the 2021 Bill. Through this document we aim to shed light on the issues that we highlighted in our previous comments that have not yet been addressed, along with additional comments on sections that have become more relevant since the pandemic began. In several instances our previous comments have either not been addressed or only partially been addressed; in such instances, we reiterate them.</p>
<p style="text-align: justify; ">These general comments should be read in conjunction with our previous recommendations for the reader to get a comprehensive overview of what has changed from the previous version and what has remained the same. This document can also be read while referencing the new Data Protection Bill 2021 and the JPC’s report to understand some of the significant provisions of the bill.</p>
<hr />
<p style="text-align: justify; "><strong><a href="https://cis-india.org/internet-governance/general-comments-data-protection-bill.pdf" class="internal-link">Read on to access the comments</a> | </strong><span>Review and editing by Arindrajit Basu. Copy editing: The Clean Copy; Shared under Creative Commons Attribution 4.0 International license</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill'>https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill</a>
</p>
No publisherPallavi Bedi and Shweta MohandasInternet GovernanceData ProtectionPrivacy2022-02-14T16:07:44ZBlog Entry