Centre for Internet and Society

Electoral Databases – Privacy and Security Concerns

snehashish — 2014-01-16T11:07:21Z

In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.

The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.[i] After due consideration, the ECI has decided to drop the plan.[ii]

The plan to partner with Google has led to much apprehension regarding Google gaining access to the database of 790 million voters including, personal information such as age, place of birth and residence. It could have also gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website. Although, the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website and the publication of electoral rolls is mandated by the law.

Publication of Electoral Rolls
The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.

The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document[iii] given that the roll is published and can be circulated on the direction of the ECI.

With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.[iv] In addition to that, the electoral rolls for the entire country are available on the ECI website.[v] However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.[vi]

Security Concerns
The Registration of Electoral Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of electoral database, which allows for uniformity, standardization and centralization of the database which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.

In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth processing power there has been a growth in surveillance capabilities and on this note the article is titled, “With Great Computing Power Comes Great Surveillance”[vii] Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual’s privacy since the personal information of every voter is made available in the public domain

For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies, which has a high population of voters above the age of 65. This would help the authority to set up polling booths at closer location with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.

Current IT Laws does not mandate the protection of the electoral database
A centralized electoral database of the entire country can be considered as a critical information infrastructure (CII) given the impact it may have on the election which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”[viii] However, the appropriate Government has not notified the electoral database as a protected system[ix]. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.

The Information Technology Rules (IT Rules) are also not applicable to electoral databases, per se. Since, ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (hereinafter Reasonable Security Practices Rules) do not apply to electoral databases. Ignoring that Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of definition of “personal information”[x] and should arguably be made subject to the Rules.

The intent of the ECI for hosting the entire country’s electoral database online inter alia is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”[xi] However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.

The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.

Conclusion
Publication of electoral rolls is a necessary part of an election process. It ensures free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve because the electronic database may pose threat to privacy of the voters and also lead to security breach. It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent, therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.

It is recommended that the Electors Registration Rules, 1960 should be amended, taking into account the advancement in technology. Therefore, the Rules should aim at restricting the unfettered electronic access to the electoral database and also introduce purposive limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.

[i] Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss

[ii] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

[iii] Section 74, Indian Evidence Act, 1872

[iv] eci.nic.in/eci_main1/the_function.aspx

[v] http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx

[vi] “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010 available at eci.nic.in/eci_main/eroll&epic/ins06012010.pdf

[vii] http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/

[viii] Section 70, Information Technology Act, 2000

[ix] Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure

[x] Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[xi] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

For more details visit https://cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns

Does the Safe-Harbor Program Adequately Address Third Parties Online?

rebecca — 2011-08-02T07:19:34Z

While many citizens outside of the US and EU benefit from the data privacy provisions the Safe Harbor Program, it remains unclear how successfully the program can govern privacy practices when third-parties continue to gain more rights over personal data. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem.

To date, the EU-US Safe Harbor Program leads in governing the complex and multi-directional flows of personal information online. As commerce began to thrive in the online context, the European Union was faced with the challenge of ensuring that personal information exchanged through online services were granted levels of protect on par with provisions set out in EU privacy law. This was important, notably as the piecemeal and sectoral approach to privacy legislation in the United states was deemed incompatible with the EU approach. While the Safe Harbor program did not aim to protect the privacy of citizens outside of the European Union per say, the program has in practice set minimum standards for online data privacy due to the international success of American online services.

While many citizens outside of the US and EU benefit from the Safe Harbor Program, it remains unclear how successful the program will be in an online ecosystem where third-parties are being granted increasingly more rights over the data they receive from first parties. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem. First, I will argue that the safe harbor program does not do enough to ensure that participants are held reasonably responsible third party privacy practices. Second, I will argue that the information asymmetries created between first party sites, citizens, and governance bodies vis-à-vis third parties obscures the application of the Safe Harbor Model.

The EU-US Safe-Harbor Agreement

In 1995, and based on earlier OECD guidelines, the EU Data Directive on the “protection of individuals with regard to the processing of personal data and the free movement of such data” was passed [1]. The original purpose of the EU Privacy Directive was not only to increase privacy protection within the European Union, but to also promote trade liberalization and a single integrated market in the EU. After the Data Directive was passed, each member state of the EU incorporated the principles of the directive into national laws accordingly.

While the Directive was successful in harmonizing data privacy in the European Union, it also embodied extraterritorial provisions, giving in reach beyond the EU. Article 25 of the Directive states that the EU commission may ban data transfers to third countries that do not ensure “an adequate level of protect’ of data privacy rights [2]. Also, Article 26 of the Directive, expanding on Article 25, states that personal data cannot be transferred to a country that “does not ensure an adequate level of protection” if the data controller does not enter into a contract that adduces adequate privacy safeguards [3].

In light of the increased occurrence of cross-border information flows, the Data Directive itself was not effective enough to ensure that privacy principles were enforced outside of the EU. Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law. Therefor, the EU-US Safe-Harbor was established by the EU Council and the US Department of Commerce as a way of mending the variant levels of privacy protection set out in these jurisdictions, while also promoting online commerce.

Social Networking Sites and the Safe-Harbor Principles

The case of social networking sites exemplifies the ease with which data is transferred, processed, and stored between jurisdictionas. While many of the top social networking sites are registered American entities, they continue to attract users not only from the EU, but also internationally. In agreement to the EU law, many social networking sites, including LinkedIn, Facebook, Myspace, and Bebo, now adhere to the principles of the program. The enforcement of the Safe Harbor takes place in the United States in accordance with U.S. law and relies, to a great degree, on enforcement by the private sector. TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the safe harbor program among social networking sites.

Drawing broadly on the principles embodied within the EU Data Directive and the OECD Guidelines, the seven principles of the Safe-Harbor were developed. These principles include Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity and Enforcement. The principle of “Notice” sets out that organizations must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it disclosures the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

“Choice” ensures that individuals have the opportunity to choose to opt out whether their personal information is disclosed to a third party, and to ensure that information is not used for purposes incompatible with the purposes for which it was originally collected. The “Onward Transfer” principle ensures that third parties receiving information subscribes to the Safe Harbor principles, is subject to the Directive, or enters into a written agreement which requires that the third party provide at least the same level of privacy protection as is requires by the relevant principles.

The principles of “Security” and “Data Integrity” seek to ensure that reasonable precautions are taken to protect the loss or misuse of data, and that information is not used in a manner which is incompatible with the purposes for it is has been collected—minimizing the risk that personal information would be misused or abused. Individuals are also granted the right, through the access principle, to view the personal information about them that an organization holds, and to ensure that it is up-to-date and accurate. The “Enforcement” principle works to ensure that an effective mechanism for assuring compliance with the principles, and that there are consequences for the organization when the principles are not followed.

The principles of the program are rather quite clear and enforceable in the first party context, despite some prevailing ambiguities. The privacy policies of most social networking services have become increasingly clear and straightforward since their inception. Facebook, for example, has revamped its privacy regime several times, and gives explicit notice to users how their information is being used. The privacy policy also explains the relationship between third parties and your personal information—including how it may be used by advertisers, search engines, and fellow members.

With respect to third party advertisers, principles of “choice” are clearly granted by most social networking services. For example, the Network Advertising Initiative, a self-regulatory initiative of the online advertising industry, clearly lists its member websites and allows individuals to opt out of any targeted advertising conducted by its members. In Facebook’s description of “cookies” in their privacy policy, a direct link to NAI’s opt out features is given, allowing individuals to make somewhat informed choices about their participation in such programs. This point is, of course, in light of the fact that most users do not read or understand the privacy policies provided by social networking sites [4]. It is also important to note that Google—a major player in the online advertising business, does not grant users of Buzz and Orkut the same “opt-out” options as sites such as Facebook and Bebo.

Under the auspices of the US Federal Trade Commission, the Safe Harbor Program has also successfully investigated and settled several privacy-related breaches which have taken place on social networking sites. Of the most famous cases is Lane et al. v. Facebook et al., which was a class action suit brought against Facebook’s Beacon Advertising program. The US Federal Trade Commission was quick to insight an investigation of the program after many privacy groups and individuals became critical of its questionable advertising practices. The Beacon program was designed to allow Facebook users to share information with their friends about actions taken on affiliated, third party sites. This had included, for example, the movie rentals a user had made through the Blockbuster website.

The Plaintiffs filed a suit, alleging that Facebook and its affiliates did not give users adequate notice and choice about Beacon and the collection and use of users’ personal information. The Beacon program was ultimately found to be in breach of US law, including the Video Privacy Protection Act, which bans the disclosure of personally identifiable rental information. Facebook has announced the settlement of the lawsuit, not bringing individual settlements, but a marked end to the program and the development of a 9.5 million dollar Facebook Privacy Fund dedicated to privacy and data-related issues. Other privacy related investigations of social networking sites launched by the FTC under the Safe Harbor Program include Facebook’s privacy changes in late 2009, and the Google’s recently released Buzz application.

Despite the headway the Safe Harbor is making, many privacy related questions remain ambiguous with respect to the responsibilities social networking sites through the program. For example, Bebo reserves the right to supplement a social profile with addition information collected from publicly available information and information from other companies. Bebo’s does adhere to the “notice principle”—as it makes know to users how their information will be used through their privacy policy. However, it remains unclear if appropriate disclosures are given by Bebo as required by Safe Harbor Framework, notably as the sources of “publicly available information” as a concept remains broad and obscured in the privacy policy. It is also unclear whether or not Bebo users are able to, under the “Choice” principle, refuse to having their profiles from being supplemented by other information sources. Also, under the “access principle”, do individuals have the right to review all information held about them as “Bebo users”? The right to review information held by a social networking site is an important one that should be upheld. This is most notable as supplementary information from outside social networking services is employed to profile individual users in ways which may work to categorize individuals in undesirable ways.

The Third Party Problem

Cooperation between social networking sites and the Safe Harbor has improved, and most of these sites now have privacy policies which explicitly address the principles of the Program. It should also be noted that public interest groups, such as Epic, the Center for Digital Democracy, and The Electronic Frontier Foundation, have played a key role in ensuring that data privacy breaches are brought to the attention of the FTC under the program. While the program has somewhat adequately addressed the privacy practices of first party participants, the number of third parties on social networking sites calls into question the comprehensiveness and effectiveness of the Safe Harbor program. Facebook itself as a first party site may adhere to the Safe Harbor Program. However, its growing number third party platform members may not always adhere to best practices in the field, nor can Facebook or the Safe Harbor Program guarantee that they do so.

The Safe Harbor Program does require that all participants take certain security measures when transferring data to a third party. Third parties must either subscribe to the safe harbor principles, or be subject to the EU Data Directive. Alternatively, an organization can may also enter into a written agreement with a third party requiring that they provide at least the same level of privacy protection as is required by program principles. Therefore, third parties of participating program sites are, de facto, bound by the safe harbor principles by the way of entering into agreement with a first party participant of the program. This is the approach taken by most social networking sites and their third parties.

It is important to note, however, that third parties are not governed directly by the regulatory bodies, such as the FTC. The safe harbor website also explicitly notes that the program does not apply to third parties. Therefore, as per these provisions, Facebook must adhere to the principles of the program, while its third party platform members (such as social gaming companies), only must do so indirectly as per a separate contract with Facebook. The effectiveness of this indirect mode of governing of third party privacy practices is questionable for numerous reasons.

Firstly, while Facebook does take steps to ensure that third parties use information from Facebook in a manner which is consistent to the safe harbor principles, the company explicitly waives any guarantee that third parties will “follow their rules”. Prior to allowing third parties to access any information about users, Facebook requires third parties to agree to terms that limit their use of information, and also use technical measures to ensure that they only obtain authorized information. Facebook also warns users to “always review the policies of third party applications and websites to make sure you are comfortable with the ways in which they use information”. Not only are users required to read the privacy policies of every third party application, but are also expected to report applications which may be in violation of privacy principles. In this sense, Facebook not only waives responsibility for third party privacy breaches, but also places further regulatory onus upon the user.

As the program guidelines express, the safe harbor relies to a great degree on enforcement by the private sector. However, it is likely that a self-regulatory framework may lead the industry into a state of regulatory malaise. Under the safe harbor program, Facebook must ensure that the privacy practices of third parties are adequate. However, at the same time, the company may simultaneously waiver their responsibility for third party compliance with safe harbor principles. Therefore, it remains questionable as to where responsibility for third parties exactly lies. When third parties are not directly answerable to the governing bodies of safe harbor program, and when first parties can to waive responsibility for their practices, from where does the incentive to effectively regulate third parties to come from?

While Facbeook may in fact take reasonable legal and technical measures to ensure third party compliance, the room for potential dissonance between speech and deed is worrisome. Facebook is required to ensure that third parties provide “at least the same level of privacy protection” as they do. However, in practice, this has yet to become the case. A quick survey of twelve of the most popular Platform Applications in the gaming category showed that third parties are not granting their users the “same level of privacy protection”[5]. For example, section 9.2.3 of Facebooks “Rights and Responsibilities” for Developers/Operators of applications/sites states that they must “have a privacy policy or otherwise make it clear to users what user data you are going to use and how you will use, display, or share that data”.

However, out of the 12 gaming applications surveyed, four companies failed to make privacy policies available to users before they granted the application access to the personal information, including that of their friends [6]. After searching for the privacy policies on the websites of each of the four social gaming companies, two completely failed to post privacy policies on their central websites. This practice is in direct breach of the contract made between these companies and Facebook, as mentioned above. In addition to many applications failing to clearly post privacy policies, many of provisions set out in these policies were questionable vis-à-vis safe harbor principles.

For example Zynga, makes of popular games Mafia Wars and Farmville, reserve the right to “maintain copies of your content indefinitely”. This practice remains contrary to Safe Harbor principles which states that information should not be kept for longer than required to run a service. Electronic Arts also maintains similar provisions for data retention in its privacy policy. Such practices are rather worrisome also in light of the fact that both companies also reserve the right to collect information on users from other sources to supplement profiles held. This includes (but is not limited to) newspapers and Internet sources such as blogs, instant messaging services, and other games. It is also notable to mention that only one of the twelve social gaming companies surveyed directly participates in the safe harbor program.

In addition to the difficulties of ensuring that safe harbor principles are adhered to by third parties, the information asymmetries which exist between first party sites, citizens, and governance bodies vis-à-vis third parties complicate this model. Foremost, it is clear that Facebook, despite its resources, cannot keep tabs on the practices of all of their applications. This puts into question if industry self-regulation can really guarantee that privacy is respected by third parties in this context. Furthermore, the lack of knowledge or understanding held by citizens about how third parties user their information is particularly problematic when a system relies so heavily on users to report suspected privacy breaches. The same is likely to be true for governments, too. As one legal scholar, promoting a more laisse-fair approach to third party regulation, notes—multiple and invisible third party relationships presents challenges to traditional forms of legal regulation [7].

In an “open “social ecosystem, the sheer volume of data flows between users of social networking sites and third party players appears to have become increasingly difficult to effectively regulate. While the safe harbor program has been successful in establishing best practices and minimum standards for data privacy, it is also clear that governance bodies, and public interest groups, have focused most attention on large industry players such as Facebook. This has left smaller third party players on social networking sites in the shadows of any substantive regulatory concern. If one this has become clear, it is the fact that governments may no longer be able to effectively govern the flows of data in the burgeoning context of “open data”.

As I have demonstrated, it remains questionable whether or not Facebook can regulate third parties data collection practices effectively. Imposing more stringent responsibilities on safe harbor participants could be a positive step. It is reasonable to assume that it would be undue to impose liability on social networking sites for the data breaches of third parties. However, it is not unreasonable to require sites like Facebook go beyond setting “minimum standards” for data privacy, towards taking a more active enforcement, if even through TRUSTe or another regulatory body. If the safe harbor is to be effective, it cannot allow program participants to simply wave the liability for third party privacy practices. The indemnity granted to third parties on social networking sites may deem the safe harbor program more effective in sustaining the non-liability of third parties, rather than protecting the data privacy of citizens.

[1] Official Directive 95/46/EC

[2] 95/46/EC

[3] Ibid

[4] See Acquisit, A. a. (n.d.). Imagined Communities: Awareness, Information Sharing, and Privacy on Facebook. PET 2006

[5] Of the Privacy Policy browsed include, Zynga, Rock You!, Crowdstar, Mind Jolt, Electronic Arts, Pop Cap Games, Slash Key, Playdom, Meteor Games, Broken Bulb Studios, Wooga, and American Global Network.

[6] By adding an application, users are also sharing with third parties the information of their friends if they do not specifically opt out of this practice.

[7]See Milina, S. (2003). Let the Market Do its Job: Advocating an Integrated Laissez-Faire Approach to Online Profiling. Cardozo Arts and Entertainment Law Journal .

For more details visit https://cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online

Divergence between the General Data Protection Regulation and the Personal Data Protection Bill, 2019

Pallavi Bedi — 2020-02-21T11:08:50Z

Our note on the divergence between the General Data Protection Regulation and the Personal Data Protection Bill can be downloaded as a PDF here.

The European Union’s General Data Protection Regulation (GDPR), replacing the 1995 EU Data Protection Directive came into effect in May 2018. It harmonises the data protection regulations across the European Union. In India, the Ministry of Electronics and Information Technology had constituted a Committee of Experts (chaired by Justice Srikrishna) to frame recommendations for a data protection framework in India. The Committee submitted its report and a draft Personal Data Protection Bill in July 2018 (2018 Bill). Public comments were sought on the bill till October 2018. The Central Government revised the Bill and introduced the revised version of the Personal Data Protection Bill (PDP Bill) on December 11, 2019 in the Lok Sabha.

The PDP Bill has incorporated certain aspects of the GDPR, such as requirements for notice to be given to the data principal, consent for processing of data, establishment of a data protection authority, etc. However, there are some differences and in this note we have highlighted the areas of divergence between the two. It only includes provisions which are common to the GDPR and the PDP Bill. It does not include the provisions on (i) Appellate Tribunal, (ii) Finance, Account and Audit; and (iii) Non- Personal Data.

For more details visit https://cis-india.org/internet-governance/blog/divergence-between-the-general-data-protection-regulation-and-the-personal-data-protection-bill-2019

Developer team fixed vulnerabilities in Honorable PM's app and API

pranesh — 2016-12-04T19:08:56Z

The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.

This blog post has been authored by Bhavyanshu Parasher. The original post can be read here.

What were the issues?

The main issue was how the app was communicating with the API served by narendramodi.in.

I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.
There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.
The API was still being served over HTTP instead of HTTPS.

Fixed

The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.
A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.
Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.

Detailed Vulnerability Disclosure

Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app, I would suggest you to change your password immediately. Can’t leave out a possibility of it being compromised.

Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.

The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).

Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,

They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.

Disclosure to officials

The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.

Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM

After about 30 hours of reporting the vulnerabillity

Proposed Solution

Consulted @pranesh_prakash as well regarding the issue.

After this, I mailed them a solution regarding the issues.

Discussion with developer

Received phone call from a developer. Discussed possible solutions to fix it.

The solution that I proposed could not be implemented since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that people don’t upgrade to latest versions leaving themselves vulnerable to security flaws. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.

On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. I can now confirm they have fixed all three issues.

Update 12/02/2016

This vulnerability in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.

Demystifying Data Breaches in India

Pawan Singh — 2022-10-17T16:14:03Z

Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.

Edited by Arindrajit Basu and Saumyaa Naidu

India saw a 62% drop in data breaches in the first quarter of 2022. Yet, it ranked fifth on the list of countries most hit by cyberattacks according to a 2022 report by Surfshark, a Netherlands-based VPN company. Another report on the cost of data breaches researched by the Ponemon Institute and published by IBM reveals that the breach of about 29500 records between March 2021 and March 2022 resulted in a 25% increase in the average cost from INR 165 million in 2021 to INR 176 million in 2022.

These statistics are certainly a cause for concern, especially in the context of India’s rapidly burgeoning digital economy shaped by the pervasive platformization of private and public services such as welfare, banking, finance, health, and shopping among others. Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.

While expert articulations of cybersecurity in general and data breaches in particular tend to predominate the public discourse on data privacy, this post aims to situate broader understandings of data breaches within the historical context of India’s IT revolution and delve into specific concepts and terminology that have shaped the broader discourse on data protection. The late 1990s and early 2000s offer a useful point of entry into the genesis of the data security landscape in India.

Data Breaches and their Predecessor Forms

The articulation of data security concerns around the late 1990s and early 2000s isn’t always consistent in deploying the phrase, ‘data breach’ to signal cybersecurity concerns in India. The terms such as ‘data/ identity theft’ and ‘data leak’ figure prominently in the public articulation of concerns with the handling of personal information by IT systems, particularly in the context of business process outsourcing (BPO) and e-commerce activities. Other pertinent terms such as “security breach”, “data security”, and ‘“cyberfraud” also capture the specificity of growing concerns around outsourced data to India. At the time, i.e. around mid-2000s regulatory frameworks were still evolving to accommodate and address the complexities arising from a dynamic reconfiguration of the telecommunications and IT landscape in India.

Some of the formative cases that instantiate the usage of the aforementioned terms are instructive to understand shifts in the reporting of such incidents over time. The earliest case during that period concerns a 2002 case concerning the theft and sale of source code by an IIT Kharagpur student who intended to sell the code to two undercover FBI agents who worked with the CBI to catch the thief. A straightforward case of data theft was framed by media stories around the time as a cybercrime involving the illegal sale of the source code of a software package, as software theft of intellectual property in the context of outsourcing and as an instance of industrial espionage in poor nations without laws protecting foreign companies. This case became the basis of the earliest calls for the protection of data privacy and security in the context of the Indian BPO sector. The Indian IT Act, 2000 at the time only covered unauthorized access and data theft from computers and networks without any provisions for data protection, interception or computer forgery. The BPO boom in India brought with it employment opportunities for India’s English-speaking, educated youth but in the absence of concrete data privacy legislation, the country was regarded as an unsafe destination for outsourcing aside from the political ramifications concerning the loss of American jobs.

In a major 2005 incident, employees of the Mphasis BFL call centre in Pune extracted sensitive bank account information of Citibank’s American customers to divert INR 1.90 crore into new accounts set up in India. The media coverage of this incident calls it India’s first outsourcing cyberfraud and a well planned scam, a cybercrime in a globalized world, and a case of financial fraud and a scam that required no hacking skills, and a case of data theft and misuse. Within the ambit of cybercrime, media reports of these incidents refer to them as cases of “fraud”, “scam” and “theft''.

Two other incidents in 2005 set the trend for a critical spotlight on data security practices in India. In a June 2005 incident, an employee of a Delhi-based BPO firm, Infinity e-systems, sold the account numbers and passwords of 1000 bank customers to the British Tabloid, The Sun. The Indian newspaper, Telegraph India, carried an online story headlined, “BPO Blot in British Backlash: Indian Sells Secret Data,” which reported that the employee, Kkaran Bahree, 24, was set up by a British journalist, Oliver Harvey. Harvey filmed Bahree accepting wads of cash for the stolen data. Bahree’s theft of sensitive information is described both as a data fraud and a leak in the above 2005 BBC story by Soutik Biswar. Another story on the incident calls it a “scam” involving the leakage of credit card information. The use of the term ‘leak’ appears consistently across other media accounts such as a 2005 story on Karan Bahree in the Times of India and another story in the Economic Times about the Australian Broadcasting Corporation’s (ABC) sting operation similar to the one in Delhi, describing the scam by the fraudsters as a leak of the online information of Australians. Another media account of the coverage describes the incident in more generic terms such as an “outsourcing crime”.

The other case concerned four former employees of Parsec technologies who stole classified information and diverted calls from potential customers, causing a sudden drop in the productivity of call centres managed by the company in November 2005. Another call centre fraud came to light in 2009 through a BBC sting operation in which British reporters went to Delhi and secretly filmed a deal with a man selling credit card and debit card details obtained from Symantec call centres, which sold software made by Norton. This BBC story uses the term “breach” to refer to the incident.

In the broader framing of these cases generally understood as cybercrime, which received transnational media coverage, the terms “fraud”, “leak”, “scam”, and “theft” appear interchangeably. The term “data breach” does not seem to be a popular or common usage in these media accounts of the BPO-related incidents. A broader sense of breach (of confidentiality, privacy) figures in the media reportage in implicitly racial terms of cultural trust, as a matter of ethics and professionalism and in the language of scandal in some cases.

These early cases typify a specific kind of cybercrime concerning the theft or misappropriation of outsourced personal data belonging to British or American residents. What’s remarkable about these cases is the utmost sensitivity of the stolen personal information including financial details, bank account and credit/debit card numbers, passwords, and in one case, source code. While these cases rang the alarm bells on the Indian BPO sector’s data security protocols, they also directed attention to concerns around the training of Indian employees on the ethics of data confidentiality and vetting through psychometric tests for character assessment. In the wake of these incidents, the National Association of Software and Service Companies (NASSCOM), an Indian non-governmental trade and advocacy group, launched a National Skills Registry for IT professionals to enable employers to conduct background checks in 2006.

These data theft incidents earned India a global reputation of an unsafe destination for business process outsourcing, seen to be lacking both, a culture of maintaining data confidentiality and concrete legislation for data protection at the time. Importantly, the incidents of data theft or misappropriation were also traceable back to a known source, a BPO employee or a group of malefactors, who often sold sensitive data belonging to foreign nationals to others in India.

The phrase “data leak” also caught on in another register in the context of the widespread use of camera-equipped mobile phones in India. The 2004 Delhi MMS case offers an instance of a date leak, recapitulating the language of scandal in moralistic terms.

The Delhi MMS Case

The infamous 2004 incident involved two underage Delhi Public School (DPS) students who recorded themselves in a sexually explicit act on a cellular phone. After a fall out, the male student passed the low-resolution clip on to his friend in which his female friend’s face is seen. The clip, distributed far and wide in India, ended up on the famous e-shopping and auction website, bazee.com leading to the arrest of the website’s CEO Avinash Bajaj for hosting the listing for sale. Another similar case in 2004 mimicked the mechanics of visual capture through hand-held MMS-enabled mobile phones. A two-minute MMS of a top South-Indian actress taking a shower went viral on the Internet in 2004, the year when another MMS of two prominent Bollywood actors kissing had already done the rounds. The MMS case also marked the onset of a national moral panic around the amateur uses of mobile phone technologies, capable of corrupting young Indian minds under a sneaky regime of new media modernity. The MMS case, not strictly the classic case of a data breach - non-visual information generally stored in databases - became an iconic case of a data leak framed in the media as a scandal that shocked the country, with calls for the regulation of mobile phone use in schools. The case continued its scandalous afterlife in a 2009 Bollywood film, Dev D and another 2010 film, Love, Sex and Dhokha,

Taken together, the BPO data thefts and frauds and the data leak scandals prefigure the contemporary discourse on data breaches in the second decade of the 21st century, or what may also be called the Decade of Datafication. The launch of the Indian biometric identity project, Aadhaar, in 2009, which linked access to public services and welfare delivery with biometric identification, resulted in large-scale data collection of the scheme’s subscribers. Such linking raised the spectre of state surveillance as alleged by the critics of Aadhaar, marking a watershed moment in the discourse on data privacy and protection.

Aadhaar Data Security and Other Data Breaches

Aadhaar was challenged in the Indian Supreme Court in 2012 when it was made mandatory for welfare and other services such as banking, taxation and mobile telephony. The national debate on the status of privacy as a cultural practice in Indian society and a fundamental right in the Indian Constitution led to two landmark judgments - the 2017 Puttaswamy ruling holding privacy to be a constitutional right subject to limitations and the 2018 Supreme Court judgment holding mandatory Aadhaar to be constitutional only for welfare and taxation but no other service.

While these judgments sought to rein in Aadhaar’s proliferating mandatory uses, biometric verification remained the most common mode of identity authentication with most organizations claiming it to be mandatory for various purposes. During the same period from 2010 onwards, a range of data security events concerning Aadhaar came to light. These included app-based flaws, government websites publishing Aadhaar details of subscribers, third party leaks of demographic data, duplicate and forged Aadhaar cards and other misuses.

In 2015, the Indian government launched its ambitious Digital India Campaign to provide government services to Indian citizens through online platforms. Yet, data security breach incidents continued to increase, particularly the trade in the sale and purchase of sensitive financial information related to bank accounts and credit card numbers. The online availability of a rich trove of data, accessible via a simple Google search without the use of any extractive software or hacking skills within a thriving shadow economy of data buyers and sellers makes India a particularly vulnerable digital economy, especially in the absence of robust legislation. The lack of awareness around digital crimes and low digital literacy further exacerbates the situation given that datafication via government portals, e-commerce, and online apps has outpaced the enforcement of legislative frameworks for data protection and cybersecurity.

In the context of Aadhaar data security issues, the term “data leak” seems to have more traction in media stories followed by the term “security breach”. Given the complexity of the myriad ways in which Aadhaar data has been breached, terms such as data leak and exposure (of 11 crore Indian farmers’ sensitive information) add to the specificity of the data security compromise. The term “fraud” also makes a comeback in the context of Aadhaar-related data security incidents. These cases represent a mix of data frauds involving fake identities, theft of thumb prints for instance from land registries and inadvertent data leaks in numerous incidents involving government employees in Jharkhand, voter ID information of Indian citizens in Andhra Pradesh and Telangana and activist reports of Indian government websites leaking Aadhaar data.

Aadhaar-related data security events parallel the increase in corporate data breaches during the decade of datafication. The term “data leak” again alternates with the term “data breach” in most media accounts while other terms such as “theft” and “scam” all but disappear in the media coverage of corporate data breaches.

From 2016 onwards, incidents of corporate data breaches in India continued to rise. A massive debit card data breach involving the YES Bank ATMs and point-of-sale (PoS) machines compromised through malware between May and July of 2016 resulted in the exposure of ATM PINs and non-personal identifiable information of customers. It went undetected for nearly three months. Another data leak in 2018 concerned a system run by Indane, a state-owned utility company, which allowed anyone to download private information on all Aadhaar holders including their names, services they were connected to and the unique 12-digit Aadhaar number. Data breaches continued to be reported in India concurrent with the incidents of data mismanagement related to Aadhaar. Some prominent data breaches included a cyberattack on the systems of airline data service provider SITA resulting in the leak of Air India passenger data, leakage of the personal details of the Common Admission Test (CAT) applicants, details of credit card and order preferences of Domino’s pizza customers on the dark web, leakage of COVID-19 patients’ test results leaked by government websites, user data of Justpay and Big Basket for sale on the dark web and an SBI data breach among others between 2019 and 2021.

The media reportage of these data breaches use the term “cyberattack” to describe the activities of hackers and cybercriminals operating within a shadow economy or the dark web. Recent examples of cyberattacks by hackers who leak user data for sale on the dark web include 8.2 terabytes of 110 million sensitive financial data (KYC details, Aadhaar, credit/debit cards and phone numbers) of the payments app MobiKwik users, 180 million Domino’s pizza orders (name, location, emails, mobile numbers), and Flipkart’s Cleartrip users’ data. In these incidents again, three terms appear prominently in the media reportage - cyberattack, data breach, and leak. The term “data breach” remains the most frequently used epithet in the media coverage of the lapses of data security. While it alternates with the term “leak” in the stories, the term “data breach” appears consistently across most headlines in the news stories.

The exposure of sensitive, personal, and non-personal data by public and private entities in India is certainly a cause for concern, given the ongoing data protection legislative vacuum.

The media coverage of data breaches tends to emphasize the quantum of compromised user data aside from the types of data exposed. The media framing of these breaches in quantitative terms of financial loss as well as the magnitude and the number of breaches certainly highlights the gravity of these incidents but harm to individual users is often not addressed.

Evolving Terminology and the Source of Data Harms

The main difference in the media reportage of the BPO cybersecurity incidents during the early aughts and the contemporary context of datafication is the usage of the term, “data breach”, which figures prominently in contemporary reportage of data security incidents but not so much in the BPO-related cybercrimes.

THe BPO incidents of data theft and the attendant fraud must be understood in the context of the anxieties brought on by a globalizing world of Internet-enabled systems and transnational communications. In most of these incidents regarded as cybercrimes, the language of fraud and scam ventures further to attribute such illegal actions of the identifiable malefactors to cultural factors such as lack of ethics and professionalism.The usage of the term “data leak” in these media reports functions more specifically to underscore a broader lapse in data security as well as a lack of robust cybersecurity laws. The broader term, “breach”, is occasionally used to refer to these incidents but the term, “data breach” doesn’t appear as such.

The term “data breach” gains more prominence in media accounts from 2009 onwards in the context of Aadhaar and the online delivery of goods and services by public and private players. The term “data breach” is often used interchangeably with the term “leak” within the broader ambit of cyberattacks in the corporate sector. The media reportage frames Aadhaar-related security lapses as instances of security/data breaches, data leaks, fraud, and occasionally scam.

In contrast to the handful of data security cases in the BPO sector, data breaches have abounded in the second decade of the twenty-first century. What further differentiates the BPO-related incidents to the contemporary data breaches is the source of the data security lapse. Most corporate data breaches remain attributable to the actions of hackers and cybercriminals while the BPO security lapses were traceable back to ex-employees or insiders with access to sensitive data. We also see in the coverage of the BPO-related incidents, the attribution of such data security lapses to cultural factors including a lack of ethics and professionalism often in racial overtones. The media reportage of the BBC and ABC sting operations suggests that the India BPOs lack of preparedness to handle and maintain personal data confidentiality of foreigners point to the absence of a privacy culture in India. Interestingly, this transnational attribution recurs in a different form in the national debate on Aadhaar and how Indians don’t care about their privacy.

The question of the harms of data breaches to individuals is also an important one. In the discourse on contemporary data breaches, the actual material harm to an individual user is rarely ever established in the media reportage and generally framed as potential harm that could be devastating given the sensitivity of the compromised data. The harm is reported to be predominantly a function of organizational cybersecurity weakness or attributed to hackers and cybercriminals.

The reporting of harm in collective terms of the number of accounts breached, financial costs of a data breach, the sheer number of breaches and the global rankings of countries with the highest reported cases certainly suggests a problem with cybersecurity and the lack of organizational preparedness. However, this collective framing of a data breach’s impact usually elides an individual user’s experience of harm. Even in the case of Aadhaar-related breaches - a mix of leaking data on government websites and other online portals and breaches - the notion of harm owing to exposed data isn’t clearly established. This is, however, different from the extensively documented cases of Aadhaar-related issues in which welfare benefits have been denied, identities stolen and legitimate beneficiaries erased from the system due to technological errors.

Future Directions of Research

This brief, qualitative foray into the media coverage of data breaches over two decades has aimed to trace the usage of various terms in two different contexts - the Indian BPO-related incidents and the contemporary context of datafication. It would be worth exploring at length, the relationship between frequent reports of data breaches, and the language used to convey harm in the contemporary context of a concrete data protection legislation vacuum. It would be instructive to examine the specific uses of the terms such as “fraud”, “leak”, “scam”, “theft” and “breach” in media reporting of such data security incidents more exhaustively. Such analysis would elucidate how media reportage shapes public perception towards the safety of user data and an anticipation of attendant harm as data protection legislation continues to evolve.

Especially with Aadhaar, which represents a paradigm shift in identity verification through digital means, it would be useful to conduct a sentiment analysis of how biometric identity related frauds, scams, and leaks are reported by the mainstream news media. A study of user attitudes and behaviours in response to the specific terminology of data security lapses such as the terms “breach”, “leak”, “fraud”, “scam”, “cybercrime”, and “cyberattack” would further contribute to how lay users understand the gravity of a data security lapse. Such research would go beyond expert understandings of data security incidents that tend to dominate media reportage to elucidate the concerns of lay users and further clarify the cultural meanings of data privacy.

For more details visit https://cis-india.org/internet-governance/blog/demistifying-data-breaches-in-india

Data Protection: We can innovate, leapfrog

sunil — 2018-01-22T01:45:46Z

About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of services for web and mobile applications are in English and therefore it is only 10% of us who can actually read them before we provide our consent.

The article was published in the Deccan Herald on January 20, 2018.

Even if we can read them, we may not have the necessary legal training to understand them. According to a tweet thread by Pat Walshe (@privacymatters), the Tetris app, a popular video game, has a privacy policy that details the third-party advertising companies that they share data with. These third-parties include "123 Ad Networks; 13 Online Analytics companies; 62 Mobile Advertising Networks; 14 Mobile Analytics companies. The linked privacy policies for Tetris run to 407,000 words, compared to 450,000 words for the entire 'Lord of the Rings trilogy'." The child aged four and above that plays the game and her parents need an intermediary to deal with the corporations hiding behind Tetris.

Unlike the European Union, which has more than 37 years of history when it comes to data protection law, India is starting with a near blank slate after the Supreme Court confirmed that privacy is a constitutionally-guaranteed fundamental right in the Puttaswamy case judgement. While we would want to maintain adequacy and compatibility with the EU General Data Protection Regulation (GDPR) because it has become the global standard, we must realise that there is an opportunity for leapfrogging. This article attempts to introduce the reader to three different visions for intermediaries that have emerged within the Indian data protection debate around the accountability principle. I will also provide a brief sketch of an idea that we are developing at the Centre for Internet and Society. This is an incomplete list as there must be more proposals for regulatory innovation around the accountability principle that I am currently unaware of.

n Account Aggregators: The 'India Stack' ecosystem that has been built around the Aadhaar programme first proposed intermediaries called Account Aggregators. Account Aggregators manage consent artifacts. India Stack has traditionally been described as having four layers -- presenceless, paperless, cashless and consent. The consent layer is supposed to feature Account Aggregators. If, for example, a data subject wanting an insurance policy visits an insurance portal, the portal would collect personal information and a consent artifact from her and pass it on to multiple insurance companies. These insurance companies would send personalised bids to the portal, which would be displayed on a comparative grid to enable empowered selection.

The data structure consent artifact has been provided in the Master Direction from RBI titled "Non-Banking Financial Company Account Aggregator Directions," published in September 2016. How does this work? The fields includes (i) identity and optional contact information; (ii) nature of the financial information requested; (iii) purpose; (iv) the identity of the recipients, if any; (v) URL/address for notifications when the consent artifact is used; (vi) consent artifact creation date, expiry date, identity and signature/digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI. While Account Aggregators make it frictionless for the grant of consent and also for the harvesting of consent by data controllers, it does not make it easy for you to manage and revoke your consent.

n Data Trusts: Most recently, Na.Vijayashankar, a Bengaluru-based cybersecurity and cyberlaw expert, has proposed intermediaries called 'Data Trusts' registered with the regulator and who (i) will work as escrow agents for the personal data (which would be classified by type for different degrees of protection); (ii) will make privacy notices accessible by translating them into accessible language and formats; (iii) disclose data minimally to different data controllers based on the purpose limitation; (iv) issue tokens or pseudonymous identifiers and monetise the data for the benefit of the data subject. To ensure that Data Trusts truly protect the interests of the data subject, Vijayashankar proposes three requirements: (a) public performance reviews (b) audits by the regulator and (c) "an arms-length relationship with the data collectors." In his proposal, Data Trusts are firms with "the ability to process a real-time request from the data subject to supply appropriate data to the data collector."

n Learned Intermediaries: The Takshashila Institution published a paper titled Beyond Consent: A New Paradigm for Data Protection, authored by Rahul Matthan, partner at the law firm Trilegal. Learned Intermediaries would perform mandatory audits on all data controllers above a particular threshold. Like Vijayashankar, Matthan also requires these intermediaries to be certified by an appropriate authority. The main harm that he focuses on is, bias or discrimination. He proposes three stages of audit which are designed for the age of Big Data and Artificial Intelligence: "(i) Database Query Review; (ii) Black Box Audits; and (iii) Algorithm Review". Matthan also tentatively considers a rating system. Learned Intermediaries are a means to address information asymmetry in the market by making data subjects more aware. The impact of churn on their bottom-lines, it is hoped, will force data controllers to behave in an accountable manner, protecting rights and mitigating harms.

n Consent Brokers: Finally, I have proposed the model of a 'Consent Broker' by modifying the concept of the Account Aggregator. Like the Account Aggregator proposal, we would want a competitive set of consent brokers who will manage consent artifacts for data subjects. However, I believe there should be a 1:1 relationship between data subjects and consent brokers so that the latter compete for the business of data subjects. Like Vijayashankar, I believe that the consent broker must have an "arms-length distance" from data controllers and must be prohibited from making any money from them. Consent brokers could also be trusted to take proactive actions for the data subjects, such as access and correction.

The need of the hour is the production of regulatory innovations and robust discussions around them for all the nine privacy principles in the Justice AP Shah committee report -- notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability.

For more details visit https://cis-india.org/internet-governance/blog/deccan-herald-january-20-2018-sunil-abraham-data-protection-we-can-innovate-leapfrog

Danish Expert Group on Data Ethics

Admin — 2018-12-01T04:42:42Z

Amber Sinha was one of the stakeholders who provided inputs to the Danish Expert Group on Data Ethics in June 2018 during their visit to New Delhi. The Expert Group has prepared and submitted its final report.

In April the Danish Expert Group on Data Ethics commenced work on developing recommendations on Data Ethics for the Danish Government. The expert group have now handed over their recommendations to the Danish Minister of Industry, Business and Financial Affairs. Read the report.

For more details visit https://cis-india.org/internet-governance/news/danish-expert-group-on-data-ethics

CoWIN Breach: What Makes India's Health Data an Easy Target for Bad Actors?

Shweta Mohandas and Pallavi Bedi — 2023-07-04T09:39:03Z

Recent health data policies have failed to even mention the CoWIN platform.

The article was originally published in the Quint on 19 June 2023.

Last week, it was reported that due to an alleged breach of the CoWIN platform, details such as Aadhaar and passport numbers of Indians were made public via a Telegram bot.

While Minister of State for Information Technology Rajeev Chandrashekar put out information acknowledging that there was some form of a data breach, there is no information on how the breach took place or when a past breach may have taken place.

This data leak is yet another example of our health records being exposed in the recent past – during the pandemic, there were reports of COVID-19 test results being leaked online. The leaked information included patients’ full names, dates of birth, testing dates, and names of centres in which the tests were held.

In December last year, five servers of the All India Institute of Medical Science (AIIMS) in Delhi were under a cyberattack, leaving sensitive personal data of around 3-4 crore patients compromised.

In such cases, the Indian Computer Emergency Response Team (CERT-In) is the agency responsible for looking into the vulnerabilities that may have led to them. However, till date, CERT-In has not made its technical findings into such attacks publicly available.

The COVID-19 Pandemic Created Opportunity

The pandemic saw a number of digitisation policies being rolled out in the health sector; the most notable one being the National Digital Health Mission (or NDHM, later re-branded as the Ayushman Bharat Digital Mission).

Mobile phone apps and web portals launched by the central and state governments during the pandemic are also examples of this health digitisation push. The rollout of the COVID-19 vaccinations also saw the deployment of the CoWIN platform.

Initially, it was mandatory for individuals to register on CoWIN to get an appointment for vaccination, and there was no option for walk-in-registration or to book an appointment. But, the Centre subsequently modified this rule and walk-in appointments and registrations on CoWIN became permissible from June 2021.

However, a study conducted by the Centre for Internet and Society (CIS) found that states such as Jharkhand and Chhattisgarh, which have low internet penetration, permitted on-site registration for vaccinations from the beginning.

The rollout of the NDHM also saw Health IDs being generated for citizens.

In several reported cases across states, this rollout happened during the COVID-19 vaccination process – without the informed consent of the concerned person.

The beneficiaries who have had their Health IDs created through the vaccination process had not been informed about the creation of such an ID or their right to opt out of the digital health ecosystem.

A Web of Health Data Policies

Even before the pandemic, India was working towards a Health ID and a health data management system.

The components of the umbrella National Digital Health Ecosystem (NDHE) are the National Digital Health Blueprint published in 2019 (NDHB) and the NDHM.

The Blueprint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs. Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.

The National Health Authority (NHA), established in 2018, has been given the responsibility of implementing the National Digital Health Mission.

2018 also saw the Digital Information Security in Healthcare Act (DISHA), which was to regulate the generation, collection, access, storage, transmission, and use of Digital Health Data ("DHD") and associated personal data.

However, since its call for public consultation, no progress has been made on this front.

In addition to documents that chalk out the functioning and the ecosystem of a digitised healthcare system, the NHA has released policy documents such as:

the Health Data Management Policy (which was revised three times; the latest version released in April 2022)
the Health Data Retention Policy (released in April 2021)
Consultation paper on the Unified Health Interface (UHI) (released in December 2022)

Along with these policies, in 2022, the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) – India’s state health insurance policy.

However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines, published in August 2022, did not even refer to the draft National Digital Health Data Management Policy (published in April 2022).

Interestingly, the recent health data policies do not mention CoWIN. Failing to cross-reference or mention preceding policies creates a lack of clarity on which documents are being used as guidelines by healthcare providers.

Can a Data Protection Bill Be the Solution?

The draft Data Protection Bill, 2021, defined health data as “…the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associated with the data principal to the provision of specific health services.”

However, this definition as well as the definition of sensitive personal data was removed from the current version of the Bill (Digital Personal Data Protection Bill, 2022).

Omitting these definitions from the Bill removes a set of data which, if collected, warrants increased responsibility and increased liability. Handling of health data, financial data, government identifiers, etc, need to come with a higher level of responsibility as they are a list of sensitive details of a person.

The threats posed as a result of this data being leaked are not limited to spam messages or fraud and impersonation, but also of companies that can get a hand on this coveted data and gather insights and train their systems and algorithms, without the need to seek consent from anyone, or without facing the consequences of harm caused.

While the current version of the draft DPDP Bill states that the data fiduciary shall notify the data principal of any breach, the draft Bill also states that the Data Protection Board “may” direct the data fiduciary to adopt measures that remedy the breach or mitigate harm caused to the data principal.

The Bill also prescribes penalties of upto Rs 250 crore if the data fiduciary fails to take reasonable security safeguards to prevent a personal data breach, and a penalty of upto Rs 200 crore if the fiduciary fails to notify the data protection board and the data principal of such breach.

While these steps, if implemented through legislation, would make organisations processing data take their data security more seriously, the removal of sensitive personal data from the definition of the Bill, would mean that data fiduciaries processing health data will not have to take additional steps other than reasonable security safeguards.

The absence of a clear indication of security standards will affect data principals and fiduciaries.

Looking to bring more efficiency to governance systems, the Centre launched the Digital India Mission in 2015. The press release by the central government reporting the approval of the programme by the Cabinet of Ministers speaks of ‘cradle to grave’ digital identity as one of its vision areas.

The ambitious Universal Health ID and health data management policies are an example of this digitisation mission.

However breaches like this are reminders that without proper data security measures, and a system for having a person responsible for data security, the data is always vulnerable to an attack.

While the UK and Australia have also seen massive data breaches in the past, India is at the start of its health data digitisation journey and has the ability to set up strong security measures, employ experienced professionals, and establish legal resources to ensure that data breaches are minimised and swift action can be taken in case of a breach.

The first step to understand the vulnerabilities would be to present the CERT-In reports of this breach, and guide other institutions to check for the same so that they are better prepared for future breaches and attacks.

For more details visit https://cis-india.org/internet-governance/blog/quint-shweta-mohandas-and-pallavi-bedi-june-19-2023-cowin-data-breach-health-sensitive-details-policies-solution

Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India

jyoti — 2015-10-14T14:40:08Z

The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between European Union and United States. The inadequacies of the framework is not news for the European Commission and action by ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse.

The European Court of Justice (ECJ) has invalidated a European Commission (EC) decision¹ which had previously concluded that the 'Safe Harbor Privacy Principles'² provide adequate protections for European citizens’ privacy rights³ for the transfer of personal data between European Union and United States. This challenge stems from the claim that public law enforcement authorities in America obtain personal data from organisations in safe harbour for incompatible and disproportionate purposes in violation of the Safe Harbour Privacy Principles. The court's judgment follows the advice of the Advocate General of the Court of Justice of the European Union (CJEU) who recently opined⁴ that US practices allow for large-scale collection and transfer of personal data belonging to EU citizens without them benefiting from or having access to judicial protection under US privacy laws. The inadequacies of the framework is not news for the Commission and action by ECJ has been a long time coming. The ruling raises important questions about how increasingly the contestations of personal data are being employed in asserting claims of citizenship in context of the internet.

As the highest court in Europe, the ECJ's decisions are binding on all member states. With this ruling the ECJ has effectively restrained US firms from indiscriminate collection and sharing of European citizens’ data on American soil. The implications of the decision are significant, because it shifts the onus of evaluating protections of personal data for EU citizens from the 4,400 companies⁵ subscribing to the system onto EU privacy watchdogs. Most significantly, in addressing the rights of a citizen against an established global brand, the judgement goes beyond political and legal opinion to challenge the power imbalance that exists with reference to US based firms.

Today, the free movement of data across borders is a critical factor in facilitating trade, financial services, governance, manufacturing, health and development. However, to consider the ruling as merely a clarification of transatlantic mechanisms for data flows misstates the real issue. At the heart of the judgment is the assessment whether US firms apply the tests of ‘necessity and proportionality’ in the collection and surveillance of data for national security purposes. Application of necessity and proportionality test to national security exceptions under safe harbor has been a sticking point that has stalled the renegotiation of the agreement that has been underway between the Commission and the American data protection authorities.⁶

For EU citizens the stake in the case are even higher, as while their right to privacy is enshrined under EU law, they have no administrative or judicial means of redress, if their data is used for reasons they did not intend. In the EU, citizens accessing and agreeing to use of US based firms are presented with a false choice between accessing benefits and giving up on their fundamental right to privacy. In other words, by seeking that governments and private companies provide better data protection for the EU citizens and in restricting collection of personal data on a generalised basis without objective criteria, the ruling is effectively an assertion of ‘data sovereignty’. The term ‘data sovereignty’, while lacking a firm definition, refers to a spectrum of approaches adopted by different states to control data generated in or passing through national internet infrastructure.⁷ Underlying the ruling is the growing policy divide between the US and EU privacy and data protection standards, which may lead to what is referred to as the balkanization⁸ of the internet in the future.

US-EU Data Protection Regime

The safe harbor pact between the EU and US was negotiated in the late 1990s as an attempt to bridge the different approaches to online privacy. Privacy is addressed in the EU as a fundamental human right while in the US it is defined under terms of consumer protection, which allow trade-offs and exceptions when national security seems to be under threat. In order to address the lower standards of data protection prevalent in the US, the pact facilitates data transfers from EU to US by establishing certain safeguards equivalent to the requirements of the EU data protection directive. The safe harbor provisions include firms undertaking not to pass personal information to third parties if the EU data protection standards are not met and giving users right to opt out of data collection.⁹

The agreement was due to be renewed by May 2015¹⁰ and while negotiations have been ongoing for two years, EU discontent on safe harbour came to the fore following the Edward Snowden revelations of collection and monitoring facilitated by large private companies for the PRISM program and after the announcement of the TransAtlantic Trade and Investment Partnership (TTIP).¹¹ EU member states have mostly stayed silent as they run their own surveillance programs often times, in cooperation with the NSA. EU institutions cannot intervene in matters of national security however, they do have authority on data protection matters. European Union officials and Members of Parliament have expressed shock and outrage at the surveillance programs unveiled by Snowden's 2013 revelations. Most recently, following the CJEU Advocate General’s opinion, 50 Members of European Parliament (MEP) sent a strongly worded letter the US Congress hitting back on claims of ‘digital protectionism’ emanating from the US¹². In no uncertain terms the letter clarified that the EU has different ideas on privacy, platforms, net neutrality, encryption, Bitcoin, zero-days, or copyright and will seek to improve and change any proposal from the EC in the interest of our citizens and of all people.

Towards Harmonization

In November 2013, as an attempt to minimize the loss of trust following the Snowden revelations, the European Commission (EC) published recommendations in its report on 'Rebuilding Trust is EU-US Data Flows'.¹³ The recommendations revealed two critical initiatives at the EU level—first was the revision of the EU-US safe harbor agreement¹⁴ and second the adoption of the 'EU-US Umbrella Agreement¹⁵'—a framework for data transfer for the purpose of investigating, detecting, or prosecuting a crime, including terrorism. The Umbrella Agreement was recently initialed by EU and US negotiators and it only addresses the exchange of personal data between law enforcement agencies.¹⁶ The Agreement has gained momentum in the wake of recent cases around issues of territorial duties of providers, enforcement jurisdictions and data localisation.¹⁷ However, the adoption of the Umbrella Act depends on US Congress adoption of the Judicial Redress Act (JRA) as law.¹⁸

Judicial Redress Act

The JRA is a key reform that the EC is pushing for in an attempt to address the gap between privacy rights and remedies available to US citizens and those extended to EU citizens, including allowing EU citizens to sue in American courts. The JRA seeks to extend certain protections under the Privacy Act to records shared by EU and other designated countries with US law enforcement agencies for the purpose of investigating, detecting, or prosecuting criminal offenses. The JRA protections would extend to records shared under the Umbrella Agreement and while it does include civil remedies for violation of data protection, as noted by the Center for Democracy and Technology, the present framework does not provide citizens of EU countries with redress that is at par with that which US persons enjoy under the Privacy Act.¹⁹

For example, the measures outlined under the JRA would only be applicable to countries that have outlined appropriate privacy protections agreements for data sharing for investigations and ‘efficiently share’ such information with the US. Countries that do not have agreements with US cannot seek these protections leaving the personal data of their citizens open for collection and misuse by US agencies. Further, the arrangement leaves determination of 'efficiently sharing' in the hands of US authorities and countries could lose protection if they do not comply with information sharing requests promptly. Finally, JRA protections do not apply to non-US persons nor to records shared for purposes other than law enforcement such as intelligence gathering. JRA is also weakened by allowing heads of agencies to exercise their discretion to seek exemption from the Act and opt out of compliance.

Taken together the JRA, the Umbrella Act and the renegotiation of the Safe Harbor Agreement need considerable improvements. It is worth noting that EU’s acceptance of the redundancy of existing agreements and in establishing the independence of national data protection authorities in investigating and enforcing national laws as demonstrated in the Schrems and in the Weltimmo²⁰ case point to accelerated developments in the broader EU privacy landscape.

Consequences

The ECJ Safe Harbor ruling will have far-reaching consequences for the online industry. Often, costly government rulings solidify the market dominance of big companies. As high regulatory costs restrict the entrance of small and medium businesses the market, competition is gradually wiped out. Further, complying with high standards of data protection means that US firms handling European data will need to consider alternative legal means of transfer of personal data. This could include evolving 'model contracts' binding them to EU data protection standards. As Schrems points out, “Big companies don’t only rely on safe harbour: they also rely on binding corporate rules and standard contractual clauses.”²¹

The ruling is good news for European consumers, who can now approach a national regulator to investigate suspicions of data mishandling. EU data protection regulators may be be inundated with requests from companies seeking authorization of new contracts and with consumer complaints. Some are concerned that the ruling puts a dent in the globalized flow of data²², effectively requiring data localization in Europe.²³ Others have pointed out that it is unclear how this decision sits with other trade treaties such as the TPP that ban data localisation.²⁴ While the implications of the decision will take some time in playing out, what is certain is that US companies will be have to restructure management, storage and use of data. The ruling has created the impetus for India to push for reforms to protect its citizens from harms by US firms and improve trade relations with EU.

The Opportunity for India

Multiple data flows taking place over the internet simultaneously and that has led to ubiquity of data transfers o ver the Internet, exposing individuals to privacy risks. There has also been an enhanced economic importance of data processing as businesses collect and correlate data using analytic tools to create new demands, establish relationships and generate revenue for their services. The primary concern of the Schrems case may be the protection of the rights of EU citizens but by seeking to extend these rights and ensure compliance in other jurisdictions, the case touches upon many underlying contestations around data and sovereignty.

Last year, Mr Ram Narain, India Head of Delegation to the Working Group Plenary at ITU had stressed, “respecting the principle of sovereignty of information through network functionality and global norms will go a long way in increasing the trust and confidence in use of ICT.”²⁵ In the absence of the recognition of privacy as a right and empowering citizens through measures or avenues to seek redressal against misuse of data, the demand of data sovereignty rings empty. The kind of framework which empowered an ordinary citizen in the EU to approach the highest court seeking redressal based on presumed overreach of a foreign government and from harms abetted by private corporations simply does not exist in India. Securing citizen’s data in other jurisdictions and from other governments begins with establishing protection regimes within the country.

The Indian government has also stepped up efforts to restrict transfer of data from India including pushing for private companies to open data centers in India.²⁶ Negotiating data localisation does not restrict the power of private corporations from using data in a broad ways including tailoring ads and promoting products. Also, data transfers impact any organisation with international operations for example, global multinationals who need to coordinate employee data and information. Companies like Facebook, Google and Microsoft transfer and store data belonging to Indian citizens and it is worth remembering that the National Security Agency (NSA) would have access to this data through servers of such private companies. With no existing measures to restrict such indiscriminate access, the ruling purports to the need for India to evolve strong protection mechanisms. Finally, the lack of such measures also have an economic impact, as reported in a recent Nasscom-Data Security Council of India (DSCI) survey²⁷ that pegs revenue losses incurred by the Indian IT-BPO industry at $2-2.5 billion for a sample size of 15 companies. DSCI has further estimated that outsourcing business can further grow by $50 billion per annum once India is granted a “data secure” status by the EU.²⁸ EU’s refusal to grant such a status is understandable given the high standard of privacy as incorporated under the European Union Data Protection Directive a standard to which India does not match up, yet. The lack of this status prevents the flow of data which is vital for Digital India vision and also affects the service industry by restricting the flow of sensitive information to India such as information about patient records.

Data and information structures are controlled and owned by private corporations and networks transcend national borders, therefore the foremost emphasis needs to be on improving national frameworks. While, enforcement mechanisms such as the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation may seem respectful of international borders and principles of sovereignty,²⁹ for users that live in undemocratic or oppressive regimes such agreements are a considerable risk. Data is also increasingly being stored across multiple jurisdictions and therefore merely applying data location lens to protection measures may be too narrow. Further it should be noted that when companies begin taking data storage decisions based on legal considerations it will impact the speed and reliability of services.³⁰ Any future regime must reflect the challenges of data transfers taking place in legal and economic spaces that are not identical and may be in opposition. Fundamentally, the protection of privacy will always act as a barrier to the free flow of information even so, as the Schrems case ruling points out not having adequate privacy protections could also restrict flow of data, as has been the case for India.

The time is right for India to appoint a data controller and put in place national frameworks, based on nuanced understanding of issues of applying jurisdiction to govern users and their data. Establishing better protection measures will not only establish trust and enhance the ability of users to control data about themselves it is also essential for sustaining economic and social value generated from data generation and collection. Suggestions for such frameworks have been considered previously by the Group of Experts on Privacy constituted by the Planning Commission.³¹ By incorporating transparency in mechanisms for data and access requests and premising requests on established necessity and proportionality Indian government can lead the way in data protection standards. This will give the Indian government more teeth to challenge and address both the dangers of theft of data stored on servers located outside of India and restrain indiscriminate access arising from terms and conditions of businesses that grant such rights to third parties.

1 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) Official Journal L 215 , 25/08/2000 P. 0007 -0047 2000/520/EC: http ://eur -lex .europa .eu /LexUriServ /LexUriServ .do ?uri =CELEX :32000 D 0520:EN :HTML

2 Safe Harbour Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

3 Megan Graham, Adding Some Nuance on the European Court ’s Safe Harbor Decision , Just security

https ://www .justsecurity .org /26651/adding -nuance -ecj -safe -harbor -decision /

4 Advocate General’s Opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner Court of Justice of the European Union, Press Release, No 106/15 Luxembourg, 23 September 2015 http ://curia .europa .eu /jcms /upload /docs /application /pdf /2015-09/cp 150106 en .pdf

5 Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour alternatives’, The Register, October 7, 2015 http ://www .theregister .co .uk /2015/10/07/eu _pushes _safe _harbour _alternatives /

6 Draft Report, General Data Protection Regulation, Committee on Civil Liberties, Justice and Home Affairs, European Parliament, 2009-2014 http ://www .europarl .europa .eu /meetdocs /2009_2014/documents /libe /pr /922/922387/922387 en .pdf

7 Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS Characteristics: Data Sovereignty and the Balkanisation of the Internet’, University of Oxford, July 7, 2014 https ://www .usenix .org /system /files /conference /foci 14/foci 14-polatin -reuben .pdf

8 Sasha Meinrath, The Future of the Internet: Balkanization and Borders, Time, October 2013 http ://ideas .time .com /2013/10/11/the -future -of -the -internet -balkanization -and -borders /

9 Safe Harbour Privacy Principles, Issued by the U.S. Department of Commerce, July 2001 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

10 Facebook case may force European firms to change data storage practices, The Guardian, September 23, 2015 http ://www .theguardian .com /us -news /2015/sep /23/us -intelligence -services -surveillance -privacy

11 Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013 https ://iapp .org /news /a /us -eu -safe -harbor -under -pressure

12 Kieren McCarthy, Privacy, net neutrality, security, encryption ... Europe tells Obama, US Congress to back off, The Register, 23 September, 2015 http ://www .theregister .co .uk /2015/09/23/european _politicians _to _congress _back _off /

13 Communication from the Commission to the European Parliament and the Council, Rebuilding Trust in EU-US Data Flows, European Commission, November 2013 http ://ec .europa .eu /justice /data -protection /files /com _2013_846_en .pdf

14 Safe Harbor on trial in the European Union, Access Blog, September 2014 https ://www .accessnow .org /blog /2014/11/13/safe -harbor -on -trial -in -the -european -union

15 European Commission - Fact Sheet Questions and Answers on the EU-US data protection "Umbrella agreement", September 8, 2015 http ://europa .eu /rapid /press -release _MEMO -15-5612_en .htm

16 McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data transfers’, Lexology, September 14, 2015 http ://www .lexology .com /library /detail .aspx ?g =422 bca 41-2 d 54-4648-ae 57-00 d 678515 e 1 f

17 Andrew Woods, Lowering the Temperature on the Microsoft-Ireland Case, Lawfare September, 2015 https ://www .lawfareblog .com /lowering -temperature -microsoft -ireland -case

18 Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement and the Judicial Redress Act: Small Steps Forward for EU Citizens’ Privacy Rights’, October 5, 2015 https ://cdt .org /blog /the -eu -us -umbrella -agreement -and -the -judicial -redress -act -small -steps -forward -for -eu -citizens -privacy -rights /

19 Ibid 18.

20 Landmark ECJ data protection ruling could impact Facebook and Google, The Guardian, 2 October, 2015 http ://www .theguardian .com /technology /2015/oct /02/landmark -ecj -data -protection -ruling -facebook -google -weltimmo

21 Julia Powles, Tech companies like Facebook not above the law, says Max Schrems, The Guardian, Octover 9, 2015 http ://www .theguardian .com /technology /2015/oct /09/facebook -data -privacy -max -schrems -european -court -of -justice

22 Adam Thierer, Unintended Consequences of the EU Safe Harbor Ruling, The Technology Liberation Front, October 6, 2015 http ://techliberation .com /2015/10/06/unintended -consequenses -of -the -eu -safe -harbor -ruling /#more -75831

23 Anupam Chander, Tweeted ECJ #schrems ruling may effectively require data localization within Europe, https ://twitter .com /AnupamChander /status /651369730754801665

24 Lokman Tsui, Tweeted, “If the TPP bans data localization, but the ECJ ruling effectively mandates it, what does that mean for the internet?” https ://twitter .com /lokmantsui /status /651393867376275456

25 Statement from Indian Head of Delegation, Mr Ram Narain for WGPL, Indian statement on ITU and Internet at the Working Group Plenary November 4, 2014 https ://ccgnludelhi .wordpress .com /author /asukum 87/page /2/

26 Sounak Mitra, Xiaomi bets big on India despite problems, Business Standard, December 2014 http ://www .business -standard .com /article /companies /xiaomi -bets -big -on -india -despite -problems -114122201023_1.html

27 Neha Alawadi, Ruling on data flow between EU & US may impact India’s IT sector, Economic Times,October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49250738.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

28 Pranav Menon, Data Protection Laws in India and Data Security- Impact on India and Data Security-Impact on India - EU Free Trade Agreement, CIS Access to Knowledge, 2011 http ://cis -india .org /a 2 k /blogs /data -security -laws -india .pdf

29 Surendra Kumar Sinha, India wants Mutual Legal Assistance treaty with Bangladesh, Economic Times, October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49262294.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

30 Pablo Chavez, Director, Public Policy and Government Affairs, Testifying before the U.S. Senate on transparency legislation, November 3, 2013 http ://googlepublicpolicy .blogspot .in /2013/11/testifying -before -us -senate -on .htm

31 Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court), Planning Commission, October 2012 http ://planningcommission .nic .in /reports /genrep /rep _privacy .pdf

For more details visit https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india

Comparison of General Data Protection Regulation and Data Protection Directive

Aditi Chaturvedi and Edited by Leilah Elmokadem — 2017-02-07T14:08:35Z

Recently, the General Data Protection Regulation (REGULATION (EU) 2016/679) was passed. It shall replace the present Data Protection Directive (DPD 95/46/EC), which is a step that is likely to impact the workings of many organizations. This document intends to offer a clear comparison between the General Data Protection Regulation (GDPR) a the Data Protection Direction (DPD).

Download the file here

INTRODUCTION

The GDPR i.e. General Data Protection Regulation (REGULATION (EU) 2016/679) was adopted on May 27th, 2016. It will come into force after a two-year transition period on May 25th, 2018 and will replace the Data Protection Directive (DPD 95/46/EC). The Regulation intends to empower data subjects in the European Union by giving them control over the processing of their personal data. This is not an enabling legislation. Unlike the previous regime under the DPD (Data Protection Directive), wherein different member States legislated their own data protection laws, the new regulation intends uniformity in application with some room for individual member states to legislate on procedural mechanisms. While this will ensure a predictable environment for doing business, a number of obligations will have to be undertaken by organizations, which might initially burden them financially and administratively.

2. SUMMARY

The Regulation contains a number of new provisions as well as modified provisions that were under DPD and has removed certain requirements under the DPD. Some significant changes mentioned in the document have been summarized in this section.. These changes suggest that GDPR is a comprehensive law with detailed substantive and procedural provisions. Yet, some ambiguities remain with respect to its workability and interpretation. Clarifications will be required.

2.1 Provisions from the DPD that were retained but altered in the GDPR include:

2.1.1 Scope:

GDPR has an expanded territorial scope and is applicable under two scenarios; 1) when processor or controller is established in the Union, and 2) when processor or controller is not established in the Union. The conditions for applicability of the GDPR under the two are much wider than those provided for DPD. Also, the criteria under GDPR are more specific and clearer to demonstrate application.

2.1.2 Definitions:

Six definitions have remained the same while those of personal data and consent have been expanded.

2.1.3 Consent:

GDPR mentions "unambiguous" consent and spells out in detail what constitutes a valid consent. Demonstration of valid consent is an important obligation of the controller. Further, the GDPR also explains situations in which child's consent will be valid. Such provisions are absent in DPD.

2.1.4 Special categories of data:

Two new categories, biometric and genetic data have been added under GDPR.

2.1.5 Rights:

The GDPR strengthens certain rights granted under the DPD. These include:

a. Right to restrict processing: Under DPD the data subject can block processing of data on the grounds of data inaccuracy or incomplete nature of data. GDPR, on the other hand , is more elaborate and defined in this respect. Many more grounds are listed together with consequences of enforcement of this right and obligations on controller.

b. Right to erasure: This is known as the "right to be forgotten". Here, the DPD merely mentions that the data subject has the right to request erasure of data on grounds of data inaccuracy or incomplete nature of data or in case of unlawful processing. The GDPR has strengthened this right by laying out 7 conditions for enforcing this right including 5 grounds on which the request for erasure shall not be processed. This means that the "right to erasure" is not an absolute right. GDPR provides that if data has been made public, controllers are under an obligation to inform other controllers processing the data about the request.

c. Right to rectification: This right is similar under GDPR and DPD.

d. Right to access: GDPR has broadened the amount of information data subject can have regarding his/her own data. For example, under the DPD the data subject could know about the purpose of processing, categories of processing, recipients or categories to whom data are disclosed and extent of automated decision involved. Now under GDPR, the data subject can also know about retention period, existence of certain rights, about source of data and consequences of processing. It specifically states controllers obligations in this regard.

e. Automated individual decision making including profiling: This is an interesting provision that applies solely to automate decision-making. This includes profiling, which is a process by which personal data is evaluated solely by automated means for the purpose of analyzing a person's personal aspect such as performance at work, health, location etc. The intent is that data subjects should have the right to obtain human intervention into their personal data. This upholds philosophy of data safeguard as the subject can get an opportunity to express himself, obtain explanation and challenge the decision. Under GDPR, such decision-making excludes data concerning a child.

2.1.6 Code of conduct:

A voluntary self-regulating mechanism has been provided under both GDPR and DPD.

2.1.7 Supervisory Authority:

As compared to the DPD, the GDPR lays down detailed and elaborate provisions on Supervisory Authority.

2.1.8 Compensation and Liability:

Although compensation and liability provisions under GDPR and DPD are similar, the GDPR specifically mentions this as a right with a wider scope. While the Directive enforces liability on the controller only, under the GDPR, compensation can be claimed from both, processor and controller.

2.1.9 Effective judicial remedies:

Provisions in this area are also quite similar between the DPD and GDPR. The difference is that GDPR specifically mentions this as a "right" and the Directive does not. Use of such words is bound to bring legal clarity. It is interesting to note that in the DPD, recourse to remedy has been mentioned in the Recitals and it is the national law of individual member states, which shall regulate the enforceability. GDPR, on the other hand, mentions this under its Articles together with the jurisdiction of courts and exceptions to this right.

2.1.10 Right to lodge complaint with supervisory authority:

The right conferred to the data subject to seek remedy under unlawful processing has been strengthened under GDPR. Again, as mentioned above, GDRP specifically words this as a "right" while the DPD does not.

2.2 New provisions added to the GDPR include:

2.2.1 Data Transfer to third countries:

Provisions under Chapter V of GDPR regulate data transfers from EU to third countries and international organizations and data transfer onward. DPD only provides for data transfer to third countries without reference to international organizations.

A mechanism called adequacy decisions for such transfers remains the same under both laws. However, in situations where Commission does not take adequacy decisions, alternate and elaborate provisions on "Effective Safeguards" and "Binding Corporate Rules" have been mentioned under the GDPR. Other certain situations have been envisaged under both GDPR and DPD for data transfers in absence of adequacy decision. These are more or less similar with a only few modifications.

Significantly, GDPR brings clarity with respect to enforceability of judgments and orders of authorities that are outside of EU over their decision on such data transfer. Additionally, it provides for international cooperation for protection of personal data. These are not mentioned in the DPD.

2.2.2 Certification mechanism:

Just like code of conduct, this is also a voluntary mechanism, which can aid in demonstrating compliance with Regulation.

2.2.3 Records of processing activities:

This is a mandatory "compliance demonstration" mechanism under GDPR, which is not mentioned under DPD. Organizations are likely to face initial administrative and financial burdens in order to maintain records of processing activities.

2.2.4 Obligations of processor:

DPD fixes liability on controllers but leaves out processors. GDPR includes both. Consequently, GDPR specifies obligations of the processor, the kinds of processors the controller can use and what will govern processing.

2.2.5 Data Protection officer:

This finds no mention in the DPD. Under the GDPR, a data protection officer must be mandatorily appointed where the core business activity of the organization pertains to processing, which requires regular and systematic monitoring of data subjects on large scale, processing of large scale special categories of data and offences, or processing carried out by public authority or public body.

2.2.6 Data protection impact assessment:

This is a Privacy Impact assessment for ensuring and demonstrating compliance with the Regulation. Such assessment can identify and minimize risks. GDPR mandates that such assessment must be carried out when processing is likely to result in high risk. The relevant Article mentions when to carry out processing, the type of information to be contained in assessment and a clause for prior consultation with supervisory authority prior to processing if assessment indicates high risk.

2.2.7 Data Breach:

Under this provision, the controller is responsible for two things: 1) reporting personal data breach to supervisory authority no later than 72 hours . Any delay in notifying the authority has to be accompanied by reasons for delay; and 2) communicating the breach to the data subject in case the breach is likely to cause high risk to right and freedoms of the person. As far as the processor is concerned, in the event of data breach, the processor must notify the controller. This provision is likely to push some major changes in the workings of various organizations. A number of detection and reporting mechanisms will have to be implemented. Above all, these mechanisms will have to be extremely efficient given the time limit.

2.2.8 Data Protection by design and default:

This entails a general obligation upon the controller to incorporate effective data protection in internal policies and implementation measures.

2.2.9 Rights:

Under the GDPR, a new right called the " Right to data portability " has been conferred upon the data subjects. This right empowers the data subject to receive personal data from one controller and transfer it to another.

2.2.10 New Definitions:

Out of 26 definitions, 18 new definitions have been added. "Pseudonymisation" is one such new concept that can aid data privacy. This data processing technique encourages processing in a way that personal data can no longer be attributed to a specific data subject without using additional information. This additional information is to be stored separately in a way that it is not attributed to an identified or identifiable natural person.

2.2.11 Administrative fines:

Perhaps much concern about GDPR is due to provisions on high fines for non-compliance of certain provisions. Organizations simply cannot afford to ignore it. Non-compliance can lead to imposition of very heavy fines up to 20,000,000 EUR or 4% of total worldwide turnover.

2.3 Deleted provisions under DPD include :

2.3.1 Working Party:

Working party under the DPD has been replaced by the European Data Protection Board provided by the GDPR. The purpose of the Board is to ensure consistent application of the Regulation.

2.3.2 Notification Requirement:

The general obligation to notify processing supervisory authorities has been removed. It was observed that this requirement imposed unnecessary financial and administrative burden on organizations and was not successful in achieving the real purpose that is protection of personal data. Instead, now the GDPR focuses on procedures and mechanisms like Privacy Impact assessment to ensure compliance.

3. BRIEF OVERVIEW

The GDPR is the new uniform law, which will now replace older laws. A brief overview has been given below:

Topic	GDPR (General Data Protection Regulation)	DPD (Data Protection Directive)

Name	REGULATION (EU) 2016/679	DPD 95/46/EC
Enforcement	Adopted on 27 May 2016 To be enforced on 25 May 2018	Adopted on 24 October 1995
Effect of legislation	It is a Regulation. Is directly applicable to all EU member states without requiring a separate national legislation.	It is an enabling legislation. Countries have to pass their own separate legislations.
Objective	To protect "natural persons" with regard to processing of personal data and on free movement of such data. It repeals DPD 95/46/EC.	To protect "individuals" with regard to processing of personal data and on free movement of such data.
Number of Chapters	XI	VII
Number of Articles	99	34
Number of Recitals	173	72
Applicability	To processors and controllers	Same

4. COMPARATIVE ANALYSIS OF GDPR AND DPD

This section offers a comparative analysis through a set of tables and text analysing and comparing the provisions of General Data Protection Regulation (GDPR) with those of the Data Protection Direction (DPD). Spaces left blank in the tables imply lack of similar provisions under the respective data regime.

4.1 Territorial Scope

GDPR has expanded territorial scope. The application of Regulation is independent of the place where processing of personal data takes places under certain conditions. The focus is the data subject and not the location. The DPD made application of national law, a criterion for determining the applicability of the Directive. Under the GDPR, the following conditions need to be satisfied for application of Regulation.

Sub-topics in the section	GDPR	DPD

Given in Article	3	4

When processor or controller is established in the Union, the Regulation/ Directive will apply if: (DPD is silent on location of processors )	1. Processing is of personal data 2. Processing is in "context of activities" of the establishment 3. Processing may or may not take place in the Union	Processing is of personal data.
When processor or controller is not established in Union, the Regulation/Directive will apply if: (DPD is silent on location of processors )	1. Data subjects are in the Union; and 2. Processing activity is related to: I. Offering of goods or services; or II. Monitoring their behavior within Union 3. Will apply when Member State law is applicable to that place by the virtue of public international law	1. Like GDPR the DPD mentions that national law should be applicable to that place by virtue of public international law; Or 2. If the equipment for processing is situated on Member state territory unless it is used only for purpose of transit.

4.2 Material Scope

The Recital under GDPR explains that data protection is not an absolute right. Principle of proportionality has been adopted to respect other fundamental rights.

Sub-topics in the section	GDPR	DPD

Given in Article	2	3
Applies to	Processing of personal data Processing is by automated means, wholly or partially When processing is not by automated means, the personal data should form or are intended to form a part of filing system	Same
Does not apply to	Processing of personal data: 1. For activities which lie outside scope of Union law 2. By Member State under Chapter 2 Title V of TEU 3. By natural person in course of purely personal or household activity 4. By competent authorities in relation to criminal offences and penalties and threats to public security 5. Under Regulation (EC) No 45/2001. This needs to be adapted for consistency with GDPR 6. Which should not prejudice the E commerce Directive 2000/31/EC especially the liability rules of intermediary service providers	The provisions in DPD are similar to GDPR. In addition to Title V, the DPD did not apply to Title VI of TEU. DPD doesn't mention Regulation (EC) No 45/2001 or the E commerce Directive 2000/31/EC.

4.3 Definitions

GDPR incorporates 26 definitions as compared to 8 definitions under DPD. There are 18 new definitions in GDPR. Some definitions have been expanded.

Sub-topics in the section	GDPR	DPD

Given in Article	4	2
New Definitions under GDPR	1. Restriction of processing 2. Profiling 3. Pseudonymisation 4. Personal data breach 5. Genetic data 6. Biometric data 7. Data concerning health 8. Main establishment 9. Representative 10. Enterprise 11. Group of undertakings 12. Binding corporate rules 13. Supervisory authority 14. Supervisory authority concerned 15. Cross border processing 16. Relevant and reasoned objection 17. Information society service 18. International organizations
2 definitions that have been expanded under GDPR	1. Personal data 2. Consent
6 Definitions which have remained same in GDPR and DPD	1. Processing of personal data 2. Personal data filing system 3. Controller 4. Processor 5. Third party recipient

4.3.1 Expanded definition of personal data

Both DPD and GDPR apply to 'personal data'. The GDPR gives an expanded definition of 'personal data'. Recital 30 gives example of an online identifier such as IP addresses.

Sub-topics in the section	GDPR	DPD

Given in Article	4(1)	2(a)
New term added in the definition	A new term " online identifier" has been added. Example of online identifier is given under Recital 30. An IP address is one such example.

4.3.2 Expanded definition of consent

Valid consent must be given by the data subject. The definition of valid consent has been added under GDPR. Recital 32 further explains that consent can be given by "means of a written statement including electronic means or an oral statement". For example, ticking a box on websites signifies acceptance of processing while "pre ticked boxes, silence or inactivity" do not constitute consent.

Sub-topics in the section	GDPR	DPD

Given in Article	4(11)	2(h)
Term added in GDPR	Consent must be unambiguous, freely given, specific and informed.	The word "unambiguous" is not contained in DPD.
Means of signifying assent to processing own data	Assent can be given by a statement or by clear affirmative action signifying assent to processing.	DPD merely mentions that freely given, specific and informed consent signifies assent.

4.4 Conditions for consent

GDPR lays down detailed provisions for valid consent. Such provisions are not given in DPD.

Sub-topics in the section	GDPR	DPD

Article	7
Obligation of controller	Must demonstrate consent has been given
Presentation of written declaration of consent	It should be in a clearly distinguishable, intelligible and easily accessible form. Language should be clear and plain.
If declaration or any part of it infringes on Regulation	Declaration will be non-binding.
Right of data subject	To withdraw consent at any time.
Right of data subject	If consent is withdrawn, it will not make processing done earlier unlawful.
For assessing whether consent is freely given	Must consider whether performance of contract or provision of service is made conditional on consent to processing of data not necessary for performance of contract.

4.5 Conditions applicable to child's consent in relation to information society services

This article prescribes an age limit for making processing lawful when information society services (direct online service) are offered directly to a child.

Sub Topics in the Section	GDPR	DPD

Given in Article	8
Conditions for valid consent in this case	If child is at least 16 years old his consent is valid. If child is below 16 years consent must be obtained from holder of parental responsibility over the child.
Age relaxation can be given when	Member States provides a law lowering the age. Age cannot be lowered below 13 years.
Controller's responsibility	Verify who has given the consent
Exceptions	This law will not affect: General contract law of member states; Effect of contract law on a child;

4.6 Processing of special categories of personal data

Like the DPD, the GDPR spells out the data that is considered sensitive and the conditions under which this data can be processed. Two new categories of special data, "genetic data" and "biometric data", have been added to the list in the GDPR.

Sub Topics in the Section	GDPR	DPD

Article	9	8
Categories of data considered sensitive	Racial or ethnic origin	Same
	Political opinions	Same
	Religious or philosophical beliefs	Same
	Trade union membership	Same
	Health or sex life or sexual orientation	Same
	Genetic data or Biometric data uniquely identifying natural person
Circumstances in which processing of personal data may take place	If there is explicit consent of data subject provided Member State laws do not prohibit such processing
	Necessary for carrying out specific rights of controller or data subject	Under DPD these rights can be for employment. The GDPR adds social security and social protection to this list. These rights are to be authorized by Member state or Union. The GDPR adds "Collective agreements" to this.
	In the vital interest of data subject who cannot give consent due to physical or legal causes.	Same
	In the vital interest of a Natural person physically or legally incapable of giving consent	Same
	For legitimate activities carried on by not-for profit-bodies for political, philosophical or trade union aims subject to certain conditions.	Same
	When personal data is made public by data subject	Same
	For establishment, exercise of defense of legal claims or for courts	Same
	For substantial public interest in accordance with Member State or Union law
	Is necessary for: Preventive or occupational medicine Assessing working capacity of employee Medical diagnosis Healthcare or social care services Contract with health professional
	Is necessary in Public interest in the area of public health
	For public interest, scientific or historical research or statistical purpose
Data for preventive or occupational medicine, medical diagnosis etc. can be processed when:	Data is processed by or under responsibility of a professional under obligation of professional secrecy as state in law	Here the processing is done by health professional under obligation of professional secrecy

4.7 Principles relating to processing of personal data

The principles set out in GDPR are similar to the ones under DPD. Some changes have been introduced. Accountability of the controller has been specifically given under GDPR.

Sub-topics in this section	GDPR	DPD

Given in Article	5	6
Lawfulness, fairness, transparency	Processing must be Lawful, fair and transparent	Does not mention transparent
Purpose limitation	Data must be specified, explicit and legitimate.	Same
Purpose limitation	Processing for achieving public interest, scientific or historical research or statistical purpose is not to be considered incompatible with initial purpose.	Same
Data minimization	Processing is adequate, relevant and limited to what is necessary	Same
Accuracy	Data is accurate, up to date, erased or rectified without delay	Same
Storage limitation	Data is to be stored in a way that data subject can be identified for no longer than is necessary for purpose of processing	Same
	Data can be stored for longer periods when it is processed solely in public interest, scientific or historical research or statistical purpose	Same However, public interest is not mentioned.
	There must be appropriate technical and organizational measures to safeguard rights and freedoms	Same Additionally, it specifically states that Member States must lay down appropriate safeguards
Integrity and confidentiality	Manner of processing must: Ensure security of personal data, Protection against unlawful processing and accidental loss, destruction or damage	Not mentioned
Accountability	Controller is responsible for and must demonstrate compliance with all of the above.	DPD states it is for the controller to ensure compliance with this Article. Unlike GDPR, DPD doesn't specifically state the responsibility of controller for demonstrating compliance.

4.8 Lawfulness of processing

The conditions for "lawfulness of processing" under DPD have been retained in the GDPR with certain modifications allowing flexibility for member states to introduce specific provisions in public interest or under a legal obligation. It should be noted that protection given to child's data and rights and freedoms of data subject should not be prejudiced. Additionally, a non-exhaustive list has been laid down in the GDPR for determining if processing is permissible in situations where the new purpose of processing is different from original purpose.

Sub Topics in the Section	GDPR	DPD

Given in Article	6	7
Processing is lawful when :	If at least one of the principles applies: Data subject has given consent to processing for specific purpose(s).	Same However it mentions "unambiguous" consent.
	Processing is necessary for performance of contract to which data subject is party or at request of data subject before entering into a contract	Same
	Processing is necessary for controller's compliance with legal obligation.	Same
	Is necessary for legitimate interests pursued by controller or by third party subject to exceptions (should not override rights and freedoms of data subject and protections given to child's data.)	Same
	It is necessary for performance of task carried out in public interest or for exercise of official authority vested in controller	Same It additionally mentions third party: "…exercise of official authority vested in controller or in a third party to whom data are disclosed"
	For protections of vital interest of data subject or another natural person	Same Does not mention natural person.
Member States may introduce specific provisions when:	When processing is necessary for compliance with a legal obligation or to protect public interest
	Basis for processing for shall be laid down by: Union law or Member State law
If processing is done for purpose other than for which data is collected and is without data subject's consent or is not collected under law:
To determine if processing for another purpose is compatible with the original purpose	Controller shall take into account following factors:
	Link between purposes for which data was collected and the other purpose
	Context in which personal data have been collected
	Nature of personal data
	Possible consequences of other purpose
	Existence of appropriate safeguards

4.9 Processing which does not require identification:

This article lays down the conditions under which the controller is exempted from gathering additional data in order to identify a data subject for the purpose of complying with this Regulation. If the controller is able to demonstrate that identification is not possible, the data subject is to be informed if possible.

Sub Topics in the Section	GDPR	DPD

Given in Article	11
Conditions under which the controller is not obliged to maintain process or acquire additional information to identify data subject	If purpose for processing doesn't not require identification of data subject by the controller
Consequence of not maintaining the data	Art 15 to 20 shall not apply provided controller is able to demonstrate its inability to identify the data subject
Exception to above consequence will apply when :	Data subject provides additional information enabling identification

4.10 Rights of the data subject

The General Data Protection Rules (GDPR) confers 8 rights upon the data subject.These rights are to be honored by the controller:-

1. Right to be informed

2. Right of access

3. Right to rectification

4. Right to erasure

5. Right to restrict processing

6. Right to data portability

7. Right to object

8. Rights in relation to automated decision making and profiling

4.10.1 Right to be informed

The controller must provide information to the data subject in cases where personal data has not been obtained from the data subject. A number of exemptions have been listed. Additionally, GDPR lays down the time period within which the information has to be provided.

Sub Topics in the Section	GDPR	DPD

Given in Article	14	10
Type of information to be provided	Identity and contact details of the controller or controller's representative	Same
	Contact details of the data protection officer
	Purpose and legal basis for processing	Purpose of processing
	Recipients or categories of recipients of personal data	Same
	Intention to transfer data to third country or international organization and Information regarding adequacy decision or suitable safeguards or Binding Corporate Rules or derogations. This includes means to obtain a copy of these as well as information on place of availability.
Additional information to be provided by controller to ensure fair and transparent processing	Storage period of personal data and criteria for determining the period
	Legitimate interests pursued by controller or third party
	Existence of data subject's rights with regard to access or rectification or erasure of personal data, automated decision making
	Where applicable, existence of right to withdraw consent
Time period within which information is to be provided	Information to be given within a reasonable period, latest within one month.
	To be provided latest at the time of first communication to data subject, if personal data are to be used for communication with data subject
	In case of intended disclosure to another recipient , at the latest when personal data are first disclosed.
	If processing is intended for a new purpose other than original purpose, information to be provided prior to processing on new purpose.
Situations in which exceptions are applicable	Data subject already has information	Same
	Provision of information involves disproportionate effort or is impossible or renders impossible or seriously impairs achievement of objective of processing. This is particularly with respect to processing for archiving purposes in public interest, scientific or historical research or statistical purpose. However controller must take measures to protect data subject's rights and freedom and legitimate interests including make information public.	Provision involves impossible or disproportionate effort, in particular where processing is for historical or scientific research. However, appropriate safeguards must be provided by Member States.
	Obtaining or disclosure is mandatory under Union or member law and it provides protection to data subject's legitimate interests	Where law expressly lays down recording or disclosure provided appropriate safeguards are provided by Member States. This is particularly applicable to processing for scientific or historical research.
	Confidentiality of data mandated by professional secrecy under Union or Member State law

4.10.2 Right to access

Both Data Protection Directive (DPD) and General Data Protection Rules (GDPR) confer right to access information regarding personal data on the data subject.

CJEU in YS V. Minister voor Immigrate Integratie en Asiel stated that it is the data subject's right "to be aware of and verify the lawfulness of the processing".

Sub-topics in the section	GDPR	DPD

Given in Article	15	12
Data subject has the right to know about:	Purpose of processing	Same
	Categories of processing the data	Same
	Recipients or categories to whom data are disclosed	Same
	Retention period of the data and criteria for this
	Existence of right to request erasure, rectification or restriction of processing
	Right to lodge complaint with supervisory authority
	Knowledge about source of data
	To know about any significant and envisaged consequences of processing for the data subject
	Existence of automated decision making and logic involved	Same
In case of data transfer to third country	Right to be informed about the safeguards
Controller's obligation	To provide a copy of data undergoing processing. Reasonable fee based on administrative costs can be charged for this.

4.10.3 Right to rectification

GDPR and DPD both give the data subject the right to rectify their personal data. Under the GDPR the data subject can complete the incomplete data by giving a supplementary statement.

Sub-topics in the section	GDPR	DPD

Given in Article	16	12(b)
Right can be exercised when:		Processing does not comply with the Directive i.e. damage is caused due to unlawful processing (Recital 55) OR
Right can be exercised when:	When data is incomplete	When data is incomplete or inaccurate
Obligations of controller	To enforce the right without undue delay
Obligation of controller to give notification when data is disclosed to third party	Given under Art 19 Request of erasure of personal data to be communicated to each recipient of such data	Given under Article 12(c) Request must be communicated to third parties
	It should not involve an impossible or disproportionate effort	Same

4.10.4 Right to erasure

This is also referred to as the "right to be forgotten". It empowers the individual to erase personal data under certain circumstances. The data subject can request the controller to remove the data for attaining this purpose.

Sub-topics in the section	GDPR	DPD

Given in Article	17	12(b)
Obligation of the controller	To erase the data without undue delay
Conditions under which the right can be exercised		When processing does not comply with the Directive i.e. damage is caused due to unlawful processing (Recital 55) OR When data is incomplete or inaccurate
	Personal data is no longer necessary for the purpose for which it was collected or processed
	Data Subject withdraws consent for processing
	Data subject objects to processing and there are no overriding legitimate grounds for processing
	Data subject objects to processing for direct marketing purpose
	Personal data has been unlawfully processed
	When personal data has to be erased under a legal obligation of Union or member State law
	When personal data has been collected in offer of information society services to a child
Condition of processing under which request to erasure shall not be granted	For exercising right of freedom of expression and information
	Processing is done under Union or Member State law in public interest or exercise of official authority vested in controller
	Done for public interest in public health
	For public interest, scientific or historical research or statistical purpose.
	For establishment, exercise or defense of legal claims.
Controller's obligations when personal data has been made public	Controller to take reasonable steps to inform controllers who are processing the data, of the request of erasure. All links, copy or replication of personal data to be erased. Technology available and cost of implementation to be taken into account.
Notification when data is disclosed to third party	Given under obligation of controller under Art 19: Request of erasure of personal data to be communicated to each recipient of such data	Given under obligation of controller under 12(c) : Request must be communicated to third parties
Notification when data is disclosed to third party	It should not involve an impossible or disproportionate effort	Same

4.10.5 Right to restrict processing

While DPD provided for "blocking", the GDPR strengthened this right by specifically conferring the " Right to Restrict Processing" upon the data subject. This Article gives data subject the right to restrict processing under certain conditions. Recital 67 explains that these methods could include steps like removing published data from website or temporarily moving the data to another processing system.

Sub-topics in the section	GDPR	DPD

Given in Article	18	12(b)
About this right	Data subject can restrict processing of data	Data subject is allowed to erase, rectify or block processing of personal data.
Conditions under which the right can be exercised	When accuracy of personal data is contested	Besides accuracy, the DPD also mentions "incomplete nature of data" as grounds for exercising this right.
	When processing is unlawful and data subject opposes erasure and requests restriction of data use
	When data is no longer needed by controller but is required by data subject for establishment, exercise or defense of legal claims.
	Data subject objects to processing and the verification by controller of compelling legitimate grounds for processing is ongoing
Consequences of this enforcement of this right	Controller can store data but not process it
	Processing can be done only with the data subject's consent; or
	Processing can be done for establishment exercise or defense of legal claims; or
	Processing can be done for protecting rights of another natural or legal person ;or
	It can be done in public interest of Union or Member State.
Obligations of controller under Art 18	The controller must inform the data subject before the restrictions are lifted.
Obligations of controller under Art 19	Inform each recipient of personal data about the restriction.
	This obligation need not be performed if it is impossible to do so or it involved disproportionate effort.
	Inform data subject about the recipients when requested by the data subject.

4.10.6 Right to data portability

This right empowers the data subject to receive personal data from one controller and transfer it to another. This gives the data subject more control over his or her own data. The controller cannot hinder this right when the following conditions are met.

Sub-topics in the section	GDPR	DPD

Given in article	20
Conditions for data transmission	The data must have been provided to the controller by data subject himself; and
	Processing is based on: Consent; or For performance of contract; and is carried out by automated means
	Data transfer must be technically feasible
Format of personal data	It should be in a: Structured Commonly-used Machine readable format
Time and cost for data transfer	Given in Art 12(3) Should be free of charge Information to be provided within one month. Further extension by two months permissible under certain circumstances.
Circumstance under which this Right cannot be exercised	When the exercise of the Right prejudices rights and freedom of another individual
	When processing is necessarily carried out in public interest
	When processing is necessarily done in exercise of official authority vested in controller
	When this Right adversely affects the "Right to be forgotten"

4.10.7 Right to Object

Both DPD and GDPR confer upon the data subject the right to object to processing on a number of grounds. The GDPR strengthens this right . Under GDPR, there is a visible shift from the data subject to the controller as far as the burden of showing " compelling legitimate grounds" is concerned. Under the DPD, when processing is undertaken in public interest or in exercise of official authority or in legitimate interests of third party or controller, the data subject not only has to show existence of compelling legitimate grounds but also that objection is justified. On the other hand, GDPR spares the data subject from this exercise and instead places the onus on the controller of demonstrating that "compelling legitimate grounds" exist such that these grounds override the interests, rights and freedom of the data subject.

GDPR also provides a new ground for objecting to processing. The data subject can object to processing when it is for scientific or historical research or statistical purpose unless such processing is necessary in public interest.

Under the GDPR the data subject must be informed of this right "clearly and separately" and "at the time of first communication with data subject" when processing is done in public interest/exercise of official authority/legitimate interest of third party or controller or for direct marketing purpose. This right can be exercised by automated means in case of information society service.

The DPD also provides that the data subject must be informed of this right if the controller anticipates processing for direct marketing or disclosure of data to third party. It specifically states that this right is to be offered "free of charge". Additionally, it places responsibility upon the Member States to ensure that data subjects are aware of this right.

Sub-topics in the section	GDPR	DPD

Given in Article	21	14
Conditions under which the right can be exercised during processing	When performance of task is carried out in public interest or in exercise of official authority vested in controller. (Art 6(1)(e)) Exception: If controller demonstrates processing is for compelling legitimate grounds which override interests of data subject For establishment, exercise or defense of legal claims.	Grounds are same but the data subject also has to show existence of compelling legitimate grounds. Processing will cease if objection is justified. Exceptions: Unless provided by national legislation the data subject can object on this ground.
	For legitimate interests of controller or third party (Art 6(1)(f)) Exception: 1. If controller demonstrates processing is for compelling legitimate grounds that override interests of data subject. 2. For establishment, exercise or defense of legal claims.	Same as above
	When data is processed for scientific/historical research/ statistical purpose under Art 89(1) Exception: If processing is necessary for public interest
	When personal data is used for marketing purpose. Can object at anytime. No exceptions	Same

4.10.8 Rights in relation to automated individual decision making including profiling

This Article empowers the data subject to challenge automated decisions under certain conditions. This is to protect individuals from decisions taken without human intervention.

Sub-topics in the section	GDPR	DPD

Given in Article	22	15
This right can be exercised when decisions are based:
	Only on automated processing Including profiling; and	Same
	Produce legal effects or have similarly significant effects on data subject	Same
Conditions under which this right will not be guaranteed
	For entering into or performance of contract;	Same
	If Member State or Union law authorizes the decision provided it lays down suitable measures for safeguarding data subject's rights, freedoms and legitimate interests; Or	Same
	When decision is based on data subject's explicit consent.
Controller's obligation	Enforce measures to safeguard rights and freedom and interests
Controller's obligation	Ensure data subject can obtain human intervention, express his point of view, challenge decisions
Automated decision making will not apply when:	"Special categories of personal data" are to be processed However, if the data subject gives his explicit consent or such processing serves substantial public interest then the restriction can be waived.
Automated decision making will not apply when:	Concerns a child

4.11 Security and Accountability

4.11.1 Data protection by design and default

This is another new concept under GDPR. It is a general obligation on the controller to incorporate effective data protection in internal policies and implementation measures. Measures include: minimization of processing, pseudonymisation, transparency while processing, allowing data subjects to monitor data processing etc. The implementation of organizational and technical measures is essential to demonstrate compliance with Regulation.

Sub-topics in the section	GDPR	DPD

Article	25
Responsibility of controller when determining means of processing and at the time of processing	Implementation of appropriate technical and organizational measures for data protection
	Ensure that by default only personal data necessary for purpose of processing is processed
Means of demonstrating compliance with this Article	Approved certification mechanism may be used. Data minimization Transparency etc.

4.11.2 Security of personal data

Security of processing is mentioned in the GDPR under Article 32. The controller and processor must implement technical and organizational measures to ensure data security. These may include pseudonymisation, encryption, ensuring confidentiality, restoring availability and access to personal data, regularly testing etc. Compliance with the code may be demonstrated by adherence to Code of conduct and certification mechanism. Further, all processing which is done by a natural person acting under authority of controller or processor can be done only under instructions from the controller.

4.11.3 Notification of personal data breach

This Article provides the procedure for communicating the personal data breach to supervisory authority. If the breach is not likely to result in risk to rights and freedoms of natural persons, then the controller is not required to notify the supervisory authority.

Sub-topics in the section	GDPR	DPD

Given in Article	33
Responsibility of controller	Report personal data breach to supervisory authority after being aware of it
Time limit for reporting data breach	Must be reported no later than 72 hours
In case of delay in reporting	Reasons to be stated
Responsibility of processor	Notify the controller after being aware of breach
Description of notification	Describe nature of personal data
	Name contact details of data protection officer
	Likely consequences of personal data breach
	Measures to be taken or proposed to be taken by controller to address the breach or mitigate its possible effect
When information cannot be provided at same time	Provide it in phases without further undue delay
For verification of compliance	Controller has to document any personal data breach. It must contain Facts , effects and remedial action taken

4.11.4 Communication of personal data breach to the data subject

Not only is the supervisory authority to be notified, but data subjects are also to be informed about personal data breaches without undue delay under certain conditions.

Sub-topics in the section	GDPR	DPD

Given in Article	34
Conditions under which controller is to communicate the breach to data subject	When breach is likely to cause high risk to rights and freedoms of natural persons
Nature of communication	Must be in a clear and plain language. Must describe the nature of breach. Must Contain at least: Name contact details of data protection officer Likely consequences of personal data breach Measures to be taken or proposed to be taken by controller to address the breach or mitigate its possible effect
Condition under which communication will not be required	If controller has implemented appropriate technical and organizational measures and these were applied to the affected data. E.g.: encryption
	Subsequent measures have been taken by controller to ensure there is no high risk
	If communication involves disproportionate effort. Public communication or similar measures can be undertaken under such circumstances.
Role of supervisory authority	In case of likelihood of high risk, the authority may require the controller to communicate the breach if the controller has not already done so.

4.11.5 Data protection impact assessment

This is also known as Privacy Impact Assessment. While DPD provides general obligation to notify the processing to supervisory authorities, the GDPR, taking into account the need for more protection of personal data, has replaced the notification process by different set of mechanisms.

To serve the above purpose, the data protection impact assessment (DPIA) has been provided under this Article.

Sub-topics in the section	GDPR	DPD

Given in Article	35
When to carry out assessment	When new technology is used; and Processing is likely to result in high risk to rights and freedoms of natural persons
	Automated processing including profiling involving systematic and extensive evaluation of personal aspects of natural persons; and When decisions based on such processing produce legal effects
	Large scale processing of special categories of data or personal data relating to criminal convictions and offences
	Large scale systematic monitoring of publicly accessible area
Type of information contained in assessment	Description of processing operations and purpose
	Assessment of necessity and proportionality of processing operations
	Assessment of risks to individuals
	Measures to address risks and demonstration of compliance with Regulation
Sub-topics in the section	GDPR	DPD

Topic	Prior Consultation
Given in Article	36
When should controller consult supervisory authority	Prior to processing; and DPIA indicates high risk; and In absence of risk mitigation measures by controller

Data protection officer

GDPR mandates that a person with expert knowledge of data protection law and practice is appointed for helping the controller or processor to comply with the data protections laws. A single data protection officer (DPO) may be appointed by a group of undertakings or where controller or processor is a public authority or body.The DPO must be accessible from each establishment.

Sub Topics in the Section	GDPR	DPD

Article	37
Situations in which DPO must be appointed	When processing is carried out by public authority or body. Note: Courts acting in judicial capacity are excluded.
	Core activity involves processing which requires regular and systematic monitoring of data subjects on large scale; or
	Core activity involves processing of large scale special categories of data and criminal convictions and offences

Position of Data Protection Officer

The DPO must directly report to the highest management level of the controller or processor. Data subjects may contact the DPO in case of problems related to processing and exercise of rights.

Sub Topics in the Section	GDPR	DPD

Article	38
Responsibility of controller and processor	Ensure DPO is involved properly and in timely manner
	Provide DPO with support, resources and access to personal data and processing operations
	Not dismiss or penalize DPO for performing his task.
	Ensure independence of working and not give instruction to DPO

Tasks of Data Protection officer

The DPO must be involved in all matters concerning data protection. He is expected to act independently and advice the controllers and processors to facilitate the establishment's compliance with Regulations.


Sub Topics in the Section	GDPR	DPD

Article	39
Tasks	Inform and advise the controller or processor and employees over data protection laws
	Monitor compliance with data protection laws. Includes assigning responsibilities, awareness- raising, staff training and audits
	Advice and monitor performance
	Cooperate with supervisory authority
	Act as point of contact for supervisory authority for processing, prior consultation and consultation on other matter

4.11.6 European Data Protection Board

For consistent application of the Regulation, the GDPR envisages a Board that would replace the Working Party on Protection of Individuals With Regard to Processing of Personal Data established under the DPD. This Regulation confers legal personality on the Board.

Sub Topics in the Section	GDPR	DPD

Article	68
Represented by	Chair
Composition of the Board	Head of one supervisory authority of each Member State and European Data Protection Supervisor or of their representatives. Joint representative can be appointed where Member State has more than one supervisory authority.
Role of Commission	Right to participate in activities and meetings of the Board without voting rights. Commission to designate a representative for this.
Functions of the Board	Consistent application of Regulation
	Advise Commission of level of protection in third countries or international organizations
	Promote cooperation of supervisory authorities
	Board is to act independently

4.11.7 Supervisory Authority

GDPR lays down detailed provisions on supervisory authorities, defining their functions, independence, appointment of members, establishment rules, competence, competence of lead supervisory authority, tasks, powers and activity reports. Such elaborate provisions are absent in DPD.

Sub-topics in this section	GDPR	DPD

Given in Article	Chapter VI, Article 51 -59	28

4.12 Processor

The Article spells out the obligations of a processor and conditions under which other processors can be involved.

Sub Topics in the Section	GDPR	DPD

Article	28
What kind of processors can be used by controller	● Those which provide sufficient guarantees to implement appropriate technical and organizational measures ● Those which comply with Regulation and Rights
Obligations of processor in case of addition or replacement of processor	● Not engage another processor without controller's authorization ● In case of general written authorization inform the controller
Processing shall be governed by	Contract or legal act under Union or Member State law.
Elements of Contract	● Is binding on processor ● Sets out subject matter and duration of processing ● Nature of processing ● Type of personal data ● Categories of data subjects ● Obligations and Rights of the controller
Obligations of processor under contract or legal act	Processor shall process under instructions from controller unless permitted under law itself. Controller is to be informed in the latter case.
	Ensures that persons authorized to process have committed themselves to confidentiality
	Processor to undertake all data security measures (mentioned under Art 32)
	Enforces conditions on engaging another processor
	Assists the controller by appropriate technical and organizational measures
	Assists controller in compliance with Art 32 to 36
	Delete or return all personal data to controller at the choice of controller at the end of processing
	Make information available to controller for demonstrating compliance with obligations. Contribute to audits, inspections etc. Inform the controller if it believes that an instruction infringes the regulation or law.
Conditions under which a processor can engage another processor	● Same data protection obligations will be applicable to other processor. ● If other processor fails to fulfill data protection obligations, initial processor shall remain fully liable to controller for such performance.

4.13 Records of processing activities

The controller or processor must maintain records of processing activities to demonstrate compliance with the Regulation. They are obliged to cooperate with and make record available to the supervisory authority upon request. DPD does not contain similar obligations.

Sub Topics in the Section	GDPR	DPD

Article	30
Obligation of controller or controller's representative	Maintain a record of processing activities
Information to be contained in the record	Name and contact details of: ● Controller /joint controller / controller's representatives ● Data protection officer
	Purpose of processing
	Categories of data subjects and categories of personal data
	Categories of recipients to whom data has been or will be disclosed
	Transfers of personal data to third party, identification of third party, documentation of suitable safeguards
	Expected time duration for erasure of different categories of data
	Technical and organizational security measures
Obligation of processor	Maintain a record of processing activities carried out on behalf of controller
Record maintained by processor shall contain information such as:	Name and contact details of: ● Processor /processor's representative ● Controller /controller's representative ● Data protection officer
	Categories of processing
	Data transfer to third party Identification of third party Documentation of safeguards
	Technical and organizational security measures
Form in which record is to be maintained	In writing and electronic form
Conditions under which exemption will apply	● Organizations employing fewer than 250 employees are exempted; ● Processing should not cause risk to rights and freedoms of data subjects ● Processing should not be occasional ● Processing should not include special categories of data

4.14 Code of Conduct

These mechanisms have been provided under GDPR to demonstrate compliance with the Regulation. This is important as the GDPR ( under Art 83 ) provides that adherence to code of conduct shall be one of the factors taken into account for calculating administrative fines. This is not an obligatory provision.

Sub Topics in the Section	GDPR	DPD

Article	40	27
Who will encourage drawing up of code of conduct	● Member States ● Supervisory Authorities ● Commission. Specific needs of micro, small and medium enterprises to be taken into account.	● Member States ● Commissions Does not mention the rest
Who may prepare amend or extend code of conduct	Associations and other bodies representing categories of controller or processors
Information contained in the code	Fair and transparent processing
	Legitimate interests of controller
	Collection of personal data
	Pseudonymisation
	Information to public and data subjects
	Exercise of rights of data subject
	Information provided to and protection of children and manner in which consent of holders of parental responsibility is obtained
	Measures under: ● Data protection by design and default ● Controller responsibilities ● Security of processing
	Notification of data breach to authorities and communication of same to data subjects
	Data transfer to third party
	Dispute resolution procedures between controllers and data subjects
	Mechanisms for mandatory monitoring
Mandatory monitoring	Code of conduct containing the above information enables mandatory monitoring of compliance by body accredited by supervisory authority. (Art 41)

4.15 Certification

Like the code of conduct, Certification is a voluntary mechanism that demonstrates compliance with the Regulation. Establishment of data protection certification mechanism and data protection seals and marks shall be encouraged by Member States, supervisory authorities, Boards and Commission. As in case of code of conduct, specific needs of micro, small and medium sized enterprise ought to be taken into account. DPD does not mention such mechanisms.

Sub Topics in the Section	GDPR	DPD

Article	42
Who will issue the certificate	Certification bodies or competent supervisory authority on basis of approved criteria.
Time period during which certification shall be issued	Maximum period of three years. Can be renewed under same conditions.
Who accredits certification bodies	Competent Supervisory bodies or National accreditation body.
When can accreditation be revoked	When conditions of accreditation are not or no longer met. OR Where actions taken by certification body infringe this Regulation.
Who can revoke	Competent supervisory authority or national accreditation body

4.16 Data Transfer

4.16.1 Transfers of personal data to third countries or international organizations

Chapter V lays down the conditions with which the data controller must comply in order to transfer data for the purpose of processing outside of the EU to third countries or international organizations. The chapter also stipulates conditions that must be complied with for onward transfers from the third country or international organization.

4.16.2 Transfer on the basis of an adequacy decision

Under GDPR, transfer of data can take place after the Commission decides whether the third country, territory, specified sector within that third country or international organization ensures adequate level of data protection. This is called adequacy decision. A list of countries or international organizations which ensure adequate data protection shall be published in the Official Journal of the European Union and on the website by the Commission. Once data transfer conditions are found to be compliant with the Regulation, no specific authorization would be required for data transfer from the supervisory authorities. The commission would decide this by means of an "Implementing Act" specifying a mechanism for periodic review, its territorial and sectoral application and identification of supervisory authorities. Decisions of Commission taken under Art 25(6) of DPD shall remain in force. DPD also provides parameters for the same.

Sub-topics in this section	GDPR	DPD

Given in article	45	25
Conditions apply when transfers take place to	Third country or international organization	International organization not mentioned.
Functions of the commission	Take adequacy decisions	Same
	Review the decision periodically every four years
	Monitor developments on ongoing basis
	Repeal, amend or suspend decision
		Inform Member States if third country doesn't ensure adequate level of protection. Similarly, member state has to inform the Commission.
Functions of Member State		Inform Commission if third country doesn't ensure adequate level of protection.
		Take measures to comply with Commission's decisions
		Prevent data transfer if Commission finds absence of adequate level of protection.
Factors, with respect to third country or international organization, to be considered while deciding adequacy of safeguards	Rule of law, human rights, fundamental freedoms, access of public authorities to personal data, data protection rules, rules for onward transfer of personal data to third country or international organization etc.	Circumstances surrounding data transfer operations: nature of data; purpose and duration of processing operation; rule of law, professional rules and security measures in third country; country of origin and final destination; professional rules and security measures;
	Functioning of independent supervisory authorities, their powers of enforcing compliance with data protection rules and powers to assist and advise data subject to exercise their rights.
	International commitments entered into. Obligations under legally binding conventions.	Same
When adequate level of protection no longer ensues	The Commission, to the extent necessary: repeal, amend or suspend the decision. This is to be done by the means of an implementing act. No retroactive effect to take place	The member state will have to suspend data transfer if Commission finds absence of adequate level of protection.
When adequate level of protection no longer ensues	Commission to enter into consultation with the third country or international organization to remedy the situation	Same

4.16.3 Transfers subject to appropriate safeguards

This article provides for a situation when the Commission takes no decision. (Mentioned above under Transfer on the basis of an adequacy decision). In this case, the controller or processor can transfer data to third country or international organization subject to certain conditions. Specific authorization from supervisory authorities is not required in this context. Procedure for the same has been mentioned.

Sub-topics in this section	GDPR	DPD

Given in article	46
When can data transfer take place	When appropriate safeguards are provided by the controller or processor; AND On condition that data subject enjoys enforceable rights and effective legal remedies for data safety.
Conditions to be fulfilled for providing appropriate safeguards without specific authorization from supervisory authority	Existence of legally binding and enforceable instrument between public bodies or authorities
	Existence of Binding Corporate Rules
	Adoption of Standard Protection Clauses adopted by the Commission
	Adoption of Standard data protection clauses by supervisory authorities and approved by Commission.
	Approved code of conduct along with binding and enforceable commitments of controller or processor in third country to apply appropriate safeguards and data subject's rights OR Approved certification mechanism along with binding and enforceable commitments of controller or processor in third country to apply appropriate safeguards and data subject's rights.
Conditions to be fulfilled for providing appropriate safeguards subject to authorization from competent authority	Existence of contractual clauses between: Controller or Processor and Controller, Processor or recipient of personal data (third party)
	Provisions inserted in administrative arrangements between public authorities or bodies. Provisions to contain enforceable and effective data subject rights.
	Consistency mechanism to be applied by supervisory authority
Unless amended, replaced or repealed, authorization to transfer given under DPD will remain valid when:	Third country doesn't ensure adequate level of protection but controller adduces adequate safeguards; or Commission decides that standard contractual clauses offer sufficient safeguards

4.16.4 Binding Corporate Rules

These are agreements that govern transfers between organizations within a corporate group

Sub-topics in this section	GDPR	DPD

Given in Article	47
Elements of Binding Corporate Rules	Legally binding
	Apply to and are enforced by every member of group of undertakings or group of enterprises engaged in joint economic activity. Includes employees
	Expressly confer enforceable rights on data subject over processing of personal data
What do they specify	Structure and contact details of group of undertakings
	Data transfers or set of transfers including categories of personal data , type of processing, type of data subjects affected, identification of third countries
	Legally binding nature
	Application of general data protection principles
	Rights of data subjects Means to exercise those right
	How the information on BCR is provided to data subjects
	Tasks of data protection officer etc.
	Complaint procedure
	Mechanisms within the group of undertakings, group of enterprises for ensuring verification of compliance with BCR. Eg. Data protection audits Results of verification to be available to person in charge of monitoring compliance with BCR and to board of undertaking or Group of enterprises. Should be available upon request to competent supervisory authority
	Mechanism for reporting and recording changes to rules and reporting changes to supervisory authority
	Cooperation mechanism with supervisory authority
	Data protection training to personnel having access to personal data
Role of Commission	May specify format and procedures for exchange of information between controllers, processors and supervisory authorities for BCR

4.16.5 Transfers or disclosures not authorized by Union law

This Article lays down enforceability of decisions given by judicial and administrative authorities in third countries with regard to transfer or disclosure of personal data.

Sub-topics in this section	GDPR	DPD

Given in Article	48
Article concerns	Transfer of personal data under judgments of courts, tribunals, decision of administrative authorities in third countries.
When can data be transferred or disclosed	International agreement between requesting third country and member state or union. E.g.: mutual legal assistance treaty

4.16.6 Derogations for specific situations

This Article comes into play in the absence of adequacy decision or appropriate safeguards or of binding corporate rules. Conditions for data transfer to a third country or international organization under such situations have been laid down.

Sub-topics in this section	GDPR	DPD

Given in Article	49	26
Conditions under which data transfer can take place	On obtaining Explicit consent of data subject after being informed of possible risks	On obtaining unambiguous consent of data subject to the proposed transfer
	Transfer is necessary for conclusion or performance of contract. The contract should be in the interest of data subject. The contract is between the controller and another natural or legal person.	Contractual conditions are same. DPD also includes implementation of pre contractual measures taken upon data subject's request.
	Transfer is necessary in public interest	Same
	Is necessary for establishment, exercise or defense of legal claims	Same
	To protect vital interest of data subject or of other persons where data subject is physically or legally incapable of giving consent	Includes vital interest of data subject but doesn't include "other person". Condition for consent is also not included.
	Transfer made from register under Union or Member State law to provide information to public and is open to consultation by public or person demonstrating legitimate interest.	Same
Conditions for transfer when even the above specific situations are not applicable	Transfer is not repetitive
	Concerns limited number of data subjects
	Necessary for compelling legitimate interests pursued by controller
	Legitimate interests are not overridden by interests or rights and freedoms of data subject
	Controller has provided suitable safeguards after assessing all circumstances surrounding data transfer
	Controller to inform supervisory authority about the transfer
	Controller to inform data subject of transfer and compelling legitimate interests pursued
		Member may authorize transfer personal data to third country where controller adduces adequate safeguards for protection of privacy and fundamental rights and freedoms of individuals

4.17 International cooperation for protection of personal data

This Article lays down certain steps to be taken by Commissions and supervisory authorities for protection of personal data.

Sub-topics in this section	GDPR	DPD

Given in Article	50
Steps will include	Development of international cooperation mechanisms to facilitate enforcement of legislation for protection of personal data
	Provide international mutual assistance in enforcement of legislation for protection of personal data
	Engage relevant stakeholders for furthering international cooperation
	Promote exchange and documentation of personal data protection legislation and practice

4.18 Remedies, Liability and Compensation

4.18.1 Right to lodge complaint with a supervisory authority

This article gives the data subject the right to seek remedy against unlawful processing of data. GDPR strengthens this right as compared to the one provided under DPD.

Sub-topics in this section	GDPR	DPD

Given in Article	77	28(4)
Right given	Right to lodge complaint	Under GDPR the data subject has been conferred the "right" specifically. This is not so in DPD. DPD merely obliges the supervisory authority to hear claims concerning rights and freedoms.
Who can lodge complaint	Data subject	Any person or association representing that person
Complaint to be lodged before	Supervisory authority in the Member State of habitual residence, place of work or place of infringement	Supervisory authority
When can the complaint be lodged	When processing of personal data relating to data subject allegedly infringes on Regulation	When rights and freedom are to be protected while processing. When national legislative measures to restrict scope of Regulations is adopted and processing is alleged to be unlawful.
Accountability	Complainant to be informed by Supervisory authority on progress and outcome of complaint and judicial remedy to be taken up	Complainant to be informed on outcome of claim or if check on unlawfulness has taken place

4.18.2 Right to an effective judicial remedy against supervisory authority

The concerned Article seeks to make supervisory authorities accountable by bringing proceedings against the authority before the courts. GDPR gives a specific right to the individual. DPD under Article 28(3) merely provides for appeal against decisions of supervisory authority in the courts.

Sub-topics in this section	GDPR	DPD

Given in Article	78 (1)
Who has the right	Every natural or legal person
When can the right be exercised	Against legally binding decision of supervisory authorities concerning the complainant

Sub-topics in this section	GDPR	DPD

Given in Article	78(2)
Who has the right	Data subject
When can the right be exercised	When the competent supervisory authority doesn't handle the complaint Or Doesn't inform data subject about progress / outcome of complaint within 3 months

The jurisdiction of court will extend to the territory of the Member State in which the supervisory authority is established (GDPR Art 78(3)). The supervisory authority is required to forward proceedings to the court if the decision was preceded by the Board's decision in the consistency mechanism. (GDPR 78(4))

4.18.3 Right to effective judicial remedy against a controller or processor

The data subject has been conferred with the right to approach the courts under certain circumstance. The GDPR confers the specific right while DPD provides for judicial remedy without using the word "right".

Sub-topics in this section	GDPR	DPD

Given in	Art 79	Recital 55
Right can be exercised when:	1. Data has been processed; and 2. Processing Results in infringement of rights; and 3. Infringement is due to non compliance of Regulation	Similar provisions provided under DPD: When controller fails to respect the rights of data subjects and national legislation provides a judicial remedy. Processors are not mentioned.
Jurisdiction of the courts	Proceedings can be brought before the courts of Member States wherein: 1. Controller or processor has an establishment Or 2. Data Subject has habitual residence
Right cannot be exercised when	1. The controller or processor is a public authority of Member State And 2. Is exercising its public powers

4.18.4 Right to compensation and liability

GDPR enables a person who has suffered damages to claim compensation as a specific right. DPD merely entitles the person to receive compensation. Although Liability provisions under GDPR and DPD are similar, the liability under GDPR is stricter as compared to DPD. This is because DPD exempts the processor from liability but GDPR does not. For example, DPD imposes liability on controllers only.

Sub-topics in this section	GDPR	DPD

Given in Article	82	23
Who can claim compensation	Any person who has suffered material or non material damage	Similar provisions. But DPD doesn't mention "material or non-material damage" specifically.
Right arises due to	Infringement of Regulation	Same
Right granted	Right to receive compensation	Same
Compensation has to be given by	Controller or processor	Compensation can be claimed only from controller
Liability of controller arises when	Damage is caused by processing due to infringement of regulation	Same
Liability of processor arises when	1. Processor has not complied with directions given to it under Regulation OR 2. Processor has acted outside or contrary to lawful instructions of controller
Exemptions to controller or processor from liability	If there is proof that they are not responsible	Exemption for controller is same
Liability when more than one controller or processor cause damage	Each controller or processor to be held liable for entire damage

4.19 General conditions for imposing administrative fines

GDPR makes provision for imposition of administrative fines by supervisory authorities in case of infringement of Regulation. Such fines should be effective, proportionate and dissuasive. In case of minor infringement, "reprimand may be issued instead of a fine" ^{^[1]}. Means of enforcing accountability of supervisory authority have been provided. If Member state law does not provide for administrative fines, then the fine can be initiated by the supervisory authority and imposed by courts. However, by 25 May 2018, Member States have to adopt laws that comply with this Article.

Sub-topics in this section	GDPR	DPD

Given in Article	83
Who can impose fines	Supervisory Authority
Fines to be issued against	Controllers or Processors
Parameters to be taken into account while determining administrative fines	Nature, gravity and duration of infringement and Nature scope or purpose of processing and Number of data subjects affected and Level of damage suffered
	Intentional or negligent character of infringement
	Action taken by controller or processor to mitigate damage suffered by data subjects
	Degree of responsibility of con controller or processor. Technical and organizational measures implemented to be taken into account.
	Relevant previous infringement
	Degree of cooperation with supervisory authority
	Categories of personal data affected
	Manner in which supervisory authorities came to know of the infringement and Extent to which the controller or processor notified the infringement
	Whether corrective orders of supervisory authority under Art 58(2) have been issue before and complied with
	Adherence to approved code of conduct under Art 40 or approved certification mechanisms under Art 42
	Other aggravating or mitigating factors like financial benefits gained losses avoided etc.
If infringement is intentional or due to negligence of processor or controller	Total amount of administrative fine to not exceed amount specified for gravest infringement
Means checking power of supervisory authority to impose fines	Procedural safeguards under Member State or Union law. Including judicial remedy and due process

Article 83 splits the amount of administrative fines according to obligations infringed by controllers, processors or undertakings. The first set of infringements may lead to imposition of fines up to 10,000,000 EUR or 2% of total worldwide turnover.

Sub-topics in this section	GDPR	DPD

Article	83(4)
Fine imposed	Up to 10,000,000 EUR or in case of undertaking, 2% of total worldwide turnover of preceding financial year, whichever is higher
Infringement of these provisions will cause imposition of fine (Provisions infringed)	Obligations of controller and processor under:
	Art 8 Conditions applicable to child's consent in relation to information society services
	Art 11 Processing which does not require identification
	Art 25 to 39 General obligations , Security of personal data , Data Protection impact assessment and prior consultation
	Art 42 Certification
	Art 43 Certification bodies
	Obligations of certification body under: Art 42 Art 43
	Obligations of monitoring body under: Art 41(4)

Second set of infringements may cause the authority to impose higher fines up to 20,000,000 EUR or 4% of total worldwide turnover.

Sub-topics in this section	GDPR	DPD

Article	83(5)
Fine imposed	Up to 20,000,000 EUR or in case of undertaking, 4% of total worldwide turnover of preceding financial year, whichever is higher
Infringement of provisions that will cause imposition of fine (Provisions infringed)	Basic principles for processing and conditions for consent under:
	Art 5 Principles relating to processing of personal data
	Art 6 Lawfulness of processing
	Art 7 Conditions for consent
	Art 9 Processing of special categories of personal data
	Data subject's rights under: Art 12 to 22
	Transfer of personal data to third country or international organization under: Art 44 to 49
	Obligations under Member State law adopted under Chapter IX
	Non Compliance with supervisory authority's powers under provisions of Art 58:
	Imposition of temporary or definitive limitation including ban on processing (Art 58 (2)(f))
	Suspension of data flows to third countries or international organization (Art 58(2) (j))
	Provide access to premises or data processing equipment and means (Art 58 (1) (f))

4.20 Penalties

Article 84 makes provision for penalties in case of infringement of Regulation.

The penalties must be effective, proportionate and dissuasive.

Sub-topics in this section	GDPR	DPD

Given in Article	84
When will penalty be imposed	In case of infringements that are not subject to administrative fines
Who imposes them	Member State
Responsibility of Member State	To lay down the law and ensure implementation. To notify to the Commission, the law adopted, by 25 May 2018

^{^[1]} Recital 148 , GDPR

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive

Comments to the Personal Data Protection Bill 2019

Amber Sinha, Elonnai Hickok, Pallavi Bedi, Shweta Mohandas, Tanaya Rajwade — 2020-02-21T10:13:35Z

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019.

Please view our general comments below, or download as PDF here.

Our comments and recommendations can be downloaded as PDF here.

We have also prepared an annotated version of the Bill, where our detailed comments and recommendations can be viewed alongside the Bill, available as PDF here.

General Comments

1. Executive notification cannot abrogate fundamental rights

In 2017, the Supreme Court in K.S. Puttaswamy v Union of India [1] held the right to privacy to be a fundamental right. While this right is subject to reasonable restrictions, the restrictions have to meet a three fold requirement, namely (i) existence of a law; (ii) legitimate state aim; (iii) proportionality.Under the 2018 Bill, the exemption to government agencies for processing of personal data from the provisions of the Bill in the ‘interest of the security of the State’ [2] was subject to a law being passed by Parliament. However, under Clause 35 of the present Bill, the Central Government is merely required to pass a written order exempting the government agency from the provisions of the Bill.Any restriction on the right to privacy will have to comply with the conditions prescribed in Puttaswamy I. An executive order issued by the central government authorising any agency of the government to process personal data does not satisfy the first requirement laid down by the Supreme Court in Puttaswamy I — as it is not a law passed by Parliament. The Supreme Court while deciding upon the validity of Aadhar in K.S. Puttaswamy v Union of India [3] noted that “an executive notification does not satisfy the requirement of a valid law contemplated under Puttaswamy. A valid law in this case would mean a law passed by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right cannot be sustained by an executive notification.”

2. Exemptions under Clause 35 do not comply with the legitimacy and proportionality test

The lead judgement in Puttaswamy I while formulating the three fold test held that the restraint on privacy emanate from the procedural and content based mandate of Article 21 [4]. The Supreme Court in Maneka Gandhi v Union India [5] had clearly established that “mere prescription of some kind of procedure cannot ever meet the mandate of Article 21. The procedure prescribed by law has to be fair, just and reasonable, not fanciful, oppressive and arbitrary” [6]. The existence of a law is the first requirement; the second requirement is that of ‘legitimate state aim’. As per the lead judgement this requirement ensures that “the nature and content of the law which imposes the restriction falls within the zone of reasonableness mandated by Article 14, which is a guarantee against arbitrary state action” [7]. It is established that for a provision which confers upon the executive or administrative authority discretionary powers to be regarded as non-arbitrary, the provision should lay down clear and specific guidelines for the executive to exercise the power [8]. The third test to be complied with is that the restriction should be ‘proportionate,’ i.e. the means that are adopted by the legislature are proportional to the object and needs sought to be fulfilled by the law. The Supreme Court in Modern Dental College & Research Centre v State of Madhya Pradesh [9] specified the components of proportionality standards —

A measure restricting a right must have a legitimate goal;
It must be a suitable means of furthering this goal;
There must not be any less restrictive, but equally effective alternative; and
The measure must not have any disproportionate impact on the right holder

Clause 35 provides extensive grounds for the Central Government to exempt any agency from the requirements of the bill but does not specify the procedure to be followed by the agency while processing personal data under this provision. It merely states that the ‘procedure, safeguards and oversight mechanism to be followed’ will be prescribed in the rules.The wide powers conferred on the central government without clearly specifying the procedure may be contrary to the three fold test laid down in Puttaswamy I, as it is difficult to ascertain whether a legitimate or proportionate objective is being fulfilled [10].

3. Limited powers of Data Protection Authority in comparison with the Central Government

In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example:

In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so.
Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.

In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate and resources. The political nature of the personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Authority are independent of the Executive.

4. No clarity on data sandbox

The Bill contemplates a sandbox for “ innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” A Data Sandbox is a non-operational environment where the analyst can model and manipulate data inside the data management system. Data sandboxes have been envisioned as a secure area where only a copy of the company’s or participant companies’ data is located [11]. In essence, it refers to the scalable and creation platform which can be used to explore an enterprise’s information sets. On the other hand, regulatory sandboxes are controlled environments where firms can introduce innovations to a limited customer base within a relaxed regulatory framework, after which they may be allowed entry into the larger market after meeting certain conditions. This purportedly encourages innovation through the lowering of entry barriers by protecting newer entrants from unnecessary and burdensome regulation. Regulatory sandboxes can be interpreted as a form of responsive regulation by governments that seek to encourage innovation – they allow selected companies to experiment with solutions within an environment that is relatively free of most of the cumbersome regulations that they would ordinarily be subject to, while still subject to some appropriate safeguards and regulatory requirements. Sandboxes are regulatory tools which may be used to permit companies to innovate in the absence of heavy regulatory burdens. However, these ordinarily refer to burdens related to high barriers to entry (such as capital requirements for financial and banking companies), or regulatory costs. In this Bill, however, the relaxing of data protection provisions for data fiduciaries would lead to restrictions of the privacy of individuals. Limitations to a fundamental rights on grounds of ‘fostering innovation’ is not a constitutional tenable position, and contradict the primary objectives of a data protection law.

5. The primacy of ‘harm’ in the Bill ought to be reconsidered

While a harms based approach is necessary for data protection frameworks, such approaches should be restricted to the positive obligations, penal provisions and responsive regulation of the Authority. The Bill does not provide any guidance on either the interpretation of the term ‘harm,’ [12] or on the various activities covered within the definition of the term. Terms such as ‘loss of reputation or humiliation’ ‘any discriminatory treatment’ are a subjective standard and are open to varied interpretations. This ambiguity in the definition will make it difficult for the data principal to demonstrate harm and for the DPA to take necessary action as several provisions are based upon harm being caused or likely to be caused.Some of the significant provisions where ‘harm’ is a precondition for the provision to come into effect are —

Clause 25: Data Fiduciary is required to notify the Authority about the breach of personal data processed by the data fiduciary, if such breach is likely to cause harm to any data principal. The Authority after taking into account the severity of the harm that may be caused to the data principal will determine whether the data principal should be notified about the breach.
Clause 32 (2): A data principal can file a complaint with the data fiduciary for a contravention of any of the provisions of the Act, which has caused or is likely to cause ‘harm’ to the data principal.
Clause 64 (1): A data principal who has suffered harm as a result of any violation of the provision of the Act by a data fiduciary, has the right to seek compensation from the data fiduciary.

Clause 16 (5): The guardian data fiduciary is barred from profiling, tracking or undertaking targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.

6. Non personal data should be outside the scope of this Bill

Clause 91 (1) states that the Act does not prevent the Central Government from framing a policy for the digital economy, in so far as such policy does not govern personal data. The Central Government can, in consultation with the Authority, direct any data fiduciary to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence based policies in any manner as may be prescribed.It is concerning that the data protection bill has specifically carved out an exception for the Central Government to frame policies for the digital economy and seems to indicate that the government plans to freely use any and all anonymized and/or non-personal data that rests with any data fiduciary that falls under the ambit of the bill to support the digital economy including for its growth, security, integrity, and prevention of misuse. It is unclear how the government, in practice, will be able to compel organizations to share this data. Further, there is a lack of clarity on the contours of the definition of non-personal data and the Bill does not define the term. It is also unclear whether the Central Government can compel the data fiduciary to transfer/share all forms of non-personal data and the rights and obligations of the data fiduciaries and data principals over such forms of data. Anonymised data refers to data which has ‘ irreversibly’ been converted into a form in which the data principal cannot be identified. However, as several instances have shown ‘ irreversible’ anonymisation is not possible. In the United States, the home addresses of taxi drivers were uncovered and in Australia individual health records were mined from anonymised medical bills [13]. In September 2019, the Ministry of Electronics and Information Technology, constituted an expert committee under the chairmanship of Kris Gopalkrishnan to study various issues relating to non-personal data and to deliberate over a data governance framework for the regulation of such data.The provision should be deleted and the scope of the bill should be limited to protection of personal data and to provide a framework for the protection of individual privacy. Until the report of the expert committee is published, the Central Government should not frame any law/regulation on the access and monetisation of non-personal/ anonymised data nor can they create a blanket provision allowing them to request such data from any data fiduciary that falls within the ambit of the bill. If the government wishes to use data resting with a data fiduciary; it must do so on a case to case basis and under formal and legal agreements with each data fiduciary.

7. Steps towards greater decentralisation of power

We propose the following steps towards greater decentralisation of powers and devolved jurisdiction —

Creation of State Data Protection Authorities: A single centralised body may not be the appropriate form of such a regulator. We propose that on the lines of central and state commissions under the Right to Information Act, 2005, state data protection authorities are set up which are in a position to respond to local complaints and exercise jurisdiction over entities within their territorial jurisdictions.
More involvement of industry bodies and civil society actors: In order to lessen the burden on the data protection authorities it is necessary that there is active engagement with industry bodies, sectoral regulators and civil society bodies engaged in privacy research. Currently, the Bill provides for involvement of industry or trade association, association representing the interests of data principals, sectoral regulator or statutory Authority, or an departments or ministries of the Central or State Government in the formulation of codes of practice. However, it would be useful to also have a more active participation of industry associations and civil society bodies in activities such as promoting awareness among data fiduciaries of their obligations under this Act, promoting measures and undertaking research for innovation in the field of protection of personal data.

8. The Authority must be empowered to exercise responsive regulation

In a country like India, the challenge is to move rapidly from a state of little or no data protection law, and consequently an abysmal state of data privacy practices to a strong data protection regulation and a powerful regulator capable of enabling a state of robust data privacy practices. This requires a system of supportive mechanisms to the stakeholders in the data ecosystem, as well as systemic measures which enable the proactive detection of breaches. Further, keeping in mind the limited regulatory capacity in India, there is a need for the Authority to make use of different kinds of inexpensive and innovative strategies.We recommend the following additional powers for the Authority to be clearly spelt out in the Bill —

Informal Guidance: It would be useful for the Authority to set up a mechanism on the lines of the Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law. Given that this is the first omnibus data protection law in India, and there is very little jurisprudence on the subject from India, it would be extremely useful for regulated entities to get guidance from the regulator.
Power to name and shame: When a DPA makes public the names of organisations that have seriously contravened data protection legislation, this is a practice known as “naming and shaming.” The UK ICO and other DPAs recognise the power of publicity, as evidenced by their willingness to co-operate with the media. The ICO does not simply post monetary penalty notices (MPNs or fines) on its websites for journalists to find, but frequently issues press releases, briefs journalists and uses social media. The ICO’s publicity statement on communicating enforcement activities states that the “ICO aims to get media coverage for enforcement activities.”
Undertakings: The UK ICO has also leveraged the threats of fines into an alternative enforcement mechanism seeking contractual undertakings from data controllers to take certain remedial steps. Undertakings have significant advantages for the regulator. Since an undertaking is a more “co-operative”solution, it is less likely that a data controller will change it. An undertaking is simpler and easier to put in place. Furthermore, the Authority can put an undertaking in place quickly as opposed to legal proceedings which are longer.

9. No clear roadmap for the implementation of the Bill

The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified [14]. It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified.The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within within which the Authority shall be established and specific rules and regulations notified. Considering that 25 provisions have been deferred to rules that have to be framed by the Central Government and a further 19 provisions have been deferred to the regulations to be notified by the Authority the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill.The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017.We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Authority. This is important to give full and effective effect to the right of privacy of the
individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries.For offences, we suggest a system of mail boxing where provisions and punishments are enforced in a staggered manner, for a period till the fiduciaries are aligned with the provisions of the Act. The Authority must ensure that data principals and fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment are brought into force. This will allow the data fiduciaries to align their practices with the provisions of this new legislation and the Authority will also have time to define and determine certain provisions that the Bill has left the Authority to define. Additionally enforcing penalties for offences initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders from paying a high price. This will relieve the fear of smaller companies and startups who might fear processing data for the fear of paying penalties for offences.

10. Lack of interoperability

In its current form, a number of the provisions in the Bill will make it difficult for India’s framework to be interoperable with other frameworks globally and in the region. For example, differences between the draft Bill and the GDPR can be found in the grounds for processing, data localization frameworks, the framework for cross border transfers, definitions of sensitive personal data, inclusion of the undefined category of ‘critical data’, and the roles of the authority and the central government.

11. Legal Uncertainty

In its current structure, there are a number of provisions in the Bill that, when implemented, run the risk of creating an environment of legal uncertainty. These include: lack of definition of critical data, lack of clarity in the interpretation of the terms ‘harm’ and ‘significant harm’, ability of the government to define further categories of sensitive personal data, inclusion of requirements for ‘social media intermediaries’, inclusion of ‘non-personal data’, framing of the requirements for data transfers, bar on processing of certain forms of biometric data as defined by the Central Government, the functioning between a consent manager and another data fiduciary, the inclusion of an AI sandbox and the definition of state. To ensure the greatest amount of protection of individual privacy rights and the protection of personal data while also enabling innovation, it is important that any data protection framework is structured and drafted in a way to provide as much legal certainty as possible.

Endnotes

1. (2017) 10 SCC 641 (“Puttaswamy I”).

2. Clause 42(1) of the 2018 Bill states that “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to such interests being achieved.”

3. (2019) 1 SCC 1 (“Puttaswamy II”)

4. Puttaswamy I, supra, para 180.

5. (1978) 1 SCC 248.

6. Ibid para 48.

7. Puttaswamy I supra para 180.

8. State of W.B. v. Anwar Ali Sarkar, 1952 SCR 284; Satwant Singh Sawhney v A.P.O AIR 1967 SC1836.

9. (2016)7 SCC 353.

10. Dvara Research “Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill, 2019 introduced in Lok Sabha on 11 December 2019”, January 2020, https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/ (“Dvara Research”).

11. “A Data Sandbox for Your Company”, Terrific Data, last accessed on January 31, 2019, http://terrificdata.com/2016/12/02/3221/.

12. Clause 3(20) — “harm” includes (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (ii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of service,benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal.

13. Alex Hern “Anonymised data can never be totally anonymous, says study”, July 23, 2019 https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds.

14. Clause 97 of the 2018 Bill states“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6)The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f ) security safeguards under section 31; (g) research purposes under section 45; (h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”

For more details visit https://cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019

Comments on the Statistical Disclosure Control Report

Srinivs Kodali and Amber Sinha — 2019-03-13T00:28:44Z

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.

1. PRELIMINARY

CIS is thankful for the opportunity to put forth its views.
This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.

2. ABOUT CIS

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.

CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.

3. Comments

3.1 General Comments

As a non-profit organisation we recognize the importance of the efforts by the Ministry of Statistics and Programme Implementation (MoSPI) to make the data you collect available to the public in open formats with relevant information about reliability of statistical estimates.

We at CIS have recently released a report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. We encountered several central and state government departments collecting socioeconomic data from citizens, linking it with Aadhaar and even publishing them in exportable data formats like EXCEL and MS ACCESS Databases. While we understand this issue primarily concerns to Unique Identification Authority of India (UIDAI), the lack of standards around information/statistical disclosure are a general threat to transparency in a democracy and privacy of individuals. Going through the report we understand the committee is unable to prescribe a standard for other ministries and departments until they try and pilot these standards within Ministry of Statistics and Programme Implementation. This delay in prescribing the standards can be really dangerous in the current circumstances of massive data collection by government departments and linking all the databases with a unique identifier, Aadhaar Number. At the same time we understand the importance of data dissemination to be carried out and we recommend the following for improving the standards around data disclosure control.

3.2 Integrity of Information and Data

We agree with the committee that the error rates need to be kept in mind while designing practices to convert raw data. But we request the process of changes being made be actively measured and documented. In case of errors being computed, guidelines can be made to decrease the possibilities of misinterpretation of errors causing loss of integrity of information. Statistics are important for decision making in governance, errors in computations can be biased towards millions of people. Statistical biases are important to be looked into while converting data from its raw format to make sure there are no damage caused by information.

3.3 Data Security

One of the important issues around storage and publication of Aadhaar information is the lack of masking standards. With the availability of data from multiple departments, it is possible to reconstruct identification details by linking data from multiple databases. It is recommended to bring masking standards while personally identifiable micro data is being published. There is an urgent need for departments to also look at auditing access to information and tracking sharing of information. It is recommended the department digitally signs all the information and documents being published or shared by them to keep track of who had accessed the information and verifying the authenticity of information.

We request the department to define what exactly is “usage for statistical purposes only” and recommend standards to control and restrict usage of information for this purpose. It is important they design frameworks or mechanisms to allow others to report violations around this. This process should be transparent and documented heavily.

3.4 Anonymization of microdata

We recommend the data being collected be anonymized at source to evade the possibility of the accidental disclosure of personally identifiable information. While the current anonymization efforts have been helpful, with steady increase in data mining and classification algorithms and practices it is recommended to evolve the standards around this area.

3.5 Data Dissemination

Data dissemination is an important aspect for district statistics officers, we recommend they actively communicate their work through monthly newsletters, quarterly workshops to help improve the conversations around statistics and at the same time engage with the users who would benefit from the data.

We also recommend that data when being published includes metadata of collection, modification, storage and other important information. Also the information needs to be published in open formats which does not require proprietary software to be used to open them. At the same time data should be published in multiple formats like CSV, XLS, PDF,

The committee also recognizes the need for having data users part of discussions around important decisions and be part of committees. We would like the department to recognize our efforts and consider us for future committee representations.

Thank you for this opportunity and we look forward to work with you in future.

For more details visit https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report

Comments on the RBI's Consultation Paper on Peer to Peer Lending

sumandro — 2016-06-01T20:21:13Z

The Reserve Bank of India published a Consultation Paper on Peer to Peer Lending on April 28, 2016, and invited comments from the public. CIS submitted the following response, authored by Elonnai Hickok, Pavishka Mittal, Sumandro Chattapadhyay, Vidushi Marda, and Vipul Kharbanda.

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) on the Consultation Paper on Peer to Peer Lending (“the consultation paper”) by the Reserve Bank of India (“RBI”) [1].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS [2], is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the concerns of citizens’ and users’ rights in the context of products, services, and transactions facilitated by digital media technologies, the , the principle that regulation should be defined around functions of the acts concerned, and not the technologies of delivery. Our comments are limited to the clauses that most directly have an impact on these concerns.

3. Response

3.1. Whether there is a felt need for regulating peer to peer lending platforms?

3.1.1. Peer to peer (“P2P”) lenders are platforms serving as marketplaces for the lenders and the borrowers of funds to connect. Their very business model does not render them as a provider of finance, as they aspire to function as pure intermediaries to enable lending and borrowing.

3.1.2. The Section 45I.(f)(iii) of the RBI Act, 1935 [3], provides RBI the authority to classify any financial institution as a non-banking financial company (“NBFC”) “with the previous approval of the Central Government and by notification in the Official Gazette.” Since the P2P lending platforms do not provide any finance themselves, undertake acquisition of financial instruments, deliver financial and/or insurance services, or collect financial resources directly, the only ground for classifying such companies as “financial institutions” [4] appears to be their involvement in “managing, conducting or supervising, as foreman, agent or in any other capacity, of chits or kuries as defined in any law which is for the time being in force in any State, or any business, which is similar thereto” [5]. P2P lending platforms can be considered to be brokers and thus there are other aspects that merit scrutiny such as antitrust issues, obligations of either party, company activities and the transactional system involved, as we will discuss in this document.

3.1.3. The consultation paper itself states that the balance sheet of the platform cannot indicate any borrowing / lending activity, which entails that the platform cannot itself provide finance or receive any funds for the provision of loans to others. Platforms are not allowed to determine the interest rates as they are not a party to the transaction. Neither would they be liable in cases of default by the borrower. These rules, standard for P2P platforms in other jurisdictions as well, confirm the assumption that the platform itself is not providing finance and thus, cannot be entrusted with any liability, obligation from the transaction.

3.1.4. Further, with RBI raising the threshold asset size for an NBFC to be considered systemically important (NBFC-ND-SI) from Rs. 100 Crores to Rs. 500 Crores [6], and Economic Times reporting that one of the biggest Indian P2P lending platform’s enterprise valuation (which can be taken as indicative of its net assets) is Rs 50 Crores [7], we may assume that most P2P lending platforms will have net assets worth less than 500 crore, at least in the near future; although there is a possibility for exponential growth with some companies.

3.1.5. Given the limited sphere of operation, restricted ability (by design) of these platforms to shape interest rates and other features of financial instruments, and their generally non-systemically-important nature, we would submit that the regulation of such P2P lending platforms are kept to an absolute minimum, so that their economic viability is not undermined, and at the same time the key risks associated with their operations are addressed by RBI.

3.2. Is the assessment of P2P lending and risks associated with it adequate?

3.2.1. CIS observes that the following are the key risks involved with the operations of the P2P lending platforms, and these are being respectively addressed by, or can be addressed by RBI in the following manners.

Insufficient information about the conditions of lending, leading to defrauding of the borrower: The borrower may not receive appropriate information about the terms of the loan, and/or the P2P lending platform may not act in a “fair” manner (say, in case of collusion between the P2P lending platform and the lender, or the lending platform and the borrower), which may lead to defrauding and/or economic loss of either party. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Guidelines on Fair Practices Code for NBFCs [8], which extensively addresses concerns related to this type of risks.
Insufficient information about the borrower, or her/his ability to repay the loan, may lead to non-repayment and economic loss of the lender: If the P2P lending platform allows the lender to offer loans to borrowers without acquiring and/or providing sufficient information to the lender about the borrower’s credit history and/or ability to repay the loan, modes of formulating security for loans, this may heighten the risks of non-repayment of loans. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Master Circular – 'Know Your Customer' (KYC) Guidelines – Anti Money Laundering Standards (AML) - Prevention of Money Laundering Act, 2002 - Obligations of NBFCs [9], which extensively addresses concerns related to this type of risks.
Credit-related information of the lenders and the borrowers collected by P2P lending platforms may not be made available to other financial institutions and that will lead asymmetry in credit information available across various actors in the sector: Credit information, related to both lending and borrowing practices of entities using the platform concerned, is a key asset of the P2P lending platforms. Lack of sharing of such information with Credit Information Companies, for economic reasons or otherwise, may however, lead to information asymmetry within the financial sector, which will structurally weaken the entire sector (with pieces of credit information being distributed across actors and not being shared internally). By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Credit Information Companies (Regulation) Act, 2005 [10], which extensively addresses concerns related to this type of risks.
P2P lending platforms diversifying their financial operations without informing RBI and hence without appropriate regulatory control: It is possible that P2P lending platforms may decide to diversify their activities. There have been similar examples in other related sectors, say e-commerce marketplaces, that have started their own product re/selling companies that use the same online marketplace concerned. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies provide RBI with detailed and regular reports of their economic activities and investments, which is expected to address concerns related to this type of risks.

3.3. Are there any other risks which ought to be addressed?

3.3.1. CIS observes that as part of the usual transaction related activities of the P2P lending platforms, the companies will come into possession of what has been defined as “sensitive personal data or information” by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 [11]. The concerns related to this type of risk is directly addressed by the Rules concerned, and may not require additional attention from the RBI.

3.3.2. CIS observes that as borrowers and lenders start using specific P2P lending platforms, the data regarding their credit histories and/or “financial reputation” will be owned by these companies. While such information might be shared internally within the financial sector through the Credit Information Companies, the borrowers and lenders themselves may not get direct access to such data. Hence, the borrowers and lenders will not be able to move easily and smoothly to a new P2P lending platform and make use of their existing credit information and/or “financial reputation” when accessing services offered via the new P2P lending platform. In other words, the borrowers and lenders may face a service provider lock-in, and inability to move between P2P lending platforms easily, without explicit access to their own credit history/reputation, and will not have the ability to migrate such information from one P2P lending platform to another (or to any other agency, for that matter). CIS submits that RBI must provide a mechanism to allow users to migrate between platforms as it has not been discussed in the consultation paper.

3.4. Is the proposed approach to regulating these platforms adequate?

3.4.1. CIS observes that while classification of P2P lending platforms will appropriately address key risks associated with their operations (as listed in 3.2.1. A-D), it will not address a major risk emerging out of their operations that is unique to the technological basis of the business concerned (as mentioned in 3.3.2.), and further, it will impose substantial financial and management obligations that have a very high probability of undermining the economic viability of this emerging and niche sector of intermediated direct lending and borrowing.

3.4.2. CIS observes that these financial and management obligations may involve the following topics among others discussed: 1) minimum net worth requirement for registration, 2) minimum investments required to be made government securities, 3) transferring of minimum percentage of net profits to RBI, 4) guidelines regarding corporate governance [12], etc.

3.4.3. Given this, CIS submits that instead of classifying P2P lending platforms as “Misc NBFCs,” a new sub-classification is created under the category of NBFC for such platforms, that directly addresses the key risks associated with businesses of P2P lending platforms, and protects lenders as well as borrowers while enhancing transparency in operations. This new sub-classification of P2P lending companies should also be divided into systemically-important and non-systemically-important like other NBFCs, and requirements regarding financial operations and corporate management should only be enforced for the former category of P2P lending companies.

3.5. Any other relevant issues pertaining to P2P lending

Beyond the issues already discussed above, CIS seek clarity from the RBI around the following aspects:

Transactional system pertaining to P2P lending:
1. What are the requirements and prerequisites for mandating the collection of user identity?
2. Establishing a maximum sum that can be transferred per transaction.
Company activities:
1. Fees that can be charged by platforms.
2. How data security can be best addressed.
3. How the financial transactions are brokered.
4. Modes of redressal.
5. Restitution to users if something goes amiss in the transaction.
6. Insurance that the company has to buy or capital on hand to support.

Endnotes

[1] See: https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=3164.

[2] See: http://cis-india.org/.

[3] See: https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/RBIA1934170510.pdf.

[4] See Section 45I.(c) of RBI Act, 1923, last amended on January 07, 2013.

[5] See Section 45I.(c)(v) of RBI Act, 1923, last amended on January 07, 2013.

[6] See: https://rbidocs.rbi.org.in/rdocs/content/pdfs/PNNBFC200315.pdf.

[7] See: http://economictimes.indiatimes.com/small-biz/startups/faircent-com-raises-pre-series-a-funding-of-250k/articleshow/47630279.cms.

[8] See: https://rbi.org.in/scripts/NotificationUser.aspx?Id=7866.

[9] See: https://rbi.org.in/scripts/BS_ViewMasCirculardetails.aspx?id=8168.

[10] See: http://www.incometaxindia.gov.in/Pages/acts/credit-information-companies-act.aspx.

[11] See: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf.

[12] See: https://www.rbi.org.in/scripts/BS_NBFCNotificationView.aspx?Id=3706.

For more details visit https://cis-india.org/raw/comments-on-the-rbi-consultation-paper-on-peer-to-peer-lending

Comments on the Report of the Committee on Digital Payments (December 2016)

Sumandro Chattapadhyay and Amber Sinha — 2017-01-12T12:32:22Z

The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.

1. Preliminary

1.1. This submission presents comments by the Centre for Internet and Society (“CIS”) [1] in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) [2].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.

2.2. CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.

3. Comments

3.1. CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 Rs. 1,000 notes), declared on November 08, 2016 [3], have generated unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to its extreme use due to the circumstances. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider opening up this data for analysis and discussion by public at large and experts in particular, before any specific policy and regulatory decisions are taken towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.

3.2. While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. CIS strongly warns that the existing data protection and security regulations under Information Technology (Reasonable security practices and procedures and sensitive personal data or information), Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services. Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.

3.3. The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. We submit that a decision regarding transformation of such scale and implications is taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.

3.4. The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both are primarily technology businesses where information technology particularly is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as, pre-paid instruments) offering return on deposited money via other means (such as, cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice.

3.5. The report highlights two major shortcomings of the current regulatory regime for payments. Firstly “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates conflict of interest for the regulator otherwise. Secondly, the report mentions that Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of how this function of course needs discussion and changes with the growth in digital payments.

3.6. The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.

3.7. CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” We second this recommendation and would like to add further that financial transaction data is governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities.

3.8. We are, however, very discouraged to see the overtly incorrect use of the word “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity [4]. This is not an uncommon anti-competitive measure adopted by various platform players and services providers so as to disallow users from using competing products (such as, not allowing competing apps in the app store controlled by one software company). The term “Open Access” is not only the appropriate word to describe the negation of such anti-competitive behaviour, its usage in this context undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report. The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.

3.9. A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic.

3.10. The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). Not only these measures would imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment. A mandate for replacement of the paper-based central KYC agencies will only remove a much needed redundancy in the the identity verification infrastructure of the government.

3.11. The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification process for a natural person, apart from DNA testing perhaps. Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud.

3.12. In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats.

3.13. The report suggest the establishment of “a ranking and reward framework” to recognise and encourage for the best performing state/district/agency in the proliferation of digital payments. It appears to us that creation of such a framework will only lead to making of an environment of competition among these entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state government and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.

3.14. CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities.

3.15. The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.

3.16. As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://finmin.nic.in/reports/Note-watal-report.pdf and http://finmin.nic.in/reports/watal_report271216.pdf.

[3] See: http://finmin.nic.in/cancellation_high_denomination_notes.pdf.

[4] Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: http://www.budapestopenaccessinitiative.org/read.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016

Clause 12 Of The Data Protection Bill And Digital Healthcare: A Case Study

amber — 2022-03-01T15:07:44Z

In light of the state’s emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?

The blog post was published in Medianama on February 21, 2022. This is the second in a two-part series by Amber Sinha.

In the previous post, I looked at provisions on non-consensual data processing for state functions under the most recent version of recommendations by the Joint Parliamentary Committee on India’s Data Protection Bill (DPB). The true impact of these provisions can only be appreciated in light of ongoing policy developments and real-life implications.

To appreciate the significance of the dilutions in Clause 12, let us consider the Indian state’s range of schemes promoting digital healthcare. In July 2018, NITI Aayog, a central government policy think tank in India released a strategy and approach paper (Strategy Paper) on the formulation of the National Health Stack which envisions the creation of a federated application programming interface (API)-enabled health information ecosystem. While the Ministry of Health and Family Welfare has focused on the creation of Electronic Health Records (EHR) Standards for India during the last few years and also identified a contractor for the creation of a centralised health information platform (IHIP), this Strategy Paper advocates a completely different approach, which is described as a Personal Health Records (PHR) framework. In 2021, the National Digital Health Mission (NDHM) was launched under which a citizen shall have the option to obtain a digital health ID. A digital health ID is a unique ID and will carry all health records of a person.

A Stack Model for Big Data Ecosystem in Healthcare

A stack model as envisaged in the Strategy Paper, consists of several layers of open APIs connected to each other, often tied together by a unique health identifier. The open nature of APIs has the advantage that it allows public and private actors to build solutions on top of it, which are interoperable with all parts of the stack. It is however worth considering both the ‘openness’ and the role that the state plays in it.

Even though the APIs are themselves open, they are a part of a pre-decided technological paradigm, built by private actors and blessed by the state. Even though innovators can build on it, the options available to them are limited by the information architecture created by the stack model. When such a technological paradigm is created for healthcare reform and health data, the stack model poses additional challenges. By tying the stack model to the unique identity, without appropriate processes in place for access control, siloed information, and encrypted communication, the stack model poses tremendous privacy and security concerns. The broad language under Clause 12 of the DPB needs to be looked at in this context.

Clause 12 allows non-consensual processing of personal data where it is necessary “for the performance of any function of the state authorised by law” in order to provide a service or benefit from the State. In the previous post, I had highlighted the import of the use of only ‘necessity’ to the exclusion of ‘proportionality’. Now, we need to consider its significance in light of the emerging digital healthcare apparatus being created by the state.

The National Health Stack and National Digital Health Mission together envision an intricate system of data collection and exchange which in a regulatory vacuum would ensure unfettered access to sensitive healthcare data for both the state and private actors registered with the platforms. The Stack framework relies on repositories where data may be accessed from multiple nodes within the system. Importantly, the Strategy Paper also envisions health data fiduciaries to facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the health records for delivering services to the individual. The cast of characters involve the National Health Authority, health care providers and insurers who access the National Health Electronic Registries, unified data from different programmes such as National Health Resource Repository (NHRR), NIN database, NIC and the Registry of Hospitals in Network of Insurance (ROHINI), private actors such as Swasth, iSpirt who assist the Mission as volunteers. The currency that government and private actors are interested in is data.

The promised benefits of healthcare data in an anonymised and aggregate form range from Disease Surveillance to Pharmacovigilance as well as Health Schemes Management Systems and Nutrition Management, benefits which have only been more acutely emphasised during the pandemic. However, the pandemic has also normalised the sharing of sensitive healthcare data with a variety of actors, without much thinking on much-needed data minimisation practises.

The potential misuses of healthcare data include greater state surveillance and control, predatory and discriminatory practices by private actors which rely on Clause 12 to do away with even the pretense of informed consent so long as the processing of data is deemed necessary by the state and its private sector partners to provide any service or benefit.

Subclause (e) in Clause 12, which was added in the last version of the Bill drafted by MeitY and has been retained by the JPC, allows processing wherever it is necessary for ‘any measures’ to provide medical treatment or health services during an epidemic, outbreak or threat to public health. Yet again, the overly-broad language used here is designed to ensure that any annoyances of informed consent can be easily brushed aside wherever the state intends to take any measures under any scheme related to public health.

Effectively, how does the framework under Clause 12 alter the consent and purpose limitation model? Data protection laws introduce an element of control by tying purpose limitation to consent. Individuals provide consent to specified purposes, and data processors are required to respect that choice. Where there is no consent, the purposes of data processing are sought to be limited by the necessity principle in Clause 12. The state (or authorised parties) must be able to demonstrate necessity to the exercise of state function, and data must only be processed for those purposes which flow out of this necessity. However, unlike the consent model, this provides an opportunity to keep reinventing purposes for different state functions.

In the absence of a data protection law, data collected by one agency is shared indiscriminately with other agencies and used for multiple purposes beyond the purpose for which it was collected. The consent and purpose limitation model would have addressed this issue. But, by having a low threshold for non-consensual processing under Clause 12, this form of data processing is effectively being legitimised.

For more details visit https://cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study