Centre for Internet and Society

Conference on Data Protection

Admin — 2018-09-20T14:47:17Z

Sunil Abraham and Amber Sinha participated in a conference on data protection at NIPFP in New Delhi on September 4, 2018. The event was organized by National Institute of Public Finance and Policy.

Sunil Abraham and Amber Sinha were discussant in the session Disclosures in Privacy Policies: Does Consent Work?

Click to see the agenda

For more details visit http://editors.cis-india.org/internet-governance/news/conference-on-data-protection

Concerns Regarding DNA Law

bhairav — 2013-10-29T10:09:26Z

Recently, a long government process to draft a law to permit the collection, processing, profiling, use and storage of human DNA is nearing conclusion. There are several concerns with this government effort. Below, we present broad-level issues to be kept in mind while dealing with DNA law.

Background

The Department of Biotechnology released, in 29 April 2012, a working draft of a proposed Human DNA Profiling Bill, 2012 ("DBT Bill") for public comments. The draft reveals an effort to (i) permit the collection of human blood, tissue and other samples for the purpose of creating DNA profiles, (ii) license private laboratories that create and store the profiles, (iii) store the DNA samples and profiles in various large databanks in a number of indices, and (iv) permit the use of the completed DNA profiles in scientific research and law enforcement. The regulation of human DNA profiling is of significant importance to the efficacy of law enforcement and the criminal justice system and correspondingly has a deep impact on the freedoms of ordinary citizens from profiling and monitoring. Below, we highlight five important concerns to bear in mind before drafting and implementing DNA legislation.

Primary Issues

Purpose of DNA Profiling

DNA profiling serves two broad purposes – (i) forensic – to establish unique identity of a person in the criminal justice system; and, (ii) research – to understand human genetics and its contribution to anthropology, biology and other sciences. These two purposes have very different approaches to DNA profiling and the issues and concerns attendant on them vary accordingly. Forensic DNA profiling is undertaken to afford either party in a criminal trial a better possibility of adducing corroborative evidence to prosecute, or to defend, an alleged offence. DNA, like fingerprints, is a biometric estimation of the individuality of a person. By itself, in the same manner that fingerprint evidence is only proof of the presence of a person at a particular place and not proof of the commission of a crime, DNA is merely corroborative evidence and cannot, on its own strength, result in a conviction or acquittal of an offence. Therefore, DNA and fingerprints, and the process by which they are collected and used as evidence, should be broadly similar.

Procedural Integrity

Forensic DNA profiling results from biological source material that is usually collected from crime scenes or forcibly from offenders and convicts. Biological source material found at a crime scene is very rarely non-contaminated and the procedure by which it is collected and its integrity ensured is of primary legislative importance. To avoid the danger of contaminated crime scene evidence being introduced in the criminal justice system to pervert the course of justice, it is crucial to ensure that DNA is collected only from intact human cells and not from compromised genetic material. Therefore, if the biological source material found at a crime scene does not contain at least one intact human cell, the whole of the biological source material should be destroyed to prevent the possibility of compromised genetic material being collected to yield inconclusive results. Adherence to this basic principle will obviate the possibility of partial matches of DNA profiles and the resulting controversy and confusion that ensues.

Conditions of Collection

In India, the taking of fingerprints is chiefly governed by the Identification of Prisoners Act, 1920 ("Prisoners Act") and section 73 of the Indian Evidence Act, 1872 ("Evidence Act"). The Prisoners Act permits the forcible taking of fingerprints from convicts and suspects in certain conditions. The Evidence Act, in addition, permits courts to require the taking of fingerprints for the forensic purpose of establishing unique identity in a criminal trial. No
provisions exist for consensual taking of fingerprints, presumably because of the danger of self-incrimination and general privacy concerns. Since, as discussed earlier, fingerprints and DNA are biometric measurements that should be treated equally to the extent possible, the conditions for the collection of DNA should be similar to those for the taking of fingerprints.Accordingly, there should be no legal provisions that enable other kinds of collection, including from volunteers and innocent people.

Retention of DNA

As a general rule applicable in India, the retention of biometric measurements must be supported by a clear purpose that is legitimate, judicially sanctioned and transparent. The Prisoners Act, which permits the forcible taking of fingerprints from convicts, also mandates the destruction of these fingerprints when the person is acquitted or discharged. The indefinite collection of biometric measurements of people is dangerous, susceptible to abuse and invasive of civil rights. Therefore, once lawfully collected from crime scenes and offenders, their DNA profiles must be retained in strictly controlled databases with highly restricted access for the forensic purpose of law enforcement only. DNA should not be held in databases that allow non-forensic use. Further, the indices within these databases should be watertight and exclusive of each other.

DNA Laboratories

The process by which DNA profiles are created from biological source material is of critical importance. Because of the evidentiary value of DNA profiles, the laboratories in which these profiles are created must be properly licensed, professionally managed and manned by competent and impartial personnel. Therefore, the process by which DNA laboratories are licensed and permitted to operate is significant.

For more details visit http://editors.cis-india.org/internet-governance/blog/concerns-regarding-dna-law

Concerns over central snoop

praskrishna — 2013-07-01T09:33:27Z

Eyebrows have been raised at the Centre’s single-window system to intercept phone calls and internet exchanges — the desi version of the US’s surveillance programme, PRISM — that is expected to roll out this year-end.

The article by Aloke Tikku was published in the Hindustan Times on June 28, 2013. Sunil Abraham is quoted.

The Rs. 400-crore project — tentatively called the Central Monitoring System (CMS) — will not only allow the government to listen to a target’s phone conversation but also track down a caller’s precise location, match his voice against known suspects’ before the call is completed and see what people have been up to on the internet.

And then, it can also use analytics to discover possible links — between suspected terrorists, criminals or just about anybody — from the internet and phone data. All this will be done from one place without keeping the internet or phone service provider in the loop — something the telecom and home ministries insist will enhance citizens’ privacy.

Both ministries also insist that the CMS won’t change the rules of the game. “The process to seek authorisation for interception will not be diluted,” a home ministry official promised.

So is everything hunky dory?

Hardly. But technology — in this case, the CMS — is a smaller part of the problem.

The bigger chunk is the process of approving “lawful interception” orders and the lack of transparency around it.

It was in December 1996 that the Supreme Court held that the State could spy on its citizens in extraordinary circumstances but, as an interim measure, made it mandatory for the home secretary to approve each and every such request. Telecom minister Kapil Sibal, who appeared in this case in the mid-1990s, convinced the court that it didn’t have the powers to order that a judge decide each phone-tapping case. Instead, Sibal suggested that this power remain with the executive on lines of the law in the UK. A former home secretary, however, conceded that they hardly have the time to apply their mind before signing a wiretap order.

That isn’t surprising. The home secretary approves around 7,500-9,000 interception orders every month. That means he or she has to sign an average of 300 orders every day without a break.

If he were to spend just 30 seconds on each case, he would have to keep aside four-and-a-half hours just approving interception orders every day.

An official said the ministry was considering a suggestion to pick up a fixed number of cases at random for closer scrutiny before approval.

Many believe this might not be enough. It is argued that the government — which was trying to replicate surveillance technology from the west — needs to adopt their safeguards and transparency norms too.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, said he didn’t have a problem with CMS as long as it didn’t go for blanket surveillance.

“But there is no reason why the executive — and not a judge — should have the powers to decide on phone-tapping requests,” he said. Or for that matter, why shouldn’t there be an independent audit of phone-tapping decisions, their implementation and outcome?

“The aggregated data should be put in the public domain,” Abraham said. The US has such provisions. So does Britain, which inspired Sibal to argue for retaining interception powers with the executive in the mid-1990s. It is time to follow-up on that model.

For more details visit http://editors.cis-india.org/news/hindustan-times-aloke-tikku-june-28-2013-concerns-over-central-snoop

Comparison of Section 35(1) of the Draft Human DNA Profiling Bill and Section 4 of the Identification Act Revised Statute of Canada

elonnai — 2014-03-03T08:20:55Z

A comparison of section 35(1) of the Draft Human DNA Profiling Bill, section 4 of the Identification Act, Revised Statute of Canada, and a review of international best practices.

In continuance of research around the Draft Human DNA Profiling Bill that has been drafted the Department of Biotechnology, this blog entry reviews best practices for the communication of DNA profiles from the DNA Bank Manager to law enforcement and the police, compares the section 35(1) of the Draft Human DNA Profiling Bill and section 4 of the Identification Act Revised Statute of Canada, and recommends a revision of the present provision in the Draft Human DNA Profiling Bill.

Indian Provision

35 (1) “On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank in order to determine whether it is already contained in the DNA Data Bank and shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely –

(a) As to whether the DNA profile received is already contained in the Data Bank; and

(b) Any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received.

(2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.”

Canadian Provision vs. Indian Provision

According to the Draft Human DNA Profiling Bill 35(1) was adopted from the DNA Identification Act Revised Statute of Canada section 4. The provision found in the Draft Human DNA Profiling Bill is different in three ways:

The Canadian statute limits the communication of whether a DNA profile is contained in the Data Bank or not to law enforcement agencies or other DNA laboratories, where as the provision in the Draft Human DNA Profiling Bill allows the communication to law enforcement agencies, other DNA data banks, and courts and tribunals.
The Canadian statute limits the comparison of any DNA profile to that as entered in the convicted offenders index or the crime scene index with those DNA profiles that are already contained in the databank, where as the Draft Human DNA Profiling Bill allows for any received profile to be compared with the other profiles in the DNA Data Bank.
The Canadian statute defines four types of information that may be communicated to law enforcement or another DNA databank including:

(a) if the DNA profile is not already contained in the data bank, the fact that it is not;
(b) if the DNA profile is already contained in the data bank, the information contained in the data bank in relation to that DNA profile;
(c) if the DNA profile is, in the opinion of the Commissioner, similar to one that is already contained in the data bank, the similar DNA profile; and
(d) if a law enforcement agency or laboratory advises the Commissioner that their comparison of a DNA profile communicated under paragraph (c) with one that is connected to the commission of a criminal offence has not excluded the former as a possible match, the information contained in the data bank in relation to that profile.

While the Draft Human DNA Profiling Bill provides for communication of only (a) and (b) by the DNA Data Bank Manager.

Concerns with 35(1) and Best Practices

The Centre for Internet and Society finds 35(1) problematic because a DNA profile is never a complete match, and is instead a scientific and statistical based probability. There are a number of steps that go into the analysis of a DNA profile. According to the US National Institute of Justice, these include: “1) the isolation of the DNA from an evidence sample containing DNA of unknown origin, and generally at a later time, the isolation of DNA from a sample (e.g., blood) from a known individual; 2) the processing of the DNA so that test results may be obtained; 3) the determination of the DNA test results (or types), from specific regions of the DNA; and 4) the comparison and interpretation of the test results from the unknown and known samples to determine whether the known individual is not the source of the DNA or is included as a possible source of the DNA.”

Though it is common for DNA Banks to communicate responses such as “match”, “no match”, or “partial match” or “inclusion”, “exclusion”, or “inconclusive” to inquiries received from law enforcement and other DNA Banks, this is not the case for communications to courts and tribunals. For example in England and Wales guidelines for presenting DNA evidence in court were laid out in the rule Rv. Dohemy and Adams (1997) 1 Cr. App. R. 396. Along with comprehensive guidelines on how experts should conduct themselves in court to prevent bias, the guidelines require the following information to be presented when DNA material is used as evidence in a case:

“The scientist should adduce the evidence of the DNA comparisons between the crime stain and the defendant’s sample together with the calculations of the Random Match Probability.
Whenever DNA evidence is adduced the Crown should serve on the defence details as to how the calculations have been carried out which are sufficient to enable the defence to scrutinize the basis of the calculations.
The Forensic Science Service should make available to a defence expert, if requested, the databases upon which the calculations have been made.
The expert will, on the basis of empirical statistical data, five the jury the random occurrence rations - the frequency with which the matching DNA characteristics are likely to be found in the population at large.
Provided that the expert has the necessary data, it may then be appropriate for him to indicate how many people with the matching characteristics are likely to be found in the United Kingdom...”

Recommendations

Given the influential weight that DNA evidence can have in a case, it is critical that the evidence is accurately presented to the court and other key stakeholders. The Centre for Internet and Society recommends that the Bill should distinguish the DNA Bank Manager’s response to law enforcement and other DNA Laboratory’s and the DNA Bank Manger’s response to courts and tribunals as below:

Response to Law enforcement agency and DNA Laboratory: The DNA Bank Manger should respond to a request from law enforcement or a DNA laboratory with either: "match" or "partial match" .
Response to Court and tribunal: When DNA evidence is used in a court of law, the Bill should provide that the presentation should include:

The random match probability: The probability that the profile is in the sample from the individual tested if the individual tested has been selected at random.
The frequency with which the matching DNA characteristics are likely to be found in the population at large.
The probability of contamination.

The Bill should also provide for the database upon which the calculations were based to be made available when requested. In addition, the Bill should provide for rules to be made prescribing the procedure for presentation.

[]. http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx

[2]. http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf

For more details visit http://editors.cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions

Comparison of General Data Protection Regulation and Data Protection Directive

Aditi Chaturvedi and Edited by Leilah Elmokadem — 2017-02-07T14:08:35Z

Recently, the General Data Protection Regulation (REGULATION (EU) 2016/679) was passed. It shall replace the present Data Protection Directive (DPD 95/46/EC), which is a step that is likely to impact the workings of many organizations. This document intends to offer a clear comparison between the General Data Protection Regulation (GDPR) a the Data Protection Direction (DPD).

Download the file here

INTRODUCTION

The GDPR i.e. General Data Protection Regulation (REGULATION (EU) 2016/679) was adopted on May 27th, 2016. It will come into force after a two-year transition period on May 25th, 2018 and will replace the Data Protection Directive (DPD 95/46/EC). The Regulation intends to empower data subjects in the European Union by giving them control over the processing of their personal data. This is not an enabling legislation. Unlike the previous regime under the DPD (Data Protection Directive), wherein different member States legislated their own data protection laws, the new regulation intends uniformity in application with some room for individual member states to legislate on procedural mechanisms. While this will ensure a predictable environment for doing business, a number of obligations will have to be undertaken by organizations, which might initially burden them financially and administratively.

2. SUMMARY

The Regulation contains a number of new provisions as well as modified provisions that were under DPD and has removed certain requirements under the DPD. Some significant changes mentioned in the document have been summarized in this section.. These changes suggest that GDPR is a comprehensive law with detailed substantive and procedural provisions. Yet, some ambiguities remain with respect to its workability and interpretation. Clarifications will be required.

2.1 Provisions from the DPD that were retained but altered in the GDPR include:

2.1.1 Scope:

GDPR has an expanded territorial scope and is applicable under two scenarios; 1) when processor or controller is established in the Union, and 2) when processor or controller is not established in the Union. The conditions for applicability of the GDPR under the two are much wider than those provided for DPD. Also, the criteria under GDPR are more specific and clearer to demonstrate application.

2.1.2 Definitions:

Six definitions have remained the same while those of personal data and consent have been expanded.

2.1.3 Consent:

GDPR mentions "unambiguous" consent and spells out in detail what constitutes a valid consent. Demonstration of valid consent is an important obligation of the controller. Further, the GDPR also explains situations in which child's consent will be valid. Such provisions are absent in DPD.

2.1.4 Special categories of data:

Two new categories, biometric and genetic data have been added under GDPR.

2.1.5 Rights:

The GDPR strengthens certain rights granted under the DPD. These include:

a. Right to restrict processing: Under DPD the data subject can block processing of data on the grounds of data inaccuracy or incomplete nature of data. GDPR, on the other hand , is more elaborate and defined in this respect. Many more grounds are listed together with consequences of enforcement of this right and obligations on controller.

b. Right to erasure: This is known as the "right to be forgotten". Here, the DPD merely mentions that the data subject has the right to request erasure of data on grounds of data inaccuracy or incomplete nature of data or in case of unlawful processing. The GDPR has strengthened this right by laying out 7 conditions for enforcing this right including 5 grounds on which the request for erasure shall not be processed. This means that the "right to erasure" is not an absolute right. GDPR provides that if data has been made public, controllers are under an obligation to inform other controllers processing the data about the request.

c. Right to rectification: This right is similar under GDPR and DPD.

d. Right to access: GDPR has broadened the amount of information data subject can have regarding his/her own data. For example, under the DPD the data subject could know about the purpose of processing, categories of processing, recipients or categories to whom data are disclosed and extent of automated decision involved. Now under GDPR, the data subject can also know about retention period, existence of certain rights, about source of data and consequences of processing. It specifically states controllers obligations in this regard.

e. Automated individual decision making including profiling: This is an interesting provision that applies solely to automate decision-making. This includes profiling, which is a process by which personal data is evaluated solely by automated means for the purpose of analyzing a person's personal aspect such as performance at work, health, location etc. The intent is that data subjects should have the right to obtain human intervention into their personal data. This upholds philosophy of data safeguard as the subject can get an opportunity to express himself, obtain explanation and challenge the decision. Under GDPR, such decision-making excludes data concerning a child.

2.1.6 Code of conduct:

A voluntary self-regulating mechanism has been provided under both GDPR and DPD.

2.1.7 Supervisory Authority:

As compared to the DPD, the GDPR lays down detailed and elaborate provisions on Supervisory Authority.

2.1.8 Compensation and Liability:

Although compensation and liability provisions under GDPR and DPD are similar, the GDPR specifically mentions this as a right with a wider scope. While the Directive enforces liability on the controller only, under the GDPR, compensation can be claimed from both, processor and controller.

2.1.9 Effective judicial remedies:

Provisions in this area are also quite similar between the DPD and GDPR. The difference is that GDPR specifically mentions this as a "right" and the Directive does not. Use of such words is bound to bring legal clarity. It is interesting to note that in the DPD, recourse to remedy has been mentioned in the Recitals and it is the national law of individual member states, which shall regulate the enforceability. GDPR, on the other hand, mentions this under its Articles together with the jurisdiction of courts and exceptions to this right.

2.1.10 Right to lodge complaint with supervisory authority:

The right conferred to the data subject to seek remedy under unlawful processing has been strengthened under GDPR. Again, as mentioned above, GDRP specifically words this as a "right" while the DPD does not.

2.2 New provisions added to the GDPR include:

2.2.1 Data Transfer to third countries:

Provisions under Chapter V of GDPR regulate data transfers from EU to third countries and international organizations and data transfer onward. DPD only provides for data transfer to third countries without reference to international organizations.

A mechanism called adequacy decisions for such transfers remains the same under both laws. However, in situations where Commission does not take adequacy decisions, alternate and elaborate provisions on "Effective Safeguards" and "Binding Corporate Rules" have been mentioned under the GDPR. Other certain situations have been envisaged under both GDPR and DPD for data transfers in absence of adequacy decision. These are more or less similar with a only few modifications.

Significantly, GDPR brings clarity with respect to enforceability of judgments and orders of authorities that are outside of EU over their decision on such data transfer. Additionally, it provides for international cooperation for protection of personal data. These are not mentioned in the DPD.

2.2.2 Certification mechanism:

Just like code of conduct, this is also a voluntary mechanism, which can aid in demonstrating compliance with Regulation.

2.2.3 Records of processing activities:

This is a mandatory "compliance demonstration" mechanism under GDPR, which is not mentioned under DPD. Organizations are likely to face initial administrative and financial burdens in order to maintain records of processing activities.

2.2.4 Obligations of processor:

DPD fixes liability on controllers but leaves out processors. GDPR includes both. Consequently, GDPR specifies obligations of the processor, the kinds of processors the controller can use and what will govern processing.

2.2.5 Data Protection officer:

This finds no mention in the DPD. Under the GDPR, a data protection officer must be mandatorily appointed where the core business activity of the organization pertains to processing, which requires regular and systematic monitoring of data subjects on large scale, processing of large scale special categories of data and offences, or processing carried out by public authority or public body.

2.2.6 Data protection impact assessment:

This is a Privacy Impact assessment for ensuring and demonstrating compliance with the Regulation. Such assessment can identify and minimize risks. GDPR mandates that such assessment must be carried out when processing is likely to result in high risk. The relevant Article mentions when to carry out processing, the type of information to be contained in assessment and a clause for prior consultation with supervisory authority prior to processing if assessment indicates high risk.

2.2.7 Data Breach:

Under this provision, the controller is responsible for two things: 1) reporting personal data breach to supervisory authority no later than 72 hours . Any delay in notifying the authority has to be accompanied by reasons for delay; and 2) communicating the breach to the data subject in case the breach is likely to cause high risk to right and freedoms of the person. As far as the processor is concerned, in the event of data breach, the processor must notify the controller. This provision is likely to push some major changes in the workings of various organizations. A number of detection and reporting mechanisms will have to be implemented. Above all, these mechanisms will have to be extremely efficient given the time limit.

2.2.8 Data Protection by design and default:

This entails a general obligation upon the controller to incorporate effective data protection in internal policies and implementation measures.

2.2.9 Rights:

Under the GDPR, a new right called the " Right to data portability " has been conferred upon the data subjects. This right empowers the data subject to receive personal data from one controller and transfer it to another.

2.2.10 New Definitions:

Out of 26 definitions, 18 new definitions have been added. "Pseudonymisation" is one such new concept that can aid data privacy. This data processing technique encourages processing in a way that personal data can no longer be attributed to a specific data subject without using additional information. This additional information is to be stored separately in a way that it is not attributed to an identified or identifiable natural person.

2.2.11 Administrative fines:

Perhaps much concern about GDPR is due to provisions on high fines for non-compliance of certain provisions. Organizations simply cannot afford to ignore it. Non-compliance can lead to imposition of very heavy fines up to 20,000,000 EUR or 4% of total worldwide turnover.

2.3 Deleted provisions under DPD include :

2.3.1 Working Party:

Working party under the DPD has been replaced by the European Data Protection Board provided by the GDPR. The purpose of the Board is to ensure consistent application of the Regulation.

2.3.2 Notification Requirement:

The general obligation to notify processing supervisory authorities has been removed. It was observed that this requirement imposed unnecessary financial and administrative burden on organizations and was not successful in achieving the real purpose that is protection of personal data. Instead, now the GDPR focuses on procedures and mechanisms like Privacy Impact assessment to ensure compliance.

3. BRIEF OVERVIEW

The GDPR is the new uniform law, which will now replace older laws. A brief overview has been given below:

Topic	GDPR (General Data Protection Regulation)	DPD (Data Protection Directive)

Name	REGULATION (EU) 2016/679	DPD 95/46/EC
Enforcement	Adopted on 27 May 2016 To be enforced on 25 May 2018	Adopted on 24 October 1995
Effect of legislation	It is a Regulation. Is directly applicable to all EU member states without requiring a separate national legislation.	It is an enabling legislation. Countries have to pass their own separate legislations.
Objective	To protect "natural persons" with regard to processing of personal data and on free movement of such data. It repeals DPD 95/46/EC.	To protect "individuals" with regard to processing of personal data and on free movement of such data.
Number of Chapters	XI	VII
Number of Articles	99	34
Number of Recitals	173	72
Applicability	To processors and controllers	Same

4. COMPARATIVE ANALYSIS OF GDPR AND DPD

This section offers a comparative analysis through a set of tables and text analysing and comparing the provisions of General Data Protection Regulation (GDPR) with those of the Data Protection Direction (DPD). Spaces left blank in the tables imply lack of similar provisions under the respective data regime.

4.1 Territorial Scope

GDPR has expanded territorial scope. The application of Regulation is independent of the place where processing of personal data takes places under certain conditions. The focus is the data subject and not the location. The DPD made application of national law, a criterion for determining the applicability of the Directive. Under the GDPR, the following conditions need to be satisfied for application of Regulation.

Sub-topics in the section	GDPR	DPD

Given in Article	3	4

When processor or controller is established in the Union, the Regulation/ Directive will apply if: (DPD is silent on location of processors )	1. Processing is of personal data 2. Processing is in "context of activities" of the establishment 3. Processing may or may not take place in the Union	Processing is of personal data.
When processor or controller is not established in Union, the Regulation/Directive will apply if: (DPD is silent on location of processors )	1. Data subjects are in the Union; and 2. Processing activity is related to: I. Offering of goods or services; or II. Monitoring their behavior within Union 3. Will apply when Member State law is applicable to that place by the virtue of public international law	1. Like GDPR the DPD mentions that national law should be applicable to that place by virtue of public international law; Or 2. If the equipment for processing is situated on Member state territory unless it is used only for purpose of transit.

4.2 Material Scope

The Recital under GDPR explains that data protection is not an absolute right. Principle of proportionality has been adopted to respect other fundamental rights.

Sub-topics in the section	GDPR	DPD

Given in Article	2	3
Applies to	Processing of personal data Processing is by automated means, wholly or partially When processing is not by automated means, the personal data should form or are intended to form a part of filing system	Same
Does not apply to	Processing of personal data: 1. For activities which lie outside scope of Union law 2. By Member State under Chapter 2 Title V of TEU 3. By natural person in course of purely personal or household activity 4. By competent authorities in relation to criminal offences and penalties and threats to public security 5. Under Regulation (EC) No 45/2001. This needs to be adapted for consistency with GDPR 6. Which should not prejudice the E commerce Directive 2000/31/EC especially the liability rules of intermediary service providers	The provisions in DPD are similar to GDPR. In addition to Title V, the DPD did not apply to Title VI of TEU. DPD doesn't mention Regulation (EC) No 45/2001 or the E commerce Directive 2000/31/EC.

4.3 Definitions

GDPR incorporates 26 definitions as compared to 8 definitions under DPD. There are 18 new definitions in GDPR. Some definitions have been expanded.

Sub-topics in the section	GDPR	DPD

Given in Article	4	2
New Definitions under GDPR	1. Restriction of processing 2. Profiling 3. Pseudonymisation 4. Personal data breach 5. Genetic data 6. Biometric data 7. Data concerning health 8. Main establishment 9. Representative 10. Enterprise 11. Group of undertakings 12. Binding corporate rules 13. Supervisory authority 14. Supervisory authority concerned 15. Cross border processing 16. Relevant and reasoned objection 17. Information society service 18. International organizations
2 definitions that have been expanded under GDPR	1. Personal data 2. Consent
6 Definitions which have remained same in GDPR and DPD	1. Processing of personal data 2. Personal data filing system 3. Controller 4. Processor 5. Third party recipient

4.3.1 Expanded definition of personal data

Both DPD and GDPR apply to 'personal data'. The GDPR gives an expanded definition of 'personal data'. Recital 30 gives example of an online identifier such as IP addresses.

Sub-topics in the section	GDPR	DPD

Given in Article	4(1)	2(a)
New term added in the definition	A new term " online identifier" has been added. Example of online identifier is given under Recital 30. An IP address is one such example.

4.3.2 Expanded definition of consent

Valid consent must be given by the data subject. The definition of valid consent has been added under GDPR. Recital 32 further explains that consent can be given by "means of a written statement including electronic means or an oral statement". For example, ticking a box on websites signifies acceptance of processing while "pre ticked boxes, silence or inactivity" do not constitute consent.

Sub-topics in the section	GDPR	DPD

Given in Article	4(11)	2(h)
Term added in GDPR	Consent must be unambiguous, freely given, specific and informed.	The word "unambiguous" is not contained in DPD.
Means of signifying assent to processing own data	Assent can be given by a statement or by clear affirmative action signifying assent to processing.	DPD merely mentions that freely given, specific and informed consent signifies assent.

4.4 Conditions for consent

GDPR lays down detailed provisions for valid consent. Such provisions are not given in DPD.

Sub-topics in the section	GDPR	DPD

Article	7
Obligation of controller	Must demonstrate consent has been given
Presentation of written declaration of consent	It should be in a clearly distinguishable, intelligible and easily accessible form. Language should be clear and plain.
If declaration or any part of it infringes on Regulation	Declaration will be non-binding.
Right of data subject	To withdraw consent at any time.
Right of data subject	If consent is withdrawn, it will not make processing done earlier unlawful.
For assessing whether consent is freely given	Must consider whether performance of contract or provision of service is made conditional on consent to processing of data not necessary for performance of contract.

4.5 Conditions applicable to child's consent in relation to information society services

This article prescribes an age limit for making processing lawful when information society services (direct online service) are offered directly to a child.

Sub Topics in the Section	GDPR	DPD

Given in Article	8
Conditions for valid consent in this case	If child is at least 16 years old his consent is valid. If child is below 16 years consent must be obtained from holder of parental responsibility over the child.
Age relaxation can be given when	Member States provides a law lowering the age. Age cannot be lowered below 13 years.
Controller's responsibility	Verify who has given the consent
Exceptions	This law will not affect: General contract law of member states; Effect of contract law on a child;

4.6 Processing of special categories of personal data

Like the DPD, the GDPR spells out the data that is considered sensitive and the conditions under which this data can be processed. Two new categories of special data, "genetic data" and "biometric data", have been added to the list in the GDPR.

Sub Topics in the Section	GDPR	DPD

Article	9	8
Categories of data considered sensitive	Racial or ethnic origin	Same
	Political opinions	Same
	Religious or philosophical beliefs	Same
	Trade union membership	Same
	Health or sex life or sexual orientation	Same
	Genetic data or Biometric data uniquely identifying natural person
Circumstances in which processing of personal data may take place	If there is explicit consent of data subject provided Member State laws do not prohibit such processing
	Necessary for carrying out specific rights of controller or data subject	Under DPD these rights can be for employment. The GDPR adds social security and social protection to this list. These rights are to be authorized by Member state or Union. The GDPR adds "Collective agreements" to this.
	In the vital interest of data subject who cannot give consent due to physical or legal causes.	Same
	In the vital interest of a Natural person physically or legally incapable of giving consent	Same
	For legitimate activities carried on by not-for profit-bodies for political, philosophical or trade union aims subject to certain conditions.	Same
	When personal data is made public by data subject	Same
	For establishment, exercise of defense of legal claims or for courts	Same
	For substantial public interest in accordance with Member State or Union law
	Is necessary for: Preventive or occupational medicine Assessing working capacity of employee Medical diagnosis Healthcare or social care services Contract with health professional
	Is necessary in Public interest in the area of public health
	For public interest, scientific or historical research or statistical purpose
Data for preventive or occupational medicine, medical diagnosis etc. can be processed when:	Data is processed by or under responsibility of a professional under obligation of professional secrecy as state in law	Here the processing is done by health professional under obligation of professional secrecy

4.7 Principles relating to processing of personal data

The principles set out in GDPR are similar to the ones under DPD. Some changes have been introduced. Accountability of the controller has been specifically given under GDPR.

Sub-topics in this section	GDPR	DPD

Given in Article	5	6
Lawfulness, fairness, transparency	Processing must be Lawful, fair and transparent	Does not mention transparent
Purpose limitation	Data must be specified, explicit and legitimate.	Same
Purpose limitation	Processing for achieving public interest, scientific or historical research or statistical purpose is not to be considered incompatible with initial purpose.	Same
Data minimization	Processing is adequate, relevant and limited to what is necessary	Same
Accuracy	Data is accurate, up to date, erased or rectified without delay	Same
Storage limitation	Data is to be stored in a way that data subject can be identified for no longer than is necessary for purpose of processing	Same
	Data can be stored for longer periods when it is processed solely in public interest, scientific or historical research or statistical purpose	Same However, public interest is not mentioned.
	There must be appropriate technical and organizational measures to safeguard rights and freedoms	Same Additionally, it specifically states that Member States must lay down appropriate safeguards
Integrity and confidentiality	Manner of processing must: Ensure security of personal data, Protection against unlawful processing and accidental loss, destruction or damage	Not mentioned
Accountability	Controller is responsible for and must demonstrate compliance with all of the above.	DPD states it is for the controller to ensure compliance with this Article. Unlike GDPR, DPD doesn't specifically state the responsibility of controller for demonstrating compliance.

4.8 Lawfulness of processing

The conditions for "lawfulness of processing" under DPD have been retained in the GDPR with certain modifications allowing flexibility for member states to introduce specific provisions in public interest or under a legal obligation. It should be noted that protection given to child's data and rights and freedoms of data subject should not be prejudiced. Additionally, a non-exhaustive list has been laid down in the GDPR for determining if processing is permissible in situations where the new purpose of processing is different from original purpose.

Sub Topics in the Section	GDPR	DPD

Given in Article	6	7
Processing is lawful when :	If at least one of the principles applies: Data subject has given consent to processing for specific purpose(s).	Same However it mentions "unambiguous" consent.
	Processing is necessary for performance of contract to which data subject is party or at request of data subject before entering into a contract	Same
	Processing is necessary for controller's compliance with legal obligation.	Same
	Is necessary for legitimate interests pursued by controller or by third party subject to exceptions (should not override rights and freedoms of data subject and protections given to child's data.)	Same
	It is necessary for performance of task carried out in public interest or for exercise of official authority vested in controller	Same It additionally mentions third party: "…exercise of official authority vested in controller or in a third party to whom data are disclosed"
	For protections of vital interest of data subject or another natural person	Same Does not mention natural person.
Member States may introduce specific provisions when:	When processing is necessary for compliance with a legal obligation or to protect public interest
	Basis for processing for shall be laid down by: Union law or Member State law
If processing is done for purpose other than for which data is collected and is without data subject's consent or is not collected under law:
To determine if processing for another purpose is compatible with the original purpose	Controller shall take into account following factors:
	Link between purposes for which data was collected and the other purpose
	Context in which personal data have been collected
	Nature of personal data
	Possible consequences of other purpose
	Existence of appropriate safeguards

4.9 Processing which does not require identification:

This article lays down the conditions under which the controller is exempted from gathering additional data in order to identify a data subject for the purpose of complying with this Regulation. If the controller is able to demonstrate that identification is not possible, the data subject is to be informed if possible.

Sub Topics in the Section	GDPR	DPD

Given in Article	11
Conditions under which the controller is not obliged to maintain process or acquire additional information to identify data subject	If purpose for processing doesn't not require identification of data subject by the controller
Consequence of not maintaining the data	Art 15 to 20 shall not apply provided controller is able to demonstrate its inability to identify the data subject
Exception to above consequence will apply when :	Data subject provides additional information enabling identification

4.10 Rights of the data subject

The General Data Protection Rules (GDPR) confers 8 rights upon the data subject.These rights are to be honored by the controller:-

1. Right to be informed

2. Right of access

3. Right to rectification

4. Right to erasure

5. Right to restrict processing

6. Right to data portability

7. Right to object

8. Rights in relation to automated decision making and profiling

4.10.1 Right to be informed

The controller must provide information to the data subject in cases where personal data has not been obtained from the data subject. A number of exemptions have been listed. Additionally, GDPR lays down the time period within which the information has to be provided.

Sub Topics in the Section	GDPR	DPD

Given in Article	14	10
Type of information to be provided	Identity and contact details of the controller or controller's representative	Same
	Contact details of the data protection officer
	Purpose and legal basis for processing	Purpose of processing
	Recipients or categories of recipients of personal data	Same
	Intention to transfer data to third country or international organization and Information regarding adequacy decision or suitable safeguards or Binding Corporate Rules or derogations. This includes means to obtain a copy of these as well as information on place of availability.
Additional information to be provided by controller to ensure fair and transparent processing	Storage period of personal data and criteria for determining the period
	Legitimate interests pursued by controller or third party
	Existence of data subject's rights with regard to access or rectification or erasure of personal data, automated decision making
	Where applicable, existence of right to withdraw consent
Time period within which information is to be provided	Information to be given within a reasonable period, latest within one month.
	To be provided latest at the time of first communication to data subject, if personal data are to be used for communication with data subject
	In case of intended disclosure to another recipient , at the latest when personal data are first disclosed.
	If processing is intended for a new purpose other than original purpose, information to be provided prior to processing on new purpose.
Situations in which exceptions are applicable	Data subject already has information	Same
	Provision of information involves disproportionate effort or is impossible or renders impossible or seriously impairs achievement of objective of processing. This is particularly with respect to processing for archiving purposes in public interest, scientific or historical research or statistical purpose. However controller must take measures to protect data subject's rights and freedom and legitimate interests including make information public.	Provision involves impossible or disproportionate effort, in particular where processing is for historical or scientific research. However, appropriate safeguards must be provided by Member States.
	Obtaining or disclosure is mandatory under Union or member law and it provides protection to data subject's legitimate interests	Where law expressly lays down recording or disclosure provided appropriate safeguards are provided by Member States. This is particularly applicable to processing for scientific or historical research.
	Confidentiality of data mandated by professional secrecy under Union or Member State law

4.10.2 Right to access

Both Data Protection Directive (DPD) and General Data Protection Rules (GDPR) confer right to access information regarding personal data on the data subject.

CJEU in YS V. Minister voor Immigrate Integratie en Asiel stated that it is the data subject's right "to be aware of and verify the lawfulness of the processing".

Sub-topics in the section	GDPR	DPD

Given in Article	15	12
Data subject has the right to know about:	Purpose of processing	Same
	Categories of processing the data	Same
	Recipients or categories to whom data are disclosed	Same
	Retention period of the data and criteria for this
	Existence of right to request erasure, rectification or restriction of processing
	Right to lodge complaint with supervisory authority
	Knowledge about source of data
	To know about any significant and envisaged consequences of processing for the data subject
	Existence of automated decision making and logic involved	Same
In case of data transfer to third country	Right to be informed about the safeguards
Controller's obligation	To provide a copy of data undergoing processing. Reasonable fee based on administrative costs can be charged for this.

4.10.3 Right to rectification

GDPR and DPD both give the data subject the right to rectify their personal data. Under the GDPR the data subject can complete the incomplete data by giving a supplementary statement.

Sub-topics in the section	GDPR	DPD

Given in Article	16	12(b)
Right can be exercised when:		Processing does not comply with the Directive i.e. damage is caused due to unlawful processing (Recital 55) OR
Right can be exercised when:	When data is incomplete	When data is incomplete or inaccurate
Obligations of controller	To enforce the right without undue delay
Obligation of controller to give notification when data is disclosed to third party	Given under Art 19 Request of erasure of personal data to be communicated to each recipient of such data	Given under Article 12(c) Request must be communicated to third parties
	It should not involve an impossible or disproportionate effort	Same

4.10.4 Right to erasure

This is also referred to as the "right to be forgotten". It empowers the individual to erase personal data under certain circumstances. The data subject can request the controller to remove the data for attaining this purpose.

Sub-topics in the section	GDPR	DPD

Given in Article	17	12(b)
Obligation of the controller	To erase the data without undue delay
Conditions under which the right can be exercised		When processing does not comply with the Directive i.e. damage is caused due to unlawful processing (Recital 55) OR When data is incomplete or inaccurate
	Personal data is no longer necessary for the purpose for which it was collected or processed
	Data Subject withdraws consent for processing
	Data subject objects to processing and there are no overriding legitimate grounds for processing
	Data subject objects to processing for direct marketing purpose
	Personal data has been unlawfully processed
	When personal data has to be erased under a legal obligation of Union or member State law
	When personal data has been collected in offer of information society services to a child
Condition of processing under which request to erasure shall not be granted	For exercising right of freedom of expression and information
	Processing is done under Union or Member State law in public interest or exercise of official authority vested in controller
	Done for public interest in public health
	For public interest, scientific or historical research or statistical purpose.
	For establishment, exercise or defense of legal claims.
Controller's obligations when personal data has been made public	Controller to take reasonable steps to inform controllers who are processing the data, of the request of erasure. All links, copy or replication of personal data to be erased. Technology available and cost of implementation to be taken into account.
Notification when data is disclosed to third party	Given under obligation of controller under Art 19: Request of erasure of personal data to be communicated to each recipient of such data	Given under obligation of controller under 12(c) : Request must be communicated to third parties
Notification when data is disclosed to third party	It should not involve an impossible or disproportionate effort	Same

4.10.5 Right to restrict processing

While DPD provided for "blocking", the GDPR strengthened this right by specifically conferring the " Right to Restrict Processing" upon the data subject. This Article gives data subject the right to restrict processing under certain conditions. Recital 67 explains that these methods could include steps like removing published data from website or temporarily moving the data to another processing system.

Sub-topics in the section	GDPR	DPD

Given in Article	18	12(b)
About this right	Data subject can restrict processing of data	Data subject is allowed to erase, rectify or block processing of personal data.
Conditions under which the right can be exercised	When accuracy of personal data is contested	Besides accuracy, the DPD also mentions "incomplete nature of data" as grounds for exercising this right.
	When processing is unlawful and data subject opposes erasure and requests restriction of data use
	When data is no longer needed by controller but is required by data subject for establishment, exercise or defense of legal claims.
	Data subject objects to processing and the verification by controller of compelling legitimate grounds for processing is ongoing
Consequences of this enforcement of this right	Controller can store data but not process it
	Processing can be done only with the data subject's consent; or
	Processing can be done for establishment exercise or defense of legal claims; or
	Processing can be done for protecting rights of another natural or legal person ;or
	It can be done in public interest of Union or Member State.
Obligations of controller under Art 18	The controller must inform the data subject before the restrictions are lifted.
Obligations of controller under Art 19	Inform each recipient of personal data about the restriction.
	This obligation need not be performed if it is impossible to do so or it involved disproportionate effort.
	Inform data subject about the recipients when requested by the data subject.

4.10.6 Right to data portability

This right empowers the data subject to receive personal data from one controller and transfer it to another. This gives the data subject more control over his or her own data. The controller cannot hinder this right when the following conditions are met.

Sub-topics in the section	GDPR	DPD

Given in article	20
Conditions for data transmission	The data must have been provided to the controller by data subject himself; and
	Processing is based on: Consent; or For performance of contract; and is carried out by automated means
	Data transfer must be technically feasible
Format of personal data	It should be in a: Structured Commonly-used Machine readable format
Time and cost for data transfer	Given in Art 12(3) Should be free of charge Information to be provided within one month. Further extension by two months permissible under certain circumstances.
Circumstance under which this Right cannot be exercised	When the exercise of the Right prejudices rights and freedom of another individual
	When processing is necessarily carried out in public interest
	When processing is necessarily done in exercise of official authority vested in controller
	When this Right adversely affects the "Right to be forgotten"

4.10.7 Right to Object

Both DPD and GDPR confer upon the data subject the right to object to processing on a number of grounds. The GDPR strengthens this right . Under GDPR, there is a visible shift from the data subject to the controller as far as the burden of showing " compelling legitimate grounds" is concerned. Under the DPD, when processing is undertaken in public interest or in exercise of official authority or in legitimate interests of third party or controller, the data subject not only has to show existence of compelling legitimate grounds but also that objection is justified. On the other hand, GDPR spares the data subject from this exercise and instead places the onus on the controller of demonstrating that "compelling legitimate grounds" exist such that these grounds override the interests, rights and freedom of the data subject.

GDPR also provides a new ground for objecting to processing. The data subject can object to processing when it is for scientific or historical research or statistical purpose unless such processing is necessary in public interest.

Under the GDPR the data subject must be informed of this right "clearly and separately" and "at the time of first communication with data subject" when processing is done in public interest/exercise of official authority/legitimate interest of third party or controller or for direct marketing purpose. This right can be exercised by automated means in case of information society service.

The DPD also provides that the data subject must be informed of this right if the controller anticipates processing for direct marketing or disclosure of data to third party. It specifically states that this right is to be offered "free of charge". Additionally, it places responsibility upon the Member States to ensure that data subjects are aware of this right.

Sub-topics in the section	GDPR	DPD

Given in Article	21	14
Conditions under which the right can be exercised during processing	When performance of task is carried out in public interest or in exercise of official authority vested in controller. (Art 6(1)(e)) Exception: If controller demonstrates processing is for compelling legitimate grounds which override interests of data subject For establishment, exercise or defense of legal claims.	Grounds are same but the data subject also has to show existence of compelling legitimate grounds. Processing will cease if objection is justified. Exceptions: Unless provided by national legislation the data subject can object on this ground.
	For legitimate interests of controller or third party (Art 6(1)(f)) Exception: 1. If controller demonstrates processing is for compelling legitimate grounds that override interests of data subject. 2. For establishment, exercise or defense of legal claims.	Same as above
	When data is processed for scientific/historical research/ statistical purpose under Art 89(1) Exception: If processing is necessary for public interest
	When personal data is used for marketing purpose. Can object at anytime. No exceptions	Same

4.10.8 Rights in relation to automated individual decision making including profiling

This Article empowers the data subject to challenge automated decisions under certain conditions. This is to protect individuals from decisions taken without human intervention.

Sub-topics in the section	GDPR	DPD

Given in Article	22	15
This right can be exercised when decisions are based:
	Only on automated processing Including profiling; and	Same
	Produce legal effects or have similarly significant effects on data subject	Same
Conditions under which this right will not be guaranteed
	For entering into or performance of contract;	Same
	If Member State or Union law authorizes the decision provided it lays down suitable measures for safeguarding data subject's rights, freedoms and legitimate interests; Or	Same
	When decision is based on data subject's explicit consent.
Controller's obligation	Enforce measures to safeguard rights and freedom and interests
Controller's obligation	Ensure data subject can obtain human intervention, express his point of view, challenge decisions
Automated decision making will not apply when:	"Special categories of personal data" are to be processed However, if the data subject gives his explicit consent or such processing serves substantial public interest then the restriction can be waived.
Automated decision making will not apply when:	Concerns a child

4.11 Security and Accountability

4.11.1 Data protection by design and default

This is another new concept under GDPR. It is a general obligation on the controller to incorporate effective data protection in internal policies and implementation measures. Measures include: minimization of processing, pseudonymisation, transparency while processing, allowing data subjects to monitor data processing etc. The implementation of organizational and technical measures is essential to demonstrate compliance with Regulation.

Sub-topics in the section	GDPR	DPD

Article	25
Responsibility of controller when determining means of processing and at the time of processing	Implementation of appropriate technical and organizational measures for data protection
	Ensure that by default only personal data necessary for purpose of processing is processed
Means of demonstrating compliance with this Article	Approved certification mechanism may be used. Data minimization Transparency etc.

4.11.2 Security of personal data

Security of processing is mentioned in the GDPR under Article 32. The controller and processor must implement technical and organizational measures to ensure data security. These may include pseudonymisation, encryption, ensuring confidentiality, restoring availability and access to personal data, regularly testing etc. Compliance with the code may be demonstrated by adherence to Code of conduct and certification mechanism. Further, all processing which is done by a natural person acting under authority of controller or processor can be done only under instructions from the controller.

4.11.3 Notification of personal data breach

This Article provides the procedure for communicating the personal data breach to supervisory authority. If the breach is not likely to result in risk to rights and freedoms of natural persons, then the controller is not required to notify the supervisory authority.

Sub-topics in the section	GDPR	DPD

Given in Article	33
Responsibility of controller	Report personal data breach to supervisory authority after being aware of it
Time limit for reporting data breach	Must be reported no later than 72 hours
In case of delay in reporting	Reasons to be stated
Responsibility of processor	Notify the controller after being aware of breach
Description of notification	Describe nature of personal data
	Name contact details of data protection officer
	Likely consequences of personal data breach
	Measures to be taken or proposed to be taken by controller to address the breach or mitigate its possible effect
When information cannot be provided at same time	Provide it in phases without further undue delay
For verification of compliance	Controller has to document any personal data breach. It must contain Facts , effects and remedial action taken

4.11.4 Communication of personal data breach to the data subject

Not only is the supervisory authority to be notified, but data subjects are also to be informed about personal data breaches without undue delay under certain conditions.

Sub-topics in the section	GDPR	DPD

Given in Article	34
Conditions under which controller is to communicate the breach to data subject	When breach is likely to cause high risk to rights and freedoms of natural persons
Nature of communication	Must be in a clear and plain language. Must describe the nature of breach. Must Contain at least: Name contact details of data protection officer Likely consequences of personal data breach Measures to be taken or proposed to be taken by controller to address the breach or mitigate its possible effect
Condition under which communication will not be required	If controller has implemented appropriate technical and organizational measures and these were applied to the affected data. E.g.: encryption
	Subsequent measures have been taken by controller to ensure there is no high risk
	If communication involves disproportionate effort. Public communication or similar measures can be undertaken under such circumstances.
Role of supervisory authority	In case of likelihood of high risk, the authority may require the controller to communicate the breach if the controller has not already done so.

4.11.5 Data protection impact assessment

This is also known as Privacy Impact Assessment. While DPD provides general obligation to notify the processing to supervisory authorities, the GDPR, taking into account the need for more protection of personal data, has replaced the notification process by different set of mechanisms.

To serve the above purpose, the data protection impact assessment (DPIA) has been provided under this Article.

Sub-topics in the section	GDPR	DPD

Given in Article	35
When to carry out assessment	When new technology is used; and Processing is likely to result in high risk to rights and freedoms of natural persons
	Automated processing including profiling involving systematic and extensive evaluation of personal aspects of natural persons; and When decisions based on such processing produce legal effects
	Large scale processing of special categories of data or personal data relating to criminal convictions and offences
	Large scale systematic monitoring of publicly accessible area
Type of information contained in assessment	Description of processing operations and purpose
	Assessment of necessity and proportionality of processing operations
	Assessment of risks to individuals
	Measures to address risks and demonstration of compliance with Regulation
Sub-topics in the section	GDPR	DPD

Topic	Prior Consultation
Given in Article	36
When should controller consult supervisory authority	Prior to processing; and DPIA indicates high risk; and In absence of risk mitigation measures by controller

Data protection officer

GDPR mandates that a person with expert knowledge of data protection law and practice is appointed for helping the controller or processor to comply with the data protections laws. A single data protection officer (DPO) may be appointed by a group of undertakings or where controller or processor is a public authority or body.The DPO must be accessible from each establishment.

Sub Topics in the Section	GDPR	DPD

Article	37
Situations in which DPO must be appointed	When processing is carried out by public authority or body. Note: Courts acting in judicial capacity are excluded.
	Core activity involves processing which requires regular and systematic monitoring of data subjects on large scale; or
	Core activity involves processing of large scale special categories of data and criminal convictions and offences

Position of Data Protection Officer

The DPO must directly report to the highest management level of the controller or processor. Data subjects may contact the DPO in case of problems related to processing and exercise of rights.

Sub Topics in the Section	GDPR	DPD

Article	38
Responsibility of controller and processor	Ensure DPO is involved properly and in timely manner
	Provide DPO with support, resources and access to personal data and processing operations
	Not dismiss or penalize DPO for performing his task.
	Ensure independence of working and not give instruction to DPO

Tasks of Data Protection officer

The DPO must be involved in all matters concerning data protection. He is expected to act independently and advice the controllers and processors to facilitate the establishment's compliance with Regulations.


Sub Topics in the Section	GDPR	DPD

Article	39
Tasks	Inform and advise the controller or processor and employees over data protection laws
	Monitor compliance with data protection laws. Includes assigning responsibilities, awareness- raising, staff training and audits
	Advice and monitor performance
	Cooperate with supervisory authority
	Act as point of contact for supervisory authority for processing, prior consultation and consultation on other matter

4.11.6 European Data Protection Board

For consistent application of the Regulation, the GDPR envisages a Board that would replace the Working Party on Protection of Individuals With Regard to Processing of Personal Data established under the DPD. This Regulation confers legal personality on the Board.

Sub Topics in the Section	GDPR	DPD

Article	68
Represented by	Chair
Composition of the Board	Head of one supervisory authority of each Member State and European Data Protection Supervisor or of their representatives. Joint representative can be appointed where Member State has more than one supervisory authority.
Role of Commission	Right to participate in activities and meetings of the Board without voting rights. Commission to designate a representative for this.
Functions of the Board	Consistent application of Regulation
	Advise Commission of level of protection in third countries or international organizations
	Promote cooperation of supervisory authorities
	Board is to act independently

4.11.7 Supervisory Authority

GDPR lays down detailed provisions on supervisory authorities, defining their functions, independence, appointment of members, establishment rules, competence, competence of lead supervisory authority, tasks, powers and activity reports. Such elaborate provisions are absent in DPD.

Sub-topics in this section	GDPR	DPD

Given in Article	Chapter VI, Article 51 -59	28

4.12 Processor

The Article spells out the obligations of a processor and conditions under which other processors can be involved.

Sub Topics in the Section	GDPR	DPD

Article	28
What kind of processors can be used by controller	● Those which provide sufficient guarantees to implement appropriate technical and organizational measures ● Those which comply with Regulation and Rights
Obligations of processor in case of addition or replacement of processor	● Not engage another processor without controller's authorization ● In case of general written authorization inform the controller
Processing shall be governed by	Contract or legal act under Union or Member State law.
Elements of Contract	● Is binding on processor ● Sets out subject matter and duration of processing ● Nature of processing ● Type of personal data ● Categories of data subjects ● Obligations and Rights of the controller
Obligations of processor under contract or legal act	Processor shall process under instructions from controller unless permitted under law itself. Controller is to be informed in the latter case.
	Ensures that persons authorized to process have committed themselves to confidentiality
	Processor to undertake all data security measures (mentioned under Art 32)
	Enforces conditions on engaging another processor
	Assists the controller by appropriate technical and organizational measures
	Assists controller in compliance with Art 32 to 36
	Delete or return all personal data to controller at the choice of controller at the end of processing
	Make information available to controller for demonstrating compliance with obligations. Contribute to audits, inspections etc. Inform the controller if it believes that an instruction infringes the regulation or law.
Conditions under which a processor can engage another processor	● Same data protection obligations will be applicable to other processor. ● If other processor fails to fulfill data protection obligations, initial processor shall remain fully liable to controller for such performance.

4.13 Records of processing activities

The controller or processor must maintain records of processing activities to demonstrate compliance with the Regulation. They are obliged to cooperate with and make record available to the supervisory authority upon request. DPD does not contain similar obligations.

Sub Topics in the Section	GDPR	DPD

Article	30
Obligation of controller or controller's representative	Maintain a record of processing activities
Information to be contained in the record	Name and contact details of: ● Controller /joint controller / controller's representatives ● Data protection officer
	Purpose of processing
	Categories of data subjects and categories of personal data
	Categories of recipients to whom data has been or will be disclosed
	Transfers of personal data to third party, identification of third party, documentation of suitable safeguards
	Expected time duration for erasure of different categories of data
	Technical and organizational security measures
Obligation of processor	Maintain a record of processing activities carried out on behalf of controller
Record maintained by processor shall contain information such as:	Name and contact details of: ● Processor /processor's representative ● Controller /controller's representative ● Data protection officer
	Categories of processing
	Data transfer to third party Identification of third party Documentation of safeguards
	Technical and organizational security measures
Form in which record is to be maintained	In writing and electronic form
Conditions under which exemption will apply	● Organizations employing fewer than 250 employees are exempted; ● Processing should not cause risk to rights and freedoms of data subjects ● Processing should not be occasional ● Processing should not include special categories of data

4.14 Code of Conduct

These mechanisms have been provided under GDPR to demonstrate compliance with the Regulation. This is important as the GDPR ( under Art 83 ) provides that adherence to code of conduct shall be one of the factors taken into account for calculating administrative fines. This is not an obligatory provision.

Sub Topics in the Section	GDPR	DPD

Article	40	27
Who will encourage drawing up of code of conduct	● Member States ● Supervisory Authorities ● Commission. Specific needs of micro, small and medium enterprises to be taken into account.	● Member States ● Commissions Does not mention the rest
Who may prepare amend or extend code of conduct	Associations and other bodies representing categories of controller or processors
Information contained in the code	Fair and transparent processing
	Legitimate interests of controller
	Collection of personal data
	Pseudonymisation
	Information to public and data subjects
	Exercise of rights of data subject
	Information provided to and protection of children and manner in which consent of holders of parental responsibility is obtained
	Measures under: ● Data protection by design and default ● Controller responsibilities ● Security of processing
	Notification of data breach to authorities and communication of same to data subjects
	Data transfer to third party
	Dispute resolution procedures between controllers and data subjects
	Mechanisms for mandatory monitoring
Mandatory monitoring	Code of conduct containing the above information enables mandatory monitoring of compliance by body accredited by supervisory authority. (Art 41)

4.15 Certification

Like the code of conduct, Certification is a voluntary mechanism that demonstrates compliance with the Regulation. Establishment of data protection certification mechanism and data protection seals and marks shall be encouraged by Member States, supervisory authorities, Boards and Commission. As in case of code of conduct, specific needs of micro, small and medium sized enterprise ought to be taken into account. DPD does not mention such mechanisms.

Sub Topics in the Section	GDPR	DPD

Article	42
Who will issue the certificate	Certification bodies or competent supervisory authority on basis of approved criteria.
Time period during which certification shall be issued	Maximum period of three years. Can be renewed under same conditions.
Who accredits certification bodies	Competent Supervisory bodies or National accreditation body.
When can accreditation be revoked	When conditions of accreditation are not or no longer met. OR Where actions taken by certification body infringe this Regulation.
Who can revoke	Competent supervisory authority or national accreditation body

4.16 Data Transfer

4.16.1 Transfers of personal data to third countries or international organizations

Chapter V lays down the conditions with which the data controller must comply in order to transfer data for the purpose of processing outside of the EU to third countries or international organizations. The chapter also stipulates conditions that must be complied with for onward transfers from the third country or international organization.

4.16.2 Transfer on the basis of an adequacy decision

Under GDPR, transfer of data can take place after the Commission decides whether the third country, territory, specified sector within that third country or international organization ensures adequate level of data protection. This is called adequacy decision. A list of countries or international organizations which ensure adequate data protection shall be published in the Official Journal of the European Union and on the website by the Commission. Once data transfer conditions are found to be compliant with the Regulation, no specific authorization would be required for data transfer from the supervisory authorities. The commission would decide this by means of an "Implementing Act" specifying a mechanism for periodic review, its territorial and sectoral application and identification of supervisory authorities. Decisions of Commission taken under Art 25(6) of DPD shall remain in force. DPD also provides parameters for the same.

Sub-topics in this section	GDPR	DPD

Given in article	45	25
Conditions apply when transfers take place to	Third country or international organization	International organization not mentioned.
Functions of the commission	Take adequacy decisions	Same
	Review the decision periodically every four years
	Monitor developments on ongoing basis
	Repeal, amend or suspend decision
		Inform Member States if third country doesn't ensure adequate level of protection. Similarly, member state has to inform the Commission.
Functions of Member State		Inform Commission if third country doesn't ensure adequate level of protection.
		Take measures to comply with Commission's decisions
		Prevent data transfer if Commission finds absence of adequate level of protection.
Factors, with respect to third country or international organization, to be considered while deciding adequacy of safeguards	Rule of law, human rights, fundamental freedoms, access of public authorities to personal data, data protection rules, rules for onward transfer of personal data to third country or international organization etc.	Circumstances surrounding data transfer operations: nature of data; purpose and duration of processing operation; rule of law, professional rules and security measures in third country; country of origin and final destination; professional rules and security measures;
	Functioning of independent supervisory authorities, their powers of enforcing compliance with data protection rules and powers to assist and advise data subject to exercise their rights.
	International commitments entered into. Obligations under legally binding conventions.	Same
When adequate level of protection no longer ensues	The Commission, to the extent necessary: repeal, amend or suspend the decision. This is to be done by the means of an implementing act. No retroactive effect to take place	The member state will have to suspend data transfer if Commission finds absence of adequate level of protection.
When adequate level of protection no longer ensues	Commission to enter into consultation with the third country or international organization to remedy the situation	Same

4.16.3 Transfers subject to appropriate safeguards

This article provides for a situation when the Commission takes no decision. (Mentioned above under Transfer on the basis of an adequacy decision). In this case, the controller or processor can transfer data to third country or international organization subject to certain conditions. Specific authorization from supervisory authorities is not required in this context. Procedure for the same has been mentioned.

Sub-topics in this section	GDPR	DPD

Given in article	46
When can data transfer take place	When appropriate safeguards are provided by the controller or processor; AND On condition that data subject enjoys enforceable rights and effective legal remedies for data safety.
Conditions to be fulfilled for providing appropriate safeguards without specific authorization from supervisory authority	Existence of legally binding and enforceable instrument between public bodies or authorities
	Existence of Binding Corporate Rules
	Adoption of Standard Protection Clauses adopted by the Commission
	Adoption of Standard data protection clauses by supervisory authorities and approved by Commission.
	Approved code of conduct along with binding and enforceable commitments of controller or processor in third country to apply appropriate safeguards and data subject's rights OR Approved certification mechanism along with binding and enforceable commitments of controller or processor in third country to apply appropriate safeguards and data subject's rights.
Conditions to be fulfilled for providing appropriate safeguards subject to authorization from competent authority	Existence of contractual clauses between: Controller or Processor and Controller, Processor or recipient of personal data (third party)
	Provisions inserted in administrative arrangements between public authorities or bodies. Provisions to contain enforceable and effective data subject rights.
	Consistency mechanism to be applied by supervisory authority
Unless amended, replaced or repealed, authorization to transfer given under DPD will remain valid when:	Third country doesn't ensure adequate level of protection but controller adduces adequate safeguards; or Commission decides that standard contractual clauses offer sufficient safeguards

4.16.4 Binding Corporate Rules

These are agreements that govern transfers between organizations within a corporate group

Sub-topics in this section	GDPR	DPD

Given in Article	47
Elements of Binding Corporate Rules	Legally binding
	Apply to and are enforced by every member of group of undertakings or group of enterprises engaged in joint economic activity. Includes employees
	Expressly confer enforceable rights on data subject over processing of personal data
What do they specify	Structure and contact details of group of undertakings
	Data transfers or set of transfers including categories of personal data , type of processing, type of data subjects affected, identification of third countries
	Legally binding nature
	Application of general data protection principles
	Rights of data subjects Means to exercise those right
	How the information on BCR is provided to data subjects
	Tasks of data protection officer etc.
	Complaint procedure
	Mechanisms within the group of undertakings, group of enterprises for ensuring verification of compliance with BCR. Eg. Data protection audits Results of verification to be available to person in charge of monitoring compliance with BCR and to board of undertaking or Group of enterprises. Should be available upon request to competent supervisory authority
	Mechanism for reporting and recording changes to rules and reporting changes to supervisory authority
	Cooperation mechanism with supervisory authority
	Data protection training to personnel having access to personal data
Role of Commission	May specify format and procedures for exchange of information between controllers, processors and supervisory authorities for BCR

4.16.5 Transfers or disclosures not authorized by Union law

This Article lays down enforceability of decisions given by judicial and administrative authorities in third countries with regard to transfer or disclosure of personal data.

Sub-topics in this section	GDPR	DPD

Given in Article	48
Article concerns	Transfer of personal data under judgments of courts, tribunals, decision of administrative authorities in third countries.
When can data be transferred or disclosed	International agreement between requesting third country and member state or union. E.g.: mutual legal assistance treaty

4.16.6 Derogations for specific situations

This Article comes into play in the absence of adequacy decision or appropriate safeguards or of binding corporate rules. Conditions for data transfer to a third country or international organization under such situations have been laid down.

Sub-topics in this section	GDPR	DPD

Given in Article	49	26
Conditions under which data transfer can take place	On obtaining Explicit consent of data subject after being informed of possible risks	On obtaining unambiguous consent of data subject to the proposed transfer
	Transfer is necessary for conclusion or performance of contract. The contract should be in the interest of data subject. The contract is between the controller and another natural or legal person.	Contractual conditions are same. DPD also includes implementation of pre contractual measures taken upon data subject's request.
	Transfer is necessary in public interest	Same
	Is necessary for establishment, exercise or defense of legal claims	Same
	To protect vital interest of data subject or of other persons where data subject is physically or legally incapable of giving consent	Includes vital interest of data subject but doesn't include "other person". Condition for consent is also not included.
	Transfer made from register under Union or Member State law to provide information to public and is open to consultation by public or person demonstrating legitimate interest.	Same
Conditions for transfer when even the above specific situations are not applicable	Transfer is not repetitive
	Concerns limited number of data subjects
	Necessary for compelling legitimate interests pursued by controller
	Legitimate interests are not overridden by interests or rights and freedoms of data subject
	Controller has provided suitable safeguards after assessing all circumstances surrounding data transfer
	Controller to inform supervisory authority about the transfer
	Controller to inform data subject of transfer and compelling legitimate interests pursued
		Member may authorize transfer personal data to third country where controller adduces adequate safeguards for protection of privacy and fundamental rights and freedoms of individuals

4.17 International cooperation for protection of personal data

This Article lays down certain steps to be taken by Commissions and supervisory authorities for protection of personal data.

Sub-topics in this section	GDPR	DPD

Given in Article	50
Steps will include	Development of international cooperation mechanisms to facilitate enforcement of legislation for protection of personal data
	Provide international mutual assistance in enforcement of legislation for protection of personal data
	Engage relevant stakeholders for furthering international cooperation
	Promote exchange and documentation of personal data protection legislation and practice

4.18 Remedies, Liability and Compensation

4.18.1 Right to lodge complaint with a supervisory authority

This article gives the data subject the right to seek remedy against unlawful processing of data. GDPR strengthens this right as compared to the one provided under DPD.

Sub-topics in this section	GDPR	DPD

Given in Article	77	28(4)
Right given	Right to lodge complaint	Under GDPR the data subject has been conferred the "right" specifically. This is not so in DPD. DPD merely obliges the supervisory authority to hear claims concerning rights and freedoms.
Who can lodge complaint	Data subject	Any person or association representing that person
Complaint to be lodged before	Supervisory authority in the Member State of habitual residence, place of work or place of infringement	Supervisory authority
When can the complaint be lodged	When processing of personal data relating to data subject allegedly infringes on Regulation	When rights and freedom are to be protected while processing. When national legislative measures to restrict scope of Regulations is adopted and processing is alleged to be unlawful.
Accountability	Complainant to be informed by Supervisory authority on progress and outcome of complaint and judicial remedy to be taken up	Complainant to be informed on outcome of claim or if check on unlawfulness has taken place

4.18.2 Right to an effective judicial remedy against supervisory authority

The concerned Article seeks to make supervisory authorities accountable by bringing proceedings against the authority before the courts. GDPR gives a specific right to the individual. DPD under Article 28(3) merely provides for appeal against decisions of supervisory authority in the courts.

Sub-topics in this section	GDPR	DPD

Given in Article	78 (1)
Who has the right	Every natural or legal person
When can the right be exercised	Against legally binding decision of supervisory authorities concerning the complainant

Sub-topics in this section	GDPR	DPD

Given in Article	78(2)
Who has the right	Data subject
When can the right be exercised	When the competent supervisory authority doesn't handle the complaint Or Doesn't inform data subject about progress / outcome of complaint within 3 months

The jurisdiction of court will extend to the territory of the Member State in which the supervisory authority is established (GDPR Art 78(3)). The supervisory authority is required to forward proceedings to the court if the decision was preceded by the Board's decision in the consistency mechanism. (GDPR 78(4))

4.18.3 Right to effective judicial remedy against a controller or processor

The data subject has been conferred with the right to approach the courts under certain circumstance. The GDPR confers the specific right while DPD provides for judicial remedy without using the word "right".

Sub-topics in this section	GDPR	DPD

Given in	Art 79	Recital 55
Right can be exercised when:	1. Data has been processed; and 2. Processing Results in infringement of rights; and 3. Infringement is due to non compliance of Regulation	Similar provisions provided under DPD: When controller fails to respect the rights of data subjects and national legislation provides a judicial remedy. Processors are not mentioned.
Jurisdiction of the courts	Proceedings can be brought before the courts of Member States wherein: 1. Controller or processor has an establishment Or 2. Data Subject has habitual residence
Right cannot be exercised when	1. The controller or processor is a public authority of Member State And 2. Is exercising its public powers

4.18.4 Right to compensation and liability

GDPR enables a person who has suffered damages to claim compensation as a specific right. DPD merely entitles the person to receive compensation. Although Liability provisions under GDPR and DPD are similar, the liability under GDPR is stricter as compared to DPD. This is because DPD exempts the processor from liability but GDPR does not. For example, DPD imposes liability on controllers only.

Sub-topics in this section	GDPR	DPD

Given in Article	82	23
Who can claim compensation	Any person who has suffered material or non material damage	Similar provisions. But DPD doesn't mention "material or non-material damage" specifically.
Right arises due to	Infringement of Regulation	Same
Right granted	Right to receive compensation	Same
Compensation has to be given by	Controller or processor	Compensation can be claimed only from controller
Liability of controller arises when	Damage is caused by processing due to infringement of regulation	Same
Liability of processor arises when	1. Processor has not complied with directions given to it under Regulation OR 2. Processor has acted outside or contrary to lawful instructions of controller
Exemptions to controller or processor from liability	If there is proof that they are not responsible	Exemption for controller is same
Liability when more than one controller or processor cause damage	Each controller or processor to be held liable for entire damage

4.19 General conditions for imposing administrative fines

GDPR makes provision for imposition of administrative fines by supervisory authorities in case of infringement of Regulation. Such fines should be effective, proportionate and dissuasive. In case of minor infringement, "reprimand may be issued instead of a fine" ^{^[1]}. Means of enforcing accountability of supervisory authority have been provided. If Member state law does not provide for administrative fines, then the fine can be initiated by the supervisory authority and imposed by courts. However, by 25 May 2018, Member States have to adopt laws that comply with this Article.

Sub-topics in this section	GDPR	DPD

Given in Article	83
Who can impose fines	Supervisory Authority
Fines to be issued against	Controllers or Processors
Parameters to be taken into account while determining administrative fines	Nature, gravity and duration of infringement and Nature scope or purpose of processing and Number of data subjects affected and Level of damage suffered
	Intentional or negligent character of infringement
	Action taken by controller or processor to mitigate damage suffered by data subjects
	Degree of responsibility of con controller or processor. Technical and organizational measures implemented to be taken into account.
	Relevant previous infringement
	Degree of cooperation with supervisory authority
	Categories of personal data affected
	Manner in which supervisory authorities came to know of the infringement and Extent to which the controller or processor notified the infringement
	Whether corrective orders of supervisory authority under Art 58(2) have been issue before and complied with
	Adherence to approved code of conduct under Art 40 or approved certification mechanisms under Art 42
	Other aggravating or mitigating factors like financial benefits gained losses avoided etc.
If infringement is intentional or due to negligence of processor or controller	Total amount of administrative fine to not exceed amount specified for gravest infringement
Means checking power of supervisory authority to impose fines	Procedural safeguards under Member State or Union law. Including judicial remedy and due process

Article 83 splits the amount of administrative fines according to obligations infringed by controllers, processors or undertakings. The first set of infringements may lead to imposition of fines up to 10,000,000 EUR or 2% of total worldwide turnover.

Sub-topics in this section	GDPR	DPD

Article	83(4)
Fine imposed	Up to 10,000,000 EUR or in case of undertaking, 2% of total worldwide turnover of preceding financial year, whichever is higher
Infringement of these provisions will cause imposition of fine (Provisions infringed)	Obligations of controller and processor under:
	Art 8 Conditions applicable to child's consent in relation to information society services
	Art 11 Processing which does not require identification
	Art 25 to 39 General obligations , Security of personal data , Data Protection impact assessment and prior consultation
	Art 42 Certification
	Art 43 Certification bodies
	Obligations of certification body under: Art 42 Art 43
	Obligations of monitoring body under: Art 41(4)

Second set of infringements may cause the authority to impose higher fines up to 20,000,000 EUR or 4% of total worldwide turnover.

Sub-topics in this section	GDPR	DPD

Article	83(5)
Fine imposed	Up to 20,000,000 EUR or in case of undertaking, 4% of total worldwide turnover of preceding financial year, whichever is higher
Infringement of provisions that will cause imposition of fine (Provisions infringed)	Basic principles for processing and conditions for consent under:
	Art 5 Principles relating to processing of personal data
	Art 6 Lawfulness of processing
	Art 7 Conditions for consent
	Art 9 Processing of special categories of personal data
	Data subject's rights under: Art 12 to 22
	Transfer of personal data to third country or international organization under: Art 44 to 49
	Obligations under Member State law adopted under Chapter IX
	Non Compliance with supervisory authority's powers under provisions of Art 58:
	Imposition of temporary or definitive limitation including ban on processing (Art 58 (2)(f))
	Suspension of data flows to third countries or international organization (Art 58(2) (j))
	Provide access to premises or data processing equipment and means (Art 58 (1) (f))

4.20 Penalties

Article 84 makes provision for penalties in case of infringement of Regulation.

The penalties must be effective, proportionate and dissuasive.

Sub-topics in this section	GDPR	DPD

Given in Article	84
When will penalty be imposed	In case of infringements that are not subject to administrative fines
Who imposes them	Member State
Responsibility of Member State	To lay down the law and ensure implementation. To notify to the Commission, the law adopted, by 25 May 2018

^{^[1]} Recital 148 , GDPR

For more details visit http://editors.cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive

Comparative Analysis of DNA Profiling Legislations from Across the World

atreya — 2013-07-12T11:30:17Z

With the growing importance of forensic data in law enforcement and research, many countries have recognized the need to regulate the collection and use of forensic data and maintain DNA databases. Across the world around 60 countries maintain DNA databases which are generally regulated by specific legislations. Srinivas Atreya provides a broad overview of the important provisions of four different legislations which can be compared and contrasted with the Indian draft bill.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

Efforts to regulate the collection and use of DNA data were started in India in 2007 by the Centre for DNA Fingerprinting and Diagnostics through their draft DNA Profiling Bill. Although the bill has evolved from its original conception, several concerns with regard to human rights and privacy still remain. The draft bill heavily borrows the different aspects related to collection, profiling and use of forensic data from the legislations of the United States, United Kingdom, Canada and Australia.

Click to find an overview of a comparative analysis of DNA Profiling Legislations.

For more details visit http://editors.cis-india.org/internet-governance/blog/comparative-analysis-of-dna-profiling-legislations-across-the-world

Community Standards Roundtable Conversations

Admin — 2018-10-16T14:01:55Z

Ambika Tandon was a participant in a roundtable organized by Facebook, School of Media & Cultural Studies, and Tata Institute of Social Sciences in Bengaluru on October 7, 2018.

The agenda for the roundtable was to discuss their community standards, particularly hate speech and harassment, and receive feedback from a feminist and gendered lens. Click to read more.

For more details visit http://editors.cis-india.org/internet-governance/news/community-standards-roundtable-conversations

Communication Rights in the Age of Digital Technology

rakesh — 2015-10-24T07:45:26Z

The Centre for Internet & Society (CIS) invites you to a conference to discuss the evolution of privacy and surveillance in India on Friday, October 30, 2015 at Deck Suite Hall, 5th Floor, Habitat Centre, Lodhi Road, Near Air Force Bal Bharti School, New Delhi - 110003, from 11 a.m. to 5 p.m.

The conference will be conducted in a round-table format. Topics to be discussed shall include, among others, the Human DNA Profiling Bill, 2012, the PIL questioning the data collection under the UID scheme, the draft National Encryption Policy and the Supreme Court judgement in Shreya Singhal v. Union of India, in the context of privacy and surveillance in India. The conference will be a forum for discussion, knowledge exchange and agenda building.

Background Note

In India, the Right to Privacy has been interpreted to mean an individuals’ right to be left alone. In the age of massive use of Information and Communications Technology, it has become imperative to have this right protected. The Supreme Court has held in a number of its decisions that the right to privacy is implicit in the fundamental right to life and personal liberty under Article 21 of the Indian Constitution, though Part III does not explicitly mention this right. Since the 1960s, the Apex Court has been dealing with this issue, primarily with respect to privacy being recognised as a fundamental or common law right and the standards that need to be satisfied in order to impose any restrictions on it.

In the year 2012, the Planning Commission constituted a Group of Experts under the chairmanship of Justice AP Shah, Former Chief Justice of the Delhi High Court to recommend a potential privacy framework for privacy in India. Previously in 2011 the Department of Personnel and Training had prepared a draft Bill on Right to Privacy which has yet to materialize into a comprehensive legislation on privacy. In 2014, a version of the revised Right to Privacy Bill was leaked. Amendments to the Bill aim to protect individuals against misuse of their data by the government or private agencies, and is in the process of being finalized by the Indian Government .

Of late, privacy concerns have gained importance in India due to the initiation of national programmes like the UID Scheme, DNA Profiling, the National Encryption Policy, etc. attracting criticism for their impact on the right to privacy. For example, DeitY introduced a draft National Encryption Policy in September this year to prescribe methods for encryption. However, the policy would have posed significant restriction on the ability of citizens to encrypt online communication. Backlash from the citizens, industry, social media and privacy experts led the Government to withdraw the policy as the measures included made the information system vulnerable in every sense.

Earlier this year, the Apex Court gave a historical judgement by striking down section 66A of the IT (Amendment) Act 2008. The Court upheld section 69A and the Information Technology (Procedure & Safeguards for Blocking for Access of Information by Public) Rules 2009 to be constitutionally valid, which accords the government with the authority to block transmission of information and websites when it deems it as necessary for reasons like sovereignty and integrity of India, public order, etc.

Another government initiative which has generated considerable controversy for its threat to privacy is the UID project which aims to issue a unique identification number to all citizens by the Unique Identification Authority of India, which can be authenticated and verified online. In August this year, the Supreme Court, vide an interim order, restricted the use of Aadhaar by declaring it to be optional for availing government benefits and services. Though the Government contended the right to privacy as a fundamental right in India, the Court deferred this issue to a larger Constitutional Bench, and the Supreme Court upheld its decision yet again in the month of October.

Similarly, the d raft Human DNA P rofiling B ill 2015 is being questioned on grounds of privacy invasion on a massive scale as it aims to collect and store the DNA samples of criminals, suspects, volunteers, and victims and regulate DNA laboratories and DNA sampling for use by law enforcement agencies. The Bill also fails to include comprehensive privacy safeguards and provisions regarding collection of DNA samples with or without the consent of an individual, making individual privacy an important concern.

Going by these ongoing debates, one can say that Privacy as a right has primarily evolved by way of judicial interpretation and continues to evolve in light of several controversial Government policies, projects and schemes. However its development is often undermined by tension between several competing national interests which calls for clear guidelines to protect this inviolable right of the citizens.

Download the Invite

For more details visit http://editors.cis-india.org/internet-governance/events/communication-rights-in-the-age-of-digital-technology

Comments to the United Nations Human Rights Commission Report on Gender and Privacy

Aayush Rathi, Ambika Tandon and Pallavi Bedi — 2019-12-30T17:40:20Z

This submission to UNHRC presents a response by researchers at the CIS to ‘gender issues arising in the digital era and their impacts on women, men and individuals of diverse sexual orientations gender identities, gender expressions and sex characteristics’. It was prepared by Aayush Rathi, Ambika Tandon, and Pallavi Bedi in response to a report of consultation by a thematic taskforce established by the Special Rapporteur on the Right to Privacy on ‘Privacy and Personality’ (hereafter, HRC Gender Report).

HRC Gender Report - Consultation version: Read (PDF)

Submitted comments: Read (PDF)

The Centre for Internet and Society (CIS), India, is an 11-year old non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and regulatory practices around internet, technology, and society in India,and elsewhere. Current focus areas include cybersecurity, privacy, freedom of speech, labour and artificial intelligence. CIS has been taking efforts to mainstream gender across its programmes, as well as develop specifically gender-focused research using a feminist approach.

CIS appreciates the efforts of Dr. Elizabeth Coombs, Chair, Thematic Action Stream Taskforce on “A better understanding of privacy”, and those of Professor Joseph Cannataci, Special Rapporteur on the Right to Privacy. We are also grateful for the opportunity to put forth our views and comment on the HRC Gender Report.

For more details visit http://editors.cis-india.org/internet-governance/blog/comments-to-the-unhrc-report-on-gender-and-privacy

Comments to the Personal Data Protection Bill 2019

Amber Sinha, Elonnai Hickok, Pallavi Bedi, Shweta Mohandas, Tanaya Rajwade — 2020-02-21T10:13:35Z

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019.

Please view our general comments below, or download as PDF here.

Our comments and recommendations can be downloaded as PDF here.

We have also prepared an annotated version of the Bill, where our detailed comments and recommendations can be viewed alongside the Bill, available as PDF here.

General Comments

1. Executive notification cannot abrogate fundamental rights

In 2017, the Supreme Court in K.S. Puttaswamy v Union of India [1] held the right to privacy to be a fundamental right. While this right is subject to reasonable restrictions, the restrictions have to meet a three fold requirement, namely (i) existence of a law; (ii) legitimate state aim; (iii) proportionality.Under the 2018 Bill, the exemption to government agencies for processing of personal data from the provisions of the Bill in the ‘interest of the security of the State’ [2] was subject to a law being passed by Parliament. However, under Clause 35 of the present Bill, the Central Government is merely required to pass a written order exempting the government agency from the provisions of the Bill.Any restriction on the right to privacy will have to comply with the conditions prescribed in Puttaswamy I. An executive order issued by the central government authorising any agency of the government to process personal data does not satisfy the first requirement laid down by the Supreme Court in Puttaswamy I — as it is not a law passed by Parliament. The Supreme Court while deciding upon the validity of Aadhar in K.S. Puttaswamy v Union of India [3] noted that “an executive notification does not satisfy the requirement of a valid law contemplated under Puttaswamy. A valid law in this case would mean a law passed by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right cannot be sustained by an executive notification.”

2. Exemptions under Clause 35 do not comply with the legitimacy and proportionality test

The lead judgement in Puttaswamy I while formulating the three fold test held that the restraint on privacy emanate from the procedural and content based mandate of Article 21 [4]. The Supreme Court in Maneka Gandhi v Union India [5] had clearly established that “mere prescription of some kind of procedure cannot ever meet the mandate of Article 21. The procedure prescribed by law has to be fair, just and reasonable, not fanciful, oppressive and arbitrary” [6]. The existence of a law is the first requirement; the second requirement is that of ‘legitimate state aim’. As per the lead judgement this requirement ensures that “the nature and content of the law which imposes the restriction falls within the zone of reasonableness mandated by Article 14, which is a guarantee against arbitrary state action” [7]. It is established that for a provision which confers upon the executive or administrative authority discretionary powers to be regarded as non-arbitrary, the provision should lay down clear and specific guidelines for the executive to exercise the power [8]. The third test to be complied with is that the restriction should be ‘proportionate,’ i.e. the means that are adopted by the legislature are proportional to the object and needs sought to be fulfilled by the law. The Supreme Court in Modern Dental College & Research Centre v State of Madhya Pradesh [9] specified the components of proportionality standards —

A measure restricting a right must have a legitimate goal;
It must be a suitable means of furthering this goal;
There must not be any less restrictive, but equally effective alternative; and
The measure must not have any disproportionate impact on the right holder

Clause 35 provides extensive grounds for the Central Government to exempt any agency from the requirements of the bill but does not specify the procedure to be followed by the agency while processing personal data under this provision. It merely states that the ‘procedure, safeguards and oversight mechanism to be followed’ will be prescribed in the rules.The wide powers conferred on the central government without clearly specifying the procedure may be contrary to the three fold test laid down in Puttaswamy I, as it is difficult to ascertain whether a legitimate or proportionate objective is being fulfilled [10].

3. Limited powers of Data Protection Authority in comparison with the Central Government

In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example:

In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so.
Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.

In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate and resources. The political nature of the personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Authority are independent of the Executive.

4. No clarity on data sandbox

The Bill contemplates a sandbox for “ innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” A Data Sandbox is a non-operational environment where the analyst can model and manipulate data inside the data management system. Data sandboxes have been envisioned as a secure area where only a copy of the company’s or participant companies’ data is located [11]. In essence, it refers to the scalable and creation platform which can be used to explore an enterprise’s information sets. On the other hand, regulatory sandboxes are controlled environments where firms can introduce innovations to a limited customer base within a relaxed regulatory framework, after which they may be allowed entry into the larger market after meeting certain conditions. This purportedly encourages innovation through the lowering of entry barriers by protecting newer entrants from unnecessary and burdensome regulation. Regulatory sandboxes can be interpreted as a form of responsive regulation by governments that seek to encourage innovation – they allow selected companies to experiment with solutions within an environment that is relatively free of most of the cumbersome regulations that they would ordinarily be subject to, while still subject to some appropriate safeguards and regulatory requirements. Sandboxes are regulatory tools which may be used to permit companies to innovate in the absence of heavy regulatory burdens. However, these ordinarily refer to burdens related to high barriers to entry (such as capital requirements for financial and banking companies), or regulatory costs. In this Bill, however, the relaxing of data protection provisions for data fiduciaries would lead to restrictions of the privacy of individuals. Limitations to a fundamental rights on grounds of ‘fostering innovation’ is not a constitutional tenable position, and contradict the primary objectives of a data protection law.

5. The primacy of ‘harm’ in the Bill ought to be reconsidered

While a harms based approach is necessary for data protection frameworks, such approaches should be restricted to the positive obligations, penal provisions and responsive regulation of the Authority. The Bill does not provide any guidance on either the interpretation of the term ‘harm,’ [12] or on the various activities covered within the definition of the term. Terms such as ‘loss of reputation or humiliation’ ‘any discriminatory treatment’ are a subjective standard and are open to varied interpretations. This ambiguity in the definition will make it difficult for the data principal to demonstrate harm and for the DPA to take necessary action as several provisions are based upon harm being caused or likely to be caused.Some of the significant provisions where ‘harm’ is a precondition for the provision to come into effect are —

Clause 25: Data Fiduciary is required to notify the Authority about the breach of personal data processed by the data fiduciary, if such breach is likely to cause harm to any data principal. The Authority after taking into account the severity of the harm that may be caused to the data principal will determine whether the data principal should be notified about the breach.
Clause 32 (2): A data principal can file a complaint with the data fiduciary for a contravention of any of the provisions of the Act, which has caused or is likely to cause ‘harm’ to the data principal.
Clause 64 (1): A data principal who has suffered harm as a result of any violation of the provision of the Act by a data fiduciary, has the right to seek compensation from the data fiduciary.

Clause 16 (5): The guardian data fiduciary is barred from profiling, tracking or undertaking targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.

6. Non personal data should be outside the scope of this Bill

Clause 91 (1) states that the Act does not prevent the Central Government from framing a policy for the digital economy, in so far as such policy does not govern personal data. The Central Government can, in consultation with the Authority, direct any data fiduciary to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence based policies in any manner as may be prescribed.It is concerning that the data protection bill has specifically carved out an exception for the Central Government to frame policies for the digital economy and seems to indicate that the government plans to freely use any and all anonymized and/or non-personal data that rests with any data fiduciary that falls under the ambit of the bill to support the digital economy including for its growth, security, integrity, and prevention of misuse. It is unclear how the government, in practice, will be able to compel organizations to share this data. Further, there is a lack of clarity on the contours of the definition of non-personal data and the Bill does not define the term. It is also unclear whether the Central Government can compel the data fiduciary to transfer/share all forms of non-personal data and the rights and obligations of the data fiduciaries and data principals over such forms of data. Anonymised data refers to data which has ‘ irreversibly’ been converted into a form in which the data principal cannot be identified. However, as several instances have shown ‘ irreversible’ anonymisation is not possible. In the United States, the home addresses of taxi drivers were uncovered and in Australia individual health records were mined from anonymised medical bills [13]. In September 2019, the Ministry of Electronics and Information Technology, constituted an expert committee under the chairmanship of Kris Gopalkrishnan to study various issues relating to non-personal data and to deliberate over a data governance framework for the regulation of such data.The provision should be deleted and the scope of the bill should be limited to protection of personal data and to provide a framework for the protection of individual privacy. Until the report of the expert committee is published, the Central Government should not frame any law/regulation on the access and monetisation of non-personal/ anonymised data nor can they create a blanket provision allowing them to request such data from any data fiduciary that falls within the ambit of the bill. If the government wishes to use data resting with a data fiduciary; it must do so on a case to case basis and under formal and legal agreements with each data fiduciary.

7. Steps towards greater decentralisation of power

We propose the following steps towards greater decentralisation of powers and devolved jurisdiction —

Creation of State Data Protection Authorities: A single centralised body may not be the appropriate form of such a regulator. We propose that on the lines of central and state commissions under the Right to Information Act, 2005, state data protection authorities are set up which are in a position to respond to local complaints and exercise jurisdiction over entities within their territorial jurisdictions.
More involvement of industry bodies and civil society actors: In order to lessen the burden on the data protection authorities it is necessary that there is active engagement with industry bodies, sectoral regulators and civil society bodies engaged in privacy research. Currently, the Bill provides for involvement of industry or trade association, association representing the interests of data principals, sectoral regulator or statutory Authority, or an departments or ministries of the Central or State Government in the formulation of codes of practice. However, it would be useful to also have a more active participation of industry associations and civil society bodies in activities such as promoting awareness among data fiduciaries of their obligations under this Act, promoting measures and undertaking research for innovation in the field of protection of personal data.

8. The Authority must be empowered to exercise responsive regulation

In a country like India, the challenge is to move rapidly from a state of little or no data protection law, and consequently an abysmal state of data privacy practices to a strong data protection regulation and a powerful regulator capable of enabling a state of robust data privacy practices. This requires a system of supportive mechanisms to the stakeholders in the data ecosystem, as well as systemic measures which enable the proactive detection of breaches. Further, keeping in mind the limited regulatory capacity in India, there is a need for the Authority to make use of different kinds of inexpensive and innovative strategies.We recommend the following additional powers for the Authority to be clearly spelt out in the Bill —

Informal Guidance: It would be useful for the Authority to set up a mechanism on the lines of the Security and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law. Given that this is the first omnibus data protection law in India, and there is very little jurisprudence on the subject from India, it would be extremely useful for regulated entities to get guidance from the regulator.
Power to name and shame: When a DPA makes public the names of organisations that have seriously contravened data protection legislation, this is a practice known as “naming and shaming.” The UK ICO and other DPAs recognise the power of publicity, as evidenced by their willingness to co-operate with the media. The ICO does not simply post monetary penalty notices (MPNs or fines) on its websites for journalists to find, but frequently issues press releases, briefs journalists and uses social media. The ICO’s publicity statement on communicating enforcement activities states that the “ICO aims to get media coverage for enforcement activities.”
Undertakings: The UK ICO has also leveraged the threats of fines into an alternative enforcement mechanism seeking contractual undertakings from data controllers to take certain remedial steps. Undertakings have significant advantages for the regulator. Since an undertaking is a more “co-operative”solution, it is less likely that a data controller will change it. An undertaking is simpler and easier to put in place. Furthermore, the Authority can put an undertaking in place quickly as opposed to legal proceedings which are longer.

9. No clear roadmap for the implementation of the Bill

The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified [14]. It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified.The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within within which the Authority shall be established and specific rules and regulations notified. Considering that 25 provisions have been deferred to rules that have to be framed by the Central Government and a further 19 provisions have been deferred to the regulations to be notified by the Authority the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill.The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017.We recommend that Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Authority. This is important to give full and effective effect to the right of privacy of the
individual. It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries.For offences, we suggest a system of mail boxing where provisions and punishments are enforced in a staggered manner, for a period till the fiduciaries are aligned with the provisions of the Act. The Authority must ensure that data principals and fiduciaries have sufficient awareness of the provisions of this Bill before bringing the provisions for punishment are brought into force. This will allow the data fiduciaries to align their practices with the provisions of this new legislation and the Authority will also have time to define and determine certain provisions that the Bill has left the Authority to define. Additionally enforcing penalties for offences initially must be in a staggered process, combined with provisions such as warnings, in order to allow first time and mistaken offenders from paying a high price. This will relieve the fear of smaller companies and startups who might fear processing data for the fear of paying penalties for offences.

10. Lack of interoperability

In its current form, a number of the provisions in the Bill will make it difficult for India’s framework to be interoperable with other frameworks globally and in the region. For example, differences between the draft Bill and the GDPR can be found in the grounds for processing, data localization frameworks, the framework for cross border transfers, definitions of sensitive personal data, inclusion of the undefined category of ‘critical data’, and the roles of the authority and the central government.

11. Legal Uncertainty

In its current structure, there are a number of provisions in the Bill that, when implemented, run the risk of creating an environment of legal uncertainty. These include: lack of definition of critical data, lack of clarity in the interpretation of the terms ‘harm’ and ‘significant harm’, ability of the government to define further categories of sensitive personal data, inclusion of requirements for ‘social media intermediaries’, inclusion of ‘non-personal data’, framing of the requirements for data transfers, bar on processing of certain forms of biometric data as defined by the Central Government, the functioning between a consent manager and another data fiduciary, the inclusion of an AI sandbox and the definition of state. To ensure the greatest amount of protection of individual privacy rights and the protection of personal data while also enabling innovation, it is important that any data protection framework is structured and drafted in a way to provide as much legal certainty as possible.

Endnotes

1. (2017) 10 SCC 641 (“Puttaswamy I”).

2. Clause 42(1) of the 2018 Bill states that “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to such interests being achieved.”

3. (2019) 1 SCC 1 (“Puttaswamy II”)

4. Puttaswamy I, supra, para 180.

5. (1978) 1 SCC 248.

6. Ibid para 48.

7. Puttaswamy I supra para 180.

8. State of W.B. v. Anwar Ali Sarkar, 1952 SCR 284; Satwant Singh Sawhney v A.P.O AIR 1967 SC1836.

9. (2016)7 SCC 353.

10. Dvara Research “Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill, 2019 introduced in Lok Sabha on 11 December 2019”, January 2020, https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/ (“Dvara Research”).

11. “A Data Sandbox for Your Company”, Terrific Data, last accessed on January 31, 2019, http://terrificdata.com/2016/12/02/3221/.

12. Clause 3(20) — “harm” includes (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (ii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of service,benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal.

13. Alex Hern “Anonymised data can never be totally anonymous, says study”, July 23, 2019 https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds.

14. Clause 97 of the 2018 Bill states“(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2)The notified date shall be any date within twelve months from the date of enactment of this Act. (3)The following provisions shall come into force on the notified date-(a) Chapter X; (b) Section 107; and (c) Section 108. (4)The Central Government shall, no later than three months from the notified date establish the Authority. (5)The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6)The Authority shall no, later than twelve months from the date notified date issue codes of practice on the following matters-(a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f ) security safeguards under section 31; (g) research purposes under section 45; (h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7)Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section.(8)The remaining provision of the Act shall come into force eighteen months from the notified date.”

For more details visit http://editors.cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019

Comments to the ID4D Practitioners’ Guide

Yesha Tshering Paul, Prakriti Singh, and Amber Sinha — 2019-08-08T10:25:13Z

This post presents our comments to the ID4D Practitioners’ Guide: Draft For Consultation released by ID4D in June, 2019. CIS has conducted research on issues related to digital identity since 2012. This submission is divided into three main parts. The first part (General Comments) contains the high-level comments on the Practitioners’ Guide, while the second part (Specific Comments) addresses individual sections in the Guide. The third and final part (Additional Comments) does not relate to particulars in the Practitioners' Guide but other documents that it relies upon. We submitted these comments to ID4D on August 5, 2019. Read our comments here.

For more details visit http://editors.cis-india.org/internet-governance/blog/comments-to-the-id4d-practitioners2019-guide

Comments to the draft Motor Vehicle Aggregators Scheme, 2021

Chiara Furtado, Aayush Rathi and Abhishek Sekharan — 2022-04-01T15:25:06Z

This submission presents a response by researchers at the Centre for Internet and Society, India (CIS) to the draft Motor Vehicle Aggregators Scheme, 2021 published by the Transport Department, Government of National Capital Territory of Delhi, (hereafter “draft Scheme”).

CIS, established in Bengaluru in 2008 as a non-profit organisation, undertakes interdisciplinary research on internet and digital technologies from public policy andacademic perspectives. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and regulatory practices around internet, technology,and society in India, and elsewhere.

CIS is grateful for the opportunity to submit its comments to the draft Scheme. Please find below our thematically organised comments.

Click here to read more.

For more details visit http://editors.cis-india.org/internet-governance/blog/comments-to-the-draft-motor-vehicle-aggregators-scheme-2021

Comments on the RBI's Consultation Paper on Peer to Peer Lending

sumandro — 2016-06-01T20:21:13Z

The Reserve Bank of India published a Consultation Paper on Peer to Peer Lending on April 28, 2016, and invited comments from the public. CIS submitted the following response, authored by Elonnai Hickok, Pavishka Mittal, Sumandro Chattapadhyay, Vidushi Marda, and Vipul Kharbanda.

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) on the Consultation Paper on Peer to Peer Lending (“the consultation paper”) by the Reserve Bank of India (“RBI”) [1].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS [2], is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the concerns of citizens’ and users’ rights in the context of products, services, and transactions facilitated by digital media technologies, the , the principle that regulation should be defined around functions of the acts concerned, and not the technologies of delivery. Our comments are limited to the clauses that most directly have an impact on these concerns.

3. Response

3.1. Whether there is a felt need for regulating peer to peer lending platforms?

3.1.1. Peer to peer (“P2P”) lenders are platforms serving as marketplaces for the lenders and the borrowers of funds to connect. Their very business model does not render them as a provider of finance, as they aspire to function as pure intermediaries to enable lending and borrowing.

3.1.2. The Section 45I.(f)(iii) of the RBI Act, 1935 [3], provides RBI the authority to classify any financial institution as a non-banking financial company (“NBFC”) “with the previous approval of the Central Government and by notification in the Official Gazette.” Since the P2P lending platforms do not provide any finance themselves, undertake acquisition of financial instruments, deliver financial and/or insurance services, or collect financial resources directly, the only ground for classifying such companies as “financial institutions” [4] appears to be their involvement in “managing, conducting or supervising, as foreman, agent or in any other capacity, of chits or kuries as defined in any law which is for the time being in force in any State, or any business, which is similar thereto” [5]. P2P lending platforms can be considered to be brokers and thus there are other aspects that merit scrutiny such as antitrust issues, obligations of either party, company activities and the transactional system involved, as we will discuss in this document.

3.1.3. The consultation paper itself states that the balance sheet of the platform cannot indicate any borrowing / lending activity, which entails that the platform cannot itself provide finance or receive any funds for the provision of loans to others. Platforms are not allowed to determine the interest rates as they are not a party to the transaction. Neither would they be liable in cases of default by the borrower. These rules, standard for P2P platforms in other jurisdictions as well, confirm the assumption that the platform itself is not providing finance and thus, cannot be entrusted with any liability, obligation from the transaction.

3.1.4. Further, with RBI raising the threshold asset size for an NBFC to be considered systemically important (NBFC-ND-SI) from Rs. 100 Crores to Rs. 500 Crores [6], and Economic Times reporting that one of the biggest Indian P2P lending platform’s enterprise valuation (which can be taken as indicative of its net assets) is Rs 50 Crores [7], we may assume that most P2P lending platforms will have net assets worth less than 500 crore, at least in the near future; although there is a possibility for exponential growth with some companies.

3.1.5. Given the limited sphere of operation, restricted ability (by design) of these platforms to shape interest rates and other features of financial instruments, and their generally non-systemically-important nature, we would submit that the regulation of such P2P lending platforms are kept to an absolute minimum, so that their economic viability is not undermined, and at the same time the key risks associated with their operations are addressed by RBI.

3.2. Is the assessment of P2P lending and risks associated with it adequate?

3.2.1. CIS observes that the following are the key risks involved with the operations of the P2P lending platforms, and these are being respectively addressed by, or can be addressed by RBI in the following manners.

Insufficient information about the conditions of lending, leading to defrauding of the borrower: The borrower may not receive appropriate information about the terms of the loan, and/or the P2P lending platform may not act in a “fair” manner (say, in case of collusion between the P2P lending platform and the lender, or the lending platform and the borrower), which may lead to defrauding and/or economic loss of either party. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Guidelines on Fair Practices Code for NBFCs [8], which extensively addresses concerns related to this type of risks.
Insufficient information about the borrower, or her/his ability to repay the loan, may lead to non-repayment and economic loss of the lender: If the P2P lending platform allows the lender to offer loans to borrowers without acquiring and/or providing sufficient information to the lender about the borrower’s credit history and/or ability to repay the loan, modes of formulating security for loans, this may heighten the risks of non-repayment of loans. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Master Circular – 'Know Your Customer' (KYC) Guidelines – Anti Money Laundering Standards (AML) - Prevention of Money Laundering Act, 2002 - Obligations of NBFCs [9], which extensively addresses concerns related to this type of risks.
Credit-related information of the lenders and the borrowers collected by P2P lending platforms may not be made available to other financial institutions and that will lead asymmetry in credit information available across various actors in the sector: Credit information, related to both lending and borrowing practices of entities using the platform concerned, is a key asset of the P2P lending platforms. Lack of sharing of such information with Credit Information Companies, for economic reasons or otherwise, may however, lead to information asymmetry within the financial sector, which will structurally weaken the entire sector (with pieces of credit information being distributed across actors and not being shared internally). By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Credit Information Companies (Regulation) Act, 2005 [10], which extensively addresses concerns related to this type of risks.
P2P lending platforms diversifying their financial operations without informing RBI and hence without appropriate regulatory control: It is possible that P2P lending platforms may decide to diversify their activities. There have been similar examples in other related sectors, say e-commerce marketplaces, that have started their own product re/selling companies that use the same online marketplace concerned. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies provide RBI with detailed and regular reports of their economic activities and investments, which is expected to address concerns related to this type of risks.

3.3. Are there any other risks which ought to be addressed?

3.3.1. CIS observes that as part of the usual transaction related activities of the P2P lending platforms, the companies will come into possession of what has been defined as “sensitive personal data or information” by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 [11]. The concerns related to this type of risk is directly addressed by the Rules concerned, and may not require additional attention from the RBI.

3.3.2. CIS observes that as borrowers and lenders start using specific P2P lending platforms, the data regarding their credit histories and/or “financial reputation” will be owned by these companies. While such information might be shared internally within the financial sector through the Credit Information Companies, the borrowers and lenders themselves may not get direct access to such data. Hence, the borrowers and lenders will not be able to move easily and smoothly to a new P2P lending platform and make use of their existing credit information and/or “financial reputation” when accessing services offered via the new P2P lending platform. In other words, the borrowers and lenders may face a service provider lock-in, and inability to move between P2P lending platforms easily, without explicit access to their own credit history/reputation, and will not have the ability to migrate such information from one P2P lending platform to another (or to any other agency, for that matter). CIS submits that RBI must provide a mechanism to allow users to migrate between platforms as it has not been discussed in the consultation paper.

3.4. Is the proposed approach to regulating these platforms adequate?

3.4.1. CIS observes that while classification of P2P lending platforms will appropriately address key risks associated with their operations (as listed in 3.2.1. A-D), it will not address a major risk emerging out of their operations that is unique to the technological basis of the business concerned (as mentioned in 3.3.2.), and further, it will impose substantial financial and management obligations that have a very high probability of undermining the economic viability of this emerging and niche sector of intermediated direct lending and borrowing.

3.4.2. CIS observes that these financial and management obligations may involve the following topics among others discussed: 1) minimum net worth requirement for registration, 2) minimum investments required to be made government securities, 3) transferring of minimum percentage of net profits to RBI, 4) guidelines regarding corporate governance [12], etc.

3.4.3. Given this, CIS submits that instead of classifying P2P lending platforms as “Misc NBFCs,” a new sub-classification is created under the category of NBFC for such platforms, that directly addresses the key risks associated with businesses of P2P lending platforms, and protects lenders as well as borrowers while enhancing transparency in operations. This new sub-classification of P2P lending companies should also be divided into systemically-important and non-systemically-important like other NBFCs, and requirements regarding financial operations and corporate management should only be enforced for the former category of P2P lending companies.

3.5. Any other relevant issues pertaining to P2P lending

Beyond the issues already discussed above, CIS seek clarity from the RBI around the following aspects:

Transactional system pertaining to P2P lending:
1. What are the requirements and prerequisites for mandating the collection of user identity?
2. Establishing a maximum sum that can be transferred per transaction.
Company activities:
1. Fees that can be charged by platforms.
2. How data security can be best addressed.
3. How the financial transactions are brokered.
4. Modes of redressal.
5. Restitution to users if something goes amiss in the transaction.
6. Insurance that the company has to buy or capital on hand to support.

Endnotes

[1] See: https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=3164.

[2] See: http://cis-india.org/.

[3] See: https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/RBIA1934170510.pdf.

[4] See Section 45I.(c) of RBI Act, 1923, last amended on January 07, 2013.

[5] See Section 45I.(c)(v) of RBI Act, 1923, last amended on January 07, 2013.

[6] See: https://rbidocs.rbi.org.in/rdocs/content/pdfs/PNNBFC200315.pdf.

[7] See: http://economictimes.indiatimes.com/small-biz/startups/faircent-com-raises-pre-series-a-funding-of-250k/articleshow/47630279.cms.

[8] See: https://rbi.org.in/scripts/NotificationUser.aspx?Id=7866.

[9] See: https://rbi.org.in/scripts/BS_ViewMasCirculardetails.aspx?id=8168.

[10] See: http://www.incometaxindia.gov.in/Pages/acts/credit-information-companies-act.aspx.

[11] See: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf.

[12] See: https://www.rbi.org.in/scripts/BS_NBFCNotificationView.aspx?Id=3706.

For more details visit http://editors.cis-india.org/raw/comments-on-the-rbi-consultation-paper-on-peer-to-peer-lending

Comments on the National Digital Health Blueprint

Samyukta Prabhu, Ambika Tandon, Torsha Sarkar and Aayush Rathi — 2019-08-07T13:24:55Z

The Ministry of Health and Family Welfare had released the National Digital Health Blueprint on 15 July 2019 for comments. The Centre for Internet & Society submitted its comments.

This submission presents comments by the Centre for Internet and Society (CIS), on the National Digital Health Blueprint (NDHB) Report, released on 15th July 2019 for publicconsulations. It must be noted at the outset that the time given for comments was less than three weeks, and such a short window of time is inadequate for all stakeholdersinvolved to comprehensively address the various aspects of the Report. Accordingly, on behalf of all other interested parties, we request more time for consultations.

We also note that the nature of data which would be subject to processing in the proposed digital framework pre-supposes a robust data protection regime in India, onewhich is currently absent. Accordingly, we also urge ceasing the implementation of the framework until the Personal Data Protection Bill is passed by the parliament. We wouldbe explaining our reasonings on this particular point below.

Click to download the full submission here.

For more details visit http://editors.cis-india.org/internet-governance/blog/samyukta-prabhu-ambika-tandon-torsha-sarkar-and-aayush-rathi-august-4-2019-comments-on-national-digital-health-blueprint

Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

bhairav — 2013-07-12T12:13:53Z

Bhairav Acharya on behalf of the Centre for Internet and Society prepared the following comments on the Sensitive Personal Data Rules. These were submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

I Preliminary

1.1 The Centre for Internet and Society (“CIS”) is pleased to present this submission on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 313(E) on 11 April 2011 (“Sensitive Personal Data Rules” or “Rules”) to the Committee on Subordinate Legislation of the Fifteenth Lok Sabha.

1.2 The protection of personal information lies at the heart of the right to privacy; and, for this reason, it is an imperative legislative and policy concern in liberal democracies around the world. In India, although remedies for invasions of privacy exist in tort law and despite the Supreme Court of India according limited constitutional recognition to the right to privacy[1], there have never been codified provisions protecting the privacy of individuals and their personal information.

The Sensitive Personal Data Rules represent India’s first legislative attempt to recognise that all persons have a right to protect the privacy of their personal information. However, the Rules suffer from numerous conceptual, substantive and procedural weaknesses, including drafting defects, which demand scrutiny and rectification. The interpretation and applicability of the Rules was further confused when, on 24 August 2011, the Department of Information Technology of the Ministry of Communications attempted to reinterpret the Rules through a press release oblivious to the universally accepted basic proposition that law cannot be made or reinterpreted via press releases.[2] Therefore, the attention of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha is called to the following submissions:

II Principles to Facilitate Appraisal
2.1 The Sensitive Personal Data Rules are an important step towards building a legal regime that protects the privacy of individuals whilst enabling the secure collection, use and storage of personal information by state and private entities. The Rules are to be welcomed in principle. However, at present, the Rules construct an incomplete regime that does not adequately protect privacy and, for this reason, falls short of internationally accepted data protection standards.[3]

This not only harms the personal liberties of Indian citizens, it also affects the ability of Indian companies to conduct commerce in foreign countries. More importantly, the Rules offer no protection against the state.

2.2 To enact a comprehensive personal information protection regime, CIS believes that the Rules should proceed on the basis of the following broad principles:

(a) Principle of Notice / Prior Knowledge

All persons from whom personal information is collected have a right to know, before the personal information is collected and, where applicable, at any point thereafter: (i) of an impending collection of personal information; (ii) the content and nature of the personal information being collected; (iii) the purpose for which the personal information is being collected; (iv) the broad identities of all natural and juristic persons who will have access to the collected personal information; (v) the manner in which the collected personal information will be used; (vi) the duration for which the collected personal information will be stored; (vii) whether the collected personal information will be disclosed to third parties including the police and other law enforcement agencies; (viii) of the manner in which they may access, check, modify or withdraw their collected personal information; (ix) the security practices and safeguards that will govern the sanctity of the collected personal information; (x) of all privacy policies and other policies in relation to the collected personal information; (xi) of any breaches in the security, safety, privacy and sanctity of the collected personal information; and, (xii) the procedure for recourse, including identities and contact details of ombudsmen and grievance redress officers, in relation to any misuse of the collected personal information.

(b) Principle of Consent

Personal information must only be collected once the person to whom it pertains has consented to its collection. Such consent must be informed, explicit and freely given. Informed consent is conditional upon the fulfilment of the principle of notice/prior knowledge set out in the preceding paragraph. Consent must be expressly given: the person to whom the personal information to be collected pertains must grant explicit and affirmative permission to collect personal information; and, he must know, or be made aware, of any action of his that will constitute such consent. Consent that is obtained using threats or coercion, such as a threat of refusal to provide services, does not constitute valid consent. Any person whose personal information has been consensually collected may, at any time, withdraw such consent for any or no reason and, consequently, his personal information, including his identity, must be destroyed. When consent is withdrawn in this manner, the person who withdrew consent may be denied any service that requires the use of the personal information for which consent was withdrawn.

Personal information must only be collected when, where and to the extent necessary. Necessity cannot be established in general; there must be a specific nexus connecting the content of the personal information to the purpose of its collection. Only the minimal amount of personal information necessary to achieve the purpose should be collected. If a purpose exists that warrants a temporally specific, or an event-dependent, collection of personal information, such a collection must only take place when that specific time is reached or that event occurs. If the purpose of personal information is dependent upon, or specific to, a geographical area or location, that personal information must only be collected from that geographical area or location.

(d) Right to be Forgotten / Principle of Purpose Limitation

Once collected, personal information must be processed, used, stored or otherwise only for the purpose for which it was collected. If the purpose for which personal information was collected is achieved, the collected personal information must be destroyed and the person to whom that personal information pertained must be ‘forgotten.’ Similarly, collected personal information must be destroyed and the person to whom it pertained ‘forgotten’ if the purpose for which it was collected expires or ceases to exist. Personal information collected for a certain purpose cannot be used or stored for another purpose nor even used or stored for a similar purpose to arise in the future without the express and informed consent of the person from whom it was collected in accordance with the principles of notice/prior knowledge and consent.

(e) Right of Access

All persons from whom personal information is collected have a right to access that personal information at any point following its collection to check its accuracy, make corrections or modifications and have destroyed that which is inaccurate. Where personal information of more than one person is held in an aggregated form such that affording one person access to it may endanger the right to privacy of another person, the entity holding the aggregated personal information must, to the best of its ability, identify the portion of the personal information that pertains to the person seeking access and make it available to him. All persons from whom personal information is collected must be given copies of their personal information upon request.

(f) Principle regarding Disclosure

Personal information, once collected, must never be disclosed. However, if the person to whom certain personal information pertains consents to its disclosure in accordance with the principle of consent after he has been made aware of the proposed disclosee and other details related to the personal information in accordance with the principle of notice/prior knowledge, the personal information may be disclosed. Consent to a disclosure of this nature may be obtained even during collection of the personal information if the person to whom it pertains expressly consents to its future disclosure. Notwithstanding the rule against disclosure and the consent exception to the rule, personal information may be disclosed to the police or other law enforcement agencies on certain absolute conditions. Since the protection of personal information is a policy imperative, the conditions permitting its disclosure must be founded on a clear and serious law enforcement need that overrides the right to privacy; and, in addition, the disclosure conditions must be strict, construed narrowly and, in the event of ambiguity, interpreted to favour the individual right to privacy. Therefore, (i) there must be a demonstrable need to access personal information in connection with a criminal offence; (ii) only that amount of personal information that is sufficient to satisfy the need must be disclosed; and, (iii), since such a disclosure is non-consensual, it must follow a minimal due process regime that at least immediately notifies the person concerned and affords him the right to protest the disclosure.

(g) Principle of Security

All personal information must be protected to absolutely maintain its sanctity, confidentiality and privacy by implementing safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, de-anonymisation, unauthorised disclosure and other risks. Such a level of protection must include physical, administrative and technical safeguards that are constantly and consistently audited. Protection measures must be revised to incorporate stronger measures and mechanisms as and when they arise.

(h) Principle of Transparency / ‘Open-ness’

All practices, procedures and policies governing personal information must be made available to the person to whom that personal information pertains in a simple and easy-to-understand manner. This includes policies relating to the privacy, security and disclosure of that personal information. If an entity that seeks to collect personal information does not have these policies, it must immediately draft, publish and display such policies in addition to making them available to the person from whom it seeks to collect personal information before the collection can begin.

(i) Principle of Accountability

Liability attaches to the possession of personal information of another person. Since rights and duties, such as those in relation to privacy of personal information, are predicated on accountability, this principle binds all entities that seek to possess personal information of another person. As a result, an entity seeking to collect, use, process, store or disclose personal information of another person is accountable to that person for complying with all these principles as well as the provisions of any law. The misuse of personal information causes harm to the person to whom it pertains to attract and civil and criminal penalties.

2.3 These principles are reflective of internationally accepted best practices to form the basis upon which Indian legislation to protect personal information should be drafted. The Sensitive Personal Data Rules, in their current form, fall far short of the achieving the substantive intent of these principles. CIS submits that either (i) the Sensitive Personal Data Rules should be replaced with new and comprehensive legislation that speaks to the objectives and purpose of these principles, or (ii) the Sensitive Personal Data Rules are radically modified by amendment to bring Indian law to par with world standards. Nevertheless, without prejudice to the preceding submission, CIS offers the following clause-by-clause comments on the Sensitive Personal Data Rules:

III Clause-by-Clause Analysis and Comments

Rule 2 - Definitions

3.1.1 Rule 2(1)(b) of the Sensitive Personal Data Rules defines “biometrics” as follows:

"Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', "facial patterns', 'hand measurements' and 'DNA' for authentication purposes.

3.1.2 Firstly, the Sensitive Personal Data Rules do not use the term “biometrics.” Instead, rule 3(vi), which defines sensitive personal data, uses the term “biometric information.” It is unclear why rule 2(1)(b) provides a definition of the technologies by which information is obtained instead of clearly identify the information that constitutes sensitive personal data. This is one of several examples of poor drafting of the Sensitive Personal Data Rules. Secondly, biometric information is not used only for authentication; there are many other reasons for collecting and using biometric information. For instance, DNA is widely collected and used for medical research. Restricting the application of the definition to only that biometric information that is used for authentication is illogical to deprive the Rules of meaning.

3.1.3 Therefore, it is proposed that rule 2(1)(b) be re-drafted to read as follows:

““Biometric information” means any information relating to the physical, physiological or behavioural characteristics of an individual which enable their unique identification including, but not limited to, fingerprints, retinas, irises, voice patterns, facial patterns, Deoxyribonucleic acid (DNA) and genetic information.”

3.2.1 Rule 2(1)(c) of the Sensitive Personal Data Rules defines “body corporate” in accordance with the definition provided in clause (i) of the Explanation to section 43A of the Information Technology Act, 2000 (“IT Act”) as follows:

“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

3.2.2 Firstly, this definition of a body corporate is poorly drafted to extend beyond incorporated entities to bring within its ambit even unincorporated professional organisations such as societies and associations which, by their very nature, are not bodies corporate.[4]

This is an arbitrary reinterpretation of the fundamental principles of company law. As it presently stands, this peculiar definition will extend to public and private limited companies, including incorporated public sector undertakings, ordinary and limited liability partnerships, firms, sole proprietorships, societies and associations; but, will exclude public and private trusts[5] and unincorporated public authorities. Hence, whereas non-governmental organisations that are organised as societies will fall within the definition of “body corporate,” those that are organised as trusts will not. Similarly, incorporated public authorities such as Delhi Transport Corporation and even municipal corporations such as the Municipal Corporation of Delhi will fall within the definition of “body corporate” but unincorporated public authorities such as the New Delhi Municipal Council and the Delhi Development Authority will not. This is a prima facie violation of the fundamental right of all persons to be treated equally under the law guaranteed by Article 14 of the Constitution of India.

3.2.3 Secondly, whereas state entities and public authorities often collect and use sensitive personal data, with the exception of state corporations the Sensitive Personal Data Rules do not apply to the state. This means that the procedural safeguards offered by the Rules do not bind the police and other law enforcement agencies allowing them a virtually unfettered right to collect and use, even misuse, sensitive personal data without consequence. Further, state entities such as the Unique Identification Authority of India or the various State Housing Boards which collect, handle, process, use and store sensitive personal data are not covered by the Rules and remain unregulated. It is not possible to include these unincorporated entities within the definition of a body corporate; but, in pursuance of the principles set out in paragraph 2.2 of this submission, the Rules should be expanded to all state entities, whether incorporated or not.

3.2.4 Therefore, it is proposed that rule 2(1)(c) be re-drafted to read as follows:

““body corporate” means the body corporate defined in sub-section (7) of section 2 read with section 3 of the Companies Act, 1956 (1 of 1956) and includes those entities which the Central Government may, by notification in the Official Gazette, specify in this behalf but shall not include societies registered under the Societies Registration Act, 1860 (21 of 1860), trusts created under the Indian Trusts Act, 1882 (2 of 1882) or any other association of individuals that is not a legal entity apart from the members constituting it and which does not enjoy perpetual succession.”

Further, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to societies registered under the Societies Registration Act, 1860 and trusts created under the Indian Trusts Act, 1882 in a manner reflective of their distinctiveness from bodies corporate.

Furthermore, it is proposed that the Sensitive Personal Data Rules be re-drafted to apply to public authorities and the state as defined in Article 12 of the Constitution of India.

3.3.1 Rule 2(1)(d) of the Sensitive Personal Data Rules defines “cyber incidents” as follows:

"Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation.

3.3.2 Before examining the provisions of this clause, CIS questions the need for this definition. The term “cyber incidents” is used only once in these rules: the proviso to rule 6(1) which specifies the conditions upon which personal information or sensitive personal data may be disclosed to the police or other law enforcement authorities without the prior consent of the person to whom the information pertains. An analysis of rule 6(1) is contained at paragraphs 3.11.1 – 3.11.4 of this submission. Firstly, personal information and sensitive personal data should only be disclosed in connection with the prevention, investigation and prosecution of an existing offence. Offences cannot be created in the definitions clause of sub-statutory rules, they can only be created by a parent statute or another statute. Secondly, the scope and content of “cyber incidents” are already covered by section 43 of the IT Act. When read with section 66 of IT Act, an offence is created that is larger than the scope of the term “cyber incidents” to render this definition redundant.

3.3.3 Therefore, it is proposed that the definition of “cyber incidents” in rule 2(1)(d) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.

3.4.1 Rule 2(1)(g) of the Sensitive Personal Data Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. However, the term “intermediary” is not used anywhere in the Sensitive Personal Data Rules and so its definition is redundant. This is another instance of careless drafting of the Sensitive Personal Data Rules.

3.4.2 Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the remaining clauses in sub-rule (1) of rule 2 be accordingly renumbered.

Rule 3 - Sensitive Personal Data

3.5.1 Rule 3 of the Sensitive Personal Data Rules provides an aggregated definition of sensitive personal data as follows:

Sensitive personal data or information of a person means such personal information which consists of information relating to –

(i) password;

(ii) financial information such as Bank account or credit card or debit card or other payment instrument details ;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

3.5.2 In accordance with the principle that certain kinds of personal information are particularly sensitive, due to the intimate nature of their content in relation to the right to privacy, to invite privileged protective measures regarding the collection, handling, processing, use and storage of such sensitive personal data, it is surprising that rule 3 does not protect electronic communication records of individuals. Emails and chat logs as well as records of internet activity such as online search histories are particularly vulnerable to abuse and misuse and should be accorded privileged protection.

3.5.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:

“Sensitive personal data or information of a person means personal information as to that person’s –

(i) passwords and encryption keys;

(ii) financial information including, but not limited to, information relating to his bank accounts, credit cards, debit cards, negotiable instruments, debt and other payment details;

(iii) physical, physiological and mental condition;

(iv) sexual activity and sexual orientation;

(v) medical records and history;

(vi) biometric information; and

(vii) electronic communication records including, but not limited to, emails, chat logs and other communications made using a computer;

and shall include any data or information related to the sensitive personal data or information set out in this rule that is provided to, or received by, a body corporate.

Provided that, any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”

Rule 4 - Privacy and Disclosure Policy

3.6.1 Rule 4 of the Sensitive Personal Data Rules, which obligates certain bodies corporate to publish privacy and disclosure policies for personal information, states:

Body corporate to provide policy for privacy and disclosure of information. – (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for –

(i) Clear and easily accessible statements of its practices and policies;

(ii) type of personal or sensitive personal data or information collected under rule 3;

(iii) purpose of collection and usage of such information;

(iv) disclosure of information including sensitive personal data or information as provided in rule 6;

(v) reasonable security practices and procedures as provided under rule 8.

3.6.2 This rule is very badly drafted, contains several discrepancies and is legally imprecise. Firstly, this rule is overbroad to bind all bodies corporate that receive and use information, as opposed to “personal information” or “sensitive personal data.” All bodies corporate receive and use information, even a vegetable seller uses information relating to vegetables and prices; but, not all bodies corporate receive and use personal information and even fewer bodies corporate receive and use sensitive personal data. The application of this provision should turn on the reception and use of personal information, which includes sensitive personal data, and not simply information. Secondly, although this rule only applies when a provider of information provides information, the term “provider of information” is undefined. It may mean any single individual who gives his personal information to a body corporate, or it may even mean another entity that outsources or subcontracts work that involves the handling of personal information. This lack of clarity compromises the enforceability of this rule. The government’s press release of 24 August 2011 acknowledged this error but since it is impossible, not to mention unconstitutional, for a statutory instrument like these Rules to be amended, modified, interpreted or clarified by a press release, CIS is inclined to ignore the press release altogether. It is illogical that privacy policies not be required when personal information is directly given by a single individual. This rule should bind all bodies corporate that receive and use personal information irrespective of the source of the personal information. Thirdly, it is unclear whether separate privacy policies are required for personal information and for sensitive personal data. There is a distinction between personal information and sensitive personal data and since these Sensitive Personal Data Rules deal with the protection of sensitive personal data, this rule 4 should unambiguously mandate the publishing of privacy policies in relation to sensitive personal data. Any additional requirement for personal information must be set out to clearly mark its difference from sensitive personal data. Fourthly, because of sloppy drafting, the publishing duties of the body corporate in respect of any sensitive personal data are unclear. For example, the phrase “personal or sensitive personal data or information” used in clause (ii) is meaningless since “personal information” and “sensitive personal data or information” are defined terms.

3.6.3 Therefore, it is proposed that rule 3 be re-drafted to read as follows:

“Duty to publish certain policies. – (1) Any body corporate that collects, receives, possesses, stores, deals with or handles personal information or sensitive personal data from any source whatsoever shall, prior to collecting, receiving, possessing, storing, dealing with or handling such personal information or sensitive personal data, publish and prominently display the policies listed in sub-rule (2) in relation to such personal information and sensitive personal data.

(2) In accordance with sub-rule (1) of this rule, all bodies corporate shall publish separate policies for personal information and sensitive personal data that clearly state –

(i) the meanings of personal information and sensitive personal data in accordance with these rules;

(ii) the practices and policies of that body corporate in relation to personal information and sensitive personal data;

(iii) descriptive details of the nature and type of personal information and sensitive personal data collected, received, possessed, stored or handled by that body corporate;

(iv) the purpose for which such personal information and sensitive personal data is collected, received, possessed, stored or handled by that body corporate;

(v) the manner and conditions upon which such personal information and sensitive personal data may be disclosed in accordance with rule 6 of these rules; and

(vi) the reasonable security practices and procedures governing such personal information and sensitive personal data in accordance with rule 8 of these rules.”

Rule 5 - Collection of Information

3.7.1 Rule 5(1) of the Sensitive Personal Data Rules lays down the requirement of consent before personal information can be collected as follows:

Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.

3.7.2 Firstly, the principle and requirement of consent is of overriding importance when collecting personal information, which includes sensitive personal data. Pursuant to the principles laid down in paragraph 2.2 of this submission, consent must be informed, explicit and freely given. Since sub-rule (3) of rule 5 attempts to secure the informed consent of persons giving personal information, this sub-rule must establish that all personal information can only be collected upon explicit consent that is freely given, irrespective of the medium and manner in which it is given. Secondly, it may be noted that sub-rule (1) only applies to sensitive personal data and not to other personal information that is not sensitive personal data. This is ill advised. Thirdly, this sub-rule relating to actual collection of personal information should follow a provision establishing the principle of necessity before collection can begin. The principle of necessity is currently laid down in sub-rule (2) of rule 5 which should be re-numbered to precede this sub-rule relating to collection.

3.7.3 Therefore, it is proposed that rule 5(1) be re-numbered to sub-rule (2) of rule 5 and re-drafted to read as follows:

“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to collecting that personal information or sensitive personal data, obtain the express and informed consent of that person in any manner, and through any medium, that may be convenient but shall not obtain such consent through threat, duress or coercion.”

3.8.1 Rule 5(2) of the Sensitive Personal Data Rules sets out the principle of necessity governing the collection of personal information as follows:

Body corporate or any person on its behalf shall not collect sensitive personal data or information unless —

(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and

(b) the collection of the sensitive personal data or information is considered necessary for that purpose.

3.8.2 Firstly, before allowing a body corporate to collect personal information, which includes sensitive personal data, the law should strictly ensure that the collection of such personal information is necessary. Necessity cannot be established in general, there must be a nexus connecting the personal information to the purpose for which the personal information is sought to be collected. This important sub-rule sets out the principles upon which personal information can be collected; and, should therefore be the first sub-rule of rule 5. Secondly, this sub-rule only applies to sensitive personal data instead of all personal information. It is in the public interest that the principle of necessity applies to all personal information, including sensitive personal data.

3.8.3 Therefore, it is proposed that rule 5(2) be re-numbered to sub-rule (1) of rule 5 and re-drafted to read as follows:

“No body corporate shall collect any personal information or sensitive personal data of a person unless it clearly establishes that –

(a) the personal information or sensitive personal data is collected for a lawful purpose that is directly connected to a function or activity of the body corporate; and

(b) the collection of the personal information or sensitive personal data is necessary to achieve that lawful purpose.”

3.9.1 Rule 5(3) of the Sensitive Personal Data Rules attempts to create an informed consent regime for the collection of personal information as follows:

While collecting information directly from the person concerned, the body corporate or any person on its behalf snail take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of —

(a) the fact that the information is being collected;

(b) the purpose for which the information is being collected;

(c) the intended recipients of the information; and

(d) the name and address of —

(i) the agency that is collecting the information; and

(ii) the agency that will retain the information.

3.9.2 Firstly, this sub-rule (3) betrays the carelessness of its drafters by bringing within its application any and all information collected by a body corporate from a person instead of only personal information or sensitive personal data. Secondly, this provision is crucial to establishing a regime of informed consent before personal information is given by a person to a body corporate. For consent to be informed, the person giving consent must be made aware of not only the collection of that personal information or sensitive personal data, but also the purpose for which it is being collected, the manner in which it will be used, the intended recipients to whom it will be sent or made accessible, the duration for which it will be stored, the conditions upon which it may be disclosed, the conditions upon which it may be destroyed as well as the identities of all persons who will collect, receive, possess, store, deal with or handle that personal information or sensitive personal data. Thirdly, the use of the phrase “take such steps as are, in the circumstances, reasonable” dilutes the purpose of this provision and compromises the establishment of an informed consent regime. Instead, the use of the term “reasonable efforts”, which has an understood meaning in law, will suffice to protect individuals while giving bodies corporate sufficient latitude to conduct their business.

3.9.3 Therefore, it is proposed that rule 5(3) be re-drafted to read as follows:

“A body corporate seeking to collect personal information or sensitive personal data of a person shall, prior to such collection, make reasonable efforts to inform that person of the following details in respect of his personal information or sensitive personal data –

(a) the fact that it is being collected;

(b) the purpose for which it is being collected;

(d) the intended recipients to whom it will be sent or made available;

(e) the duration for which it will be stored;

(f) the conditions upon which it may be disclosed;

(g) the conditions upon which it may be destroyed; and

(h) the identities of all persons and bodies corporate who will collect, receive, possess, store, deal with or handle it.”

3.10.1 Rule 5(4) of the Sensitive Personal Data Rules lays down temporal restrictions to the retention of personal information:

Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

3.10.2 Since this sub-rule (4) only applies to sensitive personal data instead of all personal information, bodies corporate are permitted to hold personal information of persons that is not sensitive personal data for as long as they like even after the necessity that informed the collection of that personal information expires and the purpose for which it was collected ends. This is a dangerous provision that deprives the owners of personal information of the ability to control its possession to jeopardise their right to privacy. The Sensitive Personal Data Rules should prescribe a temporal limit to the storage of all personal information by bodies corporate.

3.10.3 Therefore, it is proposed that rule 5(4) be re-drafted to read as follows:

“No body corporate shall store, retain or hold personal information or sensitive personal data for a period longer than is required to achieve the purpose for which that personal information or sensitive personal data was collected.”

Rule 6 - Disclosure of Information

3.11.1 Rule 6(1) of the Sensitive Personal Data Rules, which deals with the crucial issue of disclosure of personal information, states:

Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation:

Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.

3.11.2 In addition to errors and discrepancies in drafting, this sub-rule contains wide and vague conditions of disclosure of sensitive personal data to gravely impair the privacy rights and personal liberties of persons to whom such sensitive personal data pertains. A summary of drafting errors and discrepancies follows: Firstly, this sub-rule only applies to sensitive personal data instead of all personal information. The protection of personal information that is not sensitive personal data is an essential element of the right to privacy; hence, prohibiting bodies corporate from disclosing personal information at will is an important public interest prerogative. Secondly, the use of the phrase “any third party” lends vagueness to this provision since the term “third party” has not been defined. Thirdly, the repeated use of the undefined phrase “provider of information” throughout these Rules and in this sub-rule is confusing since, as pointed out in paragraph 3.6.2 of this submission, it could mean either or both of the single individual who consents to the collection of his personal information or another entity that transfers personal information to the body corporate.

3.11.3 Further, the conditions upon which bodies corporate may disclose personal information and sensitive personal data without the consent of the person to whom it pertains are dangerously wide. Firstly, the disclosure of personal information and sensitive personal data when it is “necessary for compliance of a legal obligation” is an extremely low protection standard. The law must intelligently specify the exact conditions upon which disclosure sans consent is possible; since the protection of personal information is a public interest priority, the conditions upon which it may be disclosed must outweigh this priority to be significant and serious enough to imperil the nation or endanger public interest. The disclosure of personal information and sensitive personal data for mere compliance of a legal obligation, such as failure to pay an electricity bill, is farcical. Secondly, the proviso sets out the conditions upon which the state, through its law enforcement agencies, may access personal information and sensitive personal data without the consent of the person to whom it pertains. Empowering the police with access to personal information can serve a public good if, and only if, it results in the prevention or resolution of crime; if not, this provision will give the police carte blanche to misuse and abuse this privilege. Hence, personal information should only be disclosed for the prevention, investigation and prosecution of an existing criminal offence. Thirdly, the definition and use of the term “cyber incidents” is unnecessary because section 43 of the IT Act already lists all such incidents. In addition, when read with section 66 of the IT Act, there emerges a clear list of offences to empower the police to seek non-consensual disclosure of personal information to obviate the need for any further new terminology. In sum, with regard to the non-consensual disclosure of personal information for the purposes of law enforcement: a demonstrable need to access personal information to prevent, investigate or prosecute crime must exist; only that amount of personal information sufficient to satisfy the need must be disclosed; and, finally, no disclosure may be permitted without clearly laid down procedural safeguards that fulfil the requirements of a minimal due process regime.

3.11.4 Therefore, it is proposed that rule 6(1) be re-drafted to read as follows:

“No body corporate shall disclose any personal information or sensitive personal data to anyone whosoever without the prior express consent of the person to whom the personal information or sensitive personal data to be disclosed pertains.

Provided that if the personal information or sensitive personal data was collected pursuant to an agreement that expressly authorises the body corporate to disclose such personal information or sensitive personal data, and if the person to whom the personal information or sensitive personal data pertains was aware of this authorisation prior to such collection, the body corporate may disclose the personal information or sensitive personal data without obtaining the consent of the person to whom it pertains in the form and manner specified in such agreement.

Provided further that if a reasonable threat to national security, defence or public order exists, or if the disclosure of personal information or sensitive personal data is necessary to prevent, investigate or prosecute a criminal offence, the body corporate shall, upon receiving a written request from the police or other law enforcement authority containing the particulars and details of the personal information or sensitive personal data to be disclosed, disclose such personal information or sensitive personal data to such police or other law enforcement authority without the prior consent of the person to whom it pertains.”

3.12.1 Rule 6(2) of the Sensitive Personal Data Rules creates an additional disclosure mechanism:

Notwithstanding anything contain in sub-rule (1), any sensitive personal data on Information shall be disclosed to any third party by an order under the law for the time being in force.

3.12.2 This sub-rule is overbroad to enable anyone’s sensitive personal data to be disclosed to any other person without the application of any standards of necessity, proportionality or due process and without the person to whom the sensitive personal data pertains having any recourse or remedy. Such provisions are the hallmarks of authoritarian and police states and have no place in a liberal democracy. For instance, the invocation of this sub-rule will enable a police constable in Delhi to exercise unfettered power to access the biometric information or credit card details of a politician in Kerala since an order of a policeman constitutes “an order under the law”. Pursuant to our submission in paragraph 3.11.4, adequate measures exist to secure the disclosure of personal information or sensitive public data in the public interest. The balance of convenience between privacy and public order has already been struck. This sub-rule should be removed.

3.12.3 Therefore, it is proposed that rule 6(2) be deleted and the remaining sub-rules in rule 6 be accordingly renumbered.

3.13.1 Rule 6(4) of the Sensitive Personal Data Rules states:

The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.

3.13.2 Firstly, as mentioned elsewhere in this submission, the phrase “third party” has not been defined. This is a drafting discrepancy that must be rectified. Secondly, this sub-rule only encompasses sensitive personal data and not other personal information that is not sensitive personal data. Thirdly, it may be necessary, in the interests of business or otherwise, for personal information or sensitive personal data that has been lawfully disclosed to a third person to be disclosed further if the person to whom that personal information consents to it.

3.13.3 Therefore, it is proposed that rule 6(4) be re-drafted to read as follows:

“Personal information and sensitive personal data that has been lawfully disclosed by a body corporate to a person who is not the person to whom such personal information or sensitive personal data pertains in accordance with the provisions of these rules may be disclosed further upon obtaining the prior and express consent of the person to whom it pertains.”

Rule 7 - Transfer of Information

3.14.1 Rule 7 of the Sensitive Personal Data Rules sets out the conditions upon which bodies corporate may transfer personal information or sensitive personal data to other bodies corporate in pursuance of a business arrangement:

A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

3.14.2 This provision allows personal information and sensitive personal data to be transferred across international borders to other bodies corporate in pursuance of a business agreement. The transfer of such information is a common feature of international commerce in which Indian information technology companies participate with significant success. Within India too, personal information and sensitive personal data is routinely transferred between companies in furtherance of an outsourced business model. Besides affecting ease of business, the sub-rule also affects the ability of persons to control their personal information and sensitive personal data. However, the sub-rule has been poorly drafted: firstly, the simultaneous use of the phrases “provider of information” and “such person” is imprecise and misleading; secondly, the person to whom any personal information or sensitive personal data pertains must pre-consent to the transfer of such information.

3.14.3 Therefore, it is proposed that rule 7 be re-drafted to read as follows:

“A body corporate may transfer any personal information or sensitive personal data in its possession to another body corporate, whether located in India or otherwise, if the transfer is pursuant to an agreement that binds the other body corporate to same, similar or stronger measures of privacy, protection, storage, use and disclosure of personal information and sensitive personal data as are contained in these rules, and if the express and informed consent of the person to whom the personal information or sensitive personal data pertains is obtained prior to the transfer.”

Rule 8 - Reasonable Security Practices

3.15.1 Following rule 8(1) of the Sensitive Personal Data Rules that prescribes reasonable security practices and procedures necessary for protecting personal information and sensitive personal data, rule 8(2) asserts that the international standard ISO/IEC 27001 fulfils the protection standards required by rule 8(1):

The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

3.15.2 ISO/IEC 27001 is an information security management system standard that is prescribed by the International Organisation for Standardisation and the International Electrotechnical Commission. CIS raises no objection to the content or quality of the ISO/IEC 27001 standard. However, to achieve ISO/IEC 27001 compliance and certification, one must first purchase a copy of the standard. A copy of the ISO/IEC 27001 standard costs approximately Rs. _____/-. The cost of putting in place the protective measures required by the ISO/IEC 27001 standard are higher: these include the cost of literature and training, the cost of external assistance, the cost of technology, the cost of employees’ time and the cost of certification.

3.15.3 Therefore, to bring these standards within the reach of small and medium-sized Indian bodies corporate, an appropriate Indian authority, such as the Bureau of Indian Standards, should re-issue affordable standards that are equivalent to ISO/IEC 27001.

IV The Press Release of 24 August 2011

4.1 The shoddy drafting of the Sensitive Personal Data Rules resulted in national and international confusion about its interpretation. However, instead of promptly correcting the embarrassingly numerous errors in the Rules, the Department of Information Technology of the Ministry of Communications and Information Technology chose to issue a press release on 24 August 2011 that was published on the website of the Press Information Bureau. The content of that press release is brought to the attention of the Committee of Subordinate Legislation as follows:

Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology ACT, 2000.

Press Note

The Department of Information Technology had notified Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 on 11.4.2011 vide notification no. G.S.R. 313(E).

These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6. Providers of information, as referred to in these Rules, are those natural persons who provide sensitive personal data or information to a body corporate. It is also clarified that privacy policy, as prescribed in Rule 4, relates to the body corporate and is not with respect to any particular obligation under any contract. Further, in Rule 5(1) consent includes consent given by any mode of electronic communication.

Ministry of Communications & Information Technology (Dept. of Information Technology)

Press Information Bureau, Government of India, Bhadra 2, 1933, August 24, 2011

SP/ska
(Release ID :74990)

4.2 It is apparent from a plain reading of the text that this press release seeks to re-interpret the application of rules 5 and 6 of the Sensitive Personal Data Rules insofar as they apply to Indian bodies corporate receiving personal information collected by another company outside India. Also, it seeks to define the term “providers of information” to address the confusion created by the repeated use this term in the Rules. Further, it re-interprets the scope and application of rule 4 relating to duty of bodies corporate to publish certain policies. Furthermore, it seeks to amend the provisions of rule 5(1) relating to manner and medium of obtaining consent prior to collecting personal information.

4.3 At the outset, it must be understood that a press release is not valid law. According to Article 13(3) of the Constitution of India,

...law includes any Ordinance, order, bye law, rule, regulation, notification, custom or usages having in the territory of India the force of law.

Law includes orders made in exercise of a statutory power as also orders and notifications made in exercise of a power conferred by statutory rules.

[See, Edward Mills AIR 1955 SC 25 at pr. 12, Babaji Kondaji Garad 1984 (1) SCR 767 at pp. 779-780 and Indramani Pyarelal Gupta 1963 (1) SCR 721 at pp. 73-744]

Sub-delegated orders, made in exercise of a power conferred by statutory rules, cannot modify the rules.

[See, Raj Narain Singh AIR 1954 SC 569 and Re Delhi Laws Act AIR 1951 SC 332]

Therefore, press releases, which are not made or issued in exercise of a delegated or sub-delegated power are not “law” and cannot modify statutory rules.

V Summary

5.1 CIS submits that the following provisions of the Sensitive Personal Data Rules be amended or annulled

Rule 2(1)(b);
Rule 2(1)(c);
Rule 2(1)(d);
Rule 2(1)(g);
Rule 3;
Rule 4(1);
Rule 5(1);
Rule 5(2);
Rule 5(3);
Rule 5(4);
Rule 6(1);
Rule 6(1) Proviso;
Rule 6(2);
Rule 6(4);
Rule 7; and
Rule 8.

5.2 CIS submits that the Committee on Subordinate Legislation should take a serious view of the press release issued by the Department of Information Technology of the Ministry of Communications and Information Technology on 24 August 2011.

5.3 CIS submits that in exercise of the powers granted to the Committee on Subordinate Legislation under Rules 317 and 320 of the Lok Sabha Rules of Procedure, the provisions of the Sensitive Personal Data Rules listed in the preceding paragraph 5.1 should be annulled; and, the Committee may be pleased to consider and recommend as an alternative the amendments proposed by CIS in this submission.

5.4 CIS thanks the Committee on Subordinate Legislation for the opportunity to present this submission and reiterates its commitment to supporting the Committee with any clarification, question or other requirement it may have.

[1]. See generally, Kharak Singh AIR 1963 SC 1295, Gobind (1975) 2 SCC 148, R. Rajagopal (1994) 6 SCC 632, People’s Union for Civil Liberties (1997) 1 SCC 301 and Canara Bank (2005) 1 SCC 496.

[2]. See infra pr. 4.3.

[3]. See, for comparison, Directive 95/46/EC of 24 October 1995 of the European Parliament and Council, the Data Protection Act, 1998 of the United Kingdom and the Proposed EU Regulation on on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

[4].See generally, Board of Trustees of Ayurvedic College AIR 1962 SC 458 and S. P. Mittal AIR 1983 SC 1.

[5]. See generally, W. O. Holdsworth AIR 1957 SC 887 and Duli Chand AIR 1984 Del 145.

For more details visit http://editors.cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011