INTRODUCTION
The terms data protection and data privacy are often used interchangeably, but they refer to different aspects of data management. Data privacy defines who has access to data, whereas data protection involves the tools and policies that restrict access to the data.1 Compliance regulations ensure that companies honour users’ privacy requests and take measures to protect private user data.
Data protection and privacy are crucial for managing personal health information (PHI) and personally identifiable information (PII), playing a significant role in business operations, development, and finances.2 Effective data protection can prevent data breaches, safeguard a company’s reputation, and help meet regulatory requirements.
Data protection solutions include technologies such as data loss prevention (DLP), storage with built-in data protection, firewalls, encryption, and endpoint protection.3
What Is Data Protection and Why Is It Important?
Data protection refers to the strategic and procedural steps taken to safeguard the privacy, availability, and integrity of sensitive data. Often synonymous with data security, these measures are essential for organizations that collect, process, or store sensitive data. The goal of data protection is to prevent data corruption, loss, or damage, ensuring that sensitive information remains accessible and reliable.4
In an era of unprecedented data generation and storage, a robust data protection strategy is critical to maintaining trust and compliance in data-centric operations.
What Are Data Protection Principles?
Data protection principles are guidelines designed to safeguard data and ensure its availability under all circumstances. These principles cover operational data backup and business continuity/disaster recovery (BCDR), as well as aspects of data management and data availability.
Key aspects include:
Data availability: Ensuring that users can access and use the data required to perform business functions, even in cases of data loss or damage.
Data lifecycle management: Automating the transfer of critical data to both offline and online storage.
Information lifecycle management: Valuing, cataloging, and protecting information assets from various threats, such as facility outages, application and user errors, machine failure, and malware or virus attacks.6
Overview of global data protection frameworks (e.g., GDPR, CCPA).
The General Data Protection Regulation (GDPR) is a regulation (EU Regulation 2016/679) in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).7
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) is a Regulation in EU law on data protection and privacy in the EU (European Union) and the European Economic Area (EEA). It was approved by the EU in April 2016 and came into force on 25th May 2018.
The GDPR replaces the UK’s 1984 Data Protection Act and the EU’s Data Protection Directive, which initially came into force in 1995, with new guidelines that are better suited to the modern technology-dominated world.8 The GDPR’s primary objective is to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It is a regulation, not a directive, and therefore is directly binding and applicable to each member state of the European Union.
There are 11 chapters containing 99 articles.
Under the terms of GDPR, organisations must ensure that personal data is gathered legally and under strict conditions and those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so. GDPR also provides additional rights to people who want their personal data to get deleted, provided there are no grounds for retaining it (Right to Erasure).
The GDPR also strengthens reporting obligations and enforcement: data breaches must be reported within 72 hours. Failure to comply with the GDPR rules could result in a fine of up to 4% of global turnover or 20 million euros, whichever is greater.
To Whom Does GDPR Apply?
GDPR applies to any organisation operating within the European Union, as well as any organisation outside of the EU which offers goods and services to customers or businesses in the EU.
GDPR therefore has global implications. The legislation applies to two different types of data handlers – processors and controllers.
Controllers – A ‘controller’ is a person, public authority, agency or any other body which alone or jointly with others, determines the purposes and means of processing the personal data.
Processor – A ‘processor’ is a person, public authority, agency or any other body which processes personal data on behalf of the controller. Controllers must ensure that all contracts with processors comply with the GDPR.
Personal Data under GDPR
Personal data is data that relates to an identifiable living individual and includes names, e-mail IDs, ID card numbers and IP addresses. It also includes sensitive personal data such as genetic data, and biometric data which could be processed to uniquely identify an individual.
Supervisory Authority under GDPR
Under the GDPR, all member states need to appoint a supervisory authority. It is an independent public authority established in each member state to ensure the implementation of, and compliance with, the GDPR.
Data Protection Officer
GDPR legislation says that Data Protection Officers (DPO) must be appointed by some companies.12 This refers to public authorities and companies that process large amounts of data. The controller and the processor ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
The appointed DPO (Data Protection Officer) must have a high level of expert knowledge of the legislation, practices and GDPR compliance.
Pros and Cons of GDPR
The Pros:
- The GDPR acts as a guide to achieve a higher degree of data security.
- To comply with the GDPR rules, companies doing business in the EU or serving EU customers have improved their cybersecurity posture.
- With improved cybersecurity, clients put their trust in companies and share their data knowing that they are doing so in a secure environment.
- GDPR provides maximum importance to consumers’ consent.
The Cons:
As is often the case with legislation, there is a concern about overregulation when it comes to GDPR. If a company fails to comply with the norms set out by the GDPR, the penalty is huge: 4% of the company’s global turnover or 20 million euros, whichever is greater. GDPR adds a huge amount of complexity to online business, and every business needs to be compliant irrespective of its turnover.
In India, the Information Technology Act, 2000 (IT Act) and IT Rules deal with online data protection. While both the IT Act and GDPR have the objective of controlling and regulating the transfer of data for e-commerce, GDPR is more concerned with safeguarding the rights of (EU) citizens, whereas the same is missing in the Indian legislation. Both direct that data collection should be done with legal justification and that data should be collected only for the purpose stated.
While GDPR applies to data processing as well, the IT Act applies only to data gathering and usage (and not processing). Data integrity, protection from unauthorised processing, accountability, fairness, and transparency are among the principles stated in the GDPR but not included in the IT Act. The GDPR gives the Member States the authority to set special processing requirements and lists five additional conditions on the necessity of processing (Data Privacy Protection in India – Technology vis-à-vis Law, https://law.nirmauni.ac.in/data-privacy-protection-in-indiatechnology-vis-a-vis-law/). The IT Act does not entail such requirements. Both the IT Act and GDPR require consent before data collection and give consent providers the option to revoke such consent. GDPR defines consent, specifies conditions for children’s consent and requires the data controller to provide evidence of such consent, while the IT Act does not. Certain provisions of Section 43A of the IT Act (dealing with the rights to rectification, to information, and to revoke consent) align roughly with GDPR.14
The California Consumer Privacy Act of 2018 (CCPA)
The California Consumer Privacy Act of 2018 (CCPA)15 was signed into law in June 2018 and put into effect on January 1st, 2020, to respond to growing instances of businesses exploiting data privacy through poor data handling policies or data breaches. The CCPA gives Californian consumers greater transparency into how their sensitive personal information is handled. California was the first state to implement such strong data collection and handling laws, and its data security framework will likely become a blueprint for all other states.16
Under the CCPA, California residents have a right to:
- Know when their personal data is collected by businesses
- Know when their personal data is being sold to, or shared with, a third party
- Deny the sale of their personal data
- Have their personal data deletion request honored
As part of California’s new privacy law movement, this landmark move mirrors the consumer data protection posture outlined in the European Union’s General Data Protection Regulation (GDPR) and Canada’s propositions in Bill C-11. CCPA regulations17 also offer Californian businesses guidance on adhering to this law.
In November 2020, the California Privacy Rights Act (CPRA) was passed as an amendment to the CCPA, adding many additional consumer privacy rights. CCPA and CPRA are often used interchangeably, both discussing the same privacy regulations.
Similar data privacy laws are either being considered or are already implemented in Nebraska, New York, and Washington.
Who Must Comply with the California Consumer Privacy Act?
The CCPA applies to for-profit businesses that have business operations in California and meet any of the following criteria:
- Gross annual revenue of $25 million or more.
- Process personal information for over 50,000 Californian residents, households, or devices (including buying, receiving, or selling data).
- Attribute the sale of California residents’ personal data to at least 50% of their annual gross revenue.
CCPA compliance is not limited to businesses physically located in California. Any business located outside of California must still comply with CCPA regulations if it:
- Offers Californians the opportunity to purchase its products or services,
- Collects any personal information from Californians (such as IP addresses of web visitors), or
- Shares branding with a business that’s bound to the CCPA.
The CCPA does not apply to non-profit businesses.
How Does the CCPA Define Personal Data?
The enforcement of this law depends on the CCPA’s classification of personal data. Under the CCPA, a consumer’s personal information includes any data that identifies, connects, or relates to an individual and/or their household.18
This includes the following categories of personal information:
• Email addresses
• Social Security numbers
• Records of purchased products
• Internet browsing history and search history
• Geolocation data
• Biometric data
• Driver’s license numbers
• Inferences from other sources that can be used to create a profile about an individual’s preferences and characteristics
How Does the CCPA Differ From the GDPR?
The CCPA has a broader classification of personal data compared to the European Union’s (EU) GDPR. Unlike the GDPR, the CCPA extends its privacy practices to households as well: any data identifying an individual or household could be subject to CCPA regulations. Another difference between the two regulations is that the GDPR applies to any organization establishing a private data inventory for EU citizens, whereas CCPA compliance is only expected of businesses that meet any of the CCPA’s three thresholds.
CCPA and the Current California Data Breach Notification Law
The CCPA does not impact current data breach notification obligations under Section 1798.82 in the State of California, meaning organizations are not required to report data breaches under the CCPA. However, under the current California Data Breach Notification Law, businesses and state agencies must still notify California residents whenever an unauthorized party gains access to their unencrypted personal data in a data breach. Businesses can submit data breach notifications via an online portal.
Businesses suffering a breach impacting more than 500 California residents must submit a sample copy of the breach notifications to the California Attorney General. This notification must exclude any personal information identifiers.19
The CPRA also established the California Privacy Protection Agency (CPPA) to help the California Attorney General enforce the notification laws. California residents have the right to access all data breach notification submissions via an online search tool.
How Should Businesses Respond?
The following data breach mitigation actions should be implemented to meet the security posture expectations that still apply to all Californian businesses:
- Review mandatory cybersecurity frameworks – Businesses should review all mandatory cybersecurity regulations in their industry, such as HIPAA, PCI DSS, COBIT, NIST, ISO, etc.
- Implement cybersecurity frameworks – Even without mandatory compliance, implementing popular cybersecurity frameworks can significantly raise cyber resilience levels.
- Secure third-party attack surface – 60% of data breaches result from compromised third parties. A third-party attack surface monitoring solution will surface any third-party vulnerabilities increasing the risk of supply chain attacks and third-party data breaches.
- Review incident response plans – Ensure that all existing incident response plans support the rapid containment of data breaches and their notifications.
How to Comply with CCPA Requirements
Each of the key provisions of the CCPA detailed below is supported by a summary of how businesses should respond to attain compliance.
Automatic disclosure of personal data processing practices
Under the CCPA, businesses must:
• Notify consumers of the categories of personal data being collected at or before the instance of the collection.
• Update the following details in the data collection policies on their website every 12 months:
  • A detailed description of consumer rights under the CCPA. This should include the right to data deletion and the right to opt out of the sale of personal data.
  • A detailed description of how to submit data deletion requests.
  • An honest breakdown of all the categories of personal data sharing and selling practices in the last 12 months.
• Businesses are not obligated to honor requests to disclose personal data handling practices from the same customer more than twice in 12 months.
Evolution of Data Protection Law in India
“An Act to provide legal recognition for transactions carried out using electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies… and for matters connected therewith or incidental thereto.”
Preamble, Information Technology Act of 2000.20
The Information Technology Act of 2000 (IT Act), which was enacted in the context set out above, forms the current statutory basis for India’s data protection and privacy law.
Data protection and privacy
Over the years, as various types of technology emerged, numerous changes were introduced to the IT Act to deal with the challenges that these technologies brought forth.21 One such change was the enactment of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Although the Rules provide a certain amount of protection to personal information, the majority of the Rules were focused on providing guidelines for enhanced protection of sensitive personal information, a narrower subset of personal data/information. Additionally, since the Rules were enacted under the broader ambit of the IT Act, the protection of personal information, including sensitive personal information, is restricted to such data collected electronically. Also note that the Rules, for the most part, apply to bodies (including firms, sole proprietorships or other associations of individuals) engaging in commercial or professional activities.
By extension, the Rules would not apply to entities such as government or philanthropic entities, which may handle personal information (including sensitive personal information). These factors in turn acutely limit their application.22 However, despite these drawbacks, the Rules, along with the IT Act, continue to remain the primary regulation governing personal information.
A landmark ruling
The development of Indian data protection and privacy laws was accelerated by the Supreme Court’s judgement in the case of Justice K.S. Puttaswamy (Retd.) & Ors. v. Union of India23. This case was first filed in 2012 by Justice K.S. Puttaswamy (Retd.) and others, who contended that the Indian Government’s proposed scheme for a biometric-based identity card to access governmental benefits and services violated a citizen’s right to privacy. Through this judgement, the Supreme Court held the right to privacy to be a fundamental right under Article 21 of the Constitution of India and laid down a test to determine whether an act of the government would violate this right.
This judgement was a watershed moment in the evolution of personal data protection and privacy jurisprudence in India and kickstarted a movement for the introduction of a more robust and comprehensive data protection regulation in India.
Following this judgement, several initiatives have been undertaken to provide a statutory framework for the fundamental right to privacy and enhance data protection through legislative means. In the course of the last six years, the Indian Government has introduced and withdrawn two draft bills covering data protection and privacy, as well as tabled a report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 to examine the issues relating to data protection in India. Most recently, the Indian Government released the Draft Digital Personal Data Protection Bill, 2022, for public feedback. The Bill is due to be tabled in the Indian Parliament for discussion.24
The Bill applies to digitised personal data and imposes obligations on data fiduciaries to ensure the confidentiality, integrity, and security of personal data and provides for the right of individuals to access, correct, and erase their personal data. The Bill also proposes the establishment of a Data Protection Authority of India, which will be responsible for implementing and enforcing the provisions of the Bill. Additionally, the Bill allows for the transfer of personal data outside India.
Data security
Through an amendment to the IT Act in 2008, the Indian Computer Emergency Response Team (CERT-In) was designated as the national agency for performing certain functions in the area of cyber security. CERT-In is responsible for collecting, analysing, and disseminating information on cyber security incidents, as well as forecasting and alerting on potential incidents of this nature. CERT-In is authorised to take emergency measures to handle cyber security incidents and coordinate response activities. The agency also issues guidelines, advisories, vulnerability notes, and white papers on information security practices, procedures, prevention, response, and reporting of cyber incidents. Overall, CERT-In’s role is to ensure the security of information systems and to minimise the impact of any cyber security incidents that may occur.
The Indian personal data protection and privacy regulatory framework is currently evolving. It is expected that the Indian Government will replace the Rules with a more comprehensive framework for the protection of personal information and, in our view, new statutes and rules for the protection of personal data and privacy will mature to meet the standards of the right to privacy as encapsulated in the case of Justice K.S. Puttaswamy (Retd.) & Ors. v. Union of India.
Organisations must gear up for the possible enactment of a more robust framework for the protection of personal information and prepare for newer compliance requirements that they may be subject to under such a framework.
REFERENCES
- Chatterjee, S., 2019. Is data privacy a fundamental right in India? An analysis and recommendations from policy and legal perspective. International Journal of Law and Management, 61(1), pp.170-190.
- Banisar, D. and Davies, S., 1999. Global trends in privacy protection: An international survey of privacy, data protection, and surveillance laws and developments. J. Marshall J. Computer & Info. L., 18, p.1.
- Parsheera, S. and Jha, P., 2020. Cross-Border Data Access for Law Enforcement: What Are India’s Strategic Options. Carnegie India.
- Kumaraguru, P. and Cranor, L., 2005, May. Privacy in India: Attitudes and awareness. In International Workshop on Privacy Enhancing Technologies (pp. 243-258). Berlin, Heidelberg: Springer Berlin Heidelberg.
- Mell, P. and Grance, T., 2009. The NIST definition of cloud computing. National Institute of Standards and Technology, vol. 53, no. 6, article 50.
- Shiv Shankar Singh, Privacy and Data Protection in India: A Critical Assessment, JSTOR, Volume 53 no. 4, 2011.
- Information to be provided where personal data are collected from the data subject, https://gdpr-info.eu/art-13-gdpr/.
- Hunton & Williams, The Proposed EU General Data Protection Regulation, A Guide for in-house lawyers, 2015.
- Information Commissioners Office – ICO, Data protection, Guide General Data Protection Regulation (GDPR), 2018.
- G. Latchams, A practical guide to the General Data Protection Regulation, Version 1.0, 2017.
- Charity Finance Group (CFG), Inspiring Financial Leadership, General data protection regulation: a guide for charities, 2017.
- S. Blanchard, R. Smith, L. BlueVenn, The General Data Protection Regulation(GDPR) A practical guide for businesses, 2016.
- Ibid.
- The California Consumer Privacy Act, 2018, §§1798, No. 100-199 of the Civil Code (California).
- Jerome, J., 2018. California Privacy Law Shows Data Protection is on the March. Antitrust, 33, p.96.
- Li, Y., 2019. The California Consumer Privacy Act of 2018: Toughest US Data Privacy Law with Teeth? Loy. Consumer L. Rev., 32, p.177.
- Determann, L. and Tam, J., 2020. The California Privacy Rights Act of 2020: A broad and complex data processing regulation that applies to businesses worldwide. Journal of Data Protection & Privacy, 4(1), pp.7-21.
- de la Torre, L.F. and Kitces, L., 2019. Compliance with the California Consumer Privacy Act in the Workplace: What Employers Need to Know. Competition: Journal of the Antitrust and Unfair Competition Law Section of the California Lawyers Association, 29(2).
- Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).
- Duraiswami, D.R., 2017. Privacy and Data Protection in India. Journal of Law & Cyber Warfare, 6(1), pp.166-186.
- Singh, A., 2017. Data Protection. Journal of the Indian Law Institute, 59(1), pp.78-101.
- AIR 2018 SC (SUPP) 1841.
- Acharya, B., 2015. The four parts of privacy in India. Economic and Political Weekly, pp.32-38.