
Comparison between Countries based on IT Act

1. Data Protection

European Union: In the EU, the General Data Protection Regulation (GDPR) 2016/679 is a regulation
in EU law on data protection and privacy for all individual citizens of the European Union and
the European Economic Area (EEA). It also addresses the export of personal data outside the
EU and EEA. The GDPR aims primarily to give individuals control over their personal
data and to simplify the regulatory environment for international business by unifying the
regulation within the EU. Superseding the Data Protection Directive 95/46/EC, the regulation
contains provisions and requirements pertaining to the processing of personal data of
individuals (formally called data subjects in the GDPR) inside the EEA. The GDPR has a
significant impact beyond the EU because it applies to any organization that collects or
processes data in the EU or from residents of the EU. The GDPR was created to harmonize
laws across all member states, though it still allows individual nations to customize certain
aspects to fit national needs. It provides a comprehensive set of privacy and data protections,
as well as rules on breach disclosures, transfer of data and redress mechanisms. It also
specifies some of the highest penalties for violating such protections, with a maximum fine of
up to €20 million for companies and other organizations, or 4% of the prior year's turnover
for a company, whichever is higher (Article 83, Paragraphs 5 and 6). If the GDPR had been
in force in 2017, Equifax, which collects information on UK citizens (who were still EU
citizens pre-Brexit), would have come in for considerable scrutiny for both its security measures
prior to the breach and its actions thereafter. Research indicates that approximately 25% of
software vulnerabilities have GDPR implications. Since Article 33 emphasizes breaches, not
bugs, security experts advise companies to invest in processes and capabilities to identify
vulnerabilities before they can be exploited, including coordinated vulnerability disclosure
processes.

China: China too has multiple laws and regulations covering data protection. They provide
individual protections such as requiring consent, protection of sensitive information, and
limitation on use of data. The laws also highlight the state's interest in knowing and controlling
individuals' speech and activities on the Internet. A new Cybersecurity Law that took effect on
May 1, 2017 forbids people from using information networks to violate the privacy of others,
using illegal methods to acquire personal information, and using their positions of access to
acquire, leak, sell or share personal information. The law has also created confusion for
foreign businesses by requiring providers of critical information infrastructure (CII) to store
"personal information and other important data" on mainland China. The exact definitions of
what constitutes a CII provider and what is "important data" remain unclear.

USA: Information technology law (also called "cyberlaw") concerns the law of information
technology, including computing and the internet. It also concerns legal informatics, and
governs the digital dissemination of both (digitalized) information and software, information
security and electronic commerce aspects; it has been described as "paper laws" for a
"paperless environment". It raises specific issues of intellectual property in computing and
online, contract law, privacy, freedom of expression, and jurisdiction. Intellectual property is
an important component of IT law, including copyright, rules on fair use, special rules
on copy protection for digital media, and circumvention of such schemes. The area of software
patents is controversial, and still evolving in Europe and elsewhere. The issue of data privacy
in the US made news due to the passing of a law that allows Internet service providers
(ISPs) to collect and sell their customers' browsing data without prior consent. The US is
generally considered to have strong data privacy and protection laws, albeit in a patchwork of
regulations and federal and state laws. Disclosure of health data is highly regulated at the
federal level, and breach notification laws were pioneered in the US, though they vary by state.
The threat of class action lawsuits adds a powerful impetus for companies to take
measures to protect data and privacy. Due to its economic size and population, the US sets a trend
for many other states.

India: The provisions of the IT Act are limited in their applicability and do not appear to take
into account the wide range of instances of data protection violation which may occur due to
advancement in the technology used for processing personal data. Moreover, the
quantum of penalty prescribed under the provisions of the IT Act appears to be inadequate and
may not act as a deterrent to emerging e-commerce and other technology-based players in
India.

In addition to the IT Act and the SPDI Rules, depending on the entity collecting the data and
type of data collected, several other Indian laws can also come into play when it comes to data
protection. For instance, collection of financial information (such as credit card, debit card,
other payment instrument details) is primarily regulated under the Credit Information
Companies (Regulation) Act, 2005 and regulations framed thereunder, along with the circulars
issued by the Reserve Bank of India from time to time. In the telecom sector, certain data
protection norms can be found in the Unified License Agreement issued to Telecom Service
Providers by the Department of Telecommunications, and to deal with unsolicited commercial
communications, the Telecom Commercial Communications Customer Preference
Regulations, 2010 have been formulated.

With the gamut of laws regulating collection and usage of various types of data, the data
protection regime in India is still not exhaustive enough, and several concerns are being raised
to further secure and adequately deal with the complex issues including loss of data and
consequent loss of privacy.

2. Cyber Security

UK: In the UK, the Data Protection Act and the Privacy and Electronic Communications
Regulations, among others, are regulatory legislation already existing in the area of information
security and cybercrime prevention. The Cybersecurity Act also creates a framework for
European Cybersecurity Certificates for products, processes and services that will be valid
throughout the EU. This is a groundbreaking development as it is the first internal market law
that takes up the challenge of enhancing the security of connected products, Internet of Things
devices and critical infrastructure through such certificates. The creation of such a
cybersecurity certification framework incorporates security features in the early stages of their
technical design and development (security by design). It also enables their users to ascertain
the level of security assurance, and ensures that these security features are independently
verified. The new rules will help people trust the devices they use every day because they can
choose between products, like Internet of Things devices, which are cyber secure.

The certification framework will be a one-stop shop for cybersecurity certification, resulting in
significant cost saving for enterprises, especially SMEs that would have otherwise had to apply
for several certificates in several countries. A single certification will also remove potential
market-entry barriers. Moreover, companies are incentivized to invest in the cybersecurity of
their products and turn this into a competitive advantage.

USA: In the USA there are many laws governing e-commerce and cybercrimes, going into
all the facets of cybercrime. Data communication, storage, child pornography, electronic
records and data privacy have all been addressed in separate Acts and Rules, each giving thrust
to the particular area on which that Act focuses.

The United States cyber security laws and privacy system is arguably the oldest, most robust
and effective in the world. The US privacy system relies more on post hoc government
enforcement and private litigation. Currently, cyber security regulation comprises directives
from the Executive Branch and legislation from Congress that safeguards information
technology and computer systems.

The purpose of cyber security regulation is to force companies and organizations to protect
their systems and information from cyber-attacks such as viruses, trojan horses, phishing,
denial of service (DoS) attacks, unauthorized access (stealing intellectual property or
confidential information) and control system attacks.

There are three main federal cybersecurity regulations –

– 1996 Health Insurance Portability and Accountability Act (HIPAA)

– 1999 Gramm-Leach-Bliley Act

– 2002 Homeland Security Act, which included the Federal Information Security
Management Act (FISMA)

These three regulations mandate that healthcare organizations, financial institutions, and
federal agencies should protect their systems and information. However, these rules are not
fool-proof in securing the data and require only a “reasonable” level of security.

China: In China, the new Cybersecurity Law, also referred to as the China Internet Security Law, was
enacted to increase cybersecurity and national security, safeguard cyberspace sovereignty
and public interest, protect the legitimate rights and interests of citizens, legal persons and
other organizations, and promote healthy economic and social development. The law in China is
too tight, brings restrictions to foreign companies doing business in China and has the
potential to discriminate against foreign technologies in favor of domestic industry. Below are
the provisions made under this Law:

– The principle of cyberspace sovereignty.

– Defined the security obligations of internet products and services providers.

– Detailed the internet service providers' security obligations.

– Further perfected the rules of personal information protection.

– Established a security system for key information infrastructure.

– Instituted rules for the transnational transmission of data at critical information
infrastructure.

The Cybersecurity Law is applicable to network operators and businesses in critical sectors,
which includes major networking businesses.

India: To protect people from cybercrime, there was a need for cyber laws, and so the
implementation of cyber laws in India began in the year 2000, with the IT Act as an introduction
to Indian cyber law. Cyber-crimes are not defined anywhere in the information
technology law of India, in the 2013 National Cyber Security Policy or under any other
laws, cyber-crime rules or regulations in India. However, cyber-crime has been dealt with
under various cybersecurity laws such as the Indian IT law, the Indian Penal Code, etc. In 2013,
the Government of India introduced a National Cyber Security Policy with the aim of protecting
information infrastructure, reducing vulnerability, increasing capability and safeguarding it from
cyber-attacks. However, the policy was not a success as it was just a compilation of
statements and objectives without specifying any roadmap for implementation. Cyber law is
defined as a subset of law which specifically deals with inter-network technology, meaning
that the cyber law of India deals with crime done through a computer or any other digital
device.

Cyber law in India is important primarily because the cybercrime law in India encompasses
and covers all the aspects which occur on or with the internet, that is, transactions and
activities which concern the internet and cyberspace.

Types of Cyber crimes

– Identity theft - When personal information of a person is stolen with the purpose of
using their financial resources or to take a loan or credit card in their name, such a
crime is known as identity theft.

– Cyberbullying - When a teenager or adolescent harasses, defames, embarrasses or
intimidates somebody else with the use of the internet, phone, chat rooms, instant
messaging or any other social network, the person is said to be committing the
crime of cyberbullying. When the same crime is done by adults it is known
as cyberstalking.

– Cyberterrorism - When a threat of extortion or any kind of harm is directed
towards a person, organization, group or state, it is known as the crime of cyber
terrorism.

– Hacking - In this crime, the person gets access to other persons' computers and
passwords to use them for their own wrongful gain.

Conclusion

In India, if or when a new privacy and data protection law is enacted, the question is how well
will it be enforced. Such is currently the issue with the existing Information Technology Rules,
which govern many aspects of data protection and privacy, but which remain abysmally
unenforced. It is not even clear what the current mechanism for enforcement should be. The
Cyber Appellate Tribunal, set up as a forum to redress cyber fraud, had not adjudicated a
single case in five years, according to a report in December 2016. It was therefore encouraging
to see the alacrity with which law enforcement investigated and apprehended suspects in the
case of the Reliance Jio data breach in July. However, six weeks later, Jio still has not
acknowledged the breach or notified its customers.

This is where the EU’s GDPR may play a role. Companies that do business in Europe, or that
may have customers in Europe, will have to abide by the GDPR. That means, for example,
that SBI, which has a branch in Frankfurt, would be subject to GDPR practices on data
collection, systems security and breach disclosures. So would Flipkart, which recently
announced that it would expand internationally. Indian companies that have branch offices or
employees in Europe would also be affected, as would Indian companies that want to provide
back-office data processing services to European companies.

The GDPR also generally prohibits the transfer of data from Europe to companies from outside
the EU unless those non-EU countries have been certified as providing adequate data
protections. It is a high bar and currently only a handful of countries have been certified. The
Indian government and industry have unsuccessfully lobbied for years to get India accredited
under the current regulations, but GDPR will make that even more difficult. In this regard, the
Supreme Court ruling that privacy is a fundamental right will help, but a lot more work needs
to be done. A comprehensive data protection and privacy law with real enforcement
mechanisms would benefit Indians in more ways than one.

In India we require the framing of separate laws, each focused on a type of threat. The concept
of data protection itself has categories of data with different utility values, and like the U.S.,
many countries have different provisions for them. Being one of the most discussed topics of
the modern era, legislatures are required to frame more stringent and
comprehensive law for the protection of data, which requires a qualitative effort rather than a
quantitative one.

In a society that is more and more dependent on technology, crime based on electronic
offences is bound to increase, and the law makers have to go the extra mile compared to the
fraudsters to keep them at bay. Technology is always a double-edged sword and can be used
for both purposes, good or bad. Steganography, Trojan horses, scavenging (and even
DoS or DDoS) are all technologies and per se not crimes, but when they fall into the wrong hands,
with a criminal intent to capitalize on or misuse them, they come into the gamut of
cybercrime and become punishable offences. Hence, it should be the persistent effort of
rulers and law makers to ensure that technology grows in a healthy manner and is used for
legal and ethical business growth and not for committing crimes.

Worldwide: An Overview Of Data Protection Laws In India And European Union

Last Updated: 4 April 2018

Article by Seema Jhingan, Neha Yadav and Monica Benjamin

LexCounsel Law Offices

This article has been co-authored by the team of LexCounsel Law Offices in collaboration with Ms.
Magdalena Jacolik of Aliant Krzyżowska International Law Firm, Poland

Communication, transfer, storage and use of data (and often sensitive, confidential and personal
data) has become part and parcel of today's digital transactions. While electronic transactions are
quickly becoming an easier and efficient way of transacting as opposed to the traditional offline
paper work, they are not without the risk of hacking, data theft and other cybercrimes. Data
protection has therefore become a multi-jurisdictional issue in this borderless digital world, and
countries around the world have developed regulatory frameworks to specifically address and
protect against loss of privacy.

India is still at a relatively nascent stage when it comes to data protection regulations, as compared
to other jurisdictions such as the highly developed (and often stringent) guidelines prescribed by the
European Union ("EU") on data protection. Comparison of the two legal regimes offers certain
interesting insights on data protection laws, as discussed below.

A. Regulatory Framework in India.

(i) Information Technology Act, 2000 and SPDI Rules:

The legal principles regarding data protection are contained in the Information Technology Act, 2000
("IT Act") and the rules framed thereunder inter alia on matters relating to collection, storage,
disclosure and transfer of electronic data.

The IT Act also prescribes punishment of imprisonment and/or fine for offences involving illegal
downloading, destruction, alteration or deletion of data, introduction of viruses into computer
systems, illegal access to computer systems, data theft, identity theft, cheating by personation,
cyber terrorism, breach of confidentiality, privacy and disclosure of information in breach of lawful
contract, to name a few.

Specifically with respect to personal data, the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"),
mandate adherence to specified procedures and measures by a body corporate, which processes,
deals with, stores or handles sensitive personal information or data in a computer resource which it
owns, controls or operates. Some of the key compliances under the SPDI Rules are as follows:

– Obtaining prior written consent from the provider for collecting information, while providing
an option to the provider to not provide such information sought from it and to also
withdraw his/her consent given earlier in this regard.

– Taking reasonable steps to ensure that the information provider has knowledge of the
fact of collection, purpose of usage, intended recipients of the information and details of the
agency that is collecting and that will retain the information.

– Personal information should not be retained for longer than is necessary for achieving the
corresponding purpose or as is otherwise required under applicable law.

– Formulation and communication of a privacy policy for handling of or dealing in personal
information.

– Non-disclosure of personal information to any third party without prior permission (unless
such disclosure is required by law or has been contractually agreed with the information
provider).

– Designation of a grievance officer for addressing discrepancies and grievances.

– Implementation and maintenance of reasonable security practices and procedures. The
international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques -
Information Security Management System - Requirements" is deemed to be reasonable
security practice subject to certification by independent auditors.

– Information may be transferred to any other person that ensures the same level of data
protection as provided under the SPDI Rules, provided that it is necessary for performance
of a lawful contract with the information provider or where such provider has consented to
data transfer.

In addition to the IT Act and the SPDI Rules, depending on the entity collecting the data and type of
data collected, several other India laws can also come into play when it comes to data protection.
For instance, collection of financial information (such as credit card, debit card, other payment
instrument details) is primarily regulated under the Credit Information Companies (Regulation) Act,
2005 and regulations framed thereunder along with the circulars issued by Reserve Bank of India,
from time to time. In the telecom sector, certain data protection norms can be found in the Unified
License Agreement issued to Telecom Service Providers by the Department of Telecommunications,
and to deal with unsolicited commercial communications, the Telecom Commercial Communications
Customer Preference Regulations, 2010 have been formulated. Data protection norms for personal
information collected under the Aadhaar (Targeted Delivery of Financial and Other Subsidies,
Benefits and Services) Act, 2016 are also found in the Aadhaar (Data Security) Regulations, 2016,
which impose an obligation on the Unique Identification Authority of India (UIDAI) to have a security
policy which sets out the technical and organizational measures which will be adopted by it to keep
the information secure.

(ii) A New Data Protection Law on the Horizon:

With the gamut of laws regulating collection and usage of various types of data, the data protection
regime in India is still not exhaustive enough, and several concerns are being raised to further secure
and adequately deal with the complex issues including loss of data and consequent privacy.

The Indian Government is however, seeking to further strengthen and equip its regulatory
framework for data protection and privacy. Accordingly, a Committee of Experts under the
chairmanship of former Supreme Court Justice, Shri B. N. Srikrishna ("Committee"), has been formed
to study various issues relating to data protection in India, make specific suggestions on principles to
be considered for data protection and suggest a draft Data Protection Bill. The Committee has
accordingly released a white paper on November 27, 2017, on a data protection framework for
India, seeking public comments. In January earlier this year, the Committee in collaboration with the
Indian Ministry of Electronics & Information Technology has also conducted stakeholders'
consultation meetings at various Indian cities, to obtain their opinions and concerns regarding the
issues raised in the white paper.

This white paper has come on the heels of the Supreme Court's landmark judgment of August 24,
2017 in the case of Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors., 2017 (10)
SCALE 1, where the Court recognized the right to privacy as an intrinsic part of the fundamental
right to life and personal liberty under Article 21 of the Constitution of India. The Court observed
that 'informational privacy' is a facet of the right to privacy and recognized that dangers to privacy in
an age of information can originate not only from the state but from non-state actors as well. The
Court referred to how "'Uber' owns no vehicles, 'Facebook' creates no content, 'Alibaba' has no
inventory and 'Airbnb', the world's largest accommodation provider, owns no real estate, but
entities like these and other social network providers, search engines, e-mail service providers and
messaging applications, are all further examples of non-state actors that have extensive knowledge
of our activities, financial transactions, conversations, health, mental state, shopping habits, etc.
With increase in people's reliance on internet based services, deeper and deeper digital footprints
are being created and there is an unprecedented need for regulation regarding the extent to which
such information can be stored, processed and used by non-state actors and also by the State. Since
the Government had informed the Supreme Court of the constitution of the Committee to
review inter alia data protection norms in the country, the Court felt it was appropriate to leave the
matter for expert determination so that a robust regime for the protection of data is put into place.

The Committee in the white paper, has suggested that the data protection framework should be
based on seven principles: (i) law should be flexible to take into account changing technologies, (ii)
law must apply to both government and private sector entities, (iii) consent should be genuine,
informed, and meaningful, (iv) processing of data should be minimal and only for the purpose for
which it is sought, (v) entities controlling the data should be accountable for any data processing, (vi)
enforcement of the data protection framework should be by a high-powered statutory authority,
and (vii) penalties should be adequate to discourage any wrongful acts.

The Committee has sought public comments on questions relating to territorial applicability of data
protection laws; extent to which the law should apply outside India such as inclusion of measures to
ensure compliance by foreign entities; definition of personal data; categories of exemptions of
entities from certain obligations (e.g., certain actions taken by the state during investigations);
conditions of valid consent; exposure of online risks for children, purpose of collection; participation
rights of data provider in its processing (such as right to confirm, access and rectify data);
enforcement models/tools to be used for code of conduct, breach of personal data, categorization of
different data controllers, and creation of a separate data protection authority.

The Committee has also noted that the provisions of the IT Act are limited in their applicability and
do not appear to take into account the wide range of instances of data protection violation which
may occur due to advancement in technology used towards processing of personal data. Moreover,
the quantum of penalty prescribed under the provisions of the IT Act appear to be inadequate and
may not act as a deterrence to emerging e-commerce and other technology based players in India.
The white paper has accordingly discussed penalties for offences under the proposed law, and
adjudicating authorities for complaints; and noted that awarding compensation to an individual who
has incurred a loss or damage due to the data controller's failure is an important remedy to be
specified under the law.

B. Regulatory Framework in EU.

A significant development in the data protection regime in the EU, has been the introduction of the
Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data and the repeal of Directive 95/46/EC ("General Data Protection Regulation" or
"Regulation").

The provisions contained in the Regulation are applicable from 25th May 2018. It is worth
mentioning that in accordance with Article 288 of the Treaty on the Functioning of the European
Union, the Regulation is binding in its entirety and is directly applicable in all Member States of the
EU. Therefore this Regulation does not require additional implementation by acts of national law, as
the provisions included in it are binding from the date of its entry into force. An important feature
of the Regulation is also its direct effect, which means that both the Member States and the units
can rely directly on the measures contained in the Regulation.

The Regulation concerns "the protection of individuals with regard to the processing of personal data
and (...) the free movement of such data". Certain fundamental features of the Regulation are
specified below:

– Key Definitions: Article 4(1) of the Regulation defines the concept of "personal data" as
"the personal information means information about an identified or identifiable natural
person ("the data subject"); an identifiable person is a person that can be directly or
indirectly identified, in particular on the basis of the ID such as first and last name,
identification number, location data, online ID or one or more factors specific to physical,
physiological, genetic, mental, economic, cultural or social identity of the natural
person". Article 4(2) defines the concept of "processing" as "the processing means an
operation or set of operations performed on personal data or sets of personal data in an
automated or non-automated way, such as collection, organization, ordering, storage,
adaptation or modification, downloading, viewing, using, disclosure by sending,
dissemination or another type of sharing, matching or connecting, limiting, deleting or
destroying".

– It is also worth emphasizing that as per clause (15) the protection concerning the processing
of personal data should not be dependent on the forms used for the processing of data. Also, the
Regulation is not applicable to the processing of personal data by the relevant authorities in
order to e.g. protect public or national safety under Article 2(d), and to the processing of
anonymous information including for statistical or research purposes under clause (26).

– Extra-Territorial Application: The question of territorial application of the Regulation is
dealt with in Article 3, according to which the Regulation is applicable to:

(i) processing of personal data in connection with the activities carried out by the administrator's
organizational unit or by the processor in the European Union, regardless of whether the processing
takes place in the European Union;

(ii) the processing of personal data of the persons to whom the data relates, staying in the
European Union by the administrator or the processing unit without organizational units in the
Union, if the processing operations are related to:

a. offering goods or services to such persons to whom the data relates, in the European Union -
regardless of whether the payment from such persons is required; or

b. monitoring of their behaviour, unless the behaviour occurs in the European Union.

(iii) the processing of personal data by the administrator not having any organizational units in the
EU, but having an organizational unit in a place, where under the public international law the law of
the Member State of EU applies.

 Fair and lawful processing: Personal data must be processed fairly - in accordance with
clause (60) of the Regulation i.e. that the administrator should inform the person that such
data relates to, about the context, purposes and circumstances of information processed
and to be within the limits of the law - in accordance with clause (40) i.e., on the basis of
consent expressed by the person to whom the data relates or on the different legal basis.

 No Misleading Information: Any misleading information and those that are invalid from the
point of view of the purpose of the processing, should be corrected or deleted in accordance
with Article 5(1)(d) of the Regulation.
 Processing of Special Categories of Personal Data: It is not permitted to process the
personal data of a particular category i.e. including sexual orientation, political opinions,
religion, racial/ethnic origin or health (Article 9).

 Processing not requiring identification: When the information is not sufficient to identify
the person, the administrator is not required to obtain further information necessary for the
identification of such natural person, if the objectives of processing do not oblige to do that
(Article 11(1)).

• Purpose of Collection: Personal data should be processed in accordance with the purpose
for which they were collected. However, if the administrator intends to process the data for
other purposes, it is obliged to inform the person to whom the data relate and to provide the
necessary information (Clause (50) and Article 14(4)).

• Right of Access: A natural person should have access to the data relating to him or her. The
administrator who receives data from that person should inform the person about the
purposes of the processing of such data, about the recipients, and also about the right to
request from the administrator, at any time, deletion or correction of the data or to object to
the processing (Article 15).

• Right to be forgotten: Article 17 establishes the "right to be forgotten", i.e. a natural person
to whom the data relate may demand that the administrator delete the data in designated
circumstances, namely where the personal data are no longer needed for the purposes for
which they were collected, were processed in an unlawful manner, or the person withdrew
his or her consent or objected.

• Permitted Profiling: Decision-making on the basis of profiling should be allowed where it is
expressly authorized by European Union law or by the law of the Member State to which the
administrator is subject, including for the purposes of monitoring and preventing fraud and
tax evasion - in accordance with the regulations, standards and recommendations of the
institutions of the European Union or of national supervisory authorities - and for ensuring
the security and reliability of the services provided by the administrator; or where it is
necessary for the conclusion or performance of a contract between the person to whom the
data relate and the administrator; or where the person to whom the data relate has given
explicit consent (Clause (71)).

• Restrictions: Restrictions of individuals' rights to protection with regard to the processing of
personal data are justified if they serve the protection of public security, public health,
national security or the prevention of crime (Article 23).

• Safety: The administrator and the processor shall implement appropriate measures to
ensure the security of data processing (Article 32).

• Duty to report breach: Article 33 sets out the duty to report breaches of personal data
protection, under which the administrator should notify the supervisory authority of a
personal data breach (within 72 hours). The processor is required to inform the administrator
of a personal data breach without undue delay.

• Data protection impact assessment: Under Article 35, the administrator assesses the
impact of the planned data processing and the risks associated with the processing of such
data.

• Data Protection Officer: Under Article 37(1) the administrator and the processor designate
a Data Protection Officer (DPO) where:

a) processing is carried out by a public authority or body, with the exception of courts acting in
their judicial capacity;

b) the main activity of the administrator or the processor is based on processing operations,
which due to their nature, scope or purposes require regular and systematic monitoring of persons
the data relates to, on a large scale; or

c) the main activity of the administrator or the processor is to process special categories of
personal data on a large scale, referred to in Article 9(1) and personal data on convictions and
infringements of the law as referred to in Article 10.

It should be noted that the Data Protection Officer is designated on the basis of professional
qualifications, and that the officer reports directly to the top management of the administrator or
processor. The officer's tasks include:

a) informing the administrator, the processor and the employees who process personal data
about their obligations under this Regulation and under other provisions of the EU or the
Member States on data protection, and advising them on these matters;

b) monitoring compliance with this Regulation, with other provisions of the European Union or
the Member States on data protection, and with the administrator's or processor's policies in the
field of personal data protection, including the assignment of responsibilities, awareness-raising
actions, training of staff involved in the processing operations and the related audits;

c) cooperation with the supervisory authority.

• Codes of Conduct: The Commission, the European Data Protection Board, the Member
States and supervisory authorities encourage the development of codes of conduct that are
to promote the proper application of the Regulation (Article 40).

• Certification: The Commission, the European Data Protection Board, the Member States and
supervisory authorities encourage the introduction of certification systems, quality labels
and markings that demonstrate that the processing of personal data complies with the
provisions of this Regulation.

• Supervisory Authority: In each Member State there is to be at least one independent
supervisory authority, responsible, among other things, for the appropriate protection of
individuals' data in relation to its processing and for the proper application of the Regulation
(Article 51).

• European Data Protection Board: Article 68 of the Regulation provides for the establishment of
the European Data Protection Board ("EDPB"). The EDPB consists of the head of one
supervisory authority of each Member State and the European Data Protection Supervisor, or
their representatives. Importantly, the Commission may participate in the meetings and
activities of the EDPB, but without the right to vote. The EDPB has a chairman, who
represents it, and two vice-chairmen (Article 73). The EDPB is an independent body; it settles
disputes (Article 65), monitors and supports the proper application of the Regulation, issues
recommendations and guidelines, provides opinions to the European Commission on
certification and similar matters, and also plays an advisory role (Article 70).

• Penalties: Article 83 of the Regulation provides for financial penalties for infringement of
its provisions. These penalties shall be proportionate, but above all effective and dissuasive.

• Adequacy Requirements: Transfers of personal data to third countries which have not been
recognized by the EU as ensuring an adequate level of data protection (such as India) may
take place only under one of the conditions specified in Article 49, such as:

a) explicit consent of the data subject to the proposed transfer, after being informed of the
possible risks;

b) the transfer is necessary for the performance of a contract between the data subject and the
controller or the implementation of pre-contractual measures taken at the data subject's request or
for conclusion or performance of a contract concluded in the interest of the data subject between
the controller and another person;

c) the transfer is necessary for important reasons of public interest; or for establishment, exercise
or defence of legal claims; or in order to protect the vital interests of the data subject;

d) the transfer is made from a register of public information as prescribed therein; or

e) on certain other conditions as specified therein.

• Binding Corporate Rules: Article 47 of the Regulation also provides for the concept of
"Binding Corporate Rules" (BCR), which can be a viable alternative in cases where the
adequacy requirements are not met for the transfer of data to third countries or organizations
outside the EU. Binding corporate rules are defined as personal data protection policies adhered
to by a controller or processor established on the territory of a Member State for transfers
of personal data to a controller or processor in third countries within a group of
undertakings, or a group of enterprises engaged in a joint economic activity. As per Article 47
of the Regulation, the competent supervisory authority is to approve binding corporate rules
in accordance with the mechanism set out in the Regulation.

Given the rapid development of collaboration between EU and Indian companies, especially in
the IT field, it should be stressed that data protection requirements at a similar level are to be
expected on both sides. It is also important to note that, according to the Regulation, the
processing of personal data of persons located in the EU by an administrator or processor, even
one that has no organizational unit in the EU, is subject to the Regulation where it involves
monitoring the behaviour of those persons, if that behaviour takes place in the EU. Therefore,
in order to be legally secure, without the risk of administrative penalties or civil liability towards
the customer, when entrusting personal data to third-country entities providing IT services, it
seems easiest and safest to conclude a data transfer contract with the service provider that
contains the standard contractual clauses on the protection of personal data approved by the
European Commission. In the case of international capital groups, whose members often
cooperate in a manner requiring the transfer of personal data, an attractive alternative to the
transfer agreements mentioned above may be the use of appropriate binding corporate rules, as
mentioned above.

C. The Future ahead.

As opposed to the stringent EU model, the current Indian regulatory framework on data protection
is not adequate to address the growing concerns arising from the collection and linking of data,
including biometrics, by the Government under the Aadhaar Act, and from the exponential
advances in technology and digital transactions, which increase the risk of data violations.
Recognizing these issues, the Government of India is working on a more effective legal framework
for data protection, an initiative led by the Committee mentioned above. However, the devil lies in
the details, and it remains to be seen how far appropriate changes and global concepts will be
introduced, implemented and enforced in the Indian context.

Further, in the meantime, the EU's new General Data Protection Regulation, which comes into
effect in May 2018, is expected to have far-reaching implications even in the Indian context, due to
its applicability to Indian entities that deal with the data of EU nationals (as discussed above). As of
today, India is not recognized by the EU as a country with an adequate level of data protection,
which therefore requires additional compliance measures for the transfer and processing of data by
such Indian entities. From an Indian perspective, it therefore becomes imperative for such Indian
entities to implement the data protection requirements stipulated in the EU Regulation within their
systems, particularly as their EU counterparts are likely to insist on compliance with the Regulation
as part of their standard contractual clauses, given the heavy penalties associated with
non-compliance with the Regulation.

Bibliography:

1. Information Technology Act, 2000 and Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules, 2011.

2. White Paper on Data Protection Framework for India:
[http://meity.gov.in/white-paper-data-protection-framework-india-public-comments-invited].

3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
Official Journal of the EU of 04.05.2016, L 119, page 1.

4. Treaty on the Functioning of the European Union, Official Journal of 2012, C 326, page 1.

5. P. Justyńska, Zasady prawa Unii Europejskiej, [in:] J. Galster (ed.), Podstawy prawa Unii
Europejskiej z uwzględnieniem Traktatu z Lizbony, Toruń 2010, page 251 et seq., 326 et seq.

6. http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=LEGISSUM%3Al14522, as at 02.01.2018.

7. Public consultation on White Paper – Data Protection Framework for India, Press Release dated
December 28, 2017:
[http://meity.gov.in/writereaddata/files/public_consultation_on_white_paper.pdf].

Magdalena Jacolik (Master in European Law), Associate (aliant@aliantlaw.pl) at Aliant Krzyżowska
International Law Firm, Poland, assisted with this article.

This article has been co-authored by the team of LexCounsel Law Offices in collaboration with Ms.
Magdalena Jacolik of Aliant Krzyżowska International Law Firm, Poland.

LexCounsel provides this e-update on a complimentary basis solely for informational purposes. It is
not intended to constitute, and should not be taken as, legal advice, or a communication intended to
solicit or establish any attorney-client relationship between LexCounsel and the reader(s).
LexCounsel shall not have any obligations or liabilities towards any acts or omission of any reader(s)
consequent to any information contained in this e-newsletter. The readers are advised to consult
competent professionals in their own judgment before acting on the basis of any information
provided hereby.

EU negotiators agree on strengthening Europe's cybersecurity

Last night, the European Parliament, the Council and the European
Commission reached a political agreement on the Cybersecurity Act,
which reinforces the mandate of the EU Agency for Cybersecurity
(European Union Agency for Network and Information Security,
ENISA) so as to better support Member States in tackling cybersecurity
threats and attacks. The Act also establishes an EU framework for
cybersecurity certification, boosting the cybersecurity of online services and
consumer devices.
Proposed in 2017 as part of a wide-ranging set of measures to deal with
cyber-attacks and to build strong cybersecurity in the EU, the Cybersecurity
Act includes:

• A permanent mandate for the EU Cybersecurity Agency, ENISA, to
replace its limited mandate that would have expired in 2020, as well
as more resources allocated to the agency to enable it to fulfil its
goals, and

• a stronger basis for ENISA in the new cybersecurity certification
framework to assist Member States in effectively responding to
cyber-attacks with a greater role in cooperation and coordination at
Union level.

In addition, ENISA will help increase cybersecurity capabilities at EU level
and support capacity building and preparedness. Finally, ENISA will be an
independent centre of expertise that will help promote a high level of
awareness among citizens and businesses, and will also assist EU Institutions and
Member States in policy development and implementation.
The Cybersecurity Act also creates a framework for European
Cybersecurity Certificates for products, processes and services that will
be valid throughout the EU. This is a ground-breaking development, as it is
the first internal market law that takes up the challenge of enhancing the
security of connected products, Internet of Things devices and critical
infrastructure through such certificates. The cybersecurity certification
framework requires security features to be incorporated in the early stages of
a product's technical design and development (security by design). It also
enables users to ascertain the level of security assurance, and ensures that
these security features are independently verified.
Benefits for citizens and businesses

The new rules will help people trust the devices they use every day,
because they will be able to choose products, such as Internet of Things
devices, that are cyber-secure.
The certification framework will be a one-stop shop for cybersecurity
certification, resulting in significant cost savings for enterprises, especially
SMEs, which would otherwise have had to apply for several certificates in
several countries. A single certification will also remove potential market-entry
barriers. Moreover, companies are incentivized to invest in the
cybersecurity of their products and turn this into a competitive advantage.