
Dissertation

by Gurneet Kaur

Submission date: 20-Sep-2019 01:39PM (UTC+0530)


INTRODUCTION

"The world's most valuable resource is no longer oil, but data" - The Economist

Data privacy has always been important across the globe. Earlier, people used to put locks on
the cabinets which contained files holding their personal, sensitive information. With recent
incidents in which the phone numbers of hundreds of millions of people, linked to their Facebook
profiles, were found in a database openly accessible to anyone, data privacy is gaining great
importance.

Millions of new internet users come online every day across the globe, and the world is
transitioning to a digital economy. The handling of personal data has become pervasive in both
the public and the private sector. Information is valuable in itself, and all the more so when it is
shared, leading to large gains in efficiency. The reality of the digital environment today is that
almost every activity undertaken by an individual involves some form of data exchange.

The Internet has created entirely new markets: those dealing in the collection, organisation and
processing of personal data, whether directly or as a core component of their business model.
Something as simple as hailing a taxi now involves the use of a mobile application which collects
and uses various kinds of data, for example the user's financial details, their real-time location and
data about their past trips. Data is fundamentally changing the way people do business, how they
communicate and how they make their decisions.

Various businesses are now building enormous databases of consumer preferences and
behaviour. Data can be compressed, organised, controlled, searched and interpreted as never
before, and can therefore be converted more effectively into useful information. There are
numerous benefits to be gained by collecting and analysing personal data from individuals.
Pooled datasets allow faster detection of patterns and more precise targeting.

For example, in the healthcare sector, by collecting and analysing large datasets of individuals'
health records and past hospital visits, healthcare providers could make diagnostic predictions and
treatment recommendations; a person's location data could be used to monitor traffic and improve
driving conditions on the road; banks can use Big Data techniques to improve fraud detection; and
insurers can make the process of applying for insurance simpler by using insights gathered from
pooled datasets.

GENERAL DATA PROTECTION REGULATION


In 2012 the European Commission set out a plan for data protection across the European Union
(EU) with the aim of making Europe "fit for the digital age". The General Data Protection
Regulation (GDPR) was approved after four years of debate and preparation, and was finally
approved by the European Parliament in 2016. The official regulation was later published in all
official languages of the EU in May 2016. The legislation came into force on 25 May 2018.

One of the key components of the reform is the introduction of the GDPR. This EU framework
applies to organisations in all member states and has implications for businesses and individuals
across Europe, and beyond.

GDPR is a new set of rules designed to give EU residents more control over their own personal
data. It aims to simplify the regulatory environment for business so that both citizens and
organisations in the European Union can fully benefit from the digital economy. The reforms are
designed to reflect the world we are living in now, and bring laws and obligations - including those
around personal data, privacy and consent - across Europe up to speed for the internet-connected
age.

There are situations where a data breach happens inevitably. Sometimes the information is lost,
stolen or even released to people who were never meant to see it, and these people usually have
malicious intent. Under the terms of the GDPR, organisations need to ensure that personal data is
gathered under legal and strict conditions. Those collecting or managing the data are also obliged
to safeguard it from being misused or exploited. Respecting the rights of the data owners is also
essential, or penalties may be imposed for the contrary.

GDPR applies to any organisation operating within the EU, as well as any organisation outside the
EU which offers goods or services to customers or businesses in the EU. This implies that almost
every major enterprise in the world needs a GDPR compliance strategy. There are two different
types of data handlers the legislation applies to: 'processors' and 'controllers'. The definitions of
each are laid out in Article 4 of the General Data Protection Regulation [1].

GDPR ultimately places a legal obligation on the processor to maintain records of personal data
and the way it is processed, providing a far higher level of legal liability should the organisation be
breached. It must be ensured that contracts with processors are in compliance with the GDPR.
Photos, names and addresses are considered types of personal data under the current legislation.
The definition is also extended to include IP addresses. Sensitive personal data is also included,
such as biometric data and genetic data, which can be processed to identify an individual uniquely.

Companies like Amazon, Tata Consultancy Services, Procam, etc. have also restructured their
policies post-GDPR because they hold large amounts of customer data, and their priority is
keeping that data safe and assuring their customers of the same.

RIGHT TO BE FORGOTTEN

The circumstances under which individuals can exercise their right to be forgotten are set out in
Article 17 of the GDPR [2]. Individuals have the option of getting their data erased on the
following grounds:

• The data is not required any longer for the purpose it was collected.
• There is no legal basis existing in order to process the personal information.
• Data subject has withdrawn consent.
Erasure of data is to be performed by the Controller, who is liable for it, without causing any delay
and taking account of the cost of implementation where the personal data has been made available
to the public. There are a few exemptions to this right. The obligation shall not apply if the
processing is required for the purpose of freedom of speech and expression; for public health
reasons; for compliance with a Union or Member State legal obligation; for the establishment,
exercise or defence of legal claims; for archiving, for the performance of a public interest task or
the exercise of official authority; or for research or statistical purposes (if the relevant conditions
for this type of processing are met).

[1] 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly
with others, determines the purposes and means of the processing of personal data; where the purposes and
means of such processing are determined by Union or Member State law, the controller or the specific criteria
for its nomination may be provided for by Union or Member State law.
[2] ("Art. 17 GDPR - Right to Erasure ('Right to Be Forgotten') | General Data Protection Regulation (GDPR)")
The right to be forgotten has both positive implications for the data subject and practical
implications for data controllers and processors. Every organisation will need to have processes
and procedures in place to be able to erase all personal data held about any individual by that
organisation (including any data held on back-up tapes and in data storage systems) [3].

Currently, keeping track of the personal data lifecycle has become an essential part of an
organisation. But this is not yet done by many organisations, as they need to consider building
new IT systems and putting in place new procedures to ensure that privacy is maintained while
such requests are entertained. Data controllers shall also ensure that their data processors are
exercising these rights and have maintained similar capabilities in order to fulfil requests to erase
the personal information stored in their systems. A leading search engine reported that it received
over 50,000 requests [4] for articles to be removed from search results.

Even if all the requests did not come from the same person, this clearly shows that there is a huge
demand among people to be forgotten. This right will give people the freedom to remove their
personal information, which may have been with an organisation for ages. On the contrary, this
right is also seen as inconsistent with freedom of expression and is considered an option for data
subjects who may use it as an opportunity to cover up their past. It is essential to assess this right
on a case-by-case basis to avoid any situation where people start taking advantage of it.

This right can be considered neither absolute nor unlimited. It needs to strike a balance against
freedom of information and the public interest.

The exceptions to the right to erasure and reasons to refuse to comply include [5]:

• The right of freedom of expression and information

• Compliance with legal obligations or official authorities

• Public health reasons or the performance of a public interest task

• Archiving purposes in the public interest, scientific research, historic research or
statistical analysis

• If needed for the exercise or defence of legal claims

[3] (ET CONTRIBUTORS)
[4] (ET CONTRIBUTORS)
[5] (ET CONTRIBUTORS)

The biggest challenge concerning the right to erasure is that the onus is on controllers to weigh up
the request against other competing rights and interests. In effect, data controllers will be required
to be judge and jury, with responsibility for any mishandling of requests sitting on their shoulders.

ADMINISTRATIVE FINES
Supervisory authorities can impose significant administrative fines on both data processors and
data controllers. In addition to, or instead of, the measures ordered by the supervisory authorities,
fines can also be imposed for a range of contraventions, including procedural infringements. These
fines are not mandatory but discretionary, and shall be imposed on a case-by-case basis.

The two tiers of administrative fines are [6]:

• Some contraventions will be subject to administrative fines of up to €10,000,000 or, in the
case of undertakings, 2% of global turnover, whichever is the higher.

• Others will be subject to administrative fines of up to €20,000,000 or, in the case of
undertakings, 4% of global turnover, whichever is the higher.

• Member States may determine whether, and to what extent, public authorities should be
subject to administrative fines.

Administrative fines are not applied automatically but are to be imposed on a case-by-case basis.
Recital 148 [7] clarifies that in the case of a minor infringement, or where a fine would impose a
disproportionate burden on a natural person, a reprimand may be issued instead of a fine.

[6] (Enforcement / Administrative Fines)

A high degree of variation currently exists across the member states in the imposition of financial
penalties by the supervisory authorities. Even though there are arrangements under the GDPR
which allow the authorities to use their discretion in relation to the imposition of maximum
penalties, Recital 150 [8] indicates that the consistency mechanism can be used to promote a
consistent application of administrative fines. Each member state may lay down rules on whether,
and to what extent, administrative fines can be imposed on bodies and public authorities
established in that member state.

FACTORS CONSIDERED FOR LEVYING FINE AS PER GDPR

• Nature of infringement
• Number of people affected
• Damages suffered
• Duration of infringement
• Purpose of processing
• Intention: Whether the infringement is intentional or negligent.
• Mitigation: Actions taken to mitigate damage to data subjects.
• Preventative Measures: Preparedness of the organization to prevent non-compliance.
• History: Past relevant infringements, not just under GDPR, and past administrative
corrective actions.
• Cooperation: Level of cooperation shown by the firm to the Supervisory Authority for
remedying the infringement.
• Data type: Type of data the infringement impacts.
• Notification: Whether the infringement was proactively reported to the Supervisory
Authority by the firm itself or by a third party.
• Certification: Whether the firm had qualified under approved certifications or adhered to
approved codes of conduct.
• Other: Other aggravating or mitigating factors may include the financial impact on the
firm from the infringement.

[7] ("Recital 148 - Penalties | General Data Protection Regulation (GDPR)")
[8] ("Recital 150 - Administrative Fines | General Data Protection Regulation (GDPR)")

COMPANIES PENALIZED

British Airways to face huge £183m fine for 2018 data breach

The Information Commissioner's Office (ICO) in the UK has just handed out a huge fine of
£180m to IAG-owned British Airways for the breach of its customer data. British Airways had
notified the ICO about the cyber incident back in September 2018.

What happened?

• User traffic on the British Airways website was being diverted to fraudulent sites, and the
attackers harvested customer details through these fraudulent sites.
• A variety of information, including login, payment card and travel booking details as well
as customers' name and address information, was stolen.
• Data of around 500,000 customers was accessed by the attackers, and British Airways
revealed that more than 380,000 transactions were affected by the breach.
• The ICO attributed the breach to poor security arrangements by British Airways.
• The ICO has also acknowledged that BA cooperated with its investigation and made
improvements to its security arrangements.

Why the massive fine?

• The proposed penalty is 367 times higher than the previous highest fine by the ICO, which
was the £500,000 imposed on Facebook over the Cambridge Analytica scandal.
• The UK has implemented a new data protection law mirroring the GDPR, under which
companies can be fined up to 4% of their annual global turnover.
• This fine amounts to 1.5% of IAG's turnover in 2017 and 7% of its net profit last year.
• British Airways has been stung by the huge fine, but it could have been worse. A fine of
4% of turnover would have been in the £500m region. The ICO may have taken into
account BA's cooperation and the corrective measures undertaken afterwards.

BA has enhanced its internet security since the incident. It can appeal the findings and the
quantum of the fine before a final decision by the ICO. The Chief Executive of IAG, Willie
Walsh, has confirmed that BA will be making representations to the ICO in relation to the
proposed fine.

Data breach at Capital One: Data of 100 million customers/applicants leaked

Personal information of approximately 106 million card customers and applicants at Capital
One Financial Corp. was compromised in one of the largest-ever data breaches of a major
bank.

What happened?
• Capital One's firewall was breached, and customer data that the bank had stored on
Amazon.com Inc.'s cloud service was accessed by a hacker.
• The breach is believed to have occurred in March, but it was only found this month by an
ethical hacker who emailed Capital One about the leak of its data; the bank alerted law
enforcement on July 19.
• The exposed data involved information submitted by customers and small businesses that
had applied for Capital One credit cards between 2005 and 2019, including addresses,
dates of birth and self-reported income.
• The breach compromised:
o Approximately 140,000 Social Security numbers.
o 80,000 bank account numbers.
o Credit scores, payment histories and credit limits of some customers.
o One million Canadian social insurance numbers.

Implications of the breach


• Capital One will have to notify those affected and provide them with free credit
monitoring and identity protection.
• It is initially expected to cost in the range of approximately $100 million to $150 million.
• The alleged hacker has been arrested and could face a maximum sentence of five years in
prison and a $250,000 fine [9].
• It follows a breach in 2017 at credit reporting company Equifax, which recently settled
with the FTC for an eye-watering $700m.

[9] ("Capital One Data Breach: Arrest after Details of 105m People Stolen")

Facebook to pay a record $5 Billion fine for Data Privacy Breaches

The Federal Trade Commission (FTC) has announced that Facebook Inc. will pay a record-breaking
$5 billion fine to resolve a government probe into its privacy practices. This would be the largest
fine ever imposed on any company for violating consumers' privacy, and almost 20 times greater
than the current largest privacy or data security penalty ever imposed worldwide (Equifax at
$275Mn).

What happened?

FTC alleges that:

• Facebook repeatedly used deceptive disclosures and did not take adequate steps to deal
with apps that were violating its platform policies.
• It allowed the sharing of users' personal information with third-party apps that were
downloaded by the users' "friends".
• Users were unaware that Facebook was sharing such information and therefore could not
take the steps needed to opt out of sharing.

Settlement:

• Facebook has agreed to pay a $5 billion fine to the FTC and an additional $100Mn to the
Securities and Exchange Commission (SEC) to settle allegations of misleading investors
about the seriousness of its misuse of users' data.
• Facebook also agreed to:
o Create an independent privacy committee, along with quarterly certification of
privacy practices by executives.
o Exercise greater oversight over third-party apps, and end access to friend data for
Microsoft Corp and Sony Corp.
o Not ask for email passwords to other services when consumers sign up, and not use
telephone numbers for advertising.

Not the First Time or Probably the Last


In the past, Facebook has been fined £500,000 by the Information Commissioner's Office (ICO)
in the wake of the Cambridge Analytica scandal, after allowing third-party developers to access
the user information of at least 1Mn UK users without sufficient consent.

The U.S. Justice Department has announced that it is opening a broad investigation of major
digital technology firms (search, social media, and some online retail services) into whether they
engage in anticompetitive practices [10].

THE FINES AND THE GAPS WHEN CALCULATING THEM

GDPR may have recently completed one year, but there are still some ambiguities in the
interpretation and implementation of some of its provisions. Huge gaps exist in terms of
enforcement, even though the obligations under the GDPR have taken effect. One of these
ambiguous areas relates to the fines. It is considered one of the major concerns for insurers,
organisations, legal observers and regulatory authorities. The issue is the interpretation and
real-world applicability of these provisions.

Article 83 of the GDPR [11] provides for fines on organisations breaching any GDPR obligation.
The fine ranges up to €10 or €20 million or, in the case of an "undertaking", up to 2 per cent or 4
per cent of the "total worldwide annual turnover" of the preceding financial year, in respect of
certain breaches of obligations under the GDPR.

One of the significant questions that arises is whether, in case a subsidiary of a subsidiary
infringes the GDPR provisions, the corporate parent will be taken into consideration for the
purpose of determining the total worldwide annual turnover.

Hypothetically, consider a global organisation with divisions spread across numerous jurisdictions,
including (for the purpose of this example) a wholly India-based division which carries out no
processing in the European Economic Area and no processing of any data relating to European
citizens (which means it is actually out of the scope of the GDPR). But the division is a subsidiary
of a UK company, and another part of the organisation falls afoul of the GDPR and faces an
administrative fine.

[10] ("FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook")
[11] ("Art. 83 GDPR - General Conditions for Imposing Administrative Fines | General Data Protection
Regulation (GDPR)")

So, is the turnover of the wholly India-based subsidiary factored in when calculating the penalty
to be imposed?

• The one-word answer to this question is YES. The Article 29 Working Party on GDPR [12]
has laid down guidelines on the application and setting of administrative fines. According
to WP 29, "the concept of an undertaking is understood to mean an economic unit, which
may be formed by the parent company and all involved subsidiaries."
• This clearly implies that the parent company would be responsible for the purpose of
computing the global turnover, even if one of its remotest subsidiaries ran afoul of the
GDPR. However, it still does not clearly specify what shall happen where the parent
company is silent, has no say in the regular day-to-day operations of its subsidiary, and
has no authority to make important decisions on behalf of the subsidiary.
• GDPR is silent on various issues and relies on EU Competition Law for many of its
provisions. By studying the related concepts under EU Competition Law it can be
postulated how the GDPR will be enforced [13].
• The parent company can mount a defence along the lines of EU competition law, distancing
itself on the grounds that it does not exert any decisive influence over the subsidiary. If it
can be demonstrated that the parent company has exercised "decisive influence" over the
infringing subsidiary, then the Commission shall attribute liability to the parent company
for the competitive activity of the subsidiary under EU competition law.

There are no relevant cases to date where this question is answered unambiguously. The regulatory
authorities have dealt with all infringements on a case-to-case basis, and have been reluctant to
impose exorbitant fines so far. Take the example of Google's €50m fine: CNIL (the French data
regulator) imposed a fine which was on the higher side, but a mere fraction of the internet giant's
annual global turnover. If European Competition Law principles are applied, it may be possible
for a parent company to avoid being considered in the computation of global turnover under the
GDPR fining provisions. We must first seek to define "Undertaking" for the purposes of the
GDPR. The GDPR does not expressly define the term "Undertaking". Rather, Recital 150 of the
GDPR states that EU Competition Law provisions should be used to outline the term, as follows:

[12] ("ARTICLE29 Newsroom - Guidelines on the Application and Setting of Administrative Fines (Wp253). Now
Including Available Language Versions. - European Commission")
[13] (Mayer Brown, GDPR fines - lessons from competition law)

"Where administrative fines are imposed on an undertaking, an undertaking should be understood
to be an undertaking in accordance with Articles 101 and 102 [Treaty on the Functioning of the
European Union ("TFEU")] for those purposes." [14] Further, decisions of the CJEU and the
European Commission should also be relied upon for determining the scope of the term
"Undertaking".

The CJEU and the European Commission have elaborated the term "Undertaking" through the
doctrine of "Single Economic Entity" and the inter-related concept of the 'exercise of decisive
influence'. It is a given that "when a company exercises decisive influence over another company
they form a single economic entity and, hence, are part of the same undertaking."

Therefore, "decisive influence" denotes a test of the parent company's control over a subsidiary.
The "exercise of decisive influence" by one entity over another entails that the latter entity does
not enjoy real autonomy in determining its commercial policy on the market.

The CJEU has recently held that where a parent is able to exercise all of the voting rights,
particularly when it has a high majority stake in the subsidiary's share capital, such a parent is in
the position of a parent of a wholly owned subsidiary, and there is a legal presumption that the
parent is able to determine the economic and commercial strategy of the subsidiary. [15]

There is no exhaustive list of the factors which can determine whether a subsidiary's conduct on a
market is independent. Instead, all of the relevant factors relating to the "economic, organizational
and legal links" between the parent and the subsidiary must be taken into account. [16] However,
the Commission has identified some of the factors signifying the exercise of decisive influence, as
follows:

• The power to appoint members of the board of directors of the subsidiary company.

• The power to call shareholders' meetings or revoke directors.

• Level of representation of the parent company on the subsidiary's board and their
management powers.

• Role of the parent on the committees established by the subsidiary.

• Measures taken to ensure decisive control in the subsidiary post-IPO of shares of the
subsidiary.

• Directors of the parent company receiving regular updates from the subsidiary.

[14] ("Recital 150 - Administrative Fines | General Data Protection Regulation (GDPR)")
[15] (Information and Notices)
[16] (Information and Notices)
Possible way forward:

• Companies should deliberate upon their corporate structure, and be prepared for an
adverse situation where the entire turnover is considered in the calculation of any fine for
GDPR infringements.
• In the absence of any clarity on this subject from the GDPR guidelines or relevant case
law, risk-averse organisations should work towards tying up their loose ends and
minimising their risks.
• GDPR is still in its nascent stage, and the regulatory authorities have been adjudicating
infringements on a case-to-case basis. 2019 is supposed to be the year when the regulators
are expected to come down heavily on infringements.
• As data regulators take more stringent action and work on resolving the plethora of
pending complaints which have not yet been adjudicated, a better perspective on the
provisions of the GDPR will emerge.

WHAT IS THE PERSONAL DATA PROTECTION BILL, 2018?

The Personal Data Protection Bill, 2018 (PDPB) guarantees the protection of individuals' personal
data and regulates the collection, use, transfer and disclosure of that data. The Bill gives
individuals access to their data and places accountability measures on the various organisations
handling personal data by providing remedies for harmful and unauthorised processing.

Applicability
In its current state the Bill is applicable to those organisations that are [17]:

a. Processing data that has been collected, disclosed or shared within the territory of India
b. Processing personal data that has a connection with any business carried on in the territory of
India, or any connection with any activity which involves the profiling of data principals within
the territory of India
c. Processing personal data where the same is undertaken by the State, any Indian company, any
Indian citizen or any person incorporated under Indian law.

[17] (Risk Advisory India Draft Personal Data Protection Bill, 2018 and EU General Data Protection Regulation A
Comparative View For Private Circulation Only)

The Bill is applicable to all types of industries, as it is a sector-agnostic law. The terms Data
Subject and Data Controller have been renamed Data Principal and Data Fiduciary respectively,
to highlight the nature of the relationship between the two.

Key Features:

• Definitions: The Bill defines (i) 'personal data' as any information which renders an
individual identifiable, (ii) data 'processing' as any operation, including collection,
manipulation, sharing or storage of data, (iii) 'data principal' as the individual whose
personal data is being processed, (iv) 'data fiduciary' as the entity or individual who
decides the means and purposes of processing data, and (v) 'data processor' as the entity
or individual who processes data on behalf of the fiduciary. [18]

• Territorial applicability: The Bill governs the processing of personal data by (i) both
government and private entities incorporated in India, and (ii) entities incorporated abroad,
if they systematically deal with data principals within the territory of India. The central
government may, by notification, exempt Indian entities that solely process data of data
principals outside the territory of India.

• Grounds for data processing: Under the Bill, data processing by fiduciaries is allowed
provided that the individuals have given their consent. Under certain circumstances,
processing of data is also permitted without taking the consent of the individual.

• Sensitive personal data: Sensitive personal data is defined in the Bill and includes genetic
data, passwords, biometric data, financial data, religious or political beliefs and caste.
Stringent grounds are set out in the Bill for processing sensitive personal data; for
example, the explicit consent of the individual shall be taken prior to processing.

[18] ("Draft Personal Data Protection Bill, 2018")

• Rights of the data principal: Certain rights of the data principal whose data is being
processed are laid down in the Bill, such as:

(i) the right to obtain a summary of the personal data held by the data fiduciary, (ii) the
right to seek correction of data which is inaccurate, incomplete or outdated, (iii) the right
to have personal data transferred to another data fiduciary under certain circumstances,
and (iv) the right 'to be forgotten', which gives the data principal a right to prevent or
restrict continuing disclosure of their personal data.

• Obligations of the data fiduciary: Certain obligations are laid down in the Bill for the
data fiduciary, who is responsible for the processing of personal data. These include:

(i) the data is to be processed in a fair and reasonable manner, (ii) the data principal is to be
notified of the purposes and nature of data collection along with their rights, amongst
others, and (iii) only the data needed for a specified purpose shall be collected, and it
shall be stored only for the time necessary and no longer.

• Exemptions: The processing of an individual's personal data shall not be subject to the
obligations specified, and the data principal shall not have the rights defined in the Bill,
where their personal data is processed for the following purposes:

(i) national security (pursuant to a law), (ii) prevention, detection, investigation and
prosecution of contraventions of a law, (iii) legal proceedings, (iv) personal or domestic
purposes, and (v) journalistic purposes.

• Data Protection Authority: The Bill establishes a Data Protection Authority (DPA). The DPA has
the power to (i) draft sector-specific regulations for all data fiduciaries; (ii) monitor and
supervise data fiduciaries; (iii) evaluate compliance with the Bill and commence enforcement
actions; and (iv) receive and redress complaints from data principals. It must consist of a
chairperson and six members, each with at least ten years of expertise in the field of
information technology and data protection.
• Cross-border storage of data: The Bill requires every fiduciary to keep a 'serving copy' of all
personal data on a server or data centre located in India. The Central Government may notify
certain categories of personal data as exempt from this requirement on grounds of necessity or
strategic interests of the State. The Central Government may also notify certain categories of
personal data as 'critical personal data', which may be processed only on servers located in
India.

• Transfer of data outside the country: Personal data (other than sensitive personal data
notified as 'critical') may be transferred outside India in certain circumstances. These include
cases where (i) the Central Government prescribes that transfers to a particular country are
permissible, or (ii) the DPA approves the transfer in a situation of necessity.

• Offences and penalties: Under the Bill, the DPA may levy penalties on the fiduciary for various
contraventions of the law. These include failure to comply with (i) data processing obligations,
(ii) directions issued by the DPA and (iii) cross-border data storage and transfer requirements.
For example, the fiduciary must notify the DPA of any data breach that is likely to cause harm
to the data principal. Failure to promptly notify the DPA can attract a penalty of five crore
rupees or two percent of the fiduciary's worldwide turnover, whichever is higher.


Key issues

No guidelines specified for the purpose of processing the data in a 'fair and reasonable'
manner:

The Bill imposes an obligation to process data in a fair and reasonable manner; however, it lays
down no guidelines or principles on what this means. As a result, the standards of fairness and
reasonableness may vary across fiduciaries that process similar kinds of data. It is arguably
unreasonable to expect uniform compliance when organizations in the same industry may apply
different standards.
Optional reporting of data breaches might give rise to a conflict of interest:

Selective reporting of data breaches prevents the DPA (Data Protection Authority) from being
burdened by large volumes of low-impact breach reports, and avoids placing a reporting burden on
the fiduciary. However, because the fiduciary itself determines whether a breach has to be
reported, and the fiduciary is regulated by the DPA, this creates a conflict of interest.
Independent audits ordered by the DPA could assess instances of breaches along with the
promptness of their notification.

A complaint may be raised only if there is a possibility of harm:

A data principal can raise a complaint only if there has been a violation of the provisions of
the Bill that has caused, or may cause, them harm. This raises the question of why a complaint
cannot be raised on a mere violation of the principal's rights. In addition, the data principal is
required to demonstrate and prove that harm was caused to them as a result of unlawful data
processing, which may place an undue burden on the data principal.

COMPARATIVE ANALYSIS OF GDPR AND PDPB:

Basis: Data principal/subject consent for cross-border data transfer
PDPB: The data principal's consent is needed in addition to the adequacy decision by the Central
Government or the approved standard contractual clauses.
GDPR: In the absence of an adequacy decision by the Commission or of appropriate safeguards such
as standard contractual clauses, personal data can be transferred to a third country if the data
subject has explicitly consented to the transfer.

Basis: Breach notification to data principal
PDPB: The data fiduciary is not obligated to inform the data principal about a personal data
breach unless and until the Data Protection Authority has mandated such reporting to the data
principal.
GDPR: The controller should communicate the personal data breach to the data subject without
undue delay in cases where the breach is likely to result in a high risk to the rights and
freedoms of natural persons.

Basis: Classification of personal data
PDPB: The Central Government shall categorize certain personal data as critical personal data,
which must be processed only in a server or data centre located in India.
GDPR: No such classification of data under the current provisions or guidelines.

Basis: Right to restriction of processing
PDPB: No such explicit right has been defined in the draft Bill as of now.
GDPR: The data subject has the right to restrict the controller from processing personal data in
certain cases.

Basis: Right to be forgotten / right to erasure
PDPB: A data principal can only restrict or prevent continuing disclosure of the personal data by
the data fiduciary if the grounds for such restriction are fulfilled. There is no provision to
erase personal data.
GDPR: A data subject has the right to obtain erasure of their personal data from the data
controller if the grounds for such erasure under the Regulation are fulfilled.

Conclusion and suggestions

Strong measures need to be taken in order to prevent the harmful use of personal data. Both the
GDPR and the draft PDPB regulate this.

Measures that can be taken to protect your data:

• Educate the team about their responsibilities while dealing with personal and sensitive data.
• Categorize data in order to avoid confusion.
• Document and maintain records of all processing activities.
• Detect, report and investigate any breach of personal data.
• Appoint a Data Protection Officer who takes responsibility for data protection compliance.
• Restructure and redefine policies according to the new rules.
• Clearly define what is protected as personal and sensitive data.
• Review and update all contracts that were signed with third-party vendors.
Bibliography

Works Cited

1. "Art. 17 GDPR - Right to Erasure ('Right to Be Forgotten') | General Data Protection
Regulation (GDPR)." General Data Protection Regulation (GDPR), 2013, gdpr-info.eu/art-17-gdpr/.
Accessed 6 Sept. 2019.
2. "Art. 83 GDPR - General Conditions for Imposing Administrative Fines | General Data
Protection Regulation (GDPR)." General Data Protection Regulation (GDPR), 2013,
gdpr-info.eu/art-83-gdpr/. Accessed 10 Sept. 2019.
3. "ARTICLE29 Newsroom - Guidelines on the Application and Setting of Administrative Fines
(Wp253). Now Including Available Language Versions. - European Commission." Europa.Eu,
4 Nov. 2016, ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237. Accessed
10 Sept. 2019.
4. "Capital One Data Breach: Arrest after Details of 106m People Stolen." BBC News, 30 July
2019, www.bbc.com/news/world-us-canada-49159859. Accessed 10 Sept. 2019.
5. "Draft Personal Data Protection Bill, 2018." PRSIndia, 21 Dec. 2018,
www.prsindia.org/billtrack/draft-personal-data-protection-bill-2018. Accessed 11 Sept. 2019.
6. Enforcement | Administrative Fines.
7. ET Contributors. "GDPR: The Implications of the Right to Be Forgotten Aspect of the Data
Protection Legislation." The Economic Times, 26 May 2018,
economictimes.indiatimes.com/small-biz/startups/newsbuzz/gdpr-the-implications-of-the-right-to-be-forgotten-aspect-of-the-data-protection-legislation/articleshow/64329304.cms?from=mdr.
Accessed 8 Sept. 2019.
8. "FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook." Federal
Trade Commission, 25 July 2019,
www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions.
Accessed 10 Sept. 2019.
9. Information and Notices. 2018.
10. Mayer Brown. "GDPR Fines - Lessons from Competition Law | Perspectives & Events | Mayer
Brown." Mayerbrown.com, 2019,
www.mayerbrown.com/en/perspectives-events/publications/2018/12/gdpr-fines---lessons-from-competition-law.
Accessed 10 Sept. 2019.

11. "Recital 148 - Penalties | General Data Protection Regulation (GDPR)." General Data
Protection Regulation (GDPR), 2016, gdpr-info.eu/recitals/no-148/. Accessed 9 Sept. 2019.
12. "Recital 150 - Administrative Fines | General Data Protection Regulation (GDPR)." General
Data Protection Regulation (GDPR), 2016, gdpr-info.eu/recitals/no-150/. Accessed 9 Sept. 2019.
13. ---. General Data Protection Regulation (GDPR), 2016, gdpr-info.eu/recitals/no-150/.
Accessed 10 Sept. 2019.
14. Risk Advisory. India Draft Personal Data Protection Bill, 2018 and EU General Data
Protection Regulation: A Comparative View. For Private Circulation Only.

Dissertation: Originality Report

Similarity index: 8% (internet sources 7%, publications 1%, student papers 4%).
Matched source printed (only selected source): "Current Trends in Web Engineering", Springer
Science and Business Media LLC, 2016 (publication), 1%.
Settings: exclude quotes on; exclude bibliography on; exclude matches shorter than 40 words.
