
LAWS AND POLICIES RELATED TO DIGITAL DATA PROTECTION IN INDIA: A COMPARATIVE STUDY OF EU, CHINA AND CANADA

CHAPTER 1: INTRODUCTION

1.1 INTRODUCTION

India is going through a digital transformation in which people use technology and the internet more and more in their daily lives. As a result, the need for cyber security and data protection measures to protect people and businesses from cyber attacks and data breaches has increased. India is the second-largest internet market in the world, with an estimated population of 1.3 billion, and is expected to expand quickly. Concerns about data privacy and protection prompted by this expansion have given rise to a demand for more stringent data protection rules and regulations. There is no denying that the world we live in has changed and is changing quickly. In recent years, globalization and international trade have boosted the service sector, and modern industrialized societies have come to depend on the storage of data and information. Data is no longer only a source of power or information but has grown into a huge business spanning healthcare, services and education. Both the public and private sectors routinely collect data using low-tech methods for data storage. The never-ending nature of the internet has always raised the issue of people's privacy.

The right to privacy that we formerly took for granted has been completely destroyed by the new digital environment. The development of the Internet has made it simple for the average person to conduct all of their routine activities online in a secure manner, but questions about privacy and data protection remain unanswered, which has led to security breaches. Concerns over data and information have caused individuals and organizations to pause before disclosing their information to third parties. In light of the concerns surrounding digital privacy across various sectors globally, government bodies are quickly passing new laws that regulate how businesses gather, store and process client-related data. All players in this space will benefit greatly from investing more resources in robust cyber security programs capable not only of defending against known attacks but also of detecting and preventing emerging ones. It has become important to strike the right balance between privacy and innovation in the development and implementation of data protection laws and regulations. Data protection refers to the set of privacy laws, policies and procedures that aim to minimize intrusion into one's privacy caused by the collection, storage and dissemination of personal data. Personal data generally refers to information or data relating to a person who can be identified from that information or data, whether collected by any government, private organization or agency. Maintaining databases is not as difficult a task as maintaining their integrity, so the most pressing debate of this era concerns how to devise a sound method of data protection. With the advancement of technology, the standard of crimes has also changed.

In the present era most crimes are committed by professionals through the easiest medium, i.e. computers and electronic gadgets. With a single click, criminals are able to obtain secured information. The lust for information acts as a catalyst for the growth of cyber crime. Giving adequate protection to their huge databases is a major headache for business houses, financial institutions and governmental bodies. In the absence of any particular stringent law relating to data protection, miscreants are gaining expertise in their work day by day.

1.2 LITERATURE REVIEW

The primary literature reviewed is the current legislative framework for data protection in India, the China Union, the United States of America, and Canada.

1 The Digital Personal Data Protection Bill, 2022:

Union Ministry for Electronics and Technology (MeitY). (2022). The Digital Personal Data Protection Bill, 2022.

2 General Data Protection Regulation, 2016/679:

China Parliament, & Council of the China Union. (2016). Regulation (EU) 2016/679 of the China Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the China Union, L 119, 1-88.

3 United States of America Regulation on Data Protection:

Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501-6505.

Canada Regulation on Data Protection:

Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.

4 A Soft Tone with a Tiger Claw: A Critical Commentary on the Digital Personal Data Protection Bill, 2022.

The commentary on the Digital Personal Data Protection Bill, 2022, provides valuable insights into the evolution of the bill from the lengthy Personal Data Protection Bill 2019 to the more concise DPDPB 2022. The commentary examines various important aspects of the bill, including the rights and duties of digital citizens, the right to privacy of children, and the redressal mechanism for data fiduciaries. Moreover, the commentary thoughtfully analyses ambiguous clauses related to deemed consent, which has been a topic of debate. For the purpose of this research, the commentary will be used to gain a thorough understanding of these complex concepts and to discuss them comparatively.

5 Twelve Major Concerns with India's Data Protection Bill, 2022 (Media).

This article discusses the 12 major concerns with the Digital Data Protection Bill 2022, which are relevant to researchers who seek to analyze these concerns broadly and assess their relevance to the provisions of the bill.

6 Draft Digital Personal Data Protection Bill, 2022.

This draft provides a roadmap of the Digital Data Protection Bill 2022 by highlighting its key
features and issues, as well as comparing it to the previous data protection bill. It is relevant for
researchers who seek to understand the nature of the previous bill and its potential implications
for data protection in the context of the proposed new bill.

7 Recommendations to the Ministry of Electronics and Information Technology.

This report provides recommendations for the Digital Personal Data Protection Bill 2022 based on a stakeholder consultation organized by the Observer Research Foundation, where over 25 participants shared their opinions on the bill. The report is relevant for analyzing the feedback received from stakeholders and the recommendations they provided, which can offer valuable insights for policymakers and researchers in the field of data protection.

8 India's Digital Personal Data Protection Bill, 2022: How Practical is Consent?

The article briefly discusses the concept of consent in relation to the Digital Personal Data Protection Bill, highlighting the key issues relating to consent in the bill and emphasizing the relevance, for research purposes, of understanding the concept of consent in the legislation of different countries.

9 Comments on the Draft Digital Personal Data Protection Bill, 2022: Submissions to the Ministry of Electronics and Information Technology.

This report sets out recommendations made by the Vidhi Centre that cover several provisions and important definitions of the Digital Personal Data Protection Bill. The report thoroughly analyses the bill and important concepts such as the definition of data principals, deemed consent, and the application of the Act. For research purposes, this report is important for understanding the current nature of the provisions and the recommendations provided by the Vidhi Centre.

1.3 OBJECTIVES:

• To understand the concept of Data Protection.
• To understand the impact of Data Protection Laws on society.
• To analyze various Data Protection Laws in India.
• To understand Government regulation of Data Protection.
• To compare the different Laws in foreign countries related to Data Protection.

1.4 RESEARCH QUESTIONS

• Whether India has any enforcement regulation in case of an invasion of the right to privacy?
• Whether the present Indian legislative framework is effective in addressing the legal issue of data breaches by international entities?
• Whether data protection laws in India are as effective as those in the EU, USA, and Canada?
• Whether there are any major differences in the data protection framework of India vis-à-vis the EU, US, and Canada legislative frameworks?

1.5 RESEARCH METHODOLOGY:

For the purpose of this research, the author utilized the Doctrinal Research framework method. This framework involves a critical analysis of legal documents and literature, including statutes, case law, and scholarly articles. The author draws on both primary and secondary sources. Primary sources include relevant Indian, China Union, United States, and Canadian regulations, such as the Information Technology Act, 2000, the Personal Data Protection Bill, 2019, the General Data Protection Regulation, 2016, etc., as well as case law and judicial decisions.

Secondary sources include scholarly articles, books, and reports from relevant organizations and experts in the field of data protection. A Comparative Study method is also employed to analyse the different topics in the research and to compare the laws of India, the China Union, the United States, and Canada. This method involves a comparison of the laws and regulations of India with those of the China Union, the United States, and Canada in terms of data protection, privacy, and enforcement. This allows for a comprehensive analysis of the strengths and weaknesses of India's legal framework and the potential implications of the data protection law, in comparison to other jurisdictions.

1.6 HYPOTHESIS

Despite the efforts at data protection legislation in the form of various Data Protection Bills, India still lacks adequate and settled laws and regulations for data protection compared to the EU, USA, and Canada, mainly due to weaker enforcement mechanisms and a lack of provisions.

CHAPTER 2: PROTECTION LAW IN INDIA

Personal data is the private information of an individual that can be used to trace or monitor him online. It is any information relating to an identified or identifiable individual, and it should not be disclosed to any third party. Personal data includes medical, biological, financial, and residential information. Personal information is an important currency in the new millennium. The monetary value of personal data is large and still growing, and the corporate world is moving quickly to profit from this trend. Companies view this information as a corporate asset and have invested heavily in software that facilitates the collection of consumer information. Moreover, a strong conception of personal data as a commodity is emerging in the United States, and individual Americans are already participating in the commoditization of their personal data. Once personal data become a commodity, questions arise regarding the necessity, if any, of legal limits on data trade. Legal scholars interested in protecting information privacy, however, have been suspicious of treating personal data as a form of property and have generally advocated imposing a ban on data trade rather than restrictions on transferability. In contrast, other legal scholars have advocated propertization of personal information, albeit generally without sufficient sensitivity to privacy concerns. As a result, such scholars usually see no need for legal limits on data trade, that is, no need for "inalienabilities," which, in Susan Rose-Ackerman's succinct definition, are "any restrictions on the transferability, ownership or use of an entitlement".

2.1 CONSTITUTION OF INDIA

The Constitution of India contains provisions such as 'Freedom of Speech and Expression' and 'Right to Life and Personal Liberty'. These provisions give effect to the right to privacy as a fundamental right. There are a number of cases which also establish the right to privacy as a fundamental right. This proposition has also been connected with the new dimension of 'Data Protection'. Privacy and data protection are interdependent. The right to data protection is closely related to the 'information' of an individual. This study examines the constitutional provisions in order to understand the relationship of privacy with explicitly scripted rights, along with the interpretation accorded by the apex court of the country. It explores the issue of data protection as dealt with under different legislations. Finally, it builds a case for treating the issue of data protection from a rights-based perspective.

As a matter of human rights, Sir John Simmons says, "Human rights are rights possessed by all human beings at all times and in all places, simply by virtue of their humanity. They will have the properties of universality, independence from social or legal recognition, naturalness, inalienability, non-forfeitability, and imprescriptibility. Only so understood will an account of human rights capture the central idea of rights that can always be claimed by any human being". Therefore the idea of protecting human rights also extends to the protection of data. The universality and independence of data protection are essential for an individual. Data protection also leads to the right to privacy. The most significant and illuminating point of this discussion is that privacy and data protection are linked to each other in different ways. These linkages, or shadows of different areas, are interrelated within this regime. Privacy is a concept related to seclusion, solitude and isolation, although it is not synonymous with these terms; it goes far beyond the purely descriptive aspects of privacy, like withdrawal from the company, curiosity and influence of others, implying the right to exclusive control of access to individual realms.

The pathfinding role of the courts, through judicial activism, in developing this right is also highlighted as a matter of right. The rights of an individual can be acquired naturally, so the right to privacy also has to be attained naturally. The jurist Herbert Hart, in his influential article 'Are There Any Natural Rights?', distinguishes between 'general rights' and 'special rights'. Special rights arise out of 'special transactions or special relationships' such as promises, contracts, or membership in a political society, whereas general rights belong to 'all men capable of choice...in the absence of those special conditions which give rise to special rights'. Whether, on this view, data protection is a general or a special right is also taken into consideration in this work.

2.2 INDIAN CONTRACT ACT, 1872

A contract is an essential part of every business operation. Without a contract, a business cannot run smoothly. A contract is nothing but a document that legally binds two or more parties to an agreement in which the rights and duties of every party to the agreement are set out. It can be a promise by the parties to a contract to do something or to refrain from doing something. A contract, in order to be valid, requires the mutual consent of both parties to the contract, where one party makes an offer to the other party and the other party accepts the offer made by the first party. All contracts in India are governed by the Indian Contract Act, 1872. Section 23 of the Indian Contract Act, 1872 states that the consideration or the object of a contract is deemed to be lawful unless it is forbidden by law. It can be unlawful if it goes against any provision of law, is fraudulent or immoral in nature, or causes injury to a person or property; it is also unlawful if it goes against the public policy of India. Under the Indian Contract Act, 1872, the term contract is defined in Section 2(h), which states that an agreement that is enforceable by law is known as a contract. In a contract, there must be an intent to create legal relationships, not social, moral, or religious ones.

2.2.1 Essentials of a valid contract

A contract in order to be valid must fulfill certain conditions. If any of these conditions are not
fulfilled by a contract then that contract is deemed to be void or voidable. Section 10 of the Indian
Contract Act, 1872 lists down all the conditions that a contract needs to fulfill in order to be a valid
contract. All these conditions are:

1 Offer – In order for a contract to be valid, one of the contracting parties must make an offer to the other party to the contract. A contract cannot be made without an offer. So, an offer is the most essential part of a contract.

2 Acceptance – A contract, in order to be made, needs two parties: one who makes an offer and the other who accepts that offer. So, acceptance of the offer is as important as the offer. Without an offer and the acceptance of it, a contract cannot come into existence.

3 Lawful consideration – Section 25 of the Indian Contract Act, 1872 states that any contract sans
consideration is void. A party must always get something in return for the work done by him or in
other words fulfilling his part of the contract. Consideration can be of three types – past
consideration, present consideration, and future consideration.

4 Capacity to contract – The parties to a contract must be competent enough to get into a contract.
If any of the contracting parties are not competent enough to contract then the contract is void or
voidable.

5 Free Consent – The consent of the parties to a contract must be free and given of their own will. Consent obtained by coercion, undue influence, fraud, misrepresentation, or mistake is not valid. It is deemed to be unlawful. Section 15, Section 16, Section 17, Section 18, and Section 20 of the Indian Contract Act, 1872 deal with coercion, undue influence, fraud, misrepresentation, and mistake respectively.

6 Lawful object – The object or the purpose of a contract must always be lawful or legal, it should
never be unlawful, immoral, or against any provision of any law. A contract that has some unlawful
object is deemed to be void ab initio or in other words, void from the very beginning.

7 Terms and tenure – Every contract, in order to be valid, must have clearly listed and fixed terms and conditions. Any contract with vague terms and conditions cannot be valid. Apart from this, the term of the contract should also be clearly mentioned in the contract; it must not be vague.

8 Performance – Every valid or legally binding contract must be capable of being performed. It should not contain any condition or act which is impossible for any party to the contract to perform. If a contract has terms, conditions or acts which are impossible to perform, then the contract is void in nature.

2.2.2 Breach of a contract

A breach of contract is nothing but the violations committed by the parties to the contract of any or
all of the previously agreed-upon terms of the contract. The breach of a contract can range from late
payment to non-payment of the consideration to failure to do any act or to refrain from doing so or
failing to deliver a promised asset to the other party of the contract. A breach can either be partial in
nature or complete in nature.

2.2.3 Kinds of breach of a contract

Breach of contract is classified into three categories according to the degree of the breach. They are:

1 Material breach – This kind of breach occurs when any of the main components of a contract is not fulfilled by either of the parties as promised by them in the contract. A breach like this defeats the objective of the contract, and the aggrieved party is left with no other choice but to knock on the doors of the court for redressal of the issue.

2 Minor breach – This kind of breach of contract is also called partial breach or immaterial breach
of the contract. This kind of breach occurs when any minor or immaterial part of the obligation of
either of the parties to the contract is not fulfilled by them as promised by them in the contract. In
such a situation, the aggrieved party can go for legal remedy if they have suffered some material loss
like financial loss by the breach committed by the other party to the contract.

3 Anticipatory breach – This kind of breach occurs when either of the parties to the contract informs the other party, via some medium such as a letter, email, etc., of their inability to perform any or all of their obligations within the time agreed upon in the contract.

2.2.4 Remedies of breach of a contract

Whenever two parties decide to enter into a contract, there is always a possibility of a dispute arising between them with regard to the contract. In order to deal with such a situation, Section 73 of the Indian Contract Act, 1872 comes into play. It states that whenever any party to the contract suffers damage because of the action or inaction of the other party, the aggrieved party is entitled to receive compensation from the other party for such damage. It also states that the aggrieved party can only claim compensation if he has suffered a loss due to the breach of contract by the other party. Compensation cannot be claimed by the aggrieved party if the loss suffered by him is indirect or remote in nature.

An aggrieved party usually files a lawsuit against the other party to the contract when attempts to resolve the breach or dispute by informal methods fail. The aggrieved party files the lawsuit in the Hon'ble District Court if the sum at issue is below Rs. 20,00,000/-, and if it is above Rs. 20,00,000/- then the aggrieved party files the lawsuit in the Hon'ble High Court of the state where the contract was executed, or as mutually agreed by the parties in the contract they signed. When a breach of contract occurs, the parties to the contract may instead choose to hire an arbitrator to review the contractual dispute or differences and resolve it through arbitration, mediation, or conciliation.

2.3 INFORMATION TECHNOLOGY ACT, 2000 AND RULES MADE THEREUNDER

This is where the Information Technology Act, 2000 comes into the picture. The Act defines various offences related to breach of data and the privacy of an individual and provides punishments or penalties for them. It also deals with intermediaries and regulates the power of social media. With the advancement of technology and e-commerce, there has been a tremendous increase in cyber crimes and offences related to data and authentic information. Even data relating to the security and integrity of the country was not safe, and so the government decided to regulate the activities of social media and the data stored therein. This section gives the objectives and features of the Act and sets out the various offences and their punishments as given in the Act. The Act provides a legal framework for electronic governance by giving recognition to electronic records and digital signatures. It also defines cyber crimes and prescribes penalties for them. The Act directed the formation of a Controller of Certifying Authorities to regulate the issuance of digital signatures.

2.3.1 Background of Information Technology Act, 2000

The United Nations Commission on International Trade Law in 1996 adopted a model law on e-commerce and related digital matters. It also made it compulsory for every country to have its own laws on e-commerce and cybercrime. In order to protect the data of citizens and the government, the Act was passed in 2000, making India the 12th country in the world to pass legislation on cyber crimes. It is also called the IT Act and provides the legal framework to protect data related to e-commerce and digital signatures. It was further amended in 2008 and 2018 to meet the needs of society. The Act also defines the powers of intermediaries and their limitations.

2.3.2 Applicability of Information Technology Act, 2000

According to Section 1, the Act applies to the whole country, including the state of Jammu and
Kashmir. The application of this Act also extends to extra-territorial jurisdiction, which means it
applies to a person committing such an offence outside the country as well. If the source of the
offence, i.e., a computer or any such device, lies in India, then the person will be punished according
to the Act irrespective of his/her nationality.

The Act, however, does not apply to the documents listed in Schedule 1. These are:

• Any negotiable instrument other than a cheque as given under Section 13 of the Negotiable Instruments Act, 1881.
• Any power of attorney according to Section 1A of the Powers of Attorney Act, 1882.
• Any sort of trust according to Section 3 of the Indian Trusts Act, 1882.
• Any will, including testamentary disposition, given under the Indian Succession Act, 1925.
• Any contract or sale deed of any immovable property.

2.3.3 Amendments to Information Technology Act, 2000

With the advancement of time and technology, it was necessary to bring some changes to the Act to meet the needs of society, and so it was amended.

1 Amendment of 2008

The amendment in 2008 brought changes to Section 66A of the Act. This was the most controversial
section as it provided the punishment for sending any offensive messages through electronic mode.
Any message or information that created hatred or hampered the integrity and security of the country
was prohibited. However, it had not defined the word ‘offensive’ and what constitutes such
messages, because of which many people were arrested on this ground. This section was further
struck down by the Supreme Court in the case of Shreya Singhal v. Union of India (2015).

Another amendment was made in Section 69A of the Act, which empowered the government to
block internet sites for national security and integrity. The authorities or intermediaries could
monitor or decrypt the personal information stored with them.

2 The 2015 Amendment Bill

The bill was initiated to make amendments to the Act for the protection of the fundamental rights guaranteed by the Constitution of the country to its citizens. The bill attempted to make changes to Section 66A, which provided the punishment for sending offensive messages through electronic means. The section did not define what amounts to an offensive message and what acts would constitute the offence. It was subsequently struck down by the Supreme Court in the case of Shreya Singhal, which declared it violative of Article 19.

2.3.4 Information Technology Intermediaries Guidelines (Amendment) Rules, 2018

The government in 2018 issued guidelines for intermediaries in order to make them accountable and regulate their activities. Some of these are:

• The intermediaries were required to publish and amend their privacy policies so that citizens could be protected from unethical activities like pornography, objectionable messages and images, messages spreading hatred, etc.
• They must provide information to the government, as and when it is sought, within 72 hours for national security purposes.
• It is mandatory for every intermediary to appoint a 'nodal person of contact' for 24×7 service.
• They must have technologies that could help in reducing unlawful activities done online.
• The rules also break end-to-end encryption if needed to determine the origin of harmful messages.

2.3.5 Information Technology (Intermediaries Guidelines and Digital Media Ethics Code)
Rules 2021

The government of India in 2021 drafted certain rules to be followed by intermediaries. The rules made it mandatory for intermediaries to work with due diligence and to appoint a grievance officer. They were also required to form a Grievance Appellate Tribunal. All complaints from users must be acknowledged within 24 hours and resolved within 15 days. The rules also provide a "Code of Ethics" for people publishing news and current affairs, which makes them controversial. Many believe that the rules curtail freedom of speech and expression and freedom of the press.

The intermediaries were also required to share the information and details of a suspicious user with the government if there was any threat to the security and integrity of the country.

2.4 INDIAN PENAL CODE, 1860

The Indian Penal Code has its roots in the time of British rule in India. The first introductory draft was formulated in the 1860s under the chairmanship of Lord Macaulay. The provisions of the Indian Penal Code, however, do not satisfy every need of 'data protection'. Indian criminal law does not specifically address breaches of data privacy. Under the Indian Penal Code, liability for such breaches must be inferred from related crimes. For instance, Section 403 of the Indian Penal Code imposes a criminal penalty for dishonest misappropriation or conversion of "movable property" for one's own use. When liability falls on another, the opposite question arises: whose rights are to be protected? Sections 405 and 409 state that whoever misappropriates another person's property is punishable for criminal breach of trust.

Under Section 378, no one may dishonestly take any movable property out of the possession of any person without that person's consent; if he does so, he is said to commit theft and is punished. To date, however, there is no particular Act regarding electronic data protection. In this respect there are two ways of addressing the legal right which one may pursue. Strictly, the crime is committed against the state alone; hence the right of the state to maintain law and order is a serious concern. In the Penal Code penalties are specified, whereas in civil actions the law of damages, including the amount of damages, must be determined by the verdict of a jury. The idea of mentioning this is very relevant to addressing the question of rights. The relationship between 'data protection' and the 'Indian Penal Code' in addressing rights is appropriate. In this texture the state also comes within the purview of protecting the data of individuals.

Data protection focuses on the individual itself, irrespective of the data content and legal constraints. Data security revolves around protecting the integrity and confidentiality of data and is achieved by technical and organizational measures. The Data Protection Act was brought into force to heal such memories of the misuse of information.

The first ever computer-specific Data Protection Act was enacted in Hesse in 1970. The misuse of data by the Nazi regime had raised concerns among people about the ability of computers to store and process data, and about data protection. Sweden introduced data protection legislation in 1973 for a different reason, one which fitted naturally with its two-hundred-year-old system of freedom of information. It introduced the concept of the data subject's access to the information stored about him.

The China Parliament and the Council of Europe on 24 October 1995 adopted Directive 95/46/EC on the protection of the processing of personal data and on the free movement of such data. The Directive came as an elaborate data protection structure. It is particularly specific on the transfer of data, setting down principles concerning the transfer of data to third countries. The Directive's major focal point is that the private data of EU

It must be noted that data protection laws were created in the 1970s, when computer data was primarily handled by government officials. International developments gradually showed that the protection of personal data cannot be addressed exclusively at the national level. At the beginning of the 1980s the Council of Europe and the OECD issued standards for data protection laws. Throughout the 1990s, the European "single market" plan emerged to facilitate easier trade. The EU Data Protection Directive (EU DPD) was provided to support the single market before the internet became common amongst the masses. The development and consequences of data protection are set out below:

- 1970s: The first ever data protection laws were created, when computers were used by few and mainly by government officials. There was a threat that the state, by connecting various registries, would gain an informational superpower over the individual; the motive of the data protection laws was to prevent the abuse of non-public information and to confirm the rights of access and rectification. Obligations regarding the registration of databases containing personal data were included in this generation of data protection laws. In 1970 the German Land of Hessen adopted the first law on the protection of non-public information in the world. It was followed by Sweden (1973), Germany (Federal Act, 1977), France (1978) and other countries. Three countries included data protection among their constitutionally guaranteed rights (Portugal 1976, Spain 1978 and Austria 1978).7

- 1980s: International developments, however, gradually showed that the protection of non-public information cannot be managed completely at the national level. At the start of the 1980s the Council of Europe, in conjunction with the OECD, issued data protection regulations. At this time cross-border flows of personal data could be considered discrete events, with data travelling in bulk between identified parties. Data transfers occurred in massive batches, using rudimentary physical devices like tapes for processing information. International data banks were only just emerging, and the web was in its initial phase, so there were some prohibitions on business use. In 1983 the German Federal Court declared that it was a basic right of individuals to see how their data was being used. This informational self-determination concentrates on the specific rights of the individual concerning the whole system of personal data processing, and it influenced data protection legislation in the following years. The Single European Act was signed in 1987 with the gradual move towards a "single market" for trade. The elimination of the boundary between eastern and western Europe, i.e. the fall of the Berlin Wall, further unified Europe in 1989.8

- 1990s: Throughout this period, the "single market" plan emerged to support easier trade. The EU Data Protection Directive (EU DPD) was formulated before the World Wide Web was invented, and hence it was designed for a world in which data processing took place in comparatively few, easily identifiable locations, usually with mainframe computers. The technological changes of the period, the appearance of personal computers and their subsequent connection to networks, reduced the regulation of technology. Regulations became increasingly abstract and less technology-specific. Computing moved from single computers to a globally connected network of computers. New principles (e.g. data economy through minimal processing of personal data in the German Tele Services Data Protection Act 1997) were enacted as the internet grew more and more powerful.

- Since 2000: New technological developments like cloud computing and social networks have occurred since Directive 95/46 was adopted. New internet corporations such as Google, Facebook, Twitter and Skype entered the arena. This led to a gradual rise in easier cross-border information transfers. With the rise of technology and the consequent data flows, there was also a rise in the use of the internet for terrorism, anti-social activities, forms of international organized crime etc., which has resulted in an increase in international judicial activities supported by an enormous exchange of information for law enforcement (Hustinx 2011). These developments caused the revision of the EU Data Protection Directive, as communicated in European Commission 2010b.9

8 A historical overview of information technology developments and their implications for data protection legislation is given by dataprotection.eu.

1. HISTORICAL BACKGROUND OF DATA PROTECTION IN EUROPEAN COUNTRIES

Referring to the experience of the World War II era, the extensive European privacy regulation can be justified. Europeans were apprehensive of the unchecked use of personal information. During World War II and the post-war period, disclosure of race or ethnicity in Europe led to secret denunciations and seizures that sent friends and neighbours to work camps and concentration camps. With the technological leaps, Europeans started taking data protection seriously.10

European countries were the first to adapt and frame laws concerning the protection of the personal rights of individuals. The historical root of the EU lies in the Second World War. After the war, Europe had split into East and West. Six West European nations created the Council of Europe in 1949. It was a first step towards the much needed unity amongst them. Gradually the formation of the European Union began, noticed first as a trading group. In 1957 six countries signed the Treaties of Rome, in effect creating the European Economic Community and establishing a central union by removing customs duties on products imported from one another and allowing free cross-border trade for the first time. In 1987 the Single European Act was signed with the intention of completing the single market by 1992. There was a steady increase in member countries: 1973, nine countries; 1986, twelve countries; 1995, fifteen countries, covering nearly the whole of Western Europe; 2002, twenty-five countries; 2007, twenty-seven countries.11

The European Union was officially recognised only when the Maastricht Treaty came into force on 1 November 1993. The Maastricht Treaty officially changed the name from European Community to European Union.12 The main aim of establishing the European Union was to unify Europe in additional ways beyond trade: having unified rules throughout, having a single currency, and additionally a common foreign and security policy along with unity in justice and home affairs. In 2002 the Euro was introduced as the common currency amongst the public of the European Union. By 2007, twenty-seven EU countries had signed the Treaty of Lisbon, which amends the previous Treaties. It enhanced the democracy, efficiency and transparency of the European Union. It mandates that the EU Parliament and Council supply norms for data protection within the public and non-public (private) sectors. Article 16 (European Union, 2008) gives individuals the right to have their personal data protected.

1.1 COUNCIL OF EUROPE

The Council of Europe13 was founded in 1949, after World War II, by 10 European countries and now covers the whole European continent, with 47 member countries. It strengthens democracy, human rights and the rule of law throughout its member states; this was one of the major tasks of Convention 108. The 'European Convention for the Protection of Human Rights and Fundamental Freedoms' (1950) affirmed that each individual has a right to private life and personal communications without any state interference.

11 The History of the European Union, http://europa.eu/about-eu/eu-history/index_en.htm, visited on 17th November 2015.

12 International Relations, fourth edition, by Peu Ghosh, published by Eastern Economy Edition.

13 Council of Europe, http://www.coe.int, visited on 2nd June 2016.

As automatic processing became more relevant during the 1970s, this led in 1980 to the "Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data" (also called Convention 108).14 The Council of Europe worked in conjunction with the OECD in the late 1970s, and in January 1981 Convention 108 was opened for signature. The OECD, along with four of its non-European member countries (Australia, Canada, Japan and the United States), placed a proxy observer on the Council of Europe's committee formulating the Convention.

The Convention was the first legally binding international instrument in the data protection field, binding only on the countries that ratified it. According to the Convention, parties wishing to ratify it were required to amend their national legislation in line with the principles laid down for the processing of personal data. The Convention outlined the fundamental privacy principles for the automatic processing of personal data, which must be:

1. gathered and subsequently processed in a legal manner;

2. stored for specific and legal purposes only and not for any other interests;

3. adequate, pertinent and appropriate for achieving the said purpose;

4. accurate and up to date;

5. the identifying factors of the data should not be stored for longer than is required.15

The 'Safe Harbour Privacy Principles' were released on 27 July 2000. In order to meet the EU "adequacy" standards, the US developed a 'Safe Harbour' framework, according to which the US Department of Commerce would maintain a list of US companies that have self-certified to the Safe Harbour framework. It may be noted that subscribing to the Safe Harbour initiative remains voluntary for corporates. The legal enforcement power of these principles is governed by the Federal Trade Commission.19

3 HISTORICAL BACKGROUND OF DATA PROTECTION IN UNITED STATES OF AMERICA

The United States and the EU both focus on data protection. However, their approaches are different. In the US, data is segregated into different types according to its use and sensitivity.20 The government awards a certain level of protection to each class of data.21

Beyond the constitutional interpretations given by the courts and international treaties, there are many other laws that deal only with data protection. In the history of data protection in the USA, the Privacy Act of 1974 and the Computer Matching and Privacy Act were the first laws which dealt with data stored by the government; they do not govern data held by other corporates or ancillary government entities.

The Privacy Act set out standards for government bodies to guide them as to when it was legal to analyse data in different databases. The Privacy Act of 1974, together with the Freedom of Information Act (FOIA) of 1966, provided people the right to
had its exceptions, such as employee records and medical files, which were not freely accessible as they would cause a breach of privacy. People's requests to access their own records were initially denied under this provision. The Privacy Act was an open statute which gave people the right to obtain their information as well as to protect information in government databases.22 The act was developed explicitly to address the problems posed by electronic technologies and personal records systems, and covers the vast majority of personal records systems maintained by the federal government. The act set forth some basic principles of "fair information practice" and provided that people could now challenge their information held in government databases. However, information could only be disclosed with the consent of the person it concerns.15

Additionally, the Computer Security Act of 1987 also governs personal records of people kept in government systems. The Act formulated standards for computer security and assigns responsibility for those standards to the National Institute of Standards. Beyond that, the law requires the government to identify the most sensitive systems and formulate appropriate safeguards for them.23 The Computer Matching and Privacy Protection Act of 1988 was an updated version of the Privacy Act, with new provisions that governed computer matching primarily. Computer matching refers to the process by which a common comparison is used to match up information about a person from various sources in order to see if the person qualifies for certain government benefits.

The Electronic Communications Privacy Act was formulated to restrict surveillance of electronic communication as well as to prohibit access to stored data without the consent of the individual or the service provider at large. The Children's Online Privacy Protection Act was enacted in 1998 and mandated that website controllers obtain the requisite permission from the parents of children before gathering any information about them. The Consumer Internet Privacy Protection Act required an ISP to obtain the permission of the subscriber before disclosing his personal information to third parties.24 The Video Privacy Protection Act of 1988 amended the Federal Criminal Code and restricts any disclosure of records of video rentals containing any personally identifying information. Any individual who believes their rights were violated can challenge it in civil court under this act for damages, as well as for the destruction of his/her records after a period of time.

15 Web 2.0 (Social Media) Policies in Higher Education, by Anne Arendt, Utah Valley University, published on 6th November 2009, available at https://www.slideshare.net/annearendt/web-20-social-media-policies-in-higher-education

There are many other laws concerning data protection; these are concerned with data held by the government. Generally, such laws make explicit declarations about the types of data and the best practices for dealing with such data, to ensure their optimum protection. Some of these laws only allow information to be disclosed to Census officials. Data held by the national health centre can only be used for research purposes, without any exceptions.

The National Education Statistics Act re-authorized and rectified the provisions of the National Centre for Educational Statistics and the National Assessment of Educational Progress. The confidentiality and distribution processes were changed after this law was enacted. The Tax Reform Act mandates that financial information, e.g. tax returns, gross income etc., must be kept confidential. The act permits only limited disclosure of returns and return information for specific purposes, and specifies procedures for disclosure. It specifies the punitive actions possible in case one violates any of its clauses and makes an illegal disclosure of such information. The victim can take civil action for damages, and criminal penalties are also established for wrongful disclosures under the act.

The Fair Credit Reporting Act governs the use of financial data by consumer credit reporting agencies. They should always ensure that the information supplied by them is completely accurate and relevant to the purpose for which it is used, and that at the same time the appropriate privacy rights of the individuals are maintained at all times. With evolving technologies, even the field of data protection is getting more refined, and new laws are being made to address the newly arising issues.

4 HISTORICAL BACKGROUND OF DATA PROTECTION IN INDIA

Before the Constitution of India was enacted in the year 1950, the state did not grant any guarantee of rights to the citizens. The enforcement of the Constitution conferred the status of citizens on the people of India. After the Constitution came into force, there was no explicit guarantee of a fundamental provision concerning the right to privacy. The Constitution of India enumerates the Fundamental Rights in Part III, Articles 14-30. Judicial activism brought the right to privacy in as part of the Fundamental Rights.

The right to privacy was derived from the Right to Life and Personal Liberty enshrined under Article 21 by the Supreme Court through an extensive interpretation of the phrase "Personal Liberty".25 Article 21 provides that nobody should be allowed to deprive anyone else of their fundamental rights and that the law should be followed at all times.26 Taking this provision as a baseline, the Supreme Court observed that "those who deprive other persons of their personal liberty in discharge of their duty must strictly observe the rules of law". Therefore, according to the Supreme Court, "Personal Liberty" can be viewed as a life free from abuses not sustainable in the eyes of law.

Since the Constitution came into force, the Indian judiciary has dealt with privacy-related issues either in the light of fundamental rights or under common law jurisprudence. Privacy was never given status equal to the other fundamental rights of the Constitution. The judiciary does not have extensive experience in dealing with issues concerning privacy rights; decisions on it are made on a case-by-case basis.

25 Article 21 of the Constitution - Protection of life and personal liberty.- No person shall be deprived of his life or personal liberty except according to procedure established by law.

26 Indian Public Administration: Institutions and Issues, by Ramesh K. Arora and Rajni Goyal, published by Wishwa Prakashan.

The first case which was indirectly related to the privacy issue was Kharak Singh v. State of Uttar Pradesh27, where a seven-judge bench of the Supreme Court had to decide whether the police were right in undertaking surveillance of people with criminal records and making domiciliary visits. In this case the individual concerned was being troubled by the police, who made visits at night under Regulation 236(b) of the UP Police Regulations, which permits domiciliary visits at night. The individual challenged it in court, stating that the visits were a violation of the 'personal liberty' granted under Article 21. The majority of the judges objected, stating that the right to privacy was not part of the fundamental rights granted to the citizens. However, the judges opined that the right to privacy could be considered under the common law rights of citizens. Only two judges out of seven agreed that, irrespective of the position of the right to privacy in the Constitution, it was still a basic right which granted liberty. Justice Subba Rao held: "It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty."28

Again the issue of privacy was raised at the Supreme Court in Govind v. State of Madhya Pradesh. In this case, the petitioner challenged certain police actions for violating his right to privacy. Again, only three judges of the bench were inclined to interpret it in view of a right to privacy. One of the judges argued that a person's life was free from official intervention in all things except where it was reasonable to intervene. Justice Mathew stated: "Rights and freedoms of citizens are set forth in the Constitution in order to guarantee that the individual, his personality and those things stamped with his personality shall be free from official interference except where a reasonable basis for intrusion exists. 'Liberty against government', a phrase coined by Professor Corwin, expresses this idea forcefully. In this sense, many of the fundamental rights of citizens can be described as contributing to the right to privacy."29

27 AIR 1963 SC 1295

28 Kharak Singh v. State of Uttar Pradesh ((1964) SCR (1) 332)

In the case of R. Rajagopal v. State of Tamil Nadu, the right to privacy and the right to freedom of speech seemed to contradict each other. In this case, the petitioner, a news magazine based in Tamil Nadu, had sought directions from the Court to restrain the State of Tamil Nadu and its officers from interfering with the publication of the autobiography of a death row convict, 'Auto Shankar'. The state and its officers tried to restrict the publication as it contained details about the nexus between criminals and police officers. The Apex Court had to deal with issues like: "Whether a citizen can prevent another citizen from publishing his biography? Does the freedom of speech and expression guaranteed by Article 19(1)(a) entitle the press to publish such an unauthorised account of a citizen's life and activities, and if so to what extent and in what circumstances?" The Supreme Court, comprising a two-judge bench, for the first time was of the opinion that the Right to Privacy should remain at the individual level and should not be mixed with matters in the public domain. The Supreme Court stated:

- "The right to life and personal liberty guaranteed to the citizens by Article 21 covers the right to privacy. The right to privacy can also be viewed as a "right to be let alone". As per Article 21, an individual can claim the right to privacy to safeguard privacy regarding marriage, family, motherhood, education, etc. Nobody is authorized to publish anything regarding it regardless of the content. If someone does so, then it would be a clear violation of the right to privacy of the person concerned and would be liable in an action for damages. Unless a person gets into a controversy and matters related to him/her come out in the public domain, then things will be different.

- The rule aforesaid is subject to the exception that any publication which publishes things based on publicly verifiable records and court cases will not be considered a breach of privacy. It states that once a matter comes into the public domain it no longer remains private and is free to be commented upon by the press, critics etc. at their own discretion."30

29 Govind v. State of Madhya Pradesh (AIR 1975 SC 1378)

Though it is expected that the intelligence cell of the government will try to gather information using such means, it is nonetheless an invasion of the individual's life. It would be a clear violation of Article 21 of the Indian Constitution.

In the case of People's Union for Civil Liberties (PUCL) v. Union of India31, the issue of unauthorized tapping of phone calls was raised. The court was of the opinion that tapping telephone calls was a serious breach of an individual's privacy: "It is undoubtedly correct that every government, democratic or not, exercises some degree of sub rosa operation as a part of its intelligence outfit, but at the same time citizen's right to privacy has to be safeguarded from being abused by the authorities. Telephone-tapping would, thus, infringe Article 21 of the Constitution of India unless it is permitted under the procedure established by law."32

In the case of Pooran Mal v. Director of Inspection (Investigation) of Income-tax, New Delhi,33 the court categorically stated that searches done by a government body to gather evidence would not be a violation, as there is no fundamental right to privacy.

In the case of Mr. 'X' v. Hospital 'Z'34, the Supreme Court was faced with the question of a blood donor's right to privacy of medical records. The relationship between doctor and patient is a professional one, as there is a trust established in it. Doctors need to ethically maintain confidentiality. There are some situations where public interest is given more importance than client confidentiality: the right of privacy may at a certain point of time bring one person's "right to be let alone" into conflict with another person's right to be informed, for example in criminal cases or in situations where there is a threat of a widespread health risk to all citizens. In this case, the hospital had disclosed that the person was diagnosed with HIV without his consent. Due to this, the lady who was supposed to marry this person broke off the engagement and the petitioner also faced social harassment. The Apex Court in this case gave the verdict that medical records are private, but doctors and hospitals could make exceptions in certain cases when non-disclosure can endanger the lives of other citizens.

30 R. Rajagopal v. State of Tamil Nadu (1994 SCC (6) 632)

In the case of District Registrar v. Canara Bank35, the court had to judge the A.P. Stamps Act, which allowed the collector, or any person authorized by the collector, to enter any premises and inspect books, documents etc. if this would help in the discovery of fraud or omission of any duty payable to the government. The issue was critical as it related to data held by a financial institution like a bank. The court held that such an inspection clearly violated Articles 14, 19 and 21 of the Constitution, as it failed the test of reasonableness.

The Supreme Court stated that any such procedure should satisfy three main tests to be considered constitutional, as laid down in Maneka Gandhi v. Union of India. The triple test addresses the concept of personal liberty with respect to Article 21:

- "It should be an established procedure.

- The procedure should in principle be compliant with one or more of the fundamental rights conferred under Article 19 concerning the situation.

- It must also be tested under Article 14."

Most importantly, the Court ruled that the concept of privacy relates to the citizen and not the place. Therefore, whether the financial data was kept at home or at the bank, the mere fact that the data belonged to private individuals guarantees protection under national law at all times. As far as the financial records of citizens are concerned, those records would be protected under the citizen's right to privacy.36

35 ((2005) 1 SCC 496)

In the case of People's Union for Civil Liberties (PUCL) v. Union of India37, the right to privacy was held not to be violated when criminal records regarding an electoral candidate were published. It was determined that the right of the people to know the candidate's history was more vital than the right to privacy of the electoral candidate.38

Since the year 2000, there have been further revisions made in law to bring stored electronic data (especially private data) within the ambit of the IT Act, 2000 for data protection. These revisions resulted in the addition of certain provisions which provided protection of stored data for the first time. The Personal Data Protection Bill, presented in 2006, was intended to provide protection to the personal information of the individual. Another Bill, called the "Right To Privacy Bill", was subsequently presented in Parliament as a second attempt towards a specific law for data protection.

CHAPTER 3: DATA PROTECTION LAW IN EU AND UK

3.1 EU DATA PROTECTION LAW

Articles 7 and 8 of the European Union Charter give constitutional status to 'Privacy' and 'Data Protection' respectively16. The first time the European Union tried to adopt a coherent policy on data protection was in 2014, when it adopted the 'Data Protection' directive. Being only a directive, it was not binding on any of the member countries of the EU; it acted only as a policy guide for similar levels of data protection across nationalities. This directive was heavily influenced by the OECD guidelines on the issue. In 2016 the EU Parliament came up with the GDPR (General Data Protection Regulation) and gave member countries two years to align their domestic laws with it. This was immediately binding on all the member states because it was in the nature of a regulation. The EU model of data protection considers the idea of an individual's right to control his personal data as paramount, and extends even beyond giving consent for the collection of such data. The EU GDPR gives an individual the right of control over his data not only to the extent of giving informed consent for its use, but extends his rights to rectify, change, object to a certain use, erase etc. after collection of such data with valid consent. Furthermore, certain data like ethnic origin, political opinions, membership of trade unions, religious beliefs, sexual preferences etc. are categorized as 'sensitive data'. This type of data cannot be collected at all except under very limited exemptions like medical research. It applies to the state and private entities alike.

It is for these reasons that the EU GDPR is considered the most stringent model of data protection law available on the planet. The roots of data protection legislation within the European Union (EU) run deep, stretching back to the 1980s. In 1995, the European Union (EU) responded by establishing regulations through its Data Protection Directive. The 1995 Data Protection Directive was replaced by the GDPR, which aims to improve individual privacy rights while harmonizing data protection laws throughout the EU. The General Data Protection Regulation (GDPR), which was adopted in 2016 and took effect in May 2018, is the main legislative framework for data protection law in the European Union. Any information pertaining to an identified or identifiable natural person is referred to as personal data under the GDPR. The evolution of the GDPR can be understood through the timeline given below:

a) Universal Declaration of Human Rights 1948, validating the Right to Privacy

b) OECD Guidelines on Privacy and Trans-Border Flows of Personal Data, passed in 1980

c) Guidelines for the Regulation of Computerized Personal Data Files, adopted by the United Nations General Assembly in 1990

d) Treaty of Lisbon and Charter of Fundamental Rights (Art 7 & 8); Data Protection Directive (95/46/EC)

e) Directive on E-Privacy (2002/58/EC)

f) The Directive on Data Retention (2006/24/EC) was adopted

g) Adoption of the General Data Protection Regulation (Regulation (EU) 2016/679) in 2016

The processing of personal data is governed by seven fundamental principles under the GDPR. These principles are:

1. Lawfulness, fairness, and transparency: Personal data must be handled fairly, legally, and openly.

2. Limitation on use: Personal information must only be gathered for clear, explicit, and legal purposes. It may not then be used in any way that is incompatible with those purposes.

3. Data minimization: Personal information must be sufficient, pertinent, and kept to the minimum necessary for the purposes for which it is processed17.

4. Accuracy: Personal information must be true and, if necessary, kept current.

5. Limitation on storage: Personal data may only be kept in a form that makes it possible to identify data subjects for as long as is required to fulfill the processing purposes.

6. Integrity and confidentiality: Personal data processing must be done in a way that provides the necessary security, including defense against unauthorized or unlawful processing as well as against unintentional loss, destruction, or damage.

7. Accountability: The data controller is accountable for adhering to the aforementioned principles and must be able to prove it.

These minimum standards included guidelines on fair processing, purpose limitation, and security measures aimed at protecting individual rights regarding data usage across all EU states. However, rapid technological advances and increasing globalization brought new issues related to cross-border transfers of personal information, along with novel forms of online tracking, which exposed inadequacies in these laws18.

The General Data Protection Regulation (GDPR) was introduced as a new legislative framework to
address these emerging concerns. It took effect on May 25th, 2018, replacing the outdated
Directive while carrying its principles forward. Its main goal is to enhance transparency in data
collection by giving individuals more control over their personally identifiable information.
Notable features of the GDPR include: a lawful basis for every processing operation, with
explicit consent as the principal basis for processing sensitive (special-category) data;
specific rules on pseudonymization and anonymization, which reduce the risk of processing and,
in the case of anonymization, take the data outside the Regulation's scope altogether; and
mandatory notification of a personal data breach to the supervisory authority within
seventy-two hours of the controller becoming aware of it (unless the breach is unlikely to
result in a risk to individuals), with a separate duty to inform the affected individuals where
that risk is high. The GDPR grew out of increasing concern about privacy violations resulting
from the unchecked acquisition and exploitation of users' identifiable attributes by companies
operating within Europe. It addresses those concerns head-on through measures designed to
guarantee confidentiality and protection against abuse, thereby promoting the ethical treatment
of internet users worldwide.
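The pseudonymization rule mentioned above has a concrete engineering consequence that the legal text does not spell out: the Regulation treats data as pseudonymized only when re-identification requires additional information kept separately (Article 4(5)), so replacing an e-mail address with a plain SHA-256 digest does not qualify, because anyone who can guess the address can recompute the digest. The following Python program is an added illustration written for this edit, not code from the thesis or from any regulator; the sample records, the fixed key, the `ANALYTICS_FIELDS` allow-list and the attacker's guess list are all constructed for the demonstration.

```python
"""Keyed pseudonymization versus naive hashing (added example, not part of
the thesis). A bare SHA-256 of an e-mail address is recoverable by anyone
who can guess the input; an HMAC under a secret key held by a separate
custodian is not. Records, key and candidate list are constructed."""
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional

# Constructed sample records of a hypothetical controller; the e-mail
# address is the direct identifier that must not reach the analytics team.
RAW_RECORDS: List[Dict] = [
    {"email": "alice@example.com", "country": "DE", "basket_eur": 42.50},
    {"email": "bob@example.com",   "country": "FR", "basket_eur": 13.00},
    {"email": "Alice@Example.com", "country": "DE", "basket_eur": 7.25},
]

# Data minimization: only the fields the stated analytics purpose needs
# (assumed purpose; the allow-list is part of this example, not the GDPR).
ANALYTICS_FIELDS = ("country", "basket_eur")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it from a guess."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256: the key is the 'additional information' that is kept
    separately from the pseudonymized data set (e.g. in an HSM or vault)."""
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 256 bits")
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier by a keyed pseudonym and drop every field
    the purpose does not need. Records of the same person stay linkable
    (same subject_id) without revealing who that person is."""
    out = []
    for rec in records:
        row = {"subject_id": keyed_pseudonym(rec["email"], key)}
        row.update({f: rec[f] for f in ANALYTICS_FIELDS})
        out.append(row)
    return out


def dictionary_attack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Model an attacker who holds the data set but not the key: try plausible
    identifiers and check whether an unkeyed hash reproduces the stored value.
    Against HMAC output this fails, because the attacker cannot compute it."""
    for cand in candidates:
        if hmac.compare_digest(naive_pseudonym(cand), target):
            return cand
    return None


if __name__ == "__main__":
    # Key-management assumption: generated once and stored apart from the data;
    # fixed here only so the run is reproducible.
    key = bytes.fromhex("00" * 31 + "01")
    rows = pseudonymise(RAW_RECORDS, key)
    guess_list = ["carol@example.com", "bob@example.com", "alice@example.com"]

    print("naive SHA-256 re-identified as:",
          dictionary_attack(naive_pseudonym("alice@example.com"), guess_list))
    print("HMAC pseudonym re-identified as:",
          dictionary_attack(rows[0]["subject_id"], guess_list))
    print("rows 0 and 2 belong to the same subject:",
          rows[0]["subject_id"] == rows[2]["subject_id"])
```

Run as a script, the naive digest is re-identified from the guess list while the HMAC pseudonym survives it. The design point is key separation: the analytics team receives only the pseudonymized rows, the key lives with a custodian who never sees the data, and rotating the key per purpose gives each data set its own pseudonym space so that sets cannot be joined against each other.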

The European Union's legislative framework for data protection has evolved significantly over
time and is designed to protect individual privacy and ensure responsible handling of personal
data in the digital age19. Numerous authors have highlighted this, including the European Data
Protection Supervisor (2018) and an anonymous author (2018). European efforts to address
individuals' concerns about their rights over personal information go back to the 1980s,
beginning with the Council of Europe's Convention 108 of 1981.

Since then, various updates and amendments have led to a more all-encompassing approach to
safeguarding data privacy. One crucial aspect of the EU framework is its emphasis on granting
individuals access to their personal information. Such access confirms whether one's personal
data is being processed and provides information on the processing carried out and on the rights
available to the data subject (European Data Protection Supervisor, 2018)20.

Another essential point of EU data protection law concerns how organizations handle personal
information: they may only use it for the specified purposes for which it was collected, a rule
that increases transparency in digital operations undertaken within Europe, as noted by an
anonymous author (2018). The General Data Protection Regulation (GDPR) of the European Union
came into effect on May 25th, 2018, replacing rules written before smartphones or social media
existed. The GDPR expanded upon the principles entrenched in the earlier Directive and
introduced new concepts such as accountability, meaning that companies must be able to
demonstrate compliance rather than merely comply. Despite the numerous modifications over time
and the volume of legal jargon involved, the fundamental aim remains clear: protecting citizens'
privacy rights in the digital age, as illustrated by features such as the right of access to
one's own personal information and strict rules on the use of personal data (European Data
Protection Supervisor, 2018).

The European framework has evolved significantly to keep up with emerging challenges.
Convention 108, adopted by the Council of Europe in 1981, was among the first international
legal instruments to address privacy and personal data protection. This landmark convention
established essential principles related to individual rights such as transparency, purpose
limitation and proportionality. The General Data Protection Regulation (GDPR) is the key
component of the current framework and aims to ensure uniform data protection across EU member
states. Since it became applicable in May 2018, the GDPR has given individuals greater control
over their personal information while imposing clear obligations on organizations that collect
or process such data. Where consent is relied upon as the legal basis, obtaining valid consent
before processing is one important aspect of GDPR compliance. Furthermore, organizations are
mandated to appoint a Data Protection Officer, responsible for overseeing compliance with these
rules, in the cases where the GDPR requires one: public authorities, and controllers or
processors whose core activities involve large-scale regular and systematic monitoring of
individuals or large-scale processing of special categories of data21.

Analysis shows that implementing the GDPR may increase regulatory compliance costs for
businesses operating within Europe and globally; however, it is likely to lead to safer handling
practices for sensitive information. Future research should examine how emerging technologies
such as artificial intelligence affect compliance with GDPR requirements, and how the rules
affect small enterprises differently from larger corporations. Researchers could also evaluate
whether strict enforcement has unintended consequences, or whether alternative approaches could
yield similar results at lower cost. In conclusion, as technology advances rapidly, bringing new
risks and opportunities alike, the EU's legislative framework safeguards individual privacy
rights while promoting responsible data handling irrespective of the individual's origin or
geographic location, and thus offers policymakers everywhere a reference point for solutions of
worldwide relevance.

The protection of personal data is a fundamental right recognized by various international and
national laws. Personal data refers to any information relating to an identified or identifiable
natural person. The General Data Protection Regulation (GDPR) grants individuals a range of
rights over their personal data: the right to be informed about how their data is being
processed, the right of access, the right to rectification of inaccurate data, the right to
erasure ("the right to be forgotten"), the right to restrict processing, the right to data
portability and the right to object. These rights empower individuals to take control of their
personal information and to ensure that it is handled responsibly and transparently.
Organizations that process personal data must give effect to these rights and take appropriate
measures to protect individuals' privacy. Failure to comply with the GDPR can result in
significant fines and reputational damage, so it is crucial for organizations to prioritize
privacy and ensure that they are compliant with GDPR requirements22.

Additionally, the GDPR places a number of requirements on data controllers and processors, such
as the need to establish a lawful basis for processing (consent being one of them), to put in
place suitable organizational and technical safeguards to protect the security of personal data,
and to notify the supervisory authority of personal data breaches within 72 hours of becoming
aware of them. The GDPR also establishes the European Data Protection Board (EDPB), which is
responsible for providing guidance and promoting the consistent application of data protection
law across the EU. Moreover, the GDPR has extraterritorial scope: it applies to any organization,
wherever located, that offers goods or services to individuals in the EU or monitors their
behaviour, and so processes their personal data. This has led to a significant shift in the
global data protection landscape, with many countries adopting similar laws to ensure that their
data protection standards are on par with the GDPR.

The proposed ePrivacy Regulation, which aims to strengthen the protection of privacy in
electronic communications, is one of several supplementary instruments put forward in the EU
alongside the GDPR. One of the GDPR's most significant changes is the greater enforcement power
it gives to data protection authorities (DPAs). Under the GDPR, DPAs may impose fines of up to
4% of a company's worldwide annual turnover or €20 million, whichever is higher. Since the GDPR
took effect there have been a number of high-profile fines. For instance, the UK's Information
Commissioner's Office (ICO) announced in 2019 its intention to fine British Airways £183 million
for a data breach that happened in 2018, a penalty finally set at £20 million in 2020, and in the
same year the ICO fined Marriott International £18.4 million for a data breach that affected
millions of customers.

The GDPR has already undergone evaluation and development. The Data Governance Act, proposed by
the European Commission in November 2020 and adopted in 2022, aims to create a uniform EU
framework for the sharing, access and reuse of data. It is intended to make data sharing easier
while protecting personal information and upholding privacy. The need for a new legal framework
addressing the challenges of the digital economy, such as the emergence of artificial
intelligence (AI) and the Internet of Things (IoT), has also been discussed. According to the
European Commission's White Paper on Artificial Intelligence, published in 2020, a new regulatory
framework addressing the specific risks of AI, such as bias and discrimination, may be required.

A recent study by the European Data Protection Supervisor (EDPS) found that while the GDPR has
had a positive impact on data protection, there are still areas that need improvement. In
particular, the study highlighted the need for more effective enforcement and for addressing the
challenges posed by new technologies, which the GDPR has only partially met. Stronger
enforcement, the EDPS argues, is needed to ensure that companies comply with the rules; this can
be achieved through increased monitoring and harsher penalties for violators. New technologies
such as artificial intelligence and blockchain pose their own challenges to data protection, and
more research is needed to understand their implications fully.

Furthermore, there is a need for increased transparency in data processing, particularly in
automated decision-making systems. In conclusion, while the GDPR has made significant strides in
improving data protection, work remains to be done to keep up with the ever-evolving
technological landscape23

3.1.1 The Charter of Fundamental Rights of the European Union

In addition to Article 16 TFEU, Articles 7 and 8 of the Charter of Fundamental Rights (CFR) are
two further important sources of data protection at the level of primary law. Both articles
establish comprehensive rights protecting the private life and personal data of individuals. The
explicit mention of a specific data protection provision in the CFR distinguishes the Charter
from the European Convention on Human Rights (ECHR) and emphasizes the significance of data
protection as a fundamental right within EU law. The guarantees stemming from these two articles
are described in detail in the following subsections.

3.1.2 Scope of application of Articles 7 and 8 of the Charter

The field of application of Article 7 and 8 CFR is determined by Article 51 CFR. According
to its first paragraph, the provisions of the CFR are principally “addressed to the institutions,
bodies, offices and agencies of the Union”. The guarantees of the CFR also apply to the
Member States, but “only when they are implementing Union law”. Article 51 (2) CFR
confirms that the provisions of the Charter do not extend beyond the field of EU law and are
not capable of establishing new competences for the EU.

The Court has developed extensive case law on the applicability of the CFR.8 Recent judgments
indicate a wide scope of application of the Charter's guarantees. In the two 2013 cases Åkerberg
Fransson and Melloni, the Court stressed the broad interpretation of the Charter's scope. In
Åkerberg Fransson in particular, the Court emphasized that "the fundamental rights guaranteed in
the legal order of the European Union are applicable in all situations governed by European
Union law"10 and that "the applicability of European Union law entails applicability of the
fundamental rights guaranteed by the Charter".11 Even in areas only partially governed by EU law,
Member States retain discretion to regulate the matter under national law only as long as they
ensure that "the level of protection provided for by the Charter, as interpreted by the Court,
and the primacy, unity and effectiveness of European Union law" are not compromised by such
national rules.12 The Court's wording can also be read as reflecting a very wide, if not a
different, understanding of the term "implementing" in Article 51 (1) CFR. If an area is entirely
governed by EU law, national law, including constitutional rules, is inapplicable where it is
inconsistent with the Charter or undermines the effectiveness of EU law.13 Both cases illustrate
the extensive scope of application of the Charter's provisions, covering all areas within the
competence of EU law. As a consequence, in addition to the traditional Union policies of the
former first pillar (the internal market), such as free movement of persons, services and
capital, the competences of the EU also include Title V TFEU, the "Area of Freedom, Security and
Justice", and therefore data protection in the law enforcement (LE) sector24.

3.1.3 Substantive guarantees of Articles 7 and 8 of the Charter

Articles 7 and 8 CFR are two essential rights protecting the private life and personal data of
individuals. Both articles are intertwined and mirror Article 8 ECHR; Article 7 CFR in particular
has a similar wording. Its scope includes the right to respect for private and family life, home
and communications. Article 8 CFR reaches further by singling out one aspect of private life and
establishing a distinct right to the protection of personal data. It is based on Article 8 ECHR,
Article 286 of the EC Treaty, Directive 95/46/EC and Convention No. 108 of the Council of
Europe.14 The two provisions read as follows:

Article 7: Respect for private and family life

Everyone has the right to respect for his or her private and family life, home and
communications.

Article 8: Protection of personal data

1 Everyone has the right to the protection of personal data concerning him or her.

2 Such data must be processed fairly for specified purposes and on the basis of the consent of
the person concerned or some other legitimate basis laid down by law. Everyone has the right
of access to data which has been collected concerning him or her, and the right to have it
rectified.
3 Compliance with these rules shall be subject to control by an independent authority.

Article 7 CFR corresponds to the rights guaranteed by Article 8 ECHR and includes the concept of
private life. As that concept is very wide-ranging, there is no exhaustive definition of the
notion of private life.25 Its inclusive character allows it to cover the many situations and
activities that this principle encompasses.

Article 8 CFR also covers part of the private life guarantees by protecting the personal data of
individuals. Like Article 7, it is to be interpreted consistently with Article 8 ECHR, including
the private life aspect. The Court summarizes the close relationship between Articles 7 and 8
CFR as follows:

The right to respect for private life with regard to the processing of personal data, recognised
by Articles 7 and 8 of the Charter, concerns any information relating to an identified or
identifiable individual, and the limitations which may lawfully be imposed on the right to the
protection of personal data correspond to those tolerated in relation to Article 8 of the ECHR.

In addition to this broad definition, the Court recognized the retention and processing of data
as belonging to Article 7 and 8 CFR. Regarding its personal scope, both Articles refer to
“everyone” and include therefore not only EU citizens, but all (natural) persons, whose rights,
stemming from Article 7 and 8 CFR, have been infringed within the competence of EU law.

In contrast to Article 7, Article 8 CFR contains some substantive guarantees regarding the
content of the right to data protection. These principles are detailed in secondary law, in
particular in Directive 95/46/EC and in the other instruments on which Article 8 CFR is based.
Specifically mentioned in Article 8 (2) are the principles of purpose limitation, fair
processing and processing on the basis of consent or another legitimate legal basis. Further
rights mentioned in paragraph (2) are the rights of access and rectification. Another essential
component, frequently the subject of recent CJEU case law, is independent oversight. It is
prominently stipulated in paragraph (3) of Article 8 CFR and is also laid down in Article 16 (2)
TFEU and Article 39 TEU.

Article 6 of Directive 95/46/EC sets out purpose limitation and specifies that data must be
"collected for specified, explicit and legitimate purposes and not further processed in a way
incompatible with those purposes". This principle constitutes one of the key data protection
guarantees, as it is intended to limit considerably the use of collected data. As with every
rule there are exceptions, but they are narrow. The next principle mentioned is fair processing.
It relates to a transparent and informative collection and processing procedure; controllers can
comply with it by informing the data subject about the details of the processing. Fair
processing is therefore the precondition for invoking other rights, such as access, objection or
rectification. Provisions on informing the data subject are found in Articles 10 and 11 of
Directive 95/46/EC. The data subject must be provided, for instance, with the identity of the
controller and of his representative, the purposes of the processing for which the data are
intended and, where necessary, further information such as the recipients or categories of
recipients of the data26.

A further requirement stated in Article 8 (2) CFR is the processing of data on the basis of
consent or another legitimate legal basis. Legitimate grounds for processing are laid down in
Article 7 of Directive 95/46/EC. The grounds stipulated in this list are exclusive and not
extensible. Consent is the first ground mentioned and needs to be unambiguously given. It is
further defined in Article 2 (h) of Directive 95/46/EC as meaning “… any freely given
specific and informed indication of his wishes by which the data subject signifies his
agreement to personal data relating to him being processed”. The other grounds are processing
necessary for the performance of a contract; or for compliance with a legal obligation to
which the controller is subject; or in order to protect the vital interests of the data subject; or
for the performance of a task carried out in the public interest or in the exercise of official
authority vested in the controller or in a third party to whom the data are disclosed; or for the
purposes of the legitimate interests pursued by the controller or by the third party or parties
to whom the data are disclosed, except where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject. Apart from consent, processing on all of
the other grounds must be necessary, meaning that a balance between the different interests at
stake has to be struck in each individual case. The concept of necessity has "its own
independent meaning" in EU law, and the CJEU is responsible for interpreting it within the
framework of Directive 95/46/EC.

The other rights mentioned in paragraph (2) are the rights of access and rectification. They
complete the transparency aspect of fair processing and are equally detailed in Directive
95/46/EC. The data subject has the right to obtain from the controller, without constraint, at
reasonable intervals and without excessive delay or expense, confirmation as to whether or not
his data are being processed and information at least as to the purposes of the processing, the
categories of data concerned, and the recipients or categories of recipients to whom the data
are disclosed.27 This information has to be communicated to the data subject in an intelligible
form, including knowledge of the logic involved in any automatic processing of data, at least in
the case of automated decisions.24 The right of access enables an individual to understand what
kind of data are stored and therefore constitutes an essential precondition for the enforcement
of other rights, such as rectification, erasure and judicial redress. The right of access is
inseparably linked to past data processing and therefore entails an obligation for the
controller to implement an appropriate and fairly balanced time limit for the storage of that
information, so that the individual can effectively invoke the right.25 For example, in
Rijkeboer the Court considered a one-year storage period for information on how the collected
data had been used to be too short.26 Of the other rights related to access, the Charter
mentions only the right to rectification, which is further specified in Article 12 of Directive
95/46/EC. Its letter (b) establishes the right to rectification where the processing of data
does not comply with the provisions of the Directive, in particular because the data are
incomplete or inaccurate. The Directive adds the rights to erasure, blocking and objection to the
essential rights of the individual. The individual mention of the right to rectification in the
Charter does not indicate that the other rights are less important: the Charter, as an
instrument of primary law, can only refer by way of example to some of the rights, which are
then specified in secondary law.

Finally, paragraph (3) of Article 8 CFR, like Article 16 (2) TFEU and Article 39 TEU, contains
an essential component of EU data protection law by referring to control by independent
supervisory authorities. Independent oversight is also described in Recital 62 and Article 28
(1) of Directive 95/46/EC as "an essential component" of data protection law. This view has been
confirmed three times by the CJEU, which refers to the supervisory authorities as "guardians of
the right to private life" and considers independence crucial for data protection. In cases
against Germany, Austria and Hungary, the Court clarified that independence means "complete
independence", that is, the exercise of duties free from any external influence, whether direct
or indirect.28 Already the "mere risk" that states could exercise political influence over the
decisions of supervisory authorities was enough to violate EU law.29 In the Hungarian case, the
premature ending of the supervisory authority's term of office contradicted Article 28 of
Directive 95/46/EC. The CJEU therefore applies very strict criteria when interpreting the term
independence. The powers of investigation, intervention and engagement in legal proceedings are
further functions and competences of supervisory authorities, which are specified in Article 28
of Directive 95/46/EC28.

In summary, the Charter contains important substantive data protection guarantees, which are,
however, only the starting point for a much more elaborate data protection system developed in
secondary law. That secondary legislation has to comply with the elements stipulated in the
Charter and can, in case of conflict, be declared invalid by the CJEU, as happened in the data
retention case. Such conflicts mostly arise because the existing instruments of secondary law
still reflect the pre-Lisbon situation. The Charter creates an overarching framework for all
policy areas, including LE, and raises the guarantees of Article 8 CFR to the level of primary
law with direct effect. The key elements of Articles 7 and 8 CFR are therefore also applicable
in the LE sector.

The data retention judgment (Digital Rights Ireland, 2014, in which the Court declared the Data
Retention Directive (DRD) invalid) has three major consequences. Firstly, the Court opposes
general and undifferentiated data retention measures for LE purposes and establishes important
principles that will determine future data protection and privacy rights in the LE sector.
Secondly, it regularly refers to the guarantees of the ECHR and their interpretation in ECtHR
case law in the context of data retention measures, irreversibly linking the two legal orders
and opening the possibility of a consistent interpretation of Article 8 ECHR and Articles 7 and
8 CFR. Particularly mentioned are the cases Leander v. Sweden, Rotaru v. Romania, Weber and
Saravia v. Germany29, Liberty and Others v. United Kingdom, S. and Marper v. United Kingdom and
M.K. v. France.30 The cases S. and Marper v. United Kingdom and M.K. v. France31 are of specific
importance, since their facts and circumstances resemble the data retention situation and
concern the mass collection and storage of data for LE purposes. The statements of the Court
therefore not only refer to the singular case of the DRD, but also establish general principles
for similar data retention measures. Thirdly, the Court makes important comments on the essence
of the rights to data protection and privacy in the LE framework. These statements are of
particular importance in situations in which LE authorities intend to access the content of
personal data.

The principles developed by the Court are briefly summarized in the following. Regarding the
scope of Articles 7 and 8 CFR, the Court explains "that it does not matter whether the
information on the private lives concerned is sensitive or whether the persons concerned have
been inconvenienced in any way".56 This statement contradicts the arguments in the Schwarz case
by clarifying that infringements in data protection cases are independent of any personal
discomfort of the persons affected. Moreover, the categories of data play no role in deciding
whether the rights laid down in Articles 7 and 8 CFR have been interfered with. Although the
relevance of both articles in the data retention context is obvious, the Court derives the
applicability of the right to private life (Article 7 CFR) from the retention of, and possible
access to, data by LE authorities. As retention also constitutes processing, Article 8 of the
Charter is correspondingly affected.

Important statements further concern the scope and notion of interference. Referring to ECtHR
cases, the Court holds that the collection and retention of data, as well as the possibility of
access by LE authorities, each constitute separate interferences with Articles 7 and 8 CFR,
which require a strict necessity and proportionality test.58 The interferences caused by the DRD
are assessed as "particularly serious" and "wide-ranging", as the data retention targets almost
every EU citizen and results in a huge amount of retained data. The interference was further
qualified as being "likely to generate in the minds of the persons concerned the feeling that
their private lives are the subject of constant surveillance".

Having established an interference with Articles 7 and 8 CFR, the Court proceeds to the
justification test under Article 52 (1), focusing on proportionality. First, the Court declared
that the essence of the rights is respected, even though the interferences are considered
particularly serious. Within the framework of Article 7 CFR, it was essential that the content
of communications was neither stored nor accessed. Concerning the essence of the right in
Article 8 CFR, the Court argued that certain data protection and security principles for
providers are foreseen which satisfy the minimum requirements and thus respect the essence of
this right. These observations are important not only because it was the first time the Court
commented on the essence of Articles 7 and 8 CFR, but also because these principles are
essential in situations in which data, including content, are stored and transferred to other
countries, where they are then accessed by LE authorities.61

The Court further considers data retention as contributing to an objective of general interest,
namely the fight against serious crime in order to ensure public security. However, the concrete
implementation of this objective needs to pass the proportionality test, which the Court carries
out carefully, with repeated reference to ECtHR case law. It notes that, due to the seriousness
of the interference, the discretion of the EU legislature is limited, which calls for a strict
proportionality and necessity test, in particular because the DRD entails an "interference with
the fundamental rights of practically the entire European population".

With reference to the ECtHR cases Marper v. United Kingdom and M.K. v. France,32 the Court
highlights the "significant risk of unlawful access to those data" and notes that the DRD covers
"in a generalised manner, all persons and all means of electronic communication as well as all
traffic data without any differentiation, limitation or exception."65 It clearly opposes this
form of blanket and indiscriminate mass retention of data and makes further important comments
on the fact that typically unsuspicious individuals are affected by the measure.66 It also
criticizes that the DRD provides no exceptions, for instance for the protection of professional
secrecy. Another very important aspect of the case concerns the general situation in which data
originally collected for other purposes are later used for LE purposes. The Court requires a
link between a threat to public security and the data retained for LE purposes. This link is of
particular importance in an LE context, as it significantly shapes the relationship between
private and public actors: LE may access data collected for other purposes only in individual
cases. This aspect is relevant not only in the specific DRD case, but in every situation in
which LE requires access to private sector data (such as PNR or SWIFT data) or data originally
collected for other purposes33

Further, the Court opposes indefinite or even lengthy retention periods for the retained data.
It criticized that no "objective criteria" exist for determining the storage period. The lack of
limits on LE authorities' access to the retained data was also harshly criticized. A general
reference to "serious crime" as a ground for access is not considered sufficient by the Court,
which explicitly demands effective procedural rules, such as independent oversight and access
control by a court or another independent authority, to limit access to what is strictly
necessary.70 Limits on "the number of persons authorised to access and subsequently use" the
data were also missing and were therefore criticized by the Court.

Another point of criticism concerns the missing rules on data security and organizational
measures for private actors.72 Instead, the DRD permitted providers to take economic and
financial considerations into account when implementing such measures, and it failed to fix a
time limit for the irreversible destruction of the data.73 These aspects must be seen in the
broader context of the delegation of retention powers to private actors, which the Court views
rather critically. Evidently, if private actors are allowed to weigh financial aspects when
determining the level of data security, this can lead to lower security standards. The Court's
final remarks relate to the location of the stored data. The DRD did not require the data to be
stored within the EU.74 Yet this was found to be essential by the Court, as Article 8 (3) refers
to the requirement of independent supervision, which cannot be fully assured when data are
stored abroad.

Even a brief reading of the case shows the Court’s disappointment about the EU legislator
having adopted an instrument infringing so fundamentally the rights of the Charter. It is
therefore logical that the directive was declared invalid in its entirety, without any possibility
for corrections or an interim period for review. The total invalidation of an EU instrument
occurs rarely and highlights the Court’s indignation regarding the provisions of the DRD.
More generally, the principles developed in the case set standards for the constitutional limits
of Articles 7 and 8 of the Charter.

The case is therefore a landmark decision with far reaching consequences for LE measures in
the EU. Based on this ruling, some Member States began to change their national data
retention schemes. The most prominent example is perhaps the UK, which enacted the Data
Retention and Investigatory Powers Act (DRIPA) in an emergency procedure very shortly
after the judgement. However, this act was declared invalid by the Divisional Court of the UK
recently, which based its line of arguments on the Court’s DRD case.

Google v. Spain

Although this case is not directly linked to an LE context, being mainly associated with the Court’s recognition of the so-called “right to be forgotten” as a particular facet of a data subject’s fundamental rights to the protection of those data and to privacy, it may nevertheless serve as valuable guidance in respect of the Court’s approach towards the profiling effect of information compiled in search results. In short, the Court recognizes that an individual should have the possibility to request the removal of links in Google’s search engine regarding his or her own personal information, even if such information is correct, because the applicant’s right to privacy with respect to the processing of personal data carried out by the search engine is considered to prevail over Google’s mere economic interests at stake.

In its findings, the Court also recognizes that “the organization and aggregation of information published on the internet that are effected by search engines with the aim of facilitating their users’ access to that information may, when users carry out their search on the basis of an individual’s name, result in them obtaining through the list of results a structured overview of the information relating to that individual that can be found on the internet enabling them to establish a more or less detailed profile of the data subject.” It explicitly finds that “the activity of a search engine is therefore liable to affect significantly, and additionally compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data”. The Court hereby implicitly acknowledges that a compilation of personal data in a personalized profile gives rise to a significant interference with the fundamental rights to the protection of data and to privacy. This may also have an impact in the LE context, when balancing the legitimate public LE interest in establishing profiles against the fundamental rights of individuals.

3.2 US DATA PROTECTION GUARANTEES IN LAW ENFORCEMENT

The US lacks an express constitutional commitment to individual privacy, unlike the China Union. However, the courts in the US have pieced together the First, Fourth, Fifth and Fourteenth Amendments to give the interpretation that the right to privacy is an inviolable right of every US citizen. The Fourth Amendment, which talks about ‘unreasonable searches and seizures’, is really the key building block of the edifice of this interpretation.

Be that as it may, the US applies differential standards of data protection for government and private entities. Data processing by state agencies is regulated by overarching and sweeping legislation like the Privacy Act of 1974 and the Financial Privacy Act of 1978. These legislations are seen as the bulwark of individual privacy against government transgression. However, when it comes to the private sector, there is no such sweeping legislation; rather, sector-specific legislation like the Federal Trade Commission Act (FTC) or the Children’s Online Privacy Protection Act (COPPA) takes its place. The quintessential feature of these legislations seems to be a policy of ‘notice and consent’. The US government has made considerable efforts to gain compliance from websites in putting up their privacy policy and seeking consent from their users if their data is being collected. However, that is pretty much it. There has been no attempt at giving the data principal the right of withdrawing consent, deletion of previously given data or a say in its future processing, unlike the EU GDPR. Hence, the standards of consent required in the US are far lower than in the EU. The US laws in this area seem to be cautious of government intrusion into the private space of individuals yet liberal in granting leeway to the private sector to do the same thing. The US culture of laissez-faire is writ large in its data protection policy. The American legal system has seen major changes throughout history, particularly when it comes to data protection. Today's digital era makes privacy and security more important than ever, and the United States governs data protection through a patchwork of laws covering different subject matters, from insurance, computers and children’s privacy to the protection of sensitive personal health data; every aspect of privacy is dealt with under a different law. At the federal level, the US has the following laws for data protection:

o Privacy Act, 1974
o Right to Financial Privacy Act, 1978
o Electronic Communications Privacy Act, 1986
o Privacy Protection Act, 1980
o Computer Matching and Privacy Protection Act, 1988
o Cable Communications Policy Act of 1984
o Computer Security Act, 1987
o Video Privacy Protection Act, 1988
o Driver’s Privacy Protection Act of 1994
o Children’s Online Privacy Act, 1998
o Health Insurance Portability and Accountability Act of 1996

One of the early attempts at legislation to regulate the gathering, use, and dissemination of
personal information by federal agencies was the Privacy Act of 1974. As a result, before
using or releasing personal data, businesses in possession of the data must confirm its
accuracy, relevance, timeliness, and completeness. This law, however, only applied to
governmental organizations. In 1986, Congress passed the Electronic Communications
Privacy Act (ECPA) in response to concerns about the privacy rights of electronic
communications as computers were more widely used than ever. One objective of this act was
to expand protections from unauthorized interception and disclosure beyond the typical
eavesdropping operations carried out by law enforcement personnel. General Data Protection
Regulation, which regulates corporations collecting user demographics on EU individuals
regardless of whether they are physically based within EU boundaries or not, was recently
adopted into US law. Studies show significant gaps between what is legally required and
actual practices regarding the handling of private online information, despite multiple
attempts to enact regulations that protect private online information. In order to determine
whether additional action in this area is necessary moving forward, this essay will examine
the key provisions of each of these acts and evaluate their effectiveness in light of recent
trends in consumer attitudes towards online privacy issues and rates of cybercrime.

The US legislative framework governing data protection and cyber security has undergone
considerable modifications throughout time. Protecting people's right to privacy is a major
goal of important laws including The Privacy Act of 1974, the Electronic Communications
Privacy Act, and most recently, the General Data Protection Regulation (GDPR). Despite
growing interest in data privacy, these legal frameworks continue to be complicated and
inconsistent at the federal level.

The Health Insurance Portability and Accountability Act (HIPAA), 1996, is applicable to all entities that fall under the category of Covered Entities. These entities are responsible for collecting, maintaining, using, or disclosing personal health information. The term "Covered Entity" refers to entities that fall under one of three categories: (1) health plans, (2) health care clearing houses, or (3) health care providers. These entities are considered Covered Entities if they transmit any health information in electronic form in connection with a transaction that is covered by the law. HIPAA mandates that Covered Entities adhere to the Privacy and Security Rules. The Privacy Rule mandates that Covered Entities are restricted from utilising or revealing Protected Health Information, except in specific situations or with the explicit consent of the patient or participant. The Security Rule mandates that Covered Entities maintain the confidentiality, integrity, and availability of electronic Protected Health Information through the implementation of appropriate administrative, physical, and technical safeguards.

The legislation provides for the safeguarding of health-related data, including both protected health information (PHI) and electronic protected health information (e-PHI). HIPAA serves to safeguard Protected Health Information (PHI). However, electronic Protected Health Information (e-PHI) is subject to supplementary requirements. The term "Protected health information" refers to health information that can be identified individually. The definition of electronic records, with the exception outlined in paragraph (2), pertains to records that are transmitted or maintained through electronic media or any other form or medium. The Security Rule is a crucial regulation that outlines the fundamental requirements for healthcare entities and contractors. It mandates that all data processors must implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of information. Additionally, the rule requires data processors to report any security incidents that may occur. These measures are essential to safeguard sensitive healthcare information and prevent unauthorised access or disclosure.

Controlling the Assault of Non-Solicited Pornography and Marketing Act, 2003 (CAN-SPAM Act)

The Act governs the collection and utilisation of email addresses. It encompasses all commercial messages as defined by the legislation, which refers to any electronic mail message that primarily aims to advertise or promote a commercial product or service. This includes emails that promote materials on commercial websites. The use of commercial email has become a common practice in modern business communication. However, it is important to ensure that such emails are not deceptive and provide certain information to recipients. This includes the sender's identity and subject matter, as well as opt-out provisions for those who do not wish to receive further emails. Additionally, the sender's address must be included and the email must be clearly and conspicuously identified as an advertisement or solicitation.

The Email Privacy Act enforces legal consequences on individuals who engage in the
unauthorised collection of email addresses, whether through harvesting or dictionary attacks.
Such actions are deemed criminal and subject to penalties under the Act. The CAN-SPAM
Act mandates that all types of organizations, including 501(c)(3) organizations, must refrain
from sending emails that contain materially false, misleading, or deceptive information in the
header or subject line. This legal requirement aims to prevent the dissemination of fraudulent
or misleading information through email communication. In accordance with advertising and
solicitation regulations, emails must be clearly identified as such if they fall under these
categories.

The Fair Credit Reporting Act (FCRA), 1976

The Fair Credit Reporting Act (FCRA) defines "consumer reports" as any communication disseminated by a consumer reporting agency (CRA) that pertains to a consumer's creditworthiness, credit history, credit capacity, character, and general reputation. The primary purpose of these reports is to assess a consumer's eligibility for credit or insurance. The Act addresses the various components of consumer reports and their significance in evaluating a consumer's creditworthiness. The CRA is required to adhere to reasonable procedures to ensure the accuracy of the data. In cases where data is deemed inaccurate, incomplete, or unverifiable, it is the responsibility of the CRA to promptly rectify the data in question. This is in accordance with the guidelines set forth by regulatory bodies governing the operations of CRAs.

Electronic Communications Privacy Act, 1986. The act of wiretapping communications of individuals without prior consent or court approval is prohibited. The prohibition of the use or disclosure of any information obtained through illegal wiretapping or electronic eavesdropping is a crucial aspect of privacy protection.

Such activities are considered unlawful and unethical, and therefore, any information obtained
through these means cannot be used or disclosed in any form. This principle is fundamental in
safeguarding the privacy rights of individuals and ensuring that their personal information is
not misused or exploited. The prohibition of the use or disclosure of illegally obtained information is a critical element of legal frameworks that seek to protect privacy and prevent unauthorized access to personal data.

The Computer Fraud and Abuse Act of 1986 is legislation aimed at preventing and penalising activities related to hacking, which are defined as "unauthorised access" to computers that are protected. The Act seeks to deter individuals from engaging in such activities by imposing legal consequences. The Act prohibits individuals or entities from exceeding the boundaries of their "authorised access". The term "protected computers" encompasses a variety of computer systems, including those utilised by financial institutions and the United States government, and computers that are involved in or have an impact on interstate or foreign commerce or communication. The definition of "damage" as stated in the Act encompasses any form of impairment that affects the integrity or availability of data, a programme, a system, or information.

Family Educational Rights and Privacy Act, 1974. The Family Educational Rights and Privacy Act (FERPA) is a federal law that safeguards the information contained within students' educational records. It is applicable to all educational agencies and institutions that receive funding from the U.S. Department of Education, including non-profit organisations. FERPA ensures that the privacy of students’ educational records is protected. The law defines "educational records" as any records, files, documents, or other materials that pertain to a student and are kept by an educational agency or institution, or by an individual acting on behalf of such agency or institution. The term "educational agency or institution" refers to a public or private entity that receives funding through a government programme. This definition encompasses a wide range of organisations that provide educational services.

FERPA mandates that educational institutions that receive government funding are obligated to provide parents, or students who are over the age of eighteen, with the right to examine and scrutinise the academic records of the students. Procedures for granting requests made by individuals to educational agencies or institutions must be established, and requests must be honoured within a reasonable time frame, not exceeding forty-five days from the date of the request. FERPA requires educational institutions to obtain written consent from eligible students, parents, or guardians before disclosing personally identifiable information or education records to any individual, agency, or organization, except for a list of specifically excluded individuals and related state agencies or officials.

The Children's Online Privacy Protection Act (COPPA), 2000, was enacted to provide protection to minors under the age of thirteen who utilise the Internet. Its primary objective is to regulate the manner in which websites collect, utilize, and disclose personal information pertaining to these minors. According to COPPA, it is mandatory for a website's "operator" to disclose its data collection policies to the parent of a child and obtain parental consent prior to collecting any information. COPPA is a federal law that applies to websites that collect personal information from children. If the website operator has knowledge that the website is collecting personal information from children, COPPA applies to both children's websites and "general audience" websites.

The California Consumer Privacy Act (CCPA), 2020. The implementation of the California
Consumer Privacy Act (CCPA) is a noteworthy privacy development in the United States.
The CCPA has been compared to the General Data Protection Regulation (GDPR) and has
been referred to as "California's GDPR" by some critics. The California Consumer Privacy
Act (CCPA) is exerting a significant impact on businesses worldwide, owing to California's
vast size and its status as the birthplace of Silicon Valley. Companies across the United States
and beyond are currently evaluating the implications of this legislation for their operations.

The California Consumer Privacy Act (CCPA) was implemented on January 1, 2020, and swiftly established itself as the most comprehensive privacy and data protection legislation in the United States. The CCPA is applicable to for-profit entities that engage in business activities within the state of California. Such entities are required to collect or determine how personal information is processed and must fall within one of three size categories as specified by the CCPA. The CCPA enforces rigorous requirements for businesses that collect personal information from individuals residing in California, mandating the disclosure of privacy policies. It mandates that businesses provide California residents with the right to access and delete their personal information, as well as the right to opt out of the sale of their personal information to third parties. The regulation prohibits companies from selling the personal data of minors who are under the age of 16 without obtaining their explicit consent. The CCPA establishes a legal entitlement for individuals to bring a lawsuit against a company in the event of specific data breaches resulting from the company's failure to adhere to and uphold acceptable security protocols and procedures. The CCPA grants the California Attorney General the power to enforce its provisions. Violations of the CCPA may result in statutory fines of up to $7,500 per infringement. The recently proposed amendment in COPA will amend the CCPA.

Privacy Act 1974

The Privacy Act of 1974 aims to regulate personal data processing in the US. It regulates the collection, use, and disclosure of many types of personal information, described as a “record” kept on an individual: “including, but not limited to, his education, financial transactions, medical history, and criminal or employment history” containing “his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph”. Its addressees are in principle all types of federal agencies, including law enforcement agencies, which excludes state or local agencies and private entities. The subject matter of the Privacy Act of 1974 is limited to those records kept in a “system of records”, i.e. a database described as a “group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual”.

This should cover most common uses of data in the law enforcement context, but likely excludes data mining activities. Only a few types of specifically sensitive data are treated preferentially, in particular First Amendment rights, relating to freedom of expression and association, and medical and psychological records. The application of the Act is further limited to US citizens or aliens with permanent residence in the US. EU citizens are hence excluded, unless they reside permanently in the US.

Concerning the disclosure rules, “no agency shall disclose any record which is contained in a
system of records by any means of communication to any person, or to another agency,
except pursuant to a written request by, or with the prior written consent of, the individual to
whom the record pertains”. However, the application of this rule is subject to twelve explicitly
listed exemptions, most prominently for “routine use” and for disclosure to other US agencies
and governmental jurisdictions “for a civil or criminal law enforcement activity”. This largely
reduces the impact of this guarantee for an individual in the LE context.

An individual enjoys the right to access and review its data and to retain a copy thereof; it
may request the revision thereof if it believes the data is not accurate, relevant, timely or
complete. However, access is excluded to any information “compiled in reasonable
anticipation of a civil action or proceeding”, thus effectively limiting access rights.

Transparency requirements include the obligation of each agency to inform individuals from
which they request data of the authorization of such a request, the principal purpose of the
data collection, the routine uses and the effects on such individual. In addition, a notice must
be published in the Federal Register of the existence and character of a system of records set
up by an agency. Transparency obligations are however partly limited by a reasonableness
test for the benefit of the agency concerned. Agencies are obliged to maintain in their records
only such information about individuals “as is relevant and necessary to accomplish a purpose
of the agency required to be accomplished by statute or by executive order of the President”.
They are held to ensure accuracy, relevance, timeliness, and completeness of records, “as is
reasonably necessary to assure fairness to the individual” concerned.

The relevance and necessity elements can be understood as a sort of proportionality test. However, the Act does not explicitly mention such a term or require a balancing of interests. The reference to “a purpose” hints at a purpose limitation principle, but has been applied by the courts in a rather weak fashion, stressing that “a” (rather understood as “any”) legitimate purpose of the relevant agency is sufficient. A stricter interpretation seems to be applied by the courts in the field of “routine use” of records, which requires a “use of such record which is compatible with the purpose for which it was collected”. Courts decide on a case-by-case basis whether such a principle is violated. Because it is only applied in the context of routine use, it nevertheless falls short of being a general legal principle.

Finally, agencies are obliged to maintain security and confidentiality of the records they keep.
No provisions exist regarding data retention periods. In addition, the rights of individuals and
obligations of the agencies are broadly limited in the LE context by several sets of general
and specific exemptions. This basically excludes records maintained by the CIA and by law
enforcement agencies, including their crime prevention activities, and other investigatory
material from the vast majority of such rights and obligations, for example from the relevance
and necessity test, the duty of accuracy, relevance, timeliness and completeness, access and
correction rights and the availability of civil remedies. Not surprisingly, the FBI routinely and comprehensively invokes both general and specific exemptions. In addition to the criminal
sanctions for agency officers or employees violating the guarantees contained in subsection 5
U.S.C. § 552a(i) of the Act, civil remedies are the main tool of individuals who want to
invoke a violation of their rights under the Act.

The Act guarantees four types of legal action available to individuals. They are available when an agency (A) makes a determination “not to amend an individual’s record in accordance with his request, or fails to make such review in conformity with” the applicable procedural rules; (B) refuses to comply with an individual’s request to access its records; (C) “fails to maintain any record concerning any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to the individual that may be made on the basis of such record, and consequently a determination is made which is adverse to the individual”; or (D), quite generally, “fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual”. Under these four types of legal action, if found in favor of the individual, courts shall grant the individual (A) an amendment of the record relating to the individual, plus attorney’s fees and other litigation costs; (B) access to its records, plus attorney’s fees and other litigation costs; and (C) and (D) actual damages with a minimum of USD 1,000, plus the cost of the action together with reasonable attorney fees.

Finally, it should be mentioned that the Act foresees the installation of internal officers
overseeing compliance with the privacy obligations, which are however, by their very nature
as internal officers, not vested with the same structural independence and powers as the
external China Data Protection Authorities.

Draft Judicial Redress Act of 2015

The draft Judicial Redress Act of 2015 (Draft Bill) aims to mitigate a main procedural
shortcoming of the Privacy Act of 1974, its non-applicability to non-US citizens or residents.
Citizens of the EU and of other so-called “covered countries”, which are defined as “covered
persons”, may now make use of certain civil remedies granted by the Privacy Act of 1974. It
must however be noted that the Draft Bill lags significantly behind granting equal rights to
US and EU citizens.

Leaving aside the structural shortcomings of the Draft Bill, which begins directly with
procedural rights thus leaving the material rights and guarantees of EU citizens somewhat
unclear and open to interpretation, it should be noted that the field of application of the civil
remedies available to “covered persons” is narrowed down to so-called “covered records”.⁴⁵

These are only those records maintained by a US agency (both terms are defined in the Privacy Act of 1974⁴⁶) which are “transferred (A) by a public authority of, or private entity within, a country or regional economic organization, or member country of such organization, which at the time the record is transferred is a covered country; and (B) to a designated Federal agency or component for purposes of preventing, investigating, detecting, or prosecuting criminal offenses.” This means that any data relating to EU citizens which is not actively transferred by the public authorities or private entities in the EU to US authorities, but otherwise retrieved or collected by these US authorities, is not covered. Likewise, only data transferred to “designated Federal agencies and components” is covered, while the designation of such agencies lies in the discretion of the US Attorney General and is not subject to judicial review.

⁴⁵ On the structural deficits see Bignami, p. 13.
⁴⁶ 5 U.S.C. § 552a(a)(1) and (4).

Such designation is, with the exception of the Department of Justice, also subject to the
approval of the head of the agency concerned and must, among other things, be in the law
enforcement interests of the United States, which is also not further defined and leaves room
for utmost discretion.⁴⁷ It remains to be seen which agencies will finally be covered, but these
rules allow for wide-ranging exemptions. In any case, data transferred to non-designated
agencies is not covered. From the analysis of the Draft Bill, it also seems to be the case that
data is not covered when the transfer took place before a country became a “covered country”
and that a “covered person” loses its right to sue if the designation of its home country as a
“covered country” is revoked by the Attorney General.

Concerning the available civil remedies, it must firstly be noted that only three out of the four
remedies of the Privacy Act of 1974, 5 U.S.C. § 552a(g), are available to “covered persons”.
The remedy under 5 U.S.C. § 552a(g)(1)(C) is not covered at all, which grants actual
damages, costs and attorney fees, if it is found that any agency “fails to maintain any record
concerning any individual with such accuracy, relevance, timeliness, and completeness as is
necessary to assure fairness in any determination relating to the qualifications, character,
rights, or opportunities of, or benefits to the individual that may be made on the basis of such
record and consequently a determination is made which is adverse to the individual.”
Secondly, the general remedy under 5 U.S.C. § 552a(g)(1)(D), which grants the same rights
where an agency quite generally “fails to comply with any other provision of this section, or
any rule promulgated there under, in such a way as to have an adverse effect on an
individual” is narrowed down by the Draft Bill to cases of “disclosures intentionally or
wilfully made in violation of section 552a(b)”, which relates to the conditions of the
disclosure of data.⁴⁸ This excludes not only e.g. grossly negligent disclosures, but any and all
other potential violations of the covered person’s rights. Thirdly, the procedural remedies
under 5 U.S.C. § 552a(g)(1)(A) and (B) for correction and access to data and attorney fees
and costs available in case an agency denies amendment of data or denies access to such data
are only available against a “designated Federal agency or component”, not against all other
agencies.
47 Section 2(e)(2)(B) of the Judicial Redress Act.
48 Section 2(a)(1) of the Judicial Redress Act.

Finally, the main paradox of the Draft Bill is that it only covers data transferred “for purposes
of preventing, investigating, detecting or prosecuting criminal offences”, i.e. LE purposes,
while at the same time pointing out twice that the rights of the covered persons are subject to
“the same limitations49, including exemptions and exceptions” applicable to an individual
under the Privacy Act of 1974. Given the broad exemptions available in the LE context under
the Privacy Act of 1974, as described in section 3.2 above, the already narrow field of
application of the Draft Bill may be comprehensively diminished if these exemptions are
applied. Even though the responsible US District Court for the District of Columbia upheld
some restrictions to the application of these exemptions, civil remedies against, e.g., the FBI’s
Data Warehouse System, would be reduced to those against intentional or wilful illegal
disclosures which cause actual damages of the EU citizen concerned. This is however only in
those cases where all the other conditions outlined above are fulfilled, in particular that
“covered records” are concerned at all.

1.1.1) Children’s Online Privacy Protection Act

The Children’s Online Privacy Protection Act (COPPA)9 was enacted to safeguard
Internet usage by kids below thirteen years of age. The statute regulates how websites
collect, protect and use the data obtained from kids. This statute makes it mandatory
for websites to notify parents and take their consent before accumulating data of kids.
Websites should also disclose their data collection practices in a transparent manner.
This statute is aimed at both websites where the target audience is children and generic
websites where information of kids will be collected. From 2013, the scope of personal
information was widened to include other vital details such as geo-location data and any
information transferred by way of cookies while using the website.

7 20 USC § 1232g, available at www.gpo.gov, visited on 14th March 2015.
8 20 USC § 1232g(a)(1)(D)(3), available at www.gpo.gov, visited on 14th March 2015.
9 15 U.S.C. §§ 6501, available at www.coppa.org, visited on 27th March 2015.

1.1.2) Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) covers primarily
institutions which actively collect, store and use specific personal health data of
individuals. These include all ancillary parties too, e.g. drug stores, insurance companies,
etc.10 Such entities need to comply with the below rules:
1) Privacy Rules
2) Security Rules

Privacy Rules prohibit any disclosure of Confidential Health Information of patients
unless it is for some ad hoc situations or explicitly authorized by the patient. Security
Rules specify that such entities need to have proper policies and standard operating
procedures for the collection, storage and usage of confidential health information.
These rules were revised in 2013 as part of the HIPAA “Omnibus Rule”.

Another similar statute called the Health Information Technology for Economic
and Clinical Health Act (HITECH) also pertains to personal health information.11 The
HITECH Act primarily focuses on corporates that work in tandem with health institutes.
These may be companies that work on behalf of health institutes or alternatively
companies that assist health institutes in their proper usage and disclosure of any such
confidential health information. This makes such corporates equally responsible for
complying with the Privacy and Security Rules. Any defects observed in compliance with
the same will make them liable for legal prosecution for failing to deliver their duties of
stewardship of confidential health data.

10 www.legalarchiver.org, visited on 4th October 2017.
11 www.healthit.gov, visited on 18th February 2013.

1.1.3) Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)


The Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)12
is primarily concerned with regulating commercial emails. These emails are
promotional mails which seek to advertise products or services of a commercial
nature.13 Personal emails are not covered under this law. This law prohibits companies
from sending any inaccurate or deceptive advertisements to lure the target audience.
Beyond this, the senders also need to ensure that they give the email recipient an
opportunity to unsubscribe from the email messages without any obligations. The emails
should also carry the physical mailing address of the company. The senders must respect
a recipient’s decision not to receive any such future emails from the sender. This Act is
legally enforced by the Federal Trade Commission (FTC). It may also be noted that State
Attorneys General can also enforce this statute where it is a violation of state laws
preventing such electronic promotional messages.

1.1.4) Fair Credit Reporting Act

The aim of introducing the Fair Credit Reporting Act (FCRA) was to fundamentally
ensure that credit reporting is done both fairly and accurately, as it concerns financial
matters.14 The Act, through its provisions, also gives proper guidelines regarding the
accumulation, storage and use of such data held by “Consumer Reporting Agencies” and
shared through the issuance of Consumer Reports. These agencies primarily collect
information, analyze it and thereafter forward it to a third party.15 According to this
statute a consumer report contains all factual information needed to determine an
individual’s historic repayment track and other lifestyle factors, which will be analyzed
as per requisite processes before granting any credit or insurance approval.16

12 20 USC § 1232g(a)(4)(B), available at www.gpo.gov, visited on 18th February 2013.
13 20 USC § 1232f, available at www.gpo.gov, visited on 12th June 2017.
14 15 U.S.C. § 1681, available at www.ftc.gov, visited on 10th January 2015.
15 15 U.S.C. § 1681a(f), available at www.ftc.gov, visited on 10th January 2015.

According to this law the Consumer Report should not be used for any advertising
purposes unless:

• The consumer is informed in advance that their information will be shared publicly.

• The consumer did not use the chance to opt out of the marketing.

The consumer should be given adequate time to opt out of such marketing. Once opted
out, they will be free from any such promotional messages for at least 5 years.
Companies are legally bound to give customers a facility to opt out and give adequate
warning in case they are disclosing any personal credit information. When a corporate
discloses information to other affiliates without complying with the law, both the
company and its affiliate are liable for prosecution under FCRA.

1.1.5) Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA)17 makes it compulsory for financial
institutions to safeguard the confidential non-public information of their consumers.18
Here the term ‘financial institutions’ represents institutions such as banks, insurance
firms, security companies and other related companies that are involved in providing
products and services of a financial nature to the public. Non-Public Personal Information
represents all personally identifiable information which is given by the customer to such
an institute while availing any product/service. It also includes information obtained
from other sources.19

16 15 U.S.C. §§ 1681a(d)(1), 1681a(f), available at www.ftc.gov, visited on 10th January 2015.
17 20 USC § 6801, available at www.gpo.gov, 4th November 2015.
18 20 USC § 6801(a), available at www.gpo.gov, 4th November 2015.

To ensure strict compliance with the Gramm-Leach-Bliley Act, financial institutions
must disclose:

1. Their internal policies and procedures concerning the handling of non-public
information in both kinds of companies, affiliated and non-affiliated.
2. The wide spectrum of non-public information that such an institute collects as part
of the normal course of business.
3. Policies to safeguard such information. Such institutions should disclose their privacy
policies to the customer at the very start. They should also give customers an option
to deny sharing of such information with any third parties. Third parties should be
furnished with the privacy policies of the company every year.20

The financial institution must clearly disclose its privacy policy at the time of
establishing a relationship with the consumer. In addition, financial institutions are
required to provide customers with annual notice of their privacy policies and of the
right to opt out of sharing personal information with non-affiliated third parties. A
third party which maintains an ongoing relationship with a consumer who has agreed to
disclose their non-public financial information to it should be provided with copies of
the organization’s privacy policy annually.

Financial institutes should keep in mind the below points to remain compliant with the Act:

• A designated employee should be assigned the duties of maintaining the
information security program.
• Internal procedures are to be established to combat any risks to such vital
information, and the necessary controls are to be put in place for it.
• Ensure all service vendors are contractually bound to protect such information.
• Modify the information security program as and when needed.21

20 20 USC §§ 6803(c)(1)-(3), available at www.gpo.gov, 14th March 2015.
21 15 U.S.C. § 6805(a), available at www.gpo.gov, 14th March 2015.

Unlike many other acts, this statute can be enforced only by government bodies.
Apart from these policies there are other rules to ensure privacy, such as the
Safeguards Rule, the Disposal Rule and, last but not least, the Red Flag Rule, which
covers financial data and is officially regulated by the FTC.

1.1.6) Electronic Communications Privacy Act and Computer Fraud and Abuse
Act

The Electronic Communications Privacy Act deals with electronic communication.
Likewise, the Computer Fraud and Abuse Act deals with any illegal tampering with IT
devices to serve ulterior motives. In 2008, such a fraud was reported in which a
particular internet service provider, working in tandem with an advertising company,
captured data emanating from individual computers and their respective ISP servers.

1.2 STATE STATUTES

The majority of the states in the U.S.A. have recognized the need for data protection and
have accordingly formulated laws. Moreover, Federal Laws are also applicable along
with the State laws for data privacy protection in the states which have enacted data
privacy laws. Hence one cannot strike a difference in the applicability of the Federal
and State Laws. The Federal and State Laws are sets of laws that are applied in
concert with each other. While State Laws are limited to the geographical state
that they cover, federal laws are applicable throughout the nation. State laws generally
require corporates to disclose any breach of data to the public. Beyond this, the
customers who have been affected by the data breach need to be informed within a
reasonable time. It may be noted that a few states, such as California and Massachusetts,
have relatively more advanced laws when it comes to data protection. It is important to
note that California and Massachusetts enacted laws that apply to any entity, in the whole
United States, with access to non-public information of any of their residents.

1.2.1) New York Data Privacy Laws

1) Information Security Breach and Notification Act

The New York General Business Law clearly states that any company in New
York that owns or licenses computer data which contains private information of a
resident of New York is also responsible for disclosing any breach of that data by
illegal means.22 In this context data represents all personally identifiable
information such as online card details, name, telephone number, credit card number,
social security number, etc.23

In usual practice the State Attorney General can enforce this law, and any institution that
does not comply with the same can be legally prosecuted. It is vital to note that any such
organization that provides a data breach notice to New York residents should
also notify the State Attorney General, the Department of State and the police. In
case a large volume of data is breached and more than five thousand New York
residents need to be notified, the information about the data breach should also be
supplied to consumer reporting agencies with full details regarding the breach.24

2) Social Security Number Protection Law

Under this law, institutions are prevented from disclosing an individual’s social security
number to anyone publicly. This includes, but is not limited to, printing the social
security number on any card and using it to retrieve other information. It also prohibits
sharing the social security number of individuals over the internet and printing and
mailing it to the individual.25 The social security number is highly confidential and is
issued by the federal government to the individual. The State Attorney General can
enforce this particular law, and there is no private cause of action.

22 N.Y. Gen. Bus. Law § 899-aa, available on www.codes.findlaw.com.
23 N.Y. Gen. Bus. Law §§ 899-aa(1)(a)-(b), available on www.codes.findlaw.com.
24 N.Y. Gen. Bus. Law § 899-aa(6)(a), available on www.codes.findlaw.com.

1.2.2) California Data Privacy Laws

Residents of California aptly recognized the need for strong data protection laws,
considering that technology companies are becoming quite vital in today’s era. Data
protection and enforcement of data privacy laws is an emerging area at the moment in
government circles. California, with its advanced data protection laws, has ensured that
it is a step ahead of other jurisdictions. Therefore, entities complying with the data
protection laws of California by default also ensure compliance with the laws of other
states regulating data protection. The data protection laws of California are as below:

1) California Financial Information Privacy Act

The California Financial Information Privacy Act (CFPIA) safeguards the public
interest by ensuring that corporates engaged in the trade of selling non-public personal
information without consumer permission are prosecuted.26 The terms financial
institutions and non-public personal information have the same definition as in the
GLBA. This act can be enforced by the State Attorney General, as no private cases are
entertained.

According to this statute, companies need to take written consent, with signature
and date, from the customer in order to share any non-public personal information with
a third party. The consent states that such customer is allowing full disclosure of his/her
non-public personal information to third parties. In case the corporation wants to share
such information with an affiliated party, it should annually communicate to the customer
about such disclosure and notify them that they have not opted out of the disclosure.

26 Cal. Fin. Code § 4052.5, available at www.leginfo.ca.gov, 12th August 2014.

2) California Shine the Light Law

As per the California Shine the Light Law, any corporate that forwards personal
information for marketing purposes to third parties should publicly disclose its data
sharing practices whenever any resident of the state asks it to furnish the same.27
Institutions need to give a full list of the third parties with their contact information and
also notify the kind of data shared with them. Institutions should set up a dedicated email
address where residents can request such information.

Under this act personal information is defined as any information that, when it was
disclosed, identified, described or was able to be associated with an individual. In this
statute, personal information covers a wider scope to include information such as:

• Person’s name and address or email id,
• Age or date of birth,
• Height, weight, race, religion, occupation, political party affiliation,
• Children’s details,
• Real estate transaction details,
• Banking card details (i.e., credit or debit card number),
• Investment account, debit or credit card balance.28

3) California Online Privacy Protection Act

The California Online Privacy Protection Act (Cal. COPPA) makes it mandatory
for owners of websites that are accessed by the general public (especially residents of
California) and collect information from the public to prominently display their
privacy policy on their website.29 Personally Identifiable Information means the
“information regarding a customer that can be individually traced and linked to that
particular customer and is collected by an online website”. The definition extends to
data fields such as contact information, first and last name, social security number, etc.,
and any other information collected by the website.

27 Cal. Civ. Code § 1798.83, available at www.leginfo.ca.gov, 20th April 2015.
28 Cal. Civ. Code § 1798.83(e)(7), available on www.codes.findlaw.com.

The entities that deal with the accumulation and maintenance of data need to
comply with the privacy policy requirements of Cal. COPPA. The policy must accordingly
satisfy the following provisions:

(i) The types of information collected need to be stated.
(ii) Any third party with which the operator is sharing any kind of personal
information needs to be disclosed.
(iii) Customers should be aware of the process to change any personal information
if required.
(iv) The date of the privacy policy should be clearly stated.30

Organizations should analyze their activities to determine whether they comply
with Cal. COPPA, as when an organization’s activity involves California residents,
that organization is liable under Cal. COPPA. In recent times many instances have
come up where the State of California Attorney General (CA AG) has questioned
corporates involved in making mobile applications on their failure to include any privacy
policy.

4) District Of Columbia Data Privacy Laws

The Consumer Personal Information Security Breach Notification Act is a statute
which has been enforced by the District of Columbia, and it requires all corporates
owning electronic data in its region to notify consumers in case any data breach has
taken place.31 If more than one thousand people need to be informed, they are also
required by law to report the incident to the consumer reporting agencies.
Prosecution under this law may be initiated by private citizens or alternatively by the
Attorney General.

Under this statute personal information comprises the citizen’s name, address,
telephone number, social security number, bank card numbers, bank account number,
identification number issued by the District of Columbia, etc.

30 Cal. Bus. & Prof. Code § 22575(b), available at oag.ca.gov, 31st May 2015.
31 D.C. Code §§ 28-3851 – 28-3853, available at www.beta.code.dccouncil.us.

1.2.3) Massachusetts Data Privacy Laws

The state of Massachusetts, taking a practical approach, enforces very minimal
compliance requirements as far as data protection is concerned upon corporations,
associations, partnerships or other legal entities and persons that maintain personal
information of its residents.32 Any institution which has sensitive personal data
regarding Massachusetts residents must implement the Information Security Program
which is prescribed in the Massachusetts Data Privacy Laws. Personal information
comprises the resident’s name, social security number, driver’s license, bank account
number and identification number issued by the state to the citizen.33

In accordance with the Massachusetts Data Privacy Laws, all corporates need to
assess the data privacy risks, accordingly develop their security policy and ensure
that it is strictly monitored. The state requires that there should be an employee
who looks after the maintenance of the security program. The policy should be reviewed
annually, and beyond that any deviations from the policy in practice should be identified
and penalized accordingly.34

32 201 CMR § 1700 (2010), available at www.mass.gov, 9th January 2017.
33 201 CMR § 1702, available at www.mass.gov, 9th January 2017.
34 201 CMR § 1703, available at www.mass.gov, 9th January 2017.

1.3 OTHER STATUTORY FRAMEWORKS FOR DATA PROTECTION

Beyond the federal and state laws discussed, there are other equally vital statutes
in this field, which are:

1.3.1) Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) gives policies regarding
credit card information. With digital payments becoming a critical factor in both
developed and developing economies, the need for corporates to adapt to this
technological shift is quite critical. This makes the policies surrounding online
payments more relevant than ever. PCI DSS was formulated keeping in mind the
protection of consumers. These policies need to be applied by corporates that gather,
store, process or use cardholder data in their business operations. Some of the policies
are:

• Companies should incorporate a firewall to safeguard such sensitive data.
• Corporates should reset all passwords for their equipment. They should not
continue using passwords set by their suppliers, as there could be a breach of
data.
• They should protect the cardholder data at all times.
• Any data which gets transmitted should be duly encrypted across the span of
all networks.
• Anti-virus software needs to be updated to the latest version available.
• Systems that are maintained need to be secure, and so do any applications that
interact with the systems at any level.
• Cardholder data should not be accessible by all.
• Each employee should have a unique ID to identify him/her in case of any breach
done by them.
• Anyone accessing cardholder data needs to be monitored, and the data being
accessed by them should also be checked to confirm it is strictly for business use.
• Review network access privileges periodically.
• All systems need to be tested regularly for any issues.
• The policy should address information security for all employees.

1.3.2) U.S. EU Safe Harbor Framework

The European Union and the U.S. Department of Commerce have collaborated to create
a “Safe Harbour” framework, in which US companies can self-certify that
they are compliant with EU laws for data protection. Companies that become a part of
this initiative can easily transfer data between themselves. As of now there are twenty-
seven Member States of the EU that are part of the initiative. The list of companies that
are part of this initiative is displayed on the Safe Harbor website, so that both EU and US
organizations can see the companies in other countries before transferring any kind of
data which is of a personal nature. Organisations are free to join the Safe Harbour
Initiative as and when they wish to. The Safe Harbour Initiative in the US comes under
the purview of the FTC as part of the FTCA, which is there to prevent any misleading
practices by companies. As part of the Safe Harbour initiative, any claims raised by
citizens of the EU against U.S. companies will be heard in the U.S.

The Safe Harbour Initiative mandates that companies should comply with the
following core principles:

• Notice: Companies should clearly tell individuals why their data is being
collected, how it will be used by the companies and also how it will be protected.
Companies should also give information as to how the grievance redressal
mechanism would work for the consumers.
• Choice: Companies should give individuals the choice to opt in or opt out of any data
transfer to third parties (with more protection for sensitive personal data) where
their data is going to be used for purposes other than those originally intended.
• Onward Transfer: All third parties that are working in conjunction with them also
need to comply with Safe Harbour data practices.
• Access: Individuals should duly be given access to change their personal
information if the costs for doing so are not high and it does not in any way interfere
with any other individual’s rights.
• Security: Corporates need to ensure they have implemented a host of security
measures to prevent any data breach by loss, theft, etc.
• Data Integrity: It is vital that all sensitive personal information is used for the
correct purposes only and no other reason.
• Enforcement: Organizations should ensure that they have a proper grievance
redressal system, and there should be identified employees who are responsible for
compliance with the Safe Harbour rules.

Companies that are part of this initiative need to ensure that their own privacy policies
cover the seven Safe Harbour rules.

1.3.3) Cross-Border Privacy Rules System (US-APEC)

The US became a part of the Cross-Border Privacy Rules System (CBPR System) in
the year 2012. The CBPR was originally formulated by the Asia-Pacific Economic
Cooperation (APEC), under which organizations agree to comply with a host of standard
policies governing data protection, thereby earning the right to transfer data
between countries. The policies under this need to be approved by an authorized APEC
Accountability Agent, who certifies to what degree the company is compliant with the
CBPR guidelines. Once a company is certified and its privacy policies are agreed upon,
they can be enforced against the company by the designated authority. The CBPR
fundamentally contains four key steps:

• Self-assessment: Organizations can use the APEC-approved questionnaire which is
duly furnished by the APEC Accountability Agent. The questionnaire seeks basic
details such as notice, collection limitations, uses of personal data, choice options,
security procedures, data access along with corrections, redressal systems, etc.
• Compliance Review: The questionnaire is duly submitted to the Accountability
Agent for review. The Agent then performs checks to ascertain if the compliance
procedures are implemented in accordance with the CBPR requirements.
• Recognition/Acceptance: Organizations compliant with the CBPR are listed publicly
in a directory, which allows customers to know. Besides this, the enforcement agent
for each company, where customers can seek complaint resolution, and the agents
who approved their compliance are listed.
• Dispute resolution and enforcement: The Accountability Agents and Privacy
Enforcement Authorities can enforce CBPR compliance in the companies they
assess.

Since this is a very critical topic, the U.S. government has been quite active in this field
since 2013:

• It prosecuted advertisers for taking geo-location and device identification numbers
from a company providing a free torch mobile application. The company took data
without taking the user’s consent.
• It also charged medical billing corporates for not safeguarding data of clients. This
security lapse could lead to unauthorized leakage of customers’ health-related
data.
• It charged companies that misled people by stating that their privacy policies were in
compliance with the Safe Harbour initiative.
• It prosecuted companies manufacturing internet cameras as they failed to
safeguard customer privacy. Anyone with the internet address of the device could view
live footage.

2. DATA PROTECTION LAWS IN THE EUROPEAN UNION

EU law is an amalgamation of treaties and ancillary EU laws. The treaties, such as
the Treaty on European Union (TEU) and the Treaty on the Functioning of the European
Union (TFEU), are ratified by all EU Member States and are thereby called ‘primary EU
law’. The laws made by the institutions that have been approved and given legal
authority by the EU treaties are thereby called ‘EU secondary law’.

2.1 BACKGROUND

The Council of Europe was formed during the outbreak of the Second World War
with the primary aim of uniting all European states and promoting democracy, social
progress, law and fundamental human rights. In 1950, Europe adopted the European
Convention on Human Rights (ECHR). It came into effect in 1953. All States need to
follow the provisions laid down by the ECHR. The member states of the CoE made their
national law in consonance with the ECHR, which obliged them to act in harmony with
the provisions of the Convention. To make sure that the Contracting Parties observe
their obligations under the ECHR, the European Court of Human Rights (ECtHR) was
established at Strasbourg, France, in 1959. Safeguarding of personal data comes under
Article 8 of the ECHR, which fundamentally gives citizens the right to respect for
domestic life and communication and also gives guidance on the circumstances under
which restrictions of this right are permitted.

With the passage of time the ECtHR has examined various ancillary grey areas
surrounding data protection, such as surveillance and safeguarding confidential personal
data from government agencies. However, Article 8 of the ECHR obliges member nations
not to take any actions that breach its core principle, that of giving due respect to private
and family life.

Since the information technology field has grown by leaps and bounds, it has
become of paramount importance to formulate detailed rules and procedures to
safeguard personal data. In the 1970s various resolutions regarding the protection of
confidential personal data were adopted by the Committee of Ministers of the Council of
Europe.35 Convention 108, which dealt primarily with the processing of data without
human intervention, was adopted and opened for signature in 1981.36 Convention 108
still remains the only legally binding international instrument in the data protection field.

35 CoE, Committee of Ministers (1973), Resolution (73) 22 on the protection of the privacy of
individuals vis-à-vis electronic data banks in the private sector, 26 September 1973, available at
www.wcd.coe.int.

Convention 108 is universal in nature and applies to both private and public
bodies. It also gives individuals protection against abuses of their data during data flows
between countries. The Convention lays down principles for the general collection and
processing of personal data along with proper legal safeguards for the processing of
‘sensitive’ data. Although the Convention provides for the free flow of personal data
between State Parties, it imposes some regulation on data flows between
government bodies. The EU was formally declared a party to the Convention in
1999.37 In 2001, additional clauses were added to it. These dealt with
data flows between member countries and non-member countries. In such a case data
flow would be allowed provided the non-member countries have an established data
protection body which governs data flow.

Directive 95/46/EC is the chief legal instrument of the European Parliament and the
Council. It was established on 24 October 1995 and dealt primarily with safeguarding
private data and the transmission of data (Data Protection Directive).38 It was enacted in
1995, when most Member States had already established some regulation revolving
around the matter of data protection. It was agreed that the free flow of data, capital and
manpower was not possible between Member States unless they had a uniform data
protection regulation across all States.

36 CoE, Convention for the Protection of Individuals with regard to Automatic Processing of Personal
Data, Council of Europe, CETS No. 108, 1981, available at www.wcd.coe.int.
37 CoE, Amendments to the Convention for the protection of individuals with regard to automatic
processing of Personal Data allowing the European Communities to accede, adopted by the Committee of
Ministers, in Strasbourg, on 15 June 1999; Art. 23 (2) of the Convention 108 in its amended form,
available at www.wcd.coe.int.
38 Data Protection Directive, Official Journal of the European Communities 1995 No. L 281/31, available at
ec.europe.eu.

The core belief behind the Data Protection Directive was to ensure that national law in the Member States is fairly uniform, so that there is less confusion of legal interpretation. The Data Protection Directive fundamentally aims to provide the same level of rights to all citizens in the Member States as far as the protection of individuals’ private rights is concerned. The design of the Data Protection Directive gives meaning to the right to privacy already contained in Convention 108 and further expands it. The Data Protection Directive may, in accordance with Article 11 of Convention 108, make changes to these privacy rights. This kind of system creates a parallel form of supervision over existing law and thus ensures that the law is competent enough to meet the challenges of data protection. The Data Protection Directive is not limited to the 28 EU Member States only; it also covers non-EU states such as Iceland, Liechtenstein and Norway, which form part of the European Economic Area (EEA).39

2.2 CONCEPT OF PERSONAL DATA AND OTHER RELATED TERMS UNDER DATA PROTECTION DIRECTIVE

As per EU data protection law and CoE law, ‘personal data’ comprises primarily information from which one can determine which person the data refers to. The individual in this case is referred to as the ‘data subject’.

3.2.1. Concept Of A Person

People form the core of data protection. Respect for private life is the baseline of data protection law. The ECtHR’s rulings under Article 8 point out that it is sometimes very difficult to separate a person’s personal and professional life, as the two become merged.40 For example, in Amann v. Switzerland,41 the government body chose to record a business phone call of the applicant and, on the basis of that information, further legal action was taken by the State. The ECtHR interpreted this as a clear violation of the person’s private life, and the storing of such data was thus deemed unlawful. It stressed that forming relationships with other people comes under the ambit of ‘private life’; furthermore, there was no reason of principle to justify excluding activities of a professional or business nature from the notion of ‘private life’, and hence it was considered a clear breach of Article 8 of the ECHR.

39 Agreement on the European Economic Area, OJ 1994 L 1, which entered into force on 1 January 1994, available at ec.europe.eu.
40 ECtHR, Niemietz v. Germany, 13710/88, 16 December 1992, available at www.worldlii.org.

This also brings us to the question of why data protection should only cover natural persons and not others too. EU data protection law puts its focus on natural persons only. The law in place does not extend to other legal persons, such as corporations, which are regarded as artificial legal persons, as regards the use of their data under Article 8 of the ECHR. The Court, however, examined the case under the right to respect for home and correspondence rather than under private life. Hence, according to Convention 108, data protection deals primarily with the protection of natural persons; the contracting parties may, however, extend data protection to legal persons in their domestic law. EU data protection law, by contrast, does not in general cover the protection of legal persons with regard to the data processing that concerns them; it leaves it to legislators at the national level to decide the treatment of data protection in relation to artificial legal persons.42

3.2.2. Concept Of Identifiable Person

Under both EU data protection law and CoE law, information incorporates data about a person only if one of the following conditions is met:

• A particular person is explicitly identified in this information; or
• An individual is not identified, but adequate data is disclosed such that, after some basic research, one would be able to identify him/her.

41 ECtHR, Amann v. Switzerland [GC], No. 27798/95, 16 February 2000, para. 65, available at swarb.co.uk.
42 Data Protection Directive, Recital 24, available at googleweblight.com

Such information is legally protected under data protection law. The ECtHR has repeatedly stated that the concept of ‘personal data’ under the ECHR is the same as in Convention 108, especially as regards the condition of identifiability of an individual.43 Moreover, identification requires elements which describe a person in such a way that he or she is distinguishable from all other persons and recognizable as an individual. A person’s name, for example, cannot by itself be called an identifier, as many people share similar names. Hence more identifiers are needed to accurately recognize a person and not confuse him/her with anyone else. Date and place of birth are commonly used as additional identifiers to verify a person’s identity. In addition, personal identification numbers have been introduced in some countries for better recognition of their citizens.

In many places, however, new-age technology such as biometrics and iris scans is used to accurately recognize people. European data protection law contains no mandate for the use of such advanced recognition techniques. A person is regarded as identifiable if a piece of information contains elements of identification through which the person can be identified, whether directly or indirectly.44 In accordance with Recital 26 of the Data Protection Directive, the primary test is whether it is likely that reasonable means of identification will be accessible to, and used by, the intended users of the information. This test also covers means accessible to third parties.

3.2.3. Concept Of Personal Data

Any type of information that concerns an individual is personal data. Personal data covers specific information about an individual’s personal and professional life. It may be noted that the link between a person and an event can also qualify as personal data, e.g. the mobile phone of a particular person getting lost. It is important to note that while safeguards are necessary, data protection law does not specify the form in which data is to be stored. Personal data can be textual, visual or even sound,45 e.g. written text, camera recordings (CCTV) or recorded calls.46 It is observed that even cell samples are likely to be treated as personal data, as they incorporate the DNA of a person.

43 ECtHR, Amann v. Switzerland [GC], No. 27798/95, 16 February 2000, available at swarb.co.uk.
44 Data Protection Directive, Art. 2 (a), available at www.dataprotection.ie.

3.2.4. Concept Of Sensitive Personal Data

As far as EU data protection law is concerned, there are specific categories of data which pose a major risk to their subjects and therefore need special treatment at the time of processing. These special categories of personal data are known as Sensitive Personal Data, and the processing of such data must therefore be allowed only with specific safeguards. Both Convention 108 (Article 6) and the Data Protection Directive treat personal data relating to the following as sensitive:

• race or ethnic origin;
• political opinions, religious or other beliefs;
• health.47

The Data Protection Directive also includes ‘trade union membership’, as it correlates to the political beliefs of a person. Article 8 (7) of the Data Protection Directive makes it obligatory for EU Member States “to determine the fundamental conditions under which a national identification number or any other such data will be processed.”

45 ECtHR, Von Hannover v. Germany, No. 59320/00, 24 June 2004; ECtHR, Sciacca v. Italy, No. 50774/99, 11 January 2005, available at www.5rb.com>Cases
46 ECtHR, Peck v. the United Kingdom, No. 44647/98, 28 January 2003; ECtHR, Köpke v. Germany, No. 420/07, 5 October 2010, available at www.5rb.com>Cases
47 Article 8 of the Data Protection Directive, available at www.dataprotection.ie.
3.2.5. Concept Of Anonymised and Pseudonymised Data

Data becomes anonymised once all particular identifiers are removed. In such cases one would need to put in substantial effort in order to identify the particular person.48 If personal data is completely anonymised, data protection rules no longer apply to it; storage of data in a personalised form for the purpose of historical, statistical or scientific use is nonetheless allowed under the Data Protection Directive.49

Personal information contains identifiers; after pseudonymisation these identifiers are replaced with a single pseudonym. There is no explicit mention of pseudonymised data in the definitions given in either Convention 108 or the Data Protection Directive. However, the Explanatory Report to Convention 108 mentions in Article 42 that while the data need not be separated permanently from the person’s name, there should always be a provision to relink and establish suitable linkage between the identifiers and the related data. This is an effect which can be achieved by pseudonymising the data.
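The pseudonymisation and relinking described above, shown as an added worked example (it is not part of this thesis, nor code from any of the instruments discussed): the direct identifiers in a set of constructed sample records are replaced by a keyed pseudonym, the mapping needed for relinking is kept as a separate table held by the controller, and an anonymised copy is produced for comparison. The key, field names and records are all constructed assumptions for illustration.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed sample records (not from the page): direct identifiers plus the
# data a controller actually wants to keep for statistical use.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "city": "Pune", "purchases": 3},
    {"name": "Bob Example", "email": "bob@example.org", "city": "Delhi", "purchases": 1},
    {"name": "Alice Example", "email": "alice@example.org", "city": "Pune", "purchases": 2},
]

# Fields that identify the person directly (assumed field names).
DIRECT_IDENTIFIERS = ("name", "email")

# Hypothetical pseudonymisation key; in practice it would be generated with
# secrets.token_bytes() and stored separately from the pseudonymised dataset.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def make_pseudonym(record: dict, key: bytes) -> str:
    """Derive one stable pseudonym for a person from the direct identifiers.

    A keyed HMAC is used rather than a plain hash so that someone holding the
    dataset but not the key cannot re-derive pseudonyms by hashing guessed
    names or e-mail addresses.
    """
    material = "\x1f".join(record[f].strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, material.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Replace direct identifiers with a pseudonym; return the relink table separately."""
    out = []
    relink_table: Dict[str, dict] = {}
    for rec in records:
        pid = make_pseudonym(rec, key)
        # The relink table is the "provision to relink" kept by the controller.
        relink_table.setdefault(pid, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        out.append({"pseudonym": pid,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, relink_table


def relink(pseudonymised: List[dict], relink_table: Dict[str, dict]) -> List[dict]:
    """Re-attach identifiers using the separately held table (the controller's relink step)."""
    return [{**relink_table[r["pseudonym"]],
             **{k: v for k, v in r.items() if k != "pseudonym"}}
            for r in pseudonymised]


def anonymise(records: List[dict]) -> List[dict]:
    """Drop the identifiers outright; no table is kept, so no relink path exists."""
    return [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS} for rec in records]


def purchases_per_person(pseudonymised: List[dict]) -> Dict[str, int]:
    """Aggregate statistics still work because the pseudonym is stable per person."""
    totals: Dict[str, int] = {}
    for r in pseudonymised:
        totals[r["pseudonym"]] = totals.get(r["pseudonym"], 0) + r["purchases"]
    return totals


if __name__ == "__main__":
    pseud, table = pseudonymise(SAMPLE_RECORDS, PSEUDONYM_KEY)
    print("pseudonymised:", pseud)
    print("relinked:", relink(pseud, table))
    print("anonymised:", anonymise(SAMPLE_RECORDS))
    print("purchases per pseudonym:", purchases_per_person(pseud))
```

Keeping the relink table and the key apart from the pseudonymised dataset is what preserves the distinction the Explanatory Report draws: the controller can re-establish the link when needed, while a holder of the dataset alone cannot. The anonymised copy keeps no table at all, so there is no relink path, which is why the two forms are treated differently by the Directive.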

3.2.6. PERCEPTION OF DATA PROCESSING

The Data Protection Directive mainly revolves around the regulation of automatic data processing. As per EU law, automated data processing refers to processing where data is processed completely or in part without human intervention.50 Under EU law, however, data protection is in no way confined to automated data processing. Data protection takes a broader view and also covers data which is stored in manual files for future retrieval. This is done for the following reasons:

• Manual filing makes it easy to organize data based on some parameters; and
• Storing data in physical files might otherwise be used as a workaround to circumvent the principles of the Data Protection Directive.51

48 Data Protection Directive, Recital 26, available at googleweblight.com.
49 Data Protection Directive, Art. 6 (1) (e), available at www.dataprotection.ie.
50 Data Protection Directive, Art. 2 (b) and Art. 3 (1), available at www.dataprotection.ie.

It is important to observe that data processing is a fairly comprehensive concept: any act, or series of ancillary acts, performed on personal data, such as collecting, recording, organising, storing, amending, retrieval, consulting, using, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, comes under its purview.52 Even a mere transfer of responsibility from one controller to another controller in the usual course of business qualifies as processing.

3.2.7. USERS OF PERSONAL DATA

The key users of personal data are: Data Controllers, Data Processors, Data Recipients and Third Parties.

1) Data Controller
As per EU data protection law, a controller is mainly someone who, alone or jointly with others, determines the purposes and means of data processing.53 Hence, the controller has overall discretion over how data will be processed, what different types of raw data will be stored, and for how long. Data controllers are identifiable and are personally responsible in case any data processing happens illegally. A request for deletion must therefore always be addressed to the ‘factual’ controller.

The term ‘controller’ under the Data Protection Directive can also be interpreted as covering a group of companies that are jointly controlling data. The law does not require that the purposes of all entities jointly controlling data be the same.54 This is legally possible, except in certain cases where a special legal basis provides for processing the data jointly for a common purpose. This is a grey area subject to further legal interpretation; the entities may have common or diverse purposes.

51 Data Protection Directive, Recital 27, available at googleweblight.com.
52 Data Protection Directive, Art. 2 (b), available at www.dataprotection.ie.
53 Data Protection Directive, Art. 2 (d), available at www.dataprotection.ie.

2) Data Processor
Under EU data protection law, a data processor is basically someone who processes data on behalf of the controller and under its supervision.55 Processors may be given a diverse range of activities surrounding data processing. Such processors are in turn also data controllers in their own right for the work they are given to perform.

3) The Third Party

The term ‘third party’ refers to someone who is distinct from the controller. There should be a bona fide reason for any data transfer to third parties. As per Article 2 (f) of the Data Protection Directive, a third party is any individual, corporate, public authority or any other body that is not the data subject, the data controller or the processor. This is interpreted to cover entities whose legal constitution differs from that of the main head company, even if they are part of the same group. Bank branches processing customers’ accounts under the direct authority of their headquarters, however, would not be considered ‘third parties’.56

a. Data Recipients
‘Recipient’ is a more comprehensive term than ‘third party’. As per Article 2 (g) of the Data Protection Directive, a recipient could be any individual, agency, public authority, corporate or any other body with whom data is shared. The recipient can be a person outside the controller or processor (this would then be a third party) or someone inside the controller or processor, such as an employee or another division within the same company or authority.

54 Data Protection Directive, Art. 2 (d), available at www.dataprotection.ie.
55 Data Protection Directive, Art. 2 (e), available at www.dataprotection.ie.
56 Article 29 Working Party (2010), Opinion 1/2010 on the concept of ‘controller’ and ‘processor’, WP 169, Brussels, 16 February 2010, p. 31, available at ec.europe.eu.

As per this structure, the controller is considered the driving force behind data processing and the methods used. The controller is also responsible for the processing done by data processors, and must manage compliance of the data processing function with applicable laws. So it may be interpreted that any binding contract that forbids the controller from making decisions about processing will result in dual controllership, thereby absolving the controller from legal responsibility.

The legal distinction between recipients and third parties is critical. Recipients may be the data processors or the controller, along with the controller’s own employees, since they receive data in order to process it. However, any data possessed by a third party must have a legal reason behind it; in the absence of such a reason it would be an illegal possession of confidential data. ‘Third-party recipients’ of data will, therefore, always need a legal basis for lawfully receiving personal data.

3.2.8 PERCEPTION OF CONSENT

As per Article 2 (h) of the Data Protection Directive, consent is defined as “any free indication of the data subject’s wishes.” Consent is the core backbone behind data collection, processing and its subsequent storage anywhere. As per EU data protection law, the following conditions are deemed necessary for anything to constitute consent:

• The data subject should not be under any kind of external pressure while he/she is giving consent;
• It is important that the data subject has been informed of the ramifications of giving his/her consent; and
• The overall scope of the consent given should be reasonable.

It is to be noted that both European civil law and the Data Protection Directive have the same requirements for qualifying consent. Beyond the rules mentioned above, some fundamental rules of law also apply as far as consent is concerned: the consent of a person who lacks the legal capacity to give it will not count as a legal basis for processing data. Consent can be given either explicitly or non-explicitly.57 Explicit consent is clear in its intentions and can be made either orally or in writing, while non-explicit consent is concluded from the circumstances. Consent should be specific in nature and unambiguous. Consent can be free consent, informed consent or specific consent depending upon the circumstances under which the consent is acquired.

a) Free Consent
The concept of free consent is only of any value if the data subject can exercise an actual choice and there is no fear or threat if the subject does not give his/her consent.58 It may also happen that there is a natural imbalance between the data subject and the controller in terms of economic power etc., which could lead to a forced consent.59 Negative consequences of not consenting do not mean that the consent can never be valid; it depends largely upon the circumstances prevailing while consenting or not consenting. There are situations wherein lack of consent leads to undesired effects in day-to-day life, e.g. your local supermarket may not give you an additional discount if you are unwilling to provide them your contact details. There are also situations wherein getting products or services is directly conditional upon disclosing data. In such situations it is fair to assume that the consent given is not on a fair basis.

b) Informed Consent
The data subject must have adequate information at his/her disposal before giving consent. The consequences of giving or not giving consent should be clearly explained, and beyond that a clear description of why consent is being sought must be given. The language should be understandable to the data subject and appropriate to the location. The information should be adequately accessible and visible. The data subject should be given a brief description, along with the option to go into more depth and seek further details of the case if he/she wishes to do so.

57 Data Protection Directive, Art. 8 (2), available at www.dataprotection.ie.
58 Article 29 Working Party (2011), Opinion 15/2011 on the notion of consent, available at ec.europe.eu.
59 Article 26 (1) of Directive 95/46/EC of 24 October 1995, available at www.dataprotection.ie.

c) Specific Consent

For consent to qualify as valid consent, it is equally important that the consent given is specific in nature. This goes hand in hand with the quality of the information given about the object of consent. In this background, the reasonable expectations of an average data subject will be relevant. The data subject must be asked for consent again if there is any change to the data processing, or if any additional requirement arises that was not known when the initial consent was given.

d) Right For Withdrawal Of Consent

The Data Protection Directive does not categorically specify a right to withdraw consent once given. Ideally, it should be possible for a data subject to withdraw his/her earlier consent on reasonable grounds. Having said that, there should be no compulsion to state any reasons for withdrawing, and beyond that no ancillary negative consequences for doing so.

2.3 IDEOLOGIES OF THE DATA PROTECTION DIRECTIVES

In accordance with Article 6 of the Data Protection Directive, all subsequent data protection legislation in the EU or CoE needs to follow these ideologies, and legislators must keep them in mind before framing any subsequent laws. Any exceptions to them should duly be covered under national law.60 The following ideologies need to be kept in mind:

3.3.1 Lawful Processing

Processing of personal data is seen as an interference with the private life of the data subject concerned. This right, however, is not absolute in itself and is balanced against public interests, which are given due importance. As per the ECtHR, any such interference must be within the limits of domestic law. The law should be accessible to all people and should be foreseeable in its effects.61 Generally speaking, a rule is foreseeable if it is formulated with enough precision to give an individual sufficient guidance to regulate his/her behaviour as a citizen.62

As per the ECtHR, an interference is considered acceptable if it adequately addresses a particular social need and has the core purpose of protecting the rights of other citizens.63 Under Article 8 (2) of the ECHR, lawful processing means that the conditions for justified interferences are the minimum requirements for lawful limitations of the right to data protection according to the Charter. Lawful processing of personal data under EU law mandates that the conditions of Article 8 (2) of the ECHR be fulfilled at all times; EU law could, however, state extra requirements for exceptions. The principle of lawful processing under EU law and the relevant provisions of the ECHR are further extended by Article 6 (3) of the TEU, which provides that “fundamental rights, which are guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms, also form general principles of the Union’s law”.

60 Data Protection Directive, Art. 13 (2), available at www.dataprotection.ie.
61 ECtHR, Amann v. Switzerland [GC], No. 27798/95, 16 February 2000, para. 50, available at swarb.co.uk.
62 ECtHR, Amann v. Switzerland [GC], No. 27798/95, 16 February 2000, para. 56, available at swarb.co.uk.
63 ECtHR, Leander v. Sweden, No. 9248/81, 26 March 1987, para. 58, available at swarb.co.uk.
3.3.2 Specification and Limitation
The principle of purpose specification and limitation means that the lawful processing of personal data depends mainly on its purpose.64 The core purpose must have been stated and made obvious by the controller before the data processing starts. As per EU law, this should be done by explicit declaration, in other words by informing the appropriate supervisory authority or, at the least, by internal documentation made available by the controller for inspection by the authorities. Every data processing operation should be accompanied by a specific legitimate purpose. In turn, legitimate processing is limited to its initially specified purpose, and any new purpose of processing will require a separate new legal basis. Disclosure of data to third parties has to be considered carefully, as disclosure usually amounts to a new purpose and therefore needs a legal basis different from the one originally used for collecting the data.

So the processing of personal data for undefined and/or a broad range of purposes is unlawful. The Data Protection Directive states that the processing of data for historical, statistical or scientific purposes is not considered incompatible if Member States make sure that safeguards are in place. The Directive further provides that compatible use of data can be allowed on the original legal basis. However, it may be noted that the meaning of ‘compatible’ is not defined explicitly.

3.3.3. Data Quality

The type of data selected for processing must be necessary to achieve the declared overall aim of the processing operations, and a controller should restrict collection to only what is necessary for a specific purpose. Nowadays data relevancy has an additional consideration: by making explicit use of privacy-enhancing technology, it is sometimes entirely possible to avoid using personal data, or alternatively to use only pseudonymised data, which results in a privacy-friendly solution.

64 Data Protection Directive, Art. 6 (1) (b).
A controller holding personal information should ideally not use that information without taking steps to verify that the data is up to date and correct. The obligation to ensure the accuracy of data must be seen against the background of the purpose of the data processing. There are cases where data accuracy and updating are needed because of the undesirable ramifications for the data subject if the data were inaccurate.

Article 6 (1) (e) of the Data Protection Directive mandates all Member States to ensure that personal data is kept in a form permitting identification and retrieval only in accordance with the purpose for which the data was collected.65 Such data should be wiped out once the original use is over. The time limitation for storing personal data applies, however, only to data kept in a form which permits identification of data subjects. If one wants to keep data that is no longer needed, one can store it in anonymised or pseudonymised form. Storing data for potential scientific, historical or statistical use is explicitly exempt from the principle of limited data retention in the Data Protection Directive. Such ongoing storage and use of personal data must, however, be accompanied by special safeguards under national law.

65 Data Protection Directive, Art. 6 (1) (c), available at www.dataprotection.ie.

3.3.4. Fair Processing

The principle of fair processing governs the relationship between the controller and the data subject. It places an obligation on the controller to keep data subjects informed about how their data are used, and this should be explained to the data subject in an easy-to-understand way.

Controllers should inform data subjects and the public that their processing is done in a transparent way. Processing operations must not be performed in secret and should not have unforeseeable negative effects. Controllers should ensure that customers, clients or citizens are informed about the use of their data. Further, controllers should always work in accordance with the wishes of data subjects over matters regarding the use of their data.

With reference to internet services, data-processing systems must be designed in such a way that data subjects can clearly understand how their data is used. Fair processing also means that data controllers should go beyond the bare legal requirements in keeping data subjects informed.

2.4 RULES FOR DATA PROCESSING UNDER DATA PROTECTION DIRECTIVES

The Data Protection Directive contains different sets of procedures for lawful processing of data.

3.4.1. Lawful Processing Of Non-Sensitive Data

Chapter II of Directive 95/46, entitled ‘General rules on the lawfulness of the processing of personal data’, states that, barring the exceptions permitted under Article 13, all processing of personal data must comply, first, with the principles on data quality provided under Article 6 and, secondly, with one of the criteria for making data processing legitimate listed under Article 7.

Under EU data protection law, consent as a basis for lawful data processing is firmly stated in Article 7 (a) of the Data Protection Directive. Article 7 (b) of the Data Protection Directive provides a different legal basis for such data processing: the processing must be necessary for a contract to be fulfilled.

According to Article 7 (c) of the Data Protection Directive, private controllers need to ensure that all their practices are completely in compliance with the local laws to which they are subject. Article 7 (e) of the Data Protection Directive mainly covers controllers in the public sector. The legal obligations of the controller become the foundation of lawful data processing. In many situations private controllers are obliged by law to process the data of others; e.g. hospitals and doctors need to keep data on the treatment of patients for multiple years.

Article 7 (d) of the Data Protection Directive focuses on the point that the processing of personal data is lawful if it is needed to protect the data subject’s interests. Such data can be used for further analysis; e.g. processing data on missing people would be considered processing of personal information, but it is very critical from a larger perspective. Even the protection of fundamental rights should never endanger the crucial interests of the person being protected.

Article 7 (e) of the Data Protection Directive explains that personal data can lawfully be processed if it is needed for the adequate performance of a task in the public interest, or for the exercise of official authority vested in the controller or in a third party with whom the data are shared. Article 7 (f) of Directive 95/46 states that, in the absence of the data subject’s consent, processing of that data subject’s personal data is permitted where it is necessary for the genuine interests of the data controller or of the third party, which also inherently requires that the fundamental rights and freedoms of the data subject be respected.

3.4.2. Lawful Processing Of Sensitive Data

Article 8 of the Data Protection Directive mandates the practices needed for processing categories of data that reveal key demographics, political opinions, religious or philosophical beliefs, trade union membership or information on health etc. Processing of sensitive data is prohibited in general.66 However, it may also be noted that a complete list of exemptions to this prohibition can be found in Article 8 (2) and (3) of the Directive. These exemptions include the direct consent of the data subject, the crucial interests of the data subject and the genuine interest of the public at large. If sensitive data are to be processed as part of a contract with the data subject, use of these data requires the data subject’s direct consent in addition to the statement agreeing to enter into the contract.

66 Data Protection Directive, Art. 8 (1), available at www.dataprotection.ie.

1) Clear Consent

The first condition for lawful processing of any kind of data is the actual consent of the data subject. In the case of sensitive data, such consent must be direct and clear. Under national law, a mere consent to use sensitive data does not satisfy the legal requirement for permitting data processing.67 In one special case, even implicit consent is acknowledged as a legal basis for processing sensitive data: Article 8 (2) (e) of the Directive states that processing such data is not prohibited if the data has been made public by the data subject. According to this provision, consent to the use of the data is implied when the data subject makes his or her data public.

2) Interest of Data Subject

Sensitive data is crucially important for a data subject and hence it must be lawfully processed with extra safeguards.68 In a case where the data subject cannot give his consent (i.e., the data subject is unconscious, absent or cannot be reached), the processing of sensitive data would be legitimate on the basis of the data subject’s own interest, since it is impossible to submit the question to the data subject for a decision.

3) Public’s Genuine Interest

Article 8 (2) of the Data Protection Directive provides that, where the genuine interests of others are involved, the processing of sensitive data is lawful in the following cases:

• where the data subject is physically or legally incapable of giving his consent and the data processing is necessary because of the crucial interests of another person;
• where sensitive data are relevant in the field of employment law, such as health data in the context of a specifically dangerous workplace, or data on religious beliefs in the context of holidays;
• where foundations, associations or other non-profit-seeking bodies with a political, philosophical, religious or trade union aim process data about their members or sponsors or other interested parties (such data are sensitive because they are likely to reveal the religious or political beliefs of the individuals concerned);
• where sensitive data are used in the context of legal proceedings before a court or administrative authority for the establishment, exercise or defense of a legal claim.
• Moreover, according to Article 8 (3) of the Data Protection Directive, where health data are used for medical examination and treatment by healthcare providers, the management of these services is included in this exemption. As a special safeguard, persons are recognized as “health care providers” only if they are subject to specific professional obligations of confidentiality.69

67 Data Protection Directive, Art. 8 (2) (a), available at www.dataprotection.ie.
68 Data Protection Directive, Art. 8 (2) (c), available at www.dataprotection.ie.

Additionally, according to Article 8 (4) of the Data Protection Directive, Member


States may introduce further purposes for which sensitive data may be processed,
as long as:

 processing data is for reasons of large public interest; and

 it is provided for by national law or by decision of the supervisory authority; and

 the national law or decision of the supervisory authority contains the


necessary safeguards in order to effectively protect the interests of the data
subjects.70

Page |
127
69

Page |
128
3.4.3. Security Of Processing

Controllers and processors have a duty to put suitable measures in place to ensure data
security, in accordance with what is laid down in EU data protection law. The relevant
provision reads:

"Member States shall provide that the controller must implement appropriate technical
and organizational measures to protect personal data against accidental or unlawful
destruction or accidental loss, alteration, unauthorized disclosure or access, in
particular where the processing involves the transmission of data over a network, and
against all other unlawful forms of processing."71

Secure processing of data has been governed, guided and developed by many industry,
national and international standards. The European Privacy Seal (EuroPriSe) is an eTEN
(Trans-European Telecommunications Networks) project of the EU which has explored the
possibility of certifying products, especially software, as compliant with European data
protection law. The European Network and Information Security Agency (ENISA) was set up to
help the EU, its Member States and the business community prevent, address and respond to
network and information security problems. ENISA regularly publishes analyses of current
security threats and advice on how to address them.

Data security is not achieved merely by having the right equipment, hardware and software,
in place. It needs to be governed by principles such as:

- spreading awareness among employees of their data protection and confidentiality
obligations;

- proper distribution of roles and responsibilities for data processing, with special
reference to the processing of personal data and its transfer to third parties;

- use of personal data only in accordance with the instructions of the competent person as
well as with the general rules;

- restricting access to the premises and to the hardware and software of the controller or
processor;

- ensuring that authorisations to access personal data are granted by the competent person
and with due documentation;

- automated logging of access to personal data built into the system, and regular random
checks of those logs by the internal supervisory desk;

- full documentation of any disclosure other than automated access to data, so as to be
able to demonstrate that no illegal data transmissions have taken place.

71 Data Protection Directive, Art. 17 (1), available at www.dataprotection.ie.

Giving sufficient and relevant data security training to staff is also a critical element of
effective security precautions. Verification procedures must also be built in to make sure
that these measures do not merely exist on paper but are actually implemented. Personal data
protection officials, security training for employees, regular audits, penetration tests and
quality seals are some of the instruments that help to raise the security level of a
controller or processor.
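The organisational rules listed above (authorisations documented and granted by the competent person, automated access logging, random checks of those logs, and documentation of every non-automated disclosure) can be verified mechanically over the controller's own access logs. The following is an added example, not code from the thesis or from any of the bodies it cites; the log line format, the layout of the two registers and all user and record names are constructed assumptions made for illustration.

```python
"""Audit of personal-data access logs against an authorization register.

Added example (not from the thesis): checks that every logged access to
personal data is backed by a documented authorization granted by the
competent person, that every export (a disclosure other than automated
access) is documented, and draws a random sample of entries for the
internal supervisory desk to check by hand.  The log format, register
layouts and names are assumptions for illustration.
"""
import random
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed authorization register: (user, data category) -> reference of
# the documented approval by the competent person.  Assumed layout.
AUTHORIZATIONS = {
    ("alice", "health"): "approval-2024-03",
    ("alice", "contact"): "approval-2024-03",
    ("bob", "contact"): "approval-2024-05",
}

# Constructed register of documented disclosures to third parties:
# (user, record id).  An EXPORT without an entry here is undocumented.
DOCUMENTED_DISCLOSURES = {("bob", "rec-1001")}

# Constructed access-log lines (assumed format:
# timestamp user action category record-id).
ACCESS_LOG = """\
2024-06-01T09:12:04Z alice   READ   health  rec-1001
2024-06-01T09:15:30Z bob     EXPORT contact rec-1001
2024-06-01T09:20:11Z bob     READ   health  rec-1002
2024-06-01T10:02:45Z mallory EXPORT contact rec-2003
2024-06-01T10:05:00Z alice   READ   contact rec-1003
"""


@dataclass(frozen=True)
class AccessEvent:
    time: datetime
    user: str
    action: str
    category: str
    record: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, category, record = line.split()
        time = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AccessEvent(time, user, action, category, record))
    return events


def find_unauthorized(events, authorizations=AUTHORIZATIONS):
    """Accesses for which no approval for (user, category) is on file."""
    return [e for e in events if (e.user, e.category) not in authorizations]


def find_undocumented_disclosures(events, disclosures=DOCUMENTED_DISCLOSURES):
    """Exports (disclosures other than automated access) lacking documentation."""
    return [e for e in events
            if e.action == "EXPORT" and (e.user, e.record) not in disclosures]


def sample_for_review(events, k, seed=None):
    """Random sample of events for the supervisory desk to check by hand.
    A seed is accepted so the sample can be reproduced in an audit report."""
    rng = random.Random(seed)
    return rng.sample(events, min(k, len(events)))


def audit(log_text=ACCESS_LOG, sample_size=2, seed=7):
    """Run all checks and return the findings keyed by check name."""
    events = parse_log(log_text)
    return {
        "unauthorized": find_unauthorized(events),
        "undocumented_disclosures": find_undocumented_disclosures(events),
        "review_sample": sample_for_review(events, sample_size, seed),
    }


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name}:")
        for e in hits:
            print(f"  {e.time.isoformat()} {e.user} {e.action} {e.category} {e.record}")
```

Run as a script, it lists Bob's read of health data (no approval on file for that category) and Mallory's undocumented export as findings, plus two randomly sampled entries for manual review. In practice the two registers would be read from the controller's access-management records rather than embedded, and the sample would be handed to the internal supervisory desk for the random check the list calls for.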

1) Confidentiality

Under EU data protection law, the secure processing of data is further protected by the
general duty of all persons involved, whether controllers or processors, to make sure that
data remain confidential. Article 16 of the Data Protection Directive addresses
confidentiality only within the controller–processor relationship: anyone acting under the
authority of the controller or processor who has access to personal data may process them
only on the controller's instructions, unless required to do so by law. Controllers are
required to keep data confidential in the sense that they may not disclose them to third
parties except in compliance with Articles 7 and 8 of the directive. Confidentiality does not
cover situations where data are known to a person in his or her capacity as a private
individual rather than as an employee of a controller or processor. Article 16 of the Data
Protection Directive does not apply to that case at all; in fact, the use of personal data by
private individuals is wholly exempted from the directive's remit where such use falls within
the so-called household exemption.

Processors must follow the controller's instructions at all times. For the employees of a
controller or processor, confidentiality implies that they use personal data only according
to the instructions given by their superiors. The duty of confidentiality must be laid down
contractually between controllers and their processors. Additionally, employment contracts
contain confidentiality clauses which impose a legal duty on the employees of controllers and
processors.

3.4.4. Transparency Of Processing

The principle of fair processing requires transparency in processing. EU data protection law
is quite specific about securing transparency for the data subject, by imposing a duty on the
controller to inform the data subject, and for the general public, through notification. EU
data protection law further provides that exemptions from, and restrictions on, the
controller's transparency obligations may exist in national law where such a restriction
constitutes a necessary measure to safeguard certain public interests or the protection of
the data subject or of the rights and freedoms of others, as long as this is necessary in a
democratic society.72

1) Ways of providing information

The ideal way of providing information would be to inform every single data subject, orally
or in writing. Data collection and the giving of information should go hand in hand. Where
data are collected from a third party, the data subject should be reached by way of an
appropriate publication if he or she cannot be reached personally because of practical
difficulties. One of the most effective ways to provide information is to display information
clauses on the controller's home page, such as a website privacy policy. When relying on this
method it should also be taken into account that a large part of the population does not use
the internet, so other means of communicating the policy of the company or public authority
ought to be considered as well.

72 Data Protection Directive, Art. 13 (1), available at www.dataprotection.ie.
2) Information

According to EU data protection law, controllers of processing operations are duty bound to
inform the data subject in advance about their intended processing practices. This duty does
not depend on a request from the data subject: the information must be given proactively by
the controller, regardless of whether the data subject shows interest in it or not. The
information must cover the purpose of the processing and the identity of the controller (and
of his representative, if any).73 Additional information is to be given where it is
necessary, in the specific circumstances in which the data are collected, to guarantee fair
processing in compliance with the Data Protection Directive. Articles 10 and 11 of the
directive frame such additional information as covering the categories of data processed and
the recipients of those data, together with information about the core rights to access and
to rectify. Where data are collected from the data subjects, the information should also
clarify whether replies to the questions are obligatory or voluntary, as well as the possible
consequences of a failure to reply.74

Fair processing requires that the information be easily understandable by the data subjects.
The language used must be appropriate for the addressees, including the local language. Some
data subjects will want to be informed only briefly about how and why their data are being
processed, whereas others will require a comprehensive explanation. Article 11 (2) of the
Data Protection Directive adds that data subjects need not be informed about processing
operations where the recording or disclosure of the data is expressly laid down by law.

3) Notification

Under EU data protection law, controllers may choose to appoint a personal data protection
official, who is responsible in particular for keeping a register of the processing
operations carried out by the controller. This internal register must be made available to
members of the public on request, in a transparent manner. The publication of notifications
by the supervisory authority must take the form of a special register. To accomplish its
purpose, access to this register should be free of charge and easy. Article 18 (2) allows
Member States to simplify, or exempt controllers from, the duty to notify the competent
supervisory authority where the processing is unlikely to affect adversely the rights and
freedoms of data subjects, or where the controller has appointed an internal data protection
official.

73 Data Protection Directive, Art. 10 (a) and (b), available at www.dataprotection.ie.
74 Data Protection Directive, Art. 10 (c), available at www.dataprotection.ie.

3.4.5. Encouraging Compliance

To develop accountability, the Data Protection Directive mentions several instruments for
encouraging compliance:

1) Prior checking

Article 20 requires the supervisory authority to examine processing operations likely to
present specific risks to the rights and freedoms of data subjects before the processing
begins. The supervisory authority should ensure that this check is carried out before data
processing commences. The supervisory authority is empowered to take coercive action, and
even to fine controllers, for failing to carry out their duty of notification.

2) Personal data protection officials

The Data Protection Directive allows controllers to appoint a person specifically as a
personal data protection official. This is done in the best interests of safeguarding the
rights and freedoms of data subjects. To perform the task properly, such an official needs a
degree of independence in carrying out his or her duties. The effective functioning of this
office also depends on strong employment rights guarding against eventualities such as
unjustified dismissal.

3) Codes of conduct

To ensure proper compliance, best practices for processing activities can be compiled into
a rule book, which businesses can consult whenever they have doubts about their own
practices. The European Commission encourages sector-specific codes of conduct, so that the
rules can be implemented properly in each field of activity.75 Under the Data Protection
Directive, Member States also need to put in place a standard procedure for evaluating the
codes of conduct that are drawn up. This procedure requires the involvement of the national
authority together with the trade associations and other bodies representing categories of
controllers.76

3.5 RIGHTS OF DATA SUBJECT

Every data subject should be given the right to question the controller about whether and
how his or her data are being processed. Thus, national law grants them the following
rights:

- to access their personal data by asking the controller who holds their data for
processing;

- to have their data rectified where the data controller holds inaccurate data;

- to have their data erased or blocked where it is found that the data have been processed
unlawfully by the controller;

- to object to the data processing where it has undesirable consequences for them;

- to object to their data being used for direct marketing.

3.5.1 Right of access

Article 12 of the Data Protection Directive lays down the right of access, which includes
the right to obtain confirmation from the controller as to whether or not data relating to
the data subject are being processed, the purposes of the processing, the categories of data
concerned and the recipients to whom the data are disclosed. The data subject also has the
right to obtain the rectification, erasure or blocking of data whose processing does not
comply with the Data Protection Directive.

75 Data Protection Directive, Art. 27 (1), available at www.dataprotection.ie.
76 Data Protection Directive, Art. 27 (2), available at www.dataprotection.ie.
Under Article 13 of the Data Protection Directive, there may be overriding legal interests of
others as a result of which the data controller is not obliged to grant the data subject's
request for access to his or her data. Such overriding interests can be of various kinds,
such as national security, public security or the prosecution of criminal offences, and
sometimes private interests which outweigh the interest of the data subject. The Data
Protection Directive also allows national law to restrict the right of access where data are
processed solely for scientific research or statistical purposes, provided that safeguards
remain in place at all times. Article 13 (2) of the Data Protection Directive requires, in
that case, that the data are kept no longer than necessary, that they are not used to take
measures or decisions regarding any particular individual, and that there is clearly no risk
of breaching the data subject's privacy.77

3.5.2 Right to Access One's Own Data

The right to access one's own data is provided for in Article 12 of the Data Protection
Directive. The data subject should have full access to, and knowledge of, the data being
used, including data currently being processed by the data controller. The controller is
duty bound to explain to the data subject in detail which categories of data are being
processed. The controller must also inform the data subject of the source of the data
processed, where available, and of the recipients to whom the data are, or will be,
disclosed. Where decisions about the data subject are taken by automated processing without
human intervention, the data subject must be told the logic involved in that processing.

3.5.3 Right to rectification, erasure and blocking of data

As per Recital 41 of the Data Protection Directive, every data subject has the right to ask
for the rectification or blocking of his or her data if the processing is not carried out in
accordance with the directive.78 More precisely, Article 12 (b) gives the data subject the
right to obtain the rectification, erasure or blocking of his or her own data.79 In some
cases, for instance where the rectification concerns a spelling mistake or a change of
address, a simple request for rectification will be enough for the controller to make the
change. In other cases, where the data have legal significance, the data controller may ask
the data subject for proof of the inaccuracy.

77 Data Protection Directive, Art. 13 (2), available at www.dataprotection.ie.
78 Data Protection Directive, Recital 41, available at googleweblight.com.
79 Data Protection Directive, Art. 12 (b), available at www.dataprotection.ie.

Data subjects usually request the erasure of data when they suspect that the processing is
not legitimate. This situation arises, for example, where the original consent has been
withdrawn, or where the data have become irrelevant to the original purpose of collection.
Under the directive, the controller must at all times be able to justify the processing that
is taking place. The data subject can object to the processing and demand that the data be
blocked until the dispute is resolved; while the data are blocked, the controller may not
use them. National law should give more detail on when and how this provision can be used.
It may be noted that inaccurate data may even cause harm to the data subject.

Where data have been rectified or erased, all parties to whom they have been disclosed must
be contacted and informed, unless it is impossible to reach them. Notifying recipients of the
rectification, erasure or blocking of data is mandatory "unless this proves impossible or
involves a disproportionate effort", as provided in the Data Protection Directive.80

3.5.4 Right to object to automated individual decisions

Data subjects have the right to contest decisions about them taken by purely automated
means. Decisions taken by automated means on the basis of inaccurate data can harm the data
subject and lead to undesirable consequences. Where such decisions are likely to have a
considerable impact on the lives of individuals, because they relate, for instance, to
creditworthiness, performance at work, conduct or reliability, special protection is
necessary to avoid inappropriate consequences. The directive gives the individual the right
not to be subject to such a decision without review.81 Member States may permit automated
decisions only where they are taken in the course of a contract at the data subject's
request, or are authorised by law, and in either case suitable measures safeguard the data
subject's legitimate interests, such as the opportunity to put his or her point of view.82

80 Data Protection Directive, Art. 12 (c), available at www.dataprotection.ie.

3.5.5 Right to object to the processing of one's data where it leads to disproportionate
results

There is no general right of data subjects to object to the processing of their data.
Article 14 (a) of the Data Protection Directive does, however, allow a data subject to
object, on compelling legitimate grounds relating to his or her particular situation, to
processing that leads to undesired consequences. The provision aims at striking the correct
balance between the data subject's data protection rights and the legitimate rights of others
in processing the data subject's data. Where the objection is justified, the data controller
may no longer continue processing the data. Processing that took place before the data
subject objected nevertheless remains lawful.

3.5.6 Right to object to further use of data for direct marketing purposes

According to Article 14 (b) of the directive, the data subject has the right to object to
his or her data being used for direct marketing purposes. Similar rights are set out in the
CoE Direct Marketing Recommendation. This right can be exercised before the data are
disclosed to third-party marketing companies; hence the data subject must be given the
opportunity to exercise the right to object before the data are transferred for marketing
purposes.

3.5.7 Independent Supervision

The Data Protection Directive requires an independent supervisory body to ensure effectively
that data protection law is complied with. The directive thereby introduced an instrument for
the enforcement of data protection which did not appear, at first, in Convention 108 or in
the OECD Privacy Guidelines. Independent supervision is critical for data protection because
it ensures that there are no lapses and holds those responsible accountable for any
deficiencies in the data protection measures taken. The 2013 revision of the OECD Privacy
Guidelines added new provisions stating that Member countries should give their supervisory
bodies the resources and powers they need to do their work properly and impartially.83 The
competences and organisational structure of supervisory authorities were described for the
first time in Article 28 (1) of the directive. The Data Protection Directive requires Member
States to give the authorities complete independence in carrying out their duties.

81 Data Protection Directive, Art. 15 (1), available at www.dataprotection.ie.
82 Data Protection Directive, Art. 15 (2), available at www.dataprotection.ie.

Supervisory authorities have the power to advise data controllers and data subjects on all
relevant matters, to ensure that best practices for safeguarding data are followed, to
investigate and intervene in processing operations, to warn controllers, to order the
rectification, blocking, erasure or destruction of data, to impose a temporary or definitive
ban on processing, and to refer the matter to the courts. In the course of an enquiry the
supervisory body must have full access to the personal data concerned so that it can
investigate and take any required action. Supervisory authorities are also empowered to
restrain data controllers from processing data where they find that it is being done in a
manner contrary to the interests of the data subject.

3.6 REMEDIES AND SANCTIONS

The Data Protection Directive requires that national law adequately address breaches of data
protection law. Only the data subject whose rights are endangered may exercise the remedy;
children need to be represented by their guardians in such cases. It is also possible for
associations which seek transparency and advocate data protection rights to represent or
support their members in court.

83 OECD (2013), Guidelines governing the protection of privacy and transborder flows of
personal data, para. 19 (c).

3.6.1 Requests to the controller

In most cases, all matters of concern should first be addressed to the data controller
itself. If one is not satisfied with the response, one may turn to the supervisory authority
or the courts for suitable remedies. Under Article 12 (a) of the Data Protection Directive,
such a request must be honoured without excessive delay.

The data controller is thus the first port of call and must be approached before the
national supervisory authority or a court. The formal requirements for a legally relevant
request to a controller, in particular whether or not it must be made in writing, are a
matter for national law. The data subject must be answered within the time frame laid down
by national law. National law should therefore prescribe a definite time frame which is not
too long, yet gives the data controller enough time to deal with the request.

Before acting on such a request, the data controller must verify the identity of the person
making it, to make sure that he or she is the actual data subject and not a third party
seeking confidential information, and thus avoid a serious breach of confidentiality.
Article 12 (a) provides that access must be given to the requesting party without excessive
expense; some countries require that the information be provided free of charge. The law
nevertheless contains provisions to block misuse of the right by individuals, for instance
by allowing requests only at reasonable intervals.

3.6.2 Claims before the Supervisory Authority

Where a person who has requested information on his or her data does not receive a
satisfactory response within the given time frame, he or she can lodge a claim with the
national data protection supervisory authority. The claimant should state whether the data
controller was obliged to respond and whether an adequate response was given.

The outcome of the proceedings must be communicated to the person who lodged the claim. If
the claimant does not receive a satisfactory response from the authority itself, the
authority's decision can be appealed before the courts.84 This applies to the data subject
as well as to controllers who have been party to proceedings before a supervisory authority.

3.6.3 Claim before the court

Under the Data Protection Directive, a person who has made a request to the data controller
and has not received a suitable response can bring the matter before the national courts.85
It is nonetheless recommended to apply to the supervisory authority before approaching the
court, since the authority can address the issues more easily, and the decision issued by
the supervisory authority can also help the litigant to pursue the case before the courts.

Under EU law, individuals whose data protection rights have been infringed may also bring
the matter before the CJEU in the following cases:

- where the plaintiff's data protection rights have been breached by an EU institution or
body in processing his or her data, an action can be brought before the CJEU;

- where the data protection rights guaranteed by Article 16 TFEU are infringed by an EU
institution while processing data, such a case can be brought before the General Court of
the CJEU.

3.6.4 Sanctions

Under Article 24 of the Data Protection Directive, Member States must adopt suitable
measures to ensure full implementation of the directive and lay down sanctions for breaches.
Member States are free to choose the remedies they wish to apply for non-compliance,
although, according to the CJEU, national law does not enjoy unlimited freedom in that
choice. For breaches within the EU institutions and bodies, the EU Institutions Data
Protection Regulation prescribes disciplinary action: under Article 49, any failure to
comply, whether intentional or negligent, makes the person concerned liable to disciplinary
action.

84 Data Protection Directive, Art. 28 (4), available at www.dataprotection.ie.
85 Data Protection Directive, Art. 22, available at www.dataprotection.ie.

3.7 TRANS-BORDER FLOW OF THE DATA

The Data Protection Directive allows data to flow freely between the Member States; certain
rules, however, apply when data are transferred to non-member countries. The CoE has
addressed this point in the Additional Protocol to Convention 108 of 2001, which became the
main regulatory instrument on trans-border data flows. Article 25 (1) of the Data Protection
Directive lays down the rules for the transfer to third countries of personal data which are
undergoing processing or are intended for processing after transfer.

In Bodil Lindqvist,86 the CJEU held that "the act of referring, on an internet page, to
various persons and identifying them by name or by other means, for instance by giving their
telephone number or information regarding their working conditions and hobbies, constitutes
'the processing of personal data wholly or partly by automatic means', within the meaning of
Article 3 (1) of Directive 95/46". The directive also allows Member States to keep track of
the data which are sent to third countries.

It may be noted that the mere publication of personal data is not treated as a trans-border
flow; this applies to online public registers and mass media (such as online newspapers and
television) as well. Only data that are addressed to specific recipients fall under this
provision.

86 CJEU, C-101/01, Bodil Lindqvist, 6 November 2003, available on curia.europa.eu.
Chapter : 3

REGULATORY FRAMEWORK OF DATA PROTECTION IN EUROPEAN UNION AND USA

3.7.1 Free data flows between Member States

Article 1 (2) of the Data Protection Directive is broad in scope and widens the area within
which data may flow freely. Through the EEA Agreement it also covers the EEA countries
Iceland, Liechtenstein and Norway, treating them as part of the internal market. Under CoE
law, Article 12 (2) of Convention 108 allows the free flow of personal data between the
Parties to the Convention. Domestic law cannot impose restrictions on the free flow of data
to another Contracting Party unless the data belong to specific categories subject to special
regulation in domestic law.87 Under CoE law, all fields are included within the scope of
Convention 108 and its Additional Protocol, although exemptions may be made by the
Contracting Parties. All members of the EEA are also Parties to Convention 108.

3.7.2 Free data flows to third countries

The transfer of personal data to non-member countries is free from restriction under
national law if:

- the recipient ensures an adequate level of data protection; or

- it is necessary in the interests of the data subject, or in the interests of others, such
as important public interests.

1) Adequate Protection

The free flow of data to third countries is addressed in Article 25 (1) of the Data
Protection Directive. Article 25 (6) gives the European Commission the competence to assess
the level of data protection in other countries by examining their law and practice. The
findings of the European Commission are final. The Commission publishes its findings in the
Official Journal of the European Union, and all Member States of the EEA are bound by the
decision. The Commission's published decision is sufficient in itself; no further
verification is required.

87 Convention 108, Art. 12 (3) (a).


One example was the Safe Harbour Privacy Principles, to which US companies could voluntarily
subscribe. These principles were drawn up between the EU and the US for US businesses. Safe
Harbour was a kind of code of conduct: companies that agreed to it could register and take
up membership. Safe Harbour also came with an element of state monitoring by the US Federal
Trade Commission, and only companies subject to that supervision could join. The Commission's
Safe Harbour adequacy decision was declared invalid by the CJEU in Schrems (C-362/14,
6 October 2015).

2) Free Data Flow in Specific Cases

Article 26 (1) contains derogations which run parallel to those of the Additional Protocol
to Convention 108. Under it, a transfer to a third country in the interest of the data
subject may be justified where:

- the data subject has given his or her unambiguous consent to the transfer;

- the transfer is necessary for the performance of a contract between the data subject and
the controller, or of pre-contractual measures taken at the data subject's request;

- the transfer is necessary for a contract concluded between the controller and a third
party in the interest of the data subject;

- the transfer is necessary to protect the vital interests of the data subject;

- the transfer is made from a public register which is intended to provide information to
the public and is open to consultation, in the interest of transparency.88

3.7.3 Restricted data flows to third countries

The Data Protection Directive and the Additional Protocol to Convention 108 permit domestic
law to establish regimes for trans-border data flows to third countries which do not ensure
an adequate level of data protection, so long as the controller has made special
arrangements to ensure adequate data protection safeguards at the recipient, and so long as
the controller can demonstrate this to a competent authority. This requirement is expressly
stated only in the Additional Protocol to Convention 108; however, it is also regarded as
standard procedure under the Data Protection Directive. Such trans-border data flows depend
on the clauses laid down in the agreements made between EU Member States and third
countries. Examples of such clauses are the following:

88 Data Protection Directive, Art. 26 (1) (d), available at www.dataprotection.ie.

1) Contractual Clauses

In accordance with EU standards, the European Commission, with the assistance of the
Article 29 Working Party, has formulated a set of contract-based clauses which are
officially certified by Commission Decision as proof of adequate data protection.89
The Commission's decision is binding on the Member States. In the case of
trans-border data transfer, the data controller and the data receiver in the external
non-member country need to sign these clauses in order to assure the authorities that
the data protection measures are adequate. The vital components of these clauses are:

- A third-party beneficiary clause allows the data subject to enforce their rights
even though they were not a party to the contract.

- The data recipient in the third country agrees to comply with the regulatory
standards of the exporting country, including its national supervisory authority
and/or courts in case of dispute.

It may be noted that data transfers between controllers are regulated by two clauses,
whereas data transfers between data controllers and processors are regulated by one
clause.

2) Special international agreements

The EU has concluded special agreements for two types of data transfers:

- Passenger Name Records

89 Data Protection Directive, Art. 26(4), available at www.dataprotection.ie.

Passenger Name Records (PNR) refers to the data obtained by air carriers as part of a
reservation. This usually includes data such as name, address, email, bank card
details and phone number. Under the prevailing law in the US, all airline carriers
must report passenger details to the US Department of Homeland Security before a
flight coming to or going from the US. The European Union runs a similar programme,
called the 'PNR package', which was adopted in 2004.

After the CJEU's revocation of the 'PNR package', the European Union and the US signed
separate agreements to give legal protection to PNR data among the authorities with
which it is shared. Beyond this, the purpose of the agreements was to ensure that
there is adequate infrastructure and policy in place for data protection in the
countries to which the data is transferred.

The new agreement offered significant improvements. It restricts and clarifies the
purposes for which the information may be used, such as serious transnational crime
and terrorism. According to this new agreement, data can be stored only for a period
of six months, beyond which it needs to be depersonalised and set aside. Data should
not be misused for any illegal activities as prescribed under US law. Individuals have
full authority to view their PNR data and, in case it is inaccurate, they can ask the
US Department of Homeland Security to rectify or even erase it. The agreement was
ratified in 2012 and will remain in force till 2019.

In December 2011, the Council of the European Union officially authorised the
EU-Australia Agreement on the processing and transfer of PNR data. The agreement
proved to be a benchmark in setting up PNR data best-practice guidelines at an
international level and also in negotiating agreements with other countries.

- Financial messaging data

The Society for Worldwide Interbank Financial Telecommunication (SWIFT), based in
Belgium, is the establishment behind global money transfers between banks worldwide.
It was operating a parallel centre in the US and was confronted with a request to
disclose data to the US Department of the Treasury for terrorism investigation
purposes.90 From the EU point of view, there was no sufficient legal basis for
disclosing this considerable body of European data, which was available in the United
States only because one of SWIFT's data-processing centres was located there. Another
special agreement, referred to as the SWIFT agreement, was concluded in 2010 between
the EU and the US to provide the necessary legal basis and to secure adequate data
protection for financial data.91

Under it, SWIFT data can be given to the US Treasury Department for the purpose of
the prevention, investigation, detection or prosecution of terrorism or terrorist
financing. The US Treasury Department can seek financial data from SWIFT only if its
request meets the following parameters:

- it identifies the particular financial data set that it needs;

- it justifies why the data is needed;

- it is narrow in nature, so that only a small amount of data is requested rather
than a large bulk of it; and

- it does not ask for any ancillary information such as Single Euro Payments Area
(SEPA) data.

The European authorities should be furnished with a copy of the original request
seeking data so that they can judge whether the SWIFT principles are complied with.
After confirming the parameters, SWIFT should provide any authorised data directly to
the US Treasury Department and not through any intermediary.

90 Article 29 Working Party (2011), Opinion 14/2011 on data protection issues related to the prevention of money laundering and terrorist financing.
91 Council Decision of 13 July 2010 on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program.

The financial data needs to be stored in separate and secure data centres, where the
data is protected and can be accessed by officials actually investigating the data in
order to reach a conclusion. SWIFT may store the financial data it receives for no
more than five years. Financial data that is relevant to specific investigations or
prosecutions may be retained for as long as it is necessary for those investigations
or prosecutions. The US Treasury Department may transfer data to any of its agencies
inside or outside the country, but only for the purpose of the investigation,
detection, prevention or prosecution of terrorism and its financing or for public
security. Transfer of the financial data of an EU resident needs the consent of the
competent authorities before the transfer. The SWIFT agreement was valid till 2015,
with unlimited renewal for a year at a time until either party declines to renew it
by giving six months' notice to the counterpart.

3.8 OTHER DATA PROTECTION LAWS IN EUROPE

Certain legal instruments have been adopted and are in force under the European
Convention, such as:

3.8.1 Electronic communications

In 1995 the CoE issued a recommendation on data protection specifically for the
communications field, with particular reference to telephone services.92 It mandated
that personal data should be collected only for network usage and for making
telecommunication services available to users, e.g. billing and operations. Particular
attention was also given to the use of communications networks for sending direct
marketing messages. Automated calling devices used for mass advertising should be
used only if the consumer has given his or her express consent. Domestic law shall
provide detailed rules in this area.

92 CoE, Committee of Ministers (1995), Recommendation Rec(95)4 to member states on the protection of personal data in the area of telecommunication services, with particular reference to telephone services, 7 February 1995.

The Directive concerning privacy and electronic communications was enacted in 2002,
and some changes were made in 2009 in order to complement the provisions laid down in
the Data Protection Directive for telecommunications. The Directive on privacy and
electronic communications differentiates three main types of data generated in the
course of a communication:

- Strictly confidential data: the content of messages shared in private
conversations.
- Traffic data: data used for maintaining telecommunications operations.
- Location data: data concerning the location of telecommunication devices
(particularly relevant to mobile devices) and other ancillary data concerning the
users of these devices.

Traffic data is usually used for billing consumers and providing adequate service.
However, such data may be disclosed to controllers for offering other premium
services, such as the nearest metro station or pharmacy from the user's location, or
the weather forecast for the user's location. These can be important facts about a
person's location and nearby places of business. The amendments to the Directive for
electronic communications in 2009 were:93

- Restrictions on sending SMS, MMS and other similar messages for direct marketing,
which also covers emails being sent out. All such activities are prohibited unless
prior consent is obtained from the user.
- Member States need to ensure that there are legal remedies for sending unwanted
communications.94

93 Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services; Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.
94 Article 13 of the amended Directive.

- Cookies on online portals should be allowed to track user information only after
taking consent from the user. Further, national law must specify the type of consent
to be taken for adequate protection.

In case of any data breach due to illegal access or loss of data, the supervisory
body must be informed immediately, and beyond that subscribers should also be notified
where damage to them is the likely consequence. The EU Member States shall designate
independent public authorities responsible for monitoring the security of the retained
data. Surveillance methods of any kind are prohibited and only allowed under certain
exceptions, such as national/state security, protecting the rights of the data
subject, public safety, the monetary interests of the state or the suppression of
criminal offences.

3.8.2 Employment data

There is no specific EU statute that deals with employment data. However, when an
issue related to employment arises, Article 8(2) of the Data Protection Directive,
which deals with the processing of sensitive data, is usually referred to. One kind of
monitoring that exists is the monitoring of an employee's communications at the
workplace. The only complete solution to it is barring private use of communication
facilities at the workplace, which at the same time seems unrealistic.

The CoE Employment Recommendation states that personal data collected for employment
purposes should be obtained from the employee directly. Any data taken at the time of
recruitment should be restricted to the key information needed to gauge the
candidature of the employee. Also, judgmental data relating to the performance or
potential of an individual employee should be fair and based on honest evaluation.

Sensitive data taken during employment should be taken only to determine whether the
person is employable in accordance with domestic law. Other information, such as
health-related details or medical examinations, may be asked for only if necessary to
determine eligibility for the employment. Employees should be informed how their data
will be processed and stored, the entities to whom data are regularly communicated,
and the purpose of such communication. If the company is changing to automated data
processing solutions, the employees should be informed of that as well. As in other
cases, employees should have full access to view and correct any of their inaccurate
data. If an employee is denied access, rectification or erasure of personal employment
data, national law must provide appropriate procedures to contest such denial.

3.8.3 Medical data

Medical data is data related to the health condition of an individual and is
qualified as sensitive data under Article 8(1) of the Data Protection Directive and
under Article 6 of Convention 108. Article 8(3) of the Data Protection Directive
authorises medical data to be processed for preventive medicine, medical diagnosis and
the proper management of services rendered by a healthcare provider.

The CoE Medical Data Recommendation of 1997,95 in consonance with the principles of
Convention 108, goes deeper into medical data processing. The recommendations are in
line with those of the Data Protection Directive as regards the legitimate purposes
of processing medical data and the confidentiality to be maintained at all times.
Like other statutes, it also allows for data access and the rectification of
inaccurate data. Medical data should not be disclosed to law enforcement authorities
until it is certain that safeguards are in place and that there is no breach of the
rights of the individual. Additionally, the Medical Data Recommendation grants
special protection to the medical data of unborn children and disabled people and to
the processing of genetic data.

95 CoE, Committee of Ministers (1997), Recommendation Rec(97)5 to member states on the protection of medical data, 13 February 1997.

Data may be kept for research purposes for a certain period of time. Pseudonymisation
and anonymisation may be used as an alternative to ensure that both scientific needs
and the interests of the patient are kept in mind. There are discussions of creating a
nationwide electronic database of health files96 to allow for the transmission of
information for cross-border healthcare initiatives.97 There are many other
legislative and other initiatives pending at the EU level regarding personal data in
the health sector.98

3.8.4 Data processing for statistical purposes

As per the Data Protection Directive, processing data for statistical research
purposes also needs to be protected; Article 13(2) covers the rules surrounding it.
The data accumulated should not be used to make decisions about data subjects.
Secondary statistics may be produced by acquiring previously collected data and
forming theories around it. However, it should be anonymised or pseudonymised before
it is transmitted to any external agency. Article 6(1)(b) of the Data Protection
Directive contains rules regarding safeguards for data to be used for statistical
research purposes. Statistics bureaus often use such data to frame public policies.
Citizens usually have to share data with national statistics bodies. However, it is
important that officials working for such bodies are duty-bound to maintain
confidentiality regarding the data they possess.

The Statistical Data Recommendation, enacted in 1997, regulates the use of statistics
in the public and private sectors.99 It is important to note that any data collected
mainly for statistical use may only be used for that purpose. However, data collected
for other reasons may be used for statistical studies in the future. Sharing such data
with other third-party statistics agencies for further study is permissible under this
Recommendation. However, such parties should agree in writing on the extent of the
legitimate further use for statistics. It is important to anonymise statistical data
before it can be transferred for further use.

96 Article 29 Working Party (2007), Working Document on the processing of personal data relating to health in electronic health records (EHR), WP 131, Brussels, 15 February 2007.
97 Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare.
98 EDPS (2013), Opinion of the European Data Protection Supervisor on the Communication from the Commission on 'eHealth Action Plan 2012–2020 – Innovative healthcare for the 21st century', Brussels, 27 March 2013.
99 Council of Europe, Committee of Ministers (1997), Recommendation Rec(97)18 to member states on the protection of personal data collected and processed for statistical purposes, 30 September 1997.

If a statistical survey using personal data is not prescribed by law, the data
subjects would have to consent to the use of their data in order to make it lawful,
or they should at least be given a chance to object. If personal data is obtained by
interviewing people, they need to be informed beforehand about the collection of the
data and its distribution. Sensitive data should never be collected in such a way
that an individual can be identified, unless clearly permitted by national law. After
the relevant statistical studies on the personal data are done, it can be either
removed or anonymised. Encryption keys and other identifying data should be stored
separately from the anonymised or pseudonymised data.
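The separation the Recommendation describes, a pseudonymised extract on one side and the key plus identifying data on the other, can be shown in code. The following is an added illustration, not code from the thesis; the record fields, the HMAC-SHA-256 pseudonym construction and the notion of a separate key store are assumptions, and the survey records are constructed.

```python
"""Pseudonymising a statistical extract while keeping the key apart from it.
Added illustration, not code from the thesis; field names and the separate
"key store" are assumptions, and the survey records below are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Fields that directly identify a person; they never travel with the extract.
DIRECT_IDENTIFIERS = ("name", "national_id", "email")

# Constructed sample survey records (fictitious people).
SAMPLE_RECORDS = [
    {"name": "A. Example", "national_id": "ID-0001", "email": "a@example.test",
     "age_band": "30-39", "region": "North", "income_band": "B"},
    {"name": "B. Example", "national_id": "ID-0002", "email": "b@example.test",
     "age_band": "40-49", "region": "South", "income_band": "C"},
    {"name": "A. Example", "national_id": "ID-0001", "email": "a@example.test",
     "age_band": "30-39", "region": "North", "income_band": "B"},
]


def generate_key() -> bytes:
    """Fresh 256-bit secret for the pseudonymisation function. It belongs in
    the controller's key store, stored separately from the extract."""
    return secrets.token_bytes(32)


def make_pseudonym(key: bytes, national_id: str) -> str:
    """Keyed pseudonym (HMAC-SHA-256). The same person always maps to the same
    pseudonym, so repeated observations stay linkable within the study, but
    without the key nobody can recompute it; a plain hash of a small
    identifier space could be reversed by trying every identifier."""
    digest = hmac.new(key, national_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Split the data set in two: an extract with the direct identifiers removed
    and a pseudonym added, and a lookup table (pseudonym -> identifiers) that is
    kept with the key, never with the extract."""
    extract, lookup = [], {}
    for rec in records:
        pid = make_pseudonym(key, rec["national_id"])
        lookup[pid] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        extract.append({"pseudonym": pid,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return extract, lookup


def contains_direct_identifiers(rows: List[dict]) -> bool:
    """Release check: an extract still carrying any direct identifier field
    must not be transferred to a third-party statistics agency."""
    return any(field in row for row in rows for field in DIRECT_IDENTIFIERS)


def reidentify(row: dict, key: bytes, lookup: Dict[str, dict]) -> Optional[dict]:
    """Only the holder of both the key and the lookup table can reverse a
    pseudonym; the key is also used to confirm the lookup entry is genuine."""
    ident = lookup.get(row["pseudonym"])
    if ident is None or make_pseudonym(key, ident["national_id"]) != row["pseudonym"]:
        return None
    return ident


def anonymise(extract: List[dict]) -> List[dict]:
    """Once the statistical work is done, drop the pseudonym too: after this
    step even the key holder can no longer link rows back to people."""
    return [{k: v for k, v in row.items() if k != "pseudonym"} for row in extract]


if __name__ == "__main__":
    key = generate_key()  # stays in the key store, apart from the extract
    extract, lookup = pseudonymise(SAMPLE_RECORDS, key)
    assert not contains_direct_identifiers(extract)
    print("extract fit for transfer:", extract)
    print("row 1 re-identified by the key holder:", reidentify(extract[1], key, lookup))
    print("after anonymisation:", anonymise(extract))
```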

3.8.5 Financial data

Convention 108 called for clauses surrounding data protection from the perspective of
payments data, and such a legal framework was developed by the CoE in Recommendation
Rec(90)19 of 1990.100 This recommendation makes clear the scope of legitimate
collection and use of data in the context of payments, especially by means of payment
cards. The Recommendation advised that national laws need to ensure that data from
payment cards is encrypted and that there are fixed procedures surrounding its
transparency. It further recommends to domestic legislators detailed regulations on
the limits of communicating payment data to third parties, on time limits for the
conservation of data, on transparency, data security and trans-border data flows and,
finally, on supervision and remedies.

100 CoE, Committee of Ministers (1990), Recommendation No. R(90)19 on the protection of personal data used for payment and other related operations, 13 September 1990.

There are various legal statutes being formulated to regulate the financial services
sector and the activities of credit institutions and investment firms.101 There are
many vital issues surrounding them, such as:

- breach reporting mechanisms;

- the holding of records of financial dealings;

- understanding between Member States and the European Securities and Markets
Authority (ESMA);

- surveillance by tapping phone conversations, including the power of the competent
authorities to request telephone and data traffic records;

- the transfer of personal data to other countries;

- the power of the competent authority to seize documents and conduct raids; and

- the disclosure of personal information, including the publication of sanctions.

There are also other issues in these areas that are specifically addressed, including
collecting data on the financial status of data subjects or cross-border payment via
banking transfers, which inevitably leads to personal data flows.102

CHAPTER 4: COMPARISON ANALYSIS OF DATA PROTECTION IN VARIOUS JURISDICTIONS

4.1 INFORMATION TECHNOLOGY ACT, 2000

The Information Technology Act, 2000 is based on the United Nations Model Law on
Electronic Commerce and is the major legal framework that was adopted in the year 2000
and enforced on 17 October 2000.50 Later, in 2008, certain amendments were proposed to
the Act to address issues related to cybercrime, data protection and electronic
signatures, which were enforced in February 2019. In spite of the amendment, there are
limited provisions dealing with data protection under the Act. The terms "data" and
"information" are defined separately under Section 2 of the IT Act, 2000. Section 2(o)
defines data as "the formalized representation of information, knowledge, facts,
concepts, and instructions prepared in a formalized manner and processed in a
computer system, computer network, optical storage media, punched cards, or stored
internally in the memory of the computer", and Section 2(1)(v) provides that
information includes messages, text, images, audio, sound, codes, computer programs,
software, databases, microfilm or computer-generated microfiche. However, the Act
does not provide any definition clause that defines personal data or sensitive
personal data.

1. Section 43(a), (b) and (i): This section provides that anyone who, without the
permission of the owner or any other person in charge of a computer, computer system
or computer network, accesses or secures access to such a computer, computer system or
computer network; downloads, copies or extracts any data, computer database or
information from it, including data held or stored in any removable storage medium;
or steals, conceals, destroys or alters, or induces another person to steal, conceal,
destroy or alter, any computer source code used for a computer resource with the
intent to cause harm, will be required to pay damages by way of compensation not
exceeding INR 1,00,00,000 (Rupees One Crore) to the person so affected.

2. Section 43A: Inserted by the Amendment of 2009, this section deals with
compensation for failure to protect data. Section 43A imposes liability on ITES/BPO
and other body corporates dealing with or handling sensitive personal data or
information to maintain security practices and procedures for the protection of the
data of individuals, and to compensate the persons affected where negligence in doing
so causes wrongful loss or wrongful gain. For this reason it refers to body corporates
and excludes natural persons from its purview. However, Section 43A does not specify
what information or data is sensitive personal data; the scope to determine this is
left to the Central Government.51

3. Section 66C: This section addresses identity theft and provides that anyone who
fraudulently or dishonestly makes use of another person's electronic signature,
password or any other unique identification feature faces up to three years in prison
and is also liable to a fine of up to INR 1,00,000 (Rupees One Lakh).

4. Section 66E: This section provides that anyone who wilfully or knowingly captures,
publishes or transmits an image of a private area of another person without that
person's consent, infringing their right to privacy,27 will be punished with up to
three years in prison, a fine of not more than INR 2,00,000 (Rupees Two Lakh), or
both.

5. Section 72: This section provides that anyone who, having secured access to a
person's electronic record, book, register, correspondence, information, document or
other material without that person's consent, discloses such record, book, register,
correspondence, information, document or other material to any other person will be
punished with up to two years in prison or a fine of up to INR 1,00,000 (Rupees One
Lakh).

6. Section 72A: This section provides a criminal penalty where, in the course of
performing a contract, a person or intermediary providing services discloses personal
information without the data subject's consent or in breach of a lawful contract, with
the knowledge that he or she will cause or is likely to cause wrongful loss or wrongful
gain. The punishment prescribed is imprisonment of up to three years, a fine of up to
Rs 500,000, or both.

4.2 INTERMEDIARY GUIDELINES 2021

The Indian government established the Information Technology (Intermediaries
Guidelines) Rules, 2011 as a framework for regulating online intermediaries. The rules
attempt to strike a balance between the need for freedom of speech and expression and
the need to protect against harmful and illegal online content.52 The guidelines
require intermediaries to exercise due diligence when performing their duties, as
stated in Rule 3. To explain to users the nature of the services provided, the terms
of use and the privacy practices, they are required to publish rules and regulations,
user agreements and privacy policies. This clause guarantees that intermediaries are
open about their procedures and business dealings. According to the guidelines,
intermediaries must also take down, or make inaccessible, content that is deemed to
be harmful, offensive or defamatory in nature within 36 hours of receiving a complaint
or notification from a government body. This clause aids in limiting the online
dissemination of illegal material. As stated in Rule 4(2) of the guidelines,
intermediaries are not permitted to host, display, upload, modify, publish, transmit,
update or share any information that is against any law in force in India. This
requirement ensures that intermediaries understand their obligation to uphold Indian
law and stop the dissemination of illegal content. The guidelines have also played a
significant role in influencing India's data protection environment. By requiring
intermediaries to follow specific standards, the guidelines have helped create a
culture of accountability and responsibility among online intermediaries.

Additionally, they have contributed to a greater understanding of the legal
responsibilities of intermediaries in relation to online content. The rules have,
however, come under fire from some quarters. Some experts believe that the guidelines
are too flexible and might be used to suppress acceptable online expression. Others
have made the point that the rules fall short of protecting user privacy, which raises
concerns about intermediaries collecting and misusing personal information. Despite
these concerns, the guidelines are nevertheless an essential instrument for regulating
internet intermediaries in India. As internet usage rises in India, it is essential
for the government to continue updating and enhancing the rules so that it can
continue to effectively block dangerous online content while upholding free expression
and consumer privacy. In general, India's approach to data protection has been
significantly impacted by the Information Technology (Intermediaries Guidelines)
Rules, 2011. Due diligence, compliance with the law, and acceptance of responsibility
for the content on their platforms are all requirements outlined in the rules, which
have helped to establish a culture of accountability and responsibility among internet
intermediaries.53

4.3 ANALYSIS OF DATA PROTECTION BILL, 2006 AND DATA PROTECTION BILL, 2019

The court constituted a special committee, the Srikrishna Committee, to produce a bill
on personal data. The committee, headed by retired Supreme Court judge B.N.
Srikrishna, submitted its report on July 27, 2018. The Personal Data Protection Bill,
2019 was framed by the government and immediately sent to a Joint Parliamentary
Committee (JPC), and it is not implemented yet; the committee said that the framework
is not precise and is not suitable for the dynamic environment of technology. It took
five extensions since 2019 to approve the bill. Clause 35 of the PDP Bill, 2019 gives
the government shelter to access any information of any user and even to trace the
information of the people of the nation.

The government had absolute powers to track people and their information online (if
necessary). There should be a legislative framework on the matter, as it has become a
concern of national security. The PDP Bill proposes the concepts of a 'data fiduciary'
and a 'data processor', which are equivalent to the concepts of controller and
processor under the GDPR. The Bill gives protection to individuals by penalising
entities for data collected without user consent. The PDP Bill will apply not only to
persons in India but also to persons outside India in connection with business
conducted in India, the offering of goods or services to individuals in India, or the
profiling of individuals. The Bill also specifies provisions regarding the holding of
user data.

4.4 OTHER FRAMEWORKS REGULATING DATA

In India, there is no approved legislative framework on data privacy.

4.4.1 Right to privacy: A fundamental right

Article 21 is the heart and soul of the Constitution and the heart of fundamental
rights. Judicial intervention has held that many rights are included within it; the
scope of Article 21 is not narrow and restricted, and it has been widened by several
judgments. On the basis of its judgments, the court has included the following rights
under Article 21:54

1. Right to privacy

2. Right to shelter

3. Right to go abroad


4. Right against custodial death

5. Right to pollution-free water and air

6. Right against solitary confinement

7. Right to social justice and economic empowerment

8. Right against handcuffing

9. Right against delayed execution

10. Right against public hanging

11. Protection of cultural heritage

12. Right of every child to full development

13. Right to health and medical aid

14. Right to education

15. Protection of under-trials.


In the case of Justice K.S. Puttaswamy v UoI,55 the Advocate General of India,
responding on behalf of the Union, made a statement that the right to privacy is not a
fundamental right and is not mentioned anywhere in the Constitution. The apex court
unanimously held that the right to privacy is protected as a fundamental right and
falls under Article 21 of the Indian Constitution.

Right to be forgotten

The right to be forgotten is the right of an individual to have personal data removed
from internet histories and other intermediaries. The Honourable Court recently held
that the right to be forgotten is a subset of the right to privacy.

Vinit Kumar v CBI and Ors:56 In this case, the calls of businessmen were intercepted
on the order of the Union Home Ministry, and the petitioner challenged the orders in
the High Court of Bombay as an infringement of the right to privacy. The court held
that there was no lawful justification for the orders and set them aside. There are
two sections relating to data disclosure and failure to protect data in the
Information Technology Act, 2000.

55 (2017) 10 SCC
56 Wp No 2367 of 201

CHAPTER 5: ISSUES IN DATA PROTECTION

5.1 TECHNOLOGICAL ADVANCEMENTS

Indian information practices have been substantially transformed by globalization and the Information and Communications Technology (ICT) revolution57, which has made information far more portable and accessible. Not only the corporate sector but also the government sector and individuals want to be agile and smart in today's world. Although technology has made our lives easier, faster and more advanced, it has also brought unexpected disruption and made our personal lives far more visible. Biometrics (fingerprint, hand geometry, face, voice, iris and keystroke recognition), RFID, smart cards, Voice over Internet Protocol (VoIP), wireless technologies, location detection technologies (such as the Global Positioning System), data-matching and data-mining technologies, and surveillance technologies are some of the technologies with the potential to affect privacy. Computers can now not only store large volumes of data but can also automatically filter, extract and compare records across those volumes. Data matching is a form of data mining that examines specific items or patterns in data to see whether they indicate a particular trait, propensity or behaviour that can be predicted. Data matching poses a distinct threat to personal privacy because it evaluates information about very large groups of persons who are under no suspicion of committing a crime. When data warehouses are operated by third parties, such as business process outsourcing (BPO) companies, the concern becomes even more important. As security expert Bruce Schneier puts it, "Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance."
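The data-matching threat described above, shown as an added illustration that is not part of this dissertation: a short Python script joins an "anonymised" health dataset (no names) to a named public list on three quasi-identifiers (postcode, date of birth, sex). Anyone unique within that combination is re-identified without any suspicion attaching to them. All records, names and postcodes are constructed for the example; the k-anonymity check and the coarsening step are the author's additions, not a procedure the dissertation describes.

```python
"""Data matching (record linkage) across two datasets as a privacy-risk demo.

Constructed sample data, not real records: an 'anonymised' health dataset that
omits names, and a public voter-style list that carries names. Linking on the
quasi-identifiers (postcode, date of birth, sex) re-identifies anyone who is
unique within that combination.
"""
from collections import Counter, defaultdict

QUASI_IDS = ("postcode", "dob", "sex")

# Constructed 'anonymised' health records (direct identifiers removed).
HEALTH = [
    {"postcode": "560001", "dob": "1985-03-12", "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "560001", "dob": "1990-07-04", "sex": "M", "diagnosis": "asthma"},
    {"postcode": "560002", "dob": "1990-07-04", "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "560002", "dob": "1990-07-04", "sex": "M", "diagnosis": "migraine"},
]

# Constructed public list (think electoral roll) that does carry names.
VOTERS = [
    {"name": "Asha Rao", "postcode": "560001", "dob": "1985-03-12", "sex": "F"},
    {"name": "Ravi Menon", "postcode": "560001", "dob": "1990-07-04", "sex": "M"},
    {"name": "Kiran Das", "postcode": "560002", "dob": "1990-07-04", "sex": "M"},
    {"name": "Arjun Pillai", "postcode": "560002", "dob": "1990-07-04", "sex": "M"},
]


def qi_key(record, keys=QUASI_IDS):
    """Tuple of quasi-identifier values used as the join key."""
    return tuple(record[k] for k in keys)


def k_anonymity(records, keys=QUASI_IDS):
    """Map each quasi-identifier combination to its group size k.

    A record whose combination has k == 1 is unique and therefore exposed.
    """
    return Counter(qi_key(r, keys) for r in records)


def link_records(health, voters, keys=QUASI_IDS):
    """Re-identify health records by joining them to a named dataset.

    Returns ({name: diagnosis}, ambiguous_count). A name is attached only
    when exactly one health record and exactly one named record share the
    key; health records whose key matches several people are counted as
    ambiguous rather than guessed.
    """
    by_key_health = defaultdict(list)
    for r in health:
        by_key_health[qi_key(r, keys)].append(r)
    by_key_voters = defaultdict(list)
    for v in voters:
        by_key_voters[qi_key(v, keys)].append(v)

    identified, ambiguous = {}, 0
    for key, hrecs in by_key_health.items():
        vrecs = by_key_voters.get(key, [])
        if len(hrecs) == 1 and len(vrecs) == 1:
            identified[vrecs[0]["name"]] = hrecs[0]["diagnosis"]
        elif vrecs:
            ambiguous += len(hrecs)
    return identified, ambiguous


def generalise(records):
    """Coarsen quasi-identifiers (3-digit postcode prefix, birth year only).

    This is the usual mitigation; the demo shows it raises k for some
    groups but still leaves a unique individual exposed.
    """
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:3]
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


if __name__ == "__main__":
    ident, amb = link_records(HEALTH, VOTERS)
    print("re-identified:", ident, "| ambiguous records:", amb)
    print("k per group:", dict(k_anonymity(HEALTH)))
    ident_g, amb_g = link_records(generalise(HEALTH), generalise(VOTERS))
    print("after generalisation:", ident_g, "| ambiguous:", amb_g)
```

Run as-is: two of the four "anonymised" patients are named outright on the raw data, and one is still named after postcode and date of birth are coarsened, which is the point of the paragraph: matching does not need a suspect, only a combination of attributes that happens to be unique.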

A number of Internet security and privacy professionals say that "security doesn't exist" and that "privacy is dead, get over it". Cookies and site loggers have made private information more exposed on the internet. A great deal of new knowledge has been generated in the field of information and communication technology, and some of it has been put to destructive use. For instance, hackers use their technical skills to alter, intrude upon or interfere with computer networks, with the intention of destroying information or making money from it, as in a fraudulent banking transaction. Bullesbach (2004) notes that the development and application of new information and communication technologies create challenges for data protection58. Although new technologies are a positive step in the development of developing countries, proper planning is necessary before new knowledge is applied. Hackers exploit the same principles on which the new technologies are built. It should also be noted that the hacker may be a consultant working for the very firm that is attacked, so such crimes may go undetected, or be detected only after a long time, because the consultant occupies a position of trust and nobody suspects ill motives in his operations.

After all, he is a consultant. Capron (1996) explains that most computer crimes are discovered by accident. He describes a case in which employees of a city welfare department created a fictitious workforce and programmed the computer to issue pay cheques, which the employees then intercepted and cashed. Spamming is another crime linked to advances in information and communication technology: the explosion of mobile phone communication and cheap email services has attracted a great deal of spamming. Palfrey (2005) observes that spam is the preferred delivery mechanism for internet security threats such as viruses, which undermines the efforts of those in developing countries who are trying to persuade users to rely on digital communication.

This is why the Kenyan lawyer Mathew Ngugi observes that the massive gains brought by the information age are not perfect (Ngugi, 2005). It illustrates how the economies of developing countries continue to suffer as they adopt new technologies. Developing countries lack specialised personnel who can deal effectively with advanced computer crime. Computer crimes have become more frequent and more complicated for the police to handle because of the expansion of internet communications (Wikipedia, the free encyclopedia, 2006). This challenge is technological in character and can be traced to the curriculum offered to police officers during their training. They receive no training in information technology, which is why an investigation into computer crime is likely to yield no result: the investigator is not equipped with technology-based investigative procedures. Even where law enforcement agents such as the police do detect a computer crime, Capron (1996) observes, they do not fully understand the complexities of computer-related fraud.

5.2 ETHICAL PROBLEMS

Ethical conduct in the work environment forms the basis of success for any business venture. It has been observed that employees in small business firms are likely to pirate software, a practice that is tacitly endorsed by management for the sake of business survival. The main challenge here is piracy within the office or business environment, where superiors may not regulate their users, or where there are no clear guidelines on ethical practice in the office. Piracy of data is practised by experts with the necessary technical knowledge. For example, IT (Information Technology) consultants may use pirated software to complete certain projects: they accept projects that involve software they cannot afford to purchase and then seek illegal means of obtaining it. Developing countries experience this problem because of rising unemployment, where people survive by using illegal business practices to make a living. Internet access in the office acts as an entry point for pirated software, and illegal transactions can be carried out over a network without being noticed. Froomkin (1996), for example, observes that cross-border gambling can go on over the internet, evading the regulations imposed by the jurisdictions in which the players live.

One of the most important ethical issues in data analysis is ensuring the quality and accuracy of the data. Data quality and accuracy refer to how well the data reflects the reality of the situation, how reliable and valid the data sources are, and how free the data is from errors and biases.

Unethical computer use in the office is exemplified by a case in which Downey, a judge, admitted viewing pornographic material on his office computer (North Country Gazette, 2006). Downey regarded his action as not unlawful. From this case it is clear that ethics at the workplace are not clearly defined and that there are no clear descriptors of what is unethical. The case mirrors the situation in developing countries. Ethical use of computers in the office is challenged by the lack of proper guidelines on privacy: searching a computer to find out what an employee is doing interferes with his privacy, whereas restricting internet use in the office is a different matter. In a survey carried out in three companies in Nairobi, Kenya, on employee monitoring, 50% of the employees interviewed said that they were being monitored secretly when working at the computer, 30% felt that work ethics rather than monitoring by superiors should guide a person, and 20% felt that monitoring was acceptable only if done objectively. This reflects the state of affairs in developing countries and implies that there are no clear guidelines on privacy and information access at the workplace, which in turn undermines the employee, who should be an agent of privacy at the workplace. This is why Bynum (2000) explains that there are always problems in the application of computer ethics: there are no clear policies on how computer technologies should be used.

5.2.1 Computer System Malfunction And Hardware Failure

Data must be protected not only from people (users) but also from computer systems that do not function well and from hardware that fails. System operation depends on the software used, and system failure, according to one account, may result from the complexity of that software. Developing countries are adopting modern software that is more complex and more efficient in operation; if the software is improperly coded, the system is likely to fail, and data held in it is likely to vanish when it malfunctions. System failure can also originate with the user, for example when the user gives the computer inaccurate instructions, which may lead to the loss of files and of the data held in them (Capron, 1996). Certain types of hardware, such as diskettes, are vulnerable to conditions such as extreme temperatures, scratching, pressure and magnetic fields (Capron, 1996), and the data on them is likely to be lost under such conditions. This is common in developing countries because the hardware sold to consumers is of low quality and quite susceptible to these conditions.

5.2.2 Internet Regulations For Both Users and Internet Service Providers

New technologies contribute to the national development of developing countries. However, the challenges that accompany technological advancement retard the growth of some sectors of the economy, and internet access is one of the main issues. Developing countries need to initiate self-regulation mechanisms. Bullesbach (2004) observes that data protection is adequate and effective when countries initiate it by means of self-regulation. This is important for developing countries because of the cultural diversity of their people: self-regulation mechanisms can cater for diverse cultures that differ from those of western countries. Palfrey (2005) observes that internet service providers must be encouraged to establish codes of conduct that prohibit their users from using the internet to access illegal information or to conduct illegal business transactions. Developing countries should embrace a self-regulatory approach by encouraging their internet service providers to regulate their customers through regulatory mechanisms internal to their businesses, which would cultivate ethics among customers in their use of the internet. Spamming can also be controlled by combined efforts between law enforcement agencies and internet service providers. Instead of chasing spammers, according to Palfrey (2005), regulators in less developed countries can succeed only by working in liaison with internet service providers, who are closer to the source of the problem, namely their customers and the technology in question. Because of the complexity of spamming, developing countries should make resources and the necessary personnel available to combat it. The primary responsibility for data access and protection lies with the users, who must be ethical in accessing data; unethical users need to be regulated by law. This is why Barroso (2001) argues that internet use should be legally regulated in addition to the users' own role in its regulation.

5.2.3 Computer Ethics Education And Training Among Users

Ethical practice is an important component of any professional field. In this era of information and communication technology, a great deal of data relating to people, governments and business organisations is handled by computing professionals, so a high standard of ethical practice is essential. Ethical practice can be imparted to computing professionals during their course of study or through in-service training. Weckert (2000) says that ethics must form part of the education of computing professionals, and the computing profession calls for excellence in its ethical perspective (ACM, 1992). Ethical practice in developing countries should play a central role in alleviating data crimes. Computer users in these countries should be trained on ethical issues related to data protection, and there is a need for refresher courses on emerging issues such as internet pornography, spamming, hacking and other forms of cyber crime, all of which result from advances in information and communication technology. The main remedy is therefore a code of practice for all computing professionals and service providers in information and communication technology. Not all computer-related infringements are noticed, which is why all computing professionals should regulate their practice from an ethical point of view. As Barroso (2001) notes, the cyber society in which we live needs an ethics of the internet, and internet ethics depend on the receiver or navigator. Accordingly, internet service regulatory bodies and internet service providers can educate their customers about the dangers of internet communication (Palfrey, 2005). Personal data should also be protected from unauthorised access, and a culture of personal data protection should be cultivated among users. Lace (2005) proposes that people should be made aware of how to protect their personal data and how to resist malpractices involving their data.

5.3 LEGAL GAPS

Inadequate data protection mechanisms have hampered data protection in developing countries59. These countries have laws touching on data protection and privacy, but not laws specific to the problem; they rely on general laws such as consumer protection (Palfrey, 2005), and consumer protection is a general term that can mean personal security against physical injury. There are many inadequacies in the Kenyan legislation on data protection, and the same is expected to be the case in other developing countries. The Kenyan lawyer Mathew Ngugi observes that there is a lack of analogy between most cyber crimes and their conventional counterparts. He compares trespass with hacking into a computer network: the penalty for trespass does not apply to hacking and accessing private data.

This clearly illustrates a challenging situation in which no relevant laws on hacking are available. One example in the Kenyan legal system is the Evidence Act, which was amended in the year 2000 to define a computer comprehensively, while the rest of the body of statute law remains oblivious to the changes and developments brought by the digital era. Intellectual property rights are another issue not well catered for in Kenyan legislation; one account narrates a case in which a man came up with a condom dispenser about a decade ago but reaped very little from it. People in developing countries use the internet widely. Though it is cheap and convenient, these countries have not put sufficient regulatory mechanisms on data access in place. The Singapore government is cited as not being able to do much to censor the internet; instead, the government limits access to the internet while at the same time benefiting from the information age. This illustrates how developing countries want to benefit from new technologies without laying a proper foundation of regulatory procedures for data protection. It is further noted that information deemed obscene (pornography) in one jurisdiction may be legal elsewhere.

This illustrates the conflicting legal provisions for internet regulation in different countries. Censorship is an important aspect of internet regulation, and governments' legal structures have been challenged in court. For instance, the Zimbabwe government was challenged by private mobile phone providers, who obtained a High Court order restraining the government from controlling the providers' information gateway system. This illustrates how data regulatory mechanisms in developing countries are still wanting60.

5.3.1 No guidelines for processing of data in a 'fair and reasonable' manner

The Bill (the Personal Data Protection Bill, 2018) defines 'data principal' as the individual whose data is being processed. The 'data fiduciary' may be a service provider who collects, stores and uses data in the course of providing goods and services. While processing the data, the fiduciary is obligated to ensure that it is processed 'in a fair and reasonable manner that respects the privacy of the individual'. Further, the fiduciary has to be able to demonstrate to the Data Protection Authority (DPA) that data has been processed in a fair and reasonable manner. In case of a violation of this provision, the fiduciary is liable to a penalty of four percent of its total worldwide turnover (subject to a minimum of Rs 15 crore).

While the Bill places this obligation on all data fiduciaries, it does not specify any principles or
guidelines for what constitutes a ‘fair and reasonable’ manner of personal data processing. The
absence of guiding principles could allow fairness and reasonability standards to vary across
fiduciaries processing similar types of data; and fiduciaries in the same industry may develop and
follow different standards. Further, in the absence of any guidelines, it may be unreasonable to
expect the fiduciary to demonstrate compliance. Note that non-compliance with this provision may
entail a significant monetary penalty. The Justice Srikrishna Committee Report had suggested that
courts of law and regulatory authorities should be allowed to evolve principles of fair and reasonable
processing. These standards may vary with technological progress over time, and across different
data fiduciaries.

5.3.2 Conflict of interest could arise from optional reporting of data breaches

Data fiduciaries are regulated by the DPA set up under the Bill, which assesses their compliance with
the law and initiates appropriate enforcement actions and penalties. The Bill states that the fiduciary
shall inform the DPA in the event of a data breach (i.e., an accidental or unauthorised use or
disclosure of data) only if such a breach is likely to cause harm to any data principal. The question is
whether the fiduciary should have the discretion to determine whether a data breach needs to be
reported to the DPA61.

Selective reporting of data breaches will spare the DPA from being burdened with a high volume of low-impact breach reports, and will also keep the reporting burden on the fiduciary from becoming too onerous. However, there may be a conflict of interest in determining whether a breach is to be reported, as the fiduciary is regulated by the DPA. Instances of breaches and the promptness of notification are assessed in independent data audits ordered by the DPA, and audit results are summarised into a public score that influences the perception of a fiduciary's trustworthiness. Further, fiduciaries have an economic interest in downplaying the risk of data breaches, as there have been instances of breaches negatively affecting companies' stock prices.


5.3.3 Exemptions for certain kinds of data processing could be questioned

The Bill lays down certain obligations on all data fiduciaries for processing the data principal’s
information. The fiduciary must provide notice to the principal and take their consent before
processing. They may use the data only for specified purposes, and store it with suitable security
safeguards for no longer than required. Further, the data principal also has several rights with respect
to their data, such as the right to (i) obtain a summary of their personal data held with the fiduciary,
and (ii) seek correction of inaccurate, incomplete, or outdated data.

However, the above obligations and safeguards do not apply if data is processed for the purposes of
(i) national security, (ii) prevention, investigation and prosecution of violations of a law, (iii) legal
proceedings, (iv) personal or domestic purposes, and (v) research and journalistic purposes. The
question is whether all exemptions defined in the Bill are warranted.

The Supreme Court, in Puttaswamy vs UoI62, allowed exceptions to the right to privacy of an
individual under certain situations. These include cases where a larger public purpose is satisfied by
the infringement of privacy of an individual. Such an exemption must be backed by a law, and must
be necessary for and proportionate to achieving the purpose. From this, it appears that an exemption
for national security, pursuant to a law, may be justified. However, it is unclear if exemptions for
legal proceedings, or for research and journalistic purposes meet the requirements of necessity and
proportionality. Note that the Supreme Court, in deciding the constitutionality of Aadhaar, had
declared the provision to link Aadhaar numbers with SIM cards as disproportionate, and thereby
unconstitutional.

The Bill allows an exemption for the disclosure of personal data for legal proceedings such as (i)
enforcing a legal right or claim, (ii) defending any charge, and (iii) obtaining legal advice. It can be
questioned whether asking for personal information without a court order becomes permissible per
this exemption. Further, it is unclear whether the requirements laid out in Puttaswamy vs UoI are
met by the exemptions for research and journalistic purposes. The legitimate aims of these
exemptions – that is, permitting journalistic freedom or building scope for research – have to be
balanced against preserving the right to privacy of data principals.

5.3.4 Processing of data for functions of the State does not require consent

Under the Bill, data fiduciaries (including the State) cannot process an individual’s data without their
consent. However, the State may process data without consent for certain functions, such as (i) for
provision of services and benefits, and (ii) for issuance of certification, licences and permits. The
Justice Srikrishna Committee Report had argued that the validity of consent given by the individual
while availing State welfare benefits is questionable, given the imbalance of power between the
citizen and the State. Thus, data processing for the provision of any service in the nature of welfare
benefits should be allowed without the consent of the individual.

Further, the Report states that only those government bodies which perform functions directly related to the provision of welfare benefits or regulatory functions should be allowed non-consensual processing of data. While the Report acknowledges that non-consensual processing by government entities for all kinds of public functions may be too wide an exception to consent, the Bill allows non-consensual data processing for all services of the State. For example, this would include public sector banks or public sector telecom companies, whereas their private sector counterparts in the same sectors would need to obtain the individual's consent before processing their data63.

5.3.5 Functions of the legislature requiring non-consensual processing of data are unclear

The Bill allows for processing of an individual’s personal data without their consent if it is necessary
for any function of the Parliament or state legislature. It is unclear what functions of the Parliament
would necessitate such processing of data without the consent of the individual.

5.3.6 Storage of a copy of data within the territory of India

The Bill states that every data fiduciary shall keep a ‘serving copy’ of all personal and sensitive
personal data in a server in India. The central government may notify certain categories of personal
data as exempt from this requirement on grounds of necessity or strategic interests of the State.
Also, the government may notify certain ‘critical personal data’ which shall be processed only in
servers located in India.

5.3.7 The definitions of ‘serving copy’ and ‘critical personal data’ are not provided

It is unclear what is meant by a ‘serving copy’ of data. It could be a live, real time replication of data
on a server within India, or it could be a backup at a specified frequency. The specification is
needed, as costs, implications and implementation timelines for fiduciaries would vary significantly
with the exact nature of a ‘serving copy’. Further, it may be argued that the broad criteria for
classifying data as ‘critical’ needs to be specified in the law, as this is necessary for fiduciaries to
prepare for the requirement of storing this data solely in India.


5.3.8 Benefits of local storage of a copy of data within the country are unclear

The Justice Srikrishna Committee Report had recognised several benefits of local storage of personal data. It could simplify and accelerate access to data by law enforcement agencies for investigation, help prevent foreign surveillance of Indian citizens, and boost domestic research in artificial intelligence64. However, law enforcement may not necessarily be expedited where the data fiduciary is registered as an entity in a foreign country. Obligations under Mutual Legal Assistance Treaties (MLATs) will continue to apply, as a conflict of laws question could arise when the entity is registered in another country. The Justice Srikrishna Committee Report had itself noted that the MLAT process is time-consuming, and therefore the objective of expediting law enforcement may not be met by storing the data locally.

Further, some data fiduciaries may be discouraged from investing in India as a market because of the additional cost of setting up duplicate servers, so consumers may not have the choice of availing themselves of the services of all data fiduciaries. Additional costs may be passed on to consumers for certain digital services, and the requirement may have an adverse impact on smaller data fiduciaries who rely on cheaper alternative storage mechanisms. Note that the laws of the European Union, Australia and Canada do not require storage of a copy of data within the country's territory. Further, Australian and Canadian law allows the data user (fiduciary) to ascertain independently whether data may be transferred outside the country, whereas the Bill requires the involvement of the DPA in that decision, similar to the position in the European Union.

5.3.9 A complaint may be raised only if there is a possibility of harm

The Bill places several restrictions on the processing of data (such as, collection of only as much data
as needed for specified purposes, among others), and also provides certain rights to the data principal
to take control of their data. However, the data principal may raise a complaint only if a violation of
the provisions of the Bill has caused, or may cause them harm. It could be questioned why the mere
violation of the rights of the principal is not enough to raise a complaint. The data principal
additionally has to demonstrate and prove that harm has been caused to them by unlawful data
processing; and this may place undue burden on the data principal


5.3.10 Powers and functions of the Data Protection Authority

The Bill allows the DPA to impose penalties on data fiduciaries for violation of provisions of the
law. Recovery Officers appointed by the DPA shall have the power to enforce penalties and
compensation orders of the DPA. The Officers, per the orders of the DPA, may conduct several
enforcement actions against the data fiduciary, including (i) attachment or sale of movable and
immovable property, and (ii) arrest and detention in prison65.

The Bill does not specify that a court order would be required for the above enforcement actions.
Other Acts allow regulators such as the RBI or the IRDA to take actions such as attachment and sale
of property and arrest of persons only after the approval of a court. However, following the
Securities Laws (Amendment) Act, 2014, the SEBI Act permits the Recovery Officer of the SEBI to
take such actions on the orders of the Board.

5.3.11 Creation of an exclusive Data Protection Awareness Fund could lead to conflict of
interest

The Bill specifies penalties ranging up to fifteen crore rupees or four percent of the fiduciary’s global
annual turnover for violation of its provisions. Penalties will be credited to the Data Protection
Awareness Fund, and be utilized by the DPA for generating awareness about (i) methods of data
anonymisation, and (ii) appropriate responses to data breaches, among others. It is unclear why
penalties realized under the Bill will not be credited to the Consolidated Fund of India. Creating a
separate Data Protection Awareness Fund to be used solely by the DPA could skew the DPA’s
incentive to levy higher penalties, and thereby present a conflict of interest while adjudicating
disputes and redressing grievances. Acts such as the SEBI Act, 1992 mandate that all sums realized
through penalties be credited to the Consolidated Fund of India. However, the PFRDA Act, 2013
establishes the Subscriber Education and Protection Fund to protect the interests of pension fund
subscribers. All penalties realized under the Act are credited to this Fund, and used solely by the
PFRDA.

CHAPTER 6:

CONCLUSION AND SUGGESTIONS



Data protection is effective when done for the right purpose and with transparency. The data collected should be specific to the intended purpose; there should be a data minimisation requirement and accountability on the part of the website operator; and the data must be accurate. Internet privacy has attracted the attention of internet users because of incidents of privacy breaches and the evolution of technology. Users should regularly review the privacy settings on their accounts, since they may be sharing far more than their name and age with people they have never met.

The Data Protection Bill of 2022 is a much-awaited piece of legislation and a step in the right direction. The Bill shows that we are clearly in favour of the EU's umbrella law model, which brings its own advantages and disadvantages. While most developed countries, such as Singapore and Canada, have also chosen the EU's omnibus law model, it may not prove to be the best idea for India. Unlike those countries, India has an astounding litigation pendency rate, and such a law will only add to the already colossal case burden of our courts. Divergent interpretations of the statute's provisions by various High Courts could also discourage investors by making the business atmosphere hostile. On the other hand, we also cannot afford a sector-specific approach like that of the US, because that would, in my opinion, require setting up tribunals, which are expensive affairs in their own right. It might help create a nimble and professional business ecosystem, but the Supreme Court has deprecated the practice of 'tribunalising' the justice system and might frown on it; moreover, an appeal against a tribunal award would in any case drag the matter to the courts. On balance, the approach taken by the committee seems prudent, reasonable and, most importantly, actionable, as it incorporates helpful provisions from both approaches. One change, if any change is necessary, would be the further qualification and truncation of the sweeping exemptions for government agencies that can so easily be granted under the law.

Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby reveal themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share basic common themes. Privacy is sometimes related to anonymity, the wish to remain unnoticed or unidentified in the public realm. When something is private to a person, it usually means that there is something within it that is considered inherently special or personally sensitive. The degree to which private information is exposed therefore depends on how the public will receive that information, which differs between places and over time. Privacy partially intersects security, including for instance the concepts of appropriate use, as well as protection, of information.

The right not to be subjected to unsanctioned invasion of privacy by the government, corporations or
individuals is part of many countries' privacy laws, and in some cases, constitutions. Almost all
countries have laws which in some way limit privacy; an example of this would be law concerning
Page | 118
Chapter : 3

REGULATORY FRAMEWORK OF DATA PROTECTION IN EUROPEAN UNION AND USA

taxation, which normally requires the sharing of information about personal income or earnings. In
some countries individual privacy may conflict with freedom of speech laws and some laws may
require public disclosure of information which would be considered private in other countries and
cultures. Privacy may be voluntarily sacrificed, normally in exchange for perceived benefits and very
often with specific dangers and losses, although this is a very strategic view of human relationships.
Academics who are economists, evolutionary theorists, and research psychologists describe
revealing privacy as a 'voluntary sacrifice', for instance by willing participants in sweepstakes or
competitions. In the business world, a person may volunteer personal details (often for advertising
purposes) in order to gamble on winning a prize. Personal information which is voluntarily shared
but subsequently stolen or misused can lead to identity theft.

Privacy, as the term is generally understood in the West, is not a universal concept and remained
virtually unknown in some cultures until recent times. Most cultures, however, recognize the ability
of individuals to withhold certain parts of their personal information from wider society, a fig leaf
over the genitals being an ancient example.

The right of privacy has been gaining recognition, though only lately, and it has been declared a part
of Art. 21, even though the Indian Constitution does not speak of it in explicit terms. Art. 21 says:
"No person shall be deprived of his life or personal liberty except according to procedure established
by law". The right to privacy can be exercised only if the violator
is the state and not a private individual or institution. This right being not absolute can be interfered
in the interest of health and medical standards. This right does not prohibit any publication of matter
which is of general interest.

So far the law relating to the right to privacy has been relegated to a penumbral status and is still
going through the state of infancy. It is high time that the government and information technology
industry come together to check out ways and means to curb the problem of intrusion of privacy. Our
legislatures have to protect privacy rather than laws that facilitate violation of individual’s privacy in
the name of governmental functions.

Privacy is a fundamental human right recognized in the UN Declaration of Human Rights, the
International Covenant on Civil and Political Rights and in many other international and regional
treaties. Privacy underpins human dignity and other key values such as freedom of association and
freedom of speech. It has become one of the most important human rights issues of the modern age.
The growing importance, diversity and complexity of this fundamental right are reflected. However,
the right to privacy is under serious threat due to the emergence of information technology. The
application of various electronic gadgets has made the surveillance of the activities of the individuals
very easy. The existing laws have been found to be ineffective in dealing with this problem and this
has necessitated enactment of new laws.

Nearly every country in the world recognizes a right of privacy explicitly in its Constitution. At a
minimum, these provisions include rights of inviolability of the home and secrecy of
communications. Most recently-written Constitutions such as South Africa's and Hungary's include
specific rights to access and control one's personal information. In many of the countries where
privacy is not explicitly recognized in the Constitution, such as the United States, Ireland and India,
the courts have found that right in other provisions. In many countries, international agreements that
recognize privacy rights such as the International Covenant on Civil and Political Rights or the
European Convention on Human Rights have been adopted into law.

In the early 1970s, countries began adopting broad laws intended to protect individual privacy.
Throughout the world, there is a general movement towards the adoption of comprehensive privacy
laws that set a framework for protection. Most of these laws are based on the models introduced by
the Organization for Economic Cooperation and Development and the Council of Europe.

In 1995, conscious both of the shortcomings of law, and the many differences in the level of
protection in each of its States, the European Union passed a Europe-wide directive which will provide
citizens with a wider range of protections over abuses of their data. The directive on the "Protection
of Individuals with regard to the processing of personal data and on the free movement of such data"
sets a benchmark for national law. Each EU State had to pass complementary legislation by October
1998.

The Directive also imposes an obligation on member States to ensure that the personal information
relating to European citizens is covered by law when it is exported to and processed in countries outside
Europe. This requirement has resulted in growing pressure outside Europe for the passage of privacy
laws. More than forty countries now have data protection or information privacy laws. More are in
the process of being enacted.

The evidence gathered during this study showed clearly that the success or failure of privacy and
data protection is not governed by the text of legislation, but rather by the actions of those called
upon to enforce the law. It cannot be stressed enough that supervisory authorities must be given an
appropriate level of responsibility for this arrangement to work. The stronger, results oriented
approach aims to protect data subjects against personal harm resulting from the unlawful processing
of any data, rather than making personal data the building block of data protection regulations. It
would move away from a regulatory framework that measures the adequacy of data processing by
measuring compliance with certain formalities, towards a framework that instead requires certain
fundamental principles to be respected, and has the ability, legal authority and conviction to impose
harsh sanctions when these principles are violated.

Data protection is an issue that is gaining increasing importance as our transnational exchange of
private information grows. While the E. U. has adopted stringent legislation to protect data, and the
U.S. has reached agreement with the E.U. to offer protection, the Indian laws remain unsatisfactory.
It is anticipated that India will soon enact legislation which will provide acceptable protection to
private data. The issue that remains to be dealt with in the Indian context is, unfortunately, far larger
than the enactment of strong protectionist laws. Laws act as a deterrent to wrongful conduct if they
are applied with certainty and speed: both sadly deficient in the Indian judicial system. Unless
addressed, the systemic problems of enforcement in India, and specifically, of unresolved cases due
to court delays, will continue to render India's data protection laws inadequate. Cyber Infringement
Courts, specialized courts with jurisdiction over intellectual property and data protection issues, are
a necessary solution to India's enforcement problems. India must expediently adopt this system of
specialized courts in order to render adequate protection to data and maintain its growing presence in
the global technology arena.

Cloud computing has significant implications for the privacy of
personal information as well as for the confidentiality of business and governmental information. A
principal goal of this analysis is to identify privacy and confidentiality issues that may be of interest
or concern to cloud computing participants. While the storage of user data on remote servers is not
new, current emphasis on and expansion of cloud computing warrants a more careful look at its
actual and potential privacy and confidentiality

Many experts argue that cloud computing is more secure than the various traditional methods of data
storage such as servers, hard disks, etc., though organizations still take the risk of data being stolen
by any outsider hacking into the security system of the cloud. The main reason why organisations are
not opting for cloud services is the lack of security. However, the traditional storage methods also
present risks—the servers can also be hacked into by an outsider and hard disks can also crash and
destroy the data stored.

In the Indian scenario, as cloud computing is a novel concept there is no law which specifically
governs it and the law at present lacks clarity. Questions as to the applicable law and the jurisdiction
of the court still remain unanswered. Still, organizations are switching from traditional methods of
storage to cloud computing because of the cost efficiency. The proposition deduced here is that cloud
computing may not be ideal for all organizations because of the various issues raised but, it is
economical and convenient for global organizations to use in order to store data which can be
accessed from any part of the world at any time.

After reviewing some of the "cyberspace"
legislation, it is not surprising to find that the legislation in this field lacks clarity. The Digital
Millennium Copyright Act of the United States has clearly defined the standard of knowledge an ISP
is required to possess for it to be held liable for illegal third party activities. The Digital Millennium
Copyright Act allows ISPs to terminate the accounts of individuals who infringe copyrights on a
regular basis. Furthermore, in the United States, ISPs have to register an agent with the appropriate
office so they can receive information of copyright infringements. This eliminates the possibility of
an ISP being caught unaware of third party infringements. As is seen, the EU Directive has some
loopholes that need to be closed. The most troublesome of which include, a lack of a "notice and
takedown" procedure, which threatens freedom of expression; and the fact that the current regime
may actually promote unfair competition in some situations. The lack of a notice and take down
procedure causes the ISPs to become a sort of censorship body, in order to avoid liability when they
opt to take down a Web page upon receipt of a claim regarding the content on that page. This
threatens freedom of expression as long as customers are without protection against unfounded
complaints. Unfair competition may be promoted in cases where companies engage in a form of
commercial war in cyberspace, lobbing bad faith claims against their competitor's Web content.

The Credit Information Companies (Regulation) Act 2005, although it is not yet fully operational,
includes privacy principles which cover most usual data protection rights, though only in relation to
the context of credit reporting. There is otherwise as yet no significant legislation protecting personal
information in India, though some provisions in the ITAA2008 may emerge as significant depending
on regulations made and implementation, particularly concerning data security. There is no special
protection for personal information imported into India from other jurisdictions.

There is an effective right of access to personal information in the public sector, under the Right to
Information Act 2005, and this right of access is probably the most significant aspect of data
protection in India at present. There is also protection within India against telemarketing through the
Telecom Unsolicited Commercial Communications Regulations 2007. Significant though these areas
are, it cannot be said that privacy principles apply to most aspects of Indian life. The Central
Information Commission, State Information Commissions, and the network of Information Officers
in all public authorities in India, constitute an effective means of administering and enforcing the
access principle. The CIC actively enforces the law by the use of both compensation and penalties. If
the Right to Information Act 2005 had added to it the rest of the set of data protection principles,
India would be likely to have an effective enforcement system for data protection. Neither the
National Human Rights Commission nor the Cyber Regulation Appellate Tribunal seems to be as
promising as the basis for a data protection authority. The Do-Not-Call register seems to be
developing effective enforcement, but that is in a much specialized area.

The Credit Information Companies (Regulation) Act 2005, although it does include a full set of
privacy principles, is lacking in comprehensive enforcement measures. It relies almost entirely on
prosecution of offences, either through the courts or administratively by the Reserve Bank. There is
no obvious way for complaints to be made. The Reserve Bank has extensive directive powers, but is
not a consumer protection agency and its interests are more obviously in creating a modern credit
economy than in protecting consumer privacy. However, the system is untested, and it is necessary
to wait and see.

There is as yet no significant self-regulation for the purposes of privacy protection in India. There are
no aspects of India’s data protection which would unequivocally be regarded as ‘adequate’ by European
Union standards as yet, though further investigation might indicate that there are some sectoral areas
of adequacy. This could also change as rules are made under existing legislation. The most likely
candidates (in decreasing order of likelihood) might be: the credit reporting system, but only after it
has been tested in practice; the right of access (but only in relation to public authorities); the
implementation of the security principle via both compensatory provisions (subject to how Section
43A is implemented) and offences; and the provisions concerning opting out from direct marketing.
India is still at a very early stage of developing personal data protection, though some of the signs are
promising. Balanced against this must be the increases in surveillance powers.

Suggestions

From the above discussion the following suggestions have been made:

1 Need for a Constitutional Amendment: There is a need for a constitutional amendment whereby the right
to privacy can be guaranteed expressly by insertion of a new provision. Such an amendment is
necessary so as to give recognition to the right to privacy. Only then can personal liberty as guaranteed
by Art. 21 be more meaningful.

2 Evolving National Policy: India needs a comprehensive policy guaranteeing individuals the right to
control the collection and distribution of their personal information. Legislation which incorporates
the basic tenets of fair information practices is a vital component of this policy. These tenets give
individuals the right to limit data collection, data transfers, and secondary uses of the data; the right
to access one's personal data and to make corrections; the right to have one's personal data
maintained securely; and the right to be informed of data collection and transfer. The legislation
would therefore place restrictions on the collection and use of personal data by the users of personal
information. Personal information users would be required to explicitly inform individuals when
personal information is being collected and how this information might be used. Legislation would
require that personal information users give individuals an opportunity to prevent further
dissemination of their personal information. Accordingly, there would be appropriate restrictions on
the online publication and collection of personal information. Informational privacy interests and
autonomy interests and data protection interests need to be safeguarded with appropriate legal
mechanisms to ensure security of data and exchange of confidential or personal sensitive information
in the cyberspace.
3 Freedom of speech and expression over internet ought to be maintained and development of
sophisticated technological and legal solutions shall pave way for securing online privacy and data.
Reasonable restrictions should remain reasonable on the anvil of law and should not fetter growth of
internet and communications. Internet censorship should only be invoked in the cases of dire
necessity on justifiable grounds such as preserving national sovereignty, public order and safety.

4 There is a need of a comprehensive law which would provide an enforcement mechanism, which
would establish sanctions against violators and offer redress for aggrieved individuals. Most
effective would be legislation providing a private right of action for aggrieved individuals along with
the administrative enforcement powers of a government regulatory authority.

5 Although such a comprehensive privacy policy is necessary to guarantee the individual's right to
control the collection and distribution of personal information, there is a need for the individuals
concerned to exercise this control. Online users will still need to take responsibility for their
electronic communications. They will need to be cautious about the content of these
communications, and use appropriate security measures, such as encryption, to safeguard their
security. Individuals will also need to decide how much personal information to reveal when
registering at Internet sites and participating in commercial transactions. By anticipating the hazards
of online use and utilizing the legal protections previously outlined, individuals will be able to take
full advantage of the many educational, social, and commercial opportunities available now, and in
the future, throughout cyberspace.

6 Online communications are not private unless one uses encryption software. But most encryption
programmes are not user friendly and can be inconvenient to use. No regulatory mechanism of the
state would be adequate to protect the right to privacy of individuals. Hence, individuals are
required to take certain precautions, which are set out below:

7 They should not provide sensitive personal information (phone number, password, address, credit
card number, social security number, health information, date of birth, vacation dates, etc.) in chat
rooms, forum postings, e-mail messages, or in their online biography.

8 While ‘surfing the internet’, sending electronic mail messages and participating in online forums,
it’s easy to be lulled into thinking that these activities are private. However, any step along the way,
online messages could be intercepted and activities monitored in the vast untamed world of
cyberspace.

9 If anyone thinks that the ‘delete’ command makes e-mail messages disappear, that is a wrong
notion. Such messages can still be retrieved from back-up systems. Software utility programmes can
retrieve deleted messages from the user’s hard drive. If one wants to delete messages and other
files permanently, a file-erasing programme should be used.

10 Children who are online users must be taught by their parents about appropriate online privacy
behaviour and cautioned against revealing information about themselves and their family.

11 Users must be made aware of what information they share voluntarily, and no data should be
downloaded without express consent. Always use secure websites when transmitting sensitive personal
information such as credit card numbers over the internet, and always take advantage of privacy
protection tools.

12 Data protection and privacy rights are two of the most important rights conferred by any civilized
nation. Every individual and organisation has a right to protect and preserve her/its personal,
sensitive and commercial data and information. This is more so regarding health information and
details that are required to be kept secret by laws like the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) in the United States. India does not have a dedicated law like HIPAA, and
presently HIPAA compliance is not followed in India. Similarly, we have no dedicated medical
privacy law in India that can safeguard the sensitive health-related information of patients. In
short, India has no dedicated data protection laws, data privacy laws, or privacy rights and laws.

13 As a recommendation, it is proposed that a notice and take down procedure modelled after the
DMCA be established, including notice to specialized bodies within the Member States'
administrative structures or professional organizations. Regarding the second Achilles heel of the EU
Directive, in order to have a complete protection for all the parties involved, a "put back procedure"
should be initiated. Such a procedure should give the owners of disabled Web sites the chance to
exercise a defence and at least stave off an unwarranted blocking or removal of their content. Finally,
liability must be imposed upon persons who intentionally transmit false or unfounded notices which
lead to the removal of a Web page content.

14 The Indian position in the "cyberspace" legislation must be made more explicit. It must clearly
require an ISP to have actual knowledge of any infringing act to be held liable. To make it
convenient for ISPs, they could be asked to designate an agent with the requisite authority to receive
complaints regarding offenses committed on the Internet. This will ensure that the ISP has sufficient
knowledge of the abuses on the Internet. The Australian Act gives due importance to the financial
gain made by ISPs along with the nature of the relationship between an ISP and a third party
infringer. Similarly, the Indian Act must include sections that address the financial aspect of the
transaction, and the relationship between an ISP and a third party, because this is vital to determining
the identity of the violator. The American concept of contributory infringement can also be
incorporated into the Indian Act so that if any person "with knowledge of the infringing activity,
induces, causes, or materially contributes to the infringing conduct of another," the person can be
made liable.

15 As in the Australian Act, an ISP must not be held liable unless it determines the content of the
material.

16 In order to be exempt from liability, the Indian Act requires the service provider to exercise "due
diligence" to prevent the commission of copyright infringement. The Act does not provide the
meaning of the term "due diligence." If "due diligence" means policing each and every aspect of the
Internet, it can lead to loss of privacy and can ultimately have a disastrous effect. There is a need for
a consensus on the meaning of the term due diligence because the primary function of ISPs is to
build the Internet, not to play the role of a policeman. Consequently, "due diligence" should be
interpreted narrowly. If the behaviour of an ISP is reasonable, then that ISP should not be held liable
for each and every activity on the Internet. The laws should be pragmatic because an ISP cannot be
expected to monitor all the activities on the Internet.

17 However, despite the importance of these fields, India still lacks legal frameworks for
data security, data protection and privacy protection. We urgently need to formulate data protection
law and privacy law in India. At the policy level as well, privacy rights and data protection
rights have been ignored in India; in fact, an Indian national privacy policy is still missing, and even
legislative efforts in this regard are not adequate. A national privacy policy for India is
urgently required.

18 The ball is again in the court of the judiciary, which has to play a proactive role once again. The
Supreme Court of India must expand privacy rights in India as that is the need of the hour. Fortunately,
the issue is already pending before it and there should not be much trouble in formulating a privacy
framework for India. However, in the ultimate analysis, it is the constitutional duty of the Indian
Parliament to do the needful in this direction. Indian Parliament must enact sound and effective
privacy and data protection laws for India as soon as possible.

19 If the above suggestions are implemented through appropriate measures, it is sincerely hoped that
the right to privacy can be protected more effectively.
