The present age is often called the digital age, and we are fortunate to have been born in the internet era, now roughly four decades old. Compared with other industries, the cyber industry is booming and will persist for as long as people do, because the more technology is used, the more opportunities grow.
Everything from study to work, and from shopping to entertainment, can happen on the internet. It has made our lives much easier, but it also brings threats. This is why the concept of cyber security is spreading widely and significant steps have been taken to prevent the misuse of technology.
This, in turn, has raised the demand for experts and professionals who can use their knowledge to advise and assist individuals, organizations and platforms in making the best possible use of technology while protecting the data they store on digital platforms from external threats.
Some core subjects the cyber field revolves around:
2. Digital signatures
3. Intellectual property rights, particularly copyright and trademark
4. The Information Technology Act, 2000
5. The evolving Personal Data Protection Bill, 2019 and the non-personal data compliance regime
6. GDPR compliance
7. Compliance with personal data protection laws
8. Non-personal data compliance
9. Setting up a strong cyber security department and its compliance function
10. COBIT compliance
11. Electronic fund transfer fraud
12. Credit card transfers
13. Cyber threats to personal data
14. Regulation of cybercrime
15. The international cyber law regime
16. Online defamation
18. Privacy infringement
19. Industry-wise specialization: banking, insurance, etc.
20. Use of social media for business and professional growth
One can rightly say that the digital age is opening up a never-ending range of professional opportunities, for example for chartered accountants who become data protection specialists and thereby add value to their core area of expertise.
A few lucrative professional opportunities in the cyber security field
1. Advisory to Government department/organization/ministry
2. Advisory to web developers, private organizations
3. Consultant to e-commerce companies and other tech companies
4. Cyber Consultant to firms, banks, police department
5. Cyber security manager
6. Security architect
7. Cyber security analyst
8. Cyber assistant
9. Social media risk management
10. Social media activities audit
11. Privacy regulation audit
12. IT contract management assessment
13. IT investment program risk
Personal Data and its Privacy
With computers and the internet an integral part of human life, the 21st century has connected the world like never before. Individuals in general, and businesses in particular, have benefited from a geography-less environment in which only the best can be bought and only the best can be sold.
When economies became digital, the physical boundaries of markets vanished and business became global. In the initial years the internet was used for mundane and repetitive tasks. Since their birth, computers and the internet have gone through major changes: computers evolved from very large machines into palm-sized devices, and what started as a network for military operations became the World Wide Web. With these changes, information is exchanged like never before.
In the initial years businesses used this information only as databases and were passive in processing it; it served mainly statistical purposes. In recent times, however, information is converted into data (i.e. a format that can be used for a specific purpose) in a matter of seconds. In fact, these days an individual gives away data without even knowing it.
An act as simple as eating at a restaurant, buying goods online or hailing a taxi gives out precious data about oneself. The transactions we enter into using smartphones or computers require us to fill in personal data: date of birth, age, sex, residential address, phone numbers and financial information. They also reveal individual choices: what colour one likes to wear, what size fits, what food one likes to eat. In other words, an individual gives away his or her privacy without even knowing it.
Businesses, on the other hand, use this data for commercial purposes. Advertisements for a product or service you once clicked on while browsing hound you everywhere. Not just that: there are websites where, once you have entered your date of birth and the dress size that fits you, an algorithm presents an analysis of your age, your ideal weight, how near or far you are from a healthy weight, and what nutrition and exercise plan you should follow, along with the addresses of nutritionists and gymnasiums near your residence.
Such bombardment with information may not seem harmful at first, but it definitely affects an individual's privacy. That is why economies all over the world are increasingly making laws that protect the privacy of individuals.
How is data collected?
Most of the information collected is given away by the individual by filling in forms, online or offline: registration forms, KYC documents at the time of purchase, feedback forms, online surveys and app downloads. Computers then process this vast quantity of information to identify correlations and discover patterns across all fields of human activity.
What happens to the information that is collected?
The information is stored in vast databases and mined using technology. Enterprises around the world develop proprietary algorithms to comb this data and analyse trends, patterns and hidden nuances, and the use of data evolves every day.
Many of these activities are beneficial to individuals, allowing their problems to be addressed with greater accuracy.
For instance, very large and complex data sets are today analysed through Big Data analytics. The results can give businesses and governments insights into areas such as health, transport systems, farming, rural development, weather forecasting and food security.
The reality of today's digital environment is that almost every activity undertaken by an individual involves some sort of data transaction.
The internet has given birth to entirely new markets:
Businesses dealing in the collection, organization and processing of personal information, whether directly or as a critical component of their business model. There are therefore many benefits to be gained by collecting and analysing personal data from individuals; pooled datasets allow quicker detection of trends and more accurate targeting.
For instance, an individual's personal location data could be used to monitor traffic and improve driving conditions on the road; banks can use Big Data techniques to improve fraud detection; insurers can make applying for insurance easier by using valuable data from pooled data sets.
Huge volumes of data are processed by government as well; in fact, the state is the largest processor of data. Such personal data is used by government for purposes such as targeted delivery of social benefits, effective planning and implementation, and counter-terrorism operations.
Need to protect Personal data
Sharing data brings benefits: products and services are tailor-made, reducing the time and effort spent identifying what suits you. In today's world one often cannot complete even simple tasks without giving away personal information in one form or another. But sharing data is not without risk. Your personal data reveals a lot about you, your thoughts and your life. It can easily be exploited to harm you, and that is especially dangerous for vulnerable individuals and communities such as journalists, activists, human rights defenders and members of oppressed and marginalized groups.
That is why this data must be strictly protected.
When data that should be kept private gets into the wrong hands, misuse is bound to happen.
A data breach at a government agency can, for example, put top-secret information in the hands of an enemy state. A breach at a corporation can put proprietary data in the hands of a competitor.
The major sources of information that are compromised and most prone to breaches are:
1. Healthcare records
2. Criminal justice investigations and proceedings
3. Financial institutions and transactions
4. Biological traits, such as genetic material
5. Residence and geographic records
6. Social media profiles and information
7. Location-based services
8. Web browsing behaviour or user preferences tracked through persistent cookies
All this has created a demand for data privacy skills among experts and compliance professionals, who advise organizations and businesses that must comply with the rules on collecting consumer data.
1. What is cyber?
The word cyber is a prefix often used to describe characteristics of the culture of computers, information technology and virtual reality. It comes from the Greek kybernetes, meaning "steersman" or "governor", from which the term "cybernetics", the science of communication and automatic control in both machines and living things, was coined by Norbert Wiener (26 November 1894 to 18 March 1964), an American mathematician and philosopher regarded as the originator of cybernetics.
What is Cyberspace?
The typical dictionary meaning of cyberspace is a notional environment in which communication over a computer network occurs. In simple words, it means a virtual world of the internet.
What are Cyber laws?
Cyber law is the branch of law relating to the internet. The increase in cybercrime has led to the creation of special mechanisms for preventing cybercrime, regulated by a body of cyber legislation; cyber laws are the laws governing this area.
Hence cyber law can be described as the law dealing with legal issues arising from the use of inter-networked information technology; in short, the law governing computers and the internet.
The Internet is a global data communications system that provides connectivity between computers. The rise of the internet underpins what is called the fourth industrial revolution, or Industry 4.0. Let's take a quick recap of all the industrial revolutions so far:
The United Nations Commission on International Trade Law (UNCITRAL, www.uncitral.org) was established by United Nations General Assembly Resolution 2205 (XXI) of 17 December 1966 and is the core legal body of the United Nations system in the field of international trade law. On 12 June 1996 UNCITRAL adopted the Model Law on Electronic Commerce; an additional article 5 bis was adopted in 1998.
The Information Technology Act, 2000 which is the prime legislation dealing with cyber offenses and electronic commerce in India is based on the United Nations Model Law on Electronic Commerce.
Later, on 5 July 2001, UNCITRAL adopted the Model Law on Electronic Signatures (2001), whose objective is to enable and facilitate the use of electronic signatures by establishing criteria of technical reliability for the equivalence between electronic and hand-written signatures.
Besides those reliability criteria, the Model Law on Electronic Signatures lays down basic rules of conduct that may serve as guidelines for assessing the duties and liabilities of the signatory, the relying party and trusted third parties intervening in the signature process (article 6, compliance with a requirement for a signature). It also contains provisions favouring the recognition of foreign certificates and electronic signatures on a principle of substantive equivalence that disregards the place of origin of the foreign signature (article 12, recognition of foreign certificates and electronic signatures). Legislation based on or influenced by the Model Law has been adopted in 36 States.
The United Nations Convention on the Use of Electronic Communications in International Contracts (New York, 2005) was adopted by UNCITRAL on 23 November 2005 and entered into force on 1 March 2013. It facilitates the use of electronic communications in international trade by assuring that contracts concluded and other communications exchanged electronically are as valid and enforceable as their traditional paper-based equivalents.
1. The Information Technology Act, 2000 (hereafter IT Act, 2000)
The IT Act, 2000 is the legislation that regulates computers, computer systems, computer networks and information in electronic form. According to its preamble, the Act provides legal recognition for transactions carried out by means of electronic communication, commonly referred to as e-commerce, which covers everything that is an alternative to paper-based communication, for instance e-mail and messages through electronic platforms. The Act runs to 13 chapters and 90 sections [Sections 91, 92, 93 and 94 of the principal Act were omitted by the Information Technology (Amendment) Act, 2008] and has 2 Schedules [Schedules III and IV were omitted by the IT (Amendment) Act, 2008]:
1. Chapter – I – Preliminary (sections 1 & 2)
2. Chapter – II – Digital Signature and Electronic Signature (Sections 3 & 3A)
3. Chapter – III – Electronic Governance (Sections 4 to 10A)
4. Chapter – IV – Attribution, Acknowledgement, and Dispatch of Electronic Records (Sections 11 to 13)
5. Chapter – V – Secure electronic records and secure electronic signatures (Sections 14 to 16)
6. Chapter – VI – Regulation of Certifying Authorities (Sections 17 to 34)
7. Chapter – VII – Electronic Signature Certificates (Sections 35 to 39)
8. Chapter – VIII – Duties of Subscribers (Sections 40 to 42)
9. Chapter – IX – Penalties, Compensation, and Adjudication (Sections 43 to 47)
10. Chapter X – The Appellate Tribunal (Sections 48 to 64)
11. Chapter XI – Offences (Sections 65 to 78)
12. Chapter XII – Intermediaries not to be liable in certain cases (Section 79)
13. Chapter XIIA – Examiner of Electronic Evidence (Section 79A)
14. Chapter XIII – Miscellaneous (Sections 80 to 90)
What are digital and electronic signatures?
"Digital signature" is defined in Section 2(1)(p) of the Act:
"Digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3;
Section 2(1)(q) defines "Digital Signature Certificate" as a Digital Signature Certificate issued under sub-section (4) of section 35;
Likewise, Section 2(1)(ta) of the Act defines electronic signature:
"Electronic Signature" means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature;
Section 2(1)(tb) defines "Electronic Signature Certificate" as an Electronic Signature Certificate issued under section 35, and includes a Digital Signature Certificate.
The term "electronic signature" was added by the 2008 amendment; it is broader than "digital signature", which under section 3 is the specific technique of authenticating a record with an asymmetric crypto system and a hash function.
According to UNCITRAL, electronic authentication and signature methods may be classified into the following categories:
According to the UNCITRAL Model Law on Electronic Signatures, the following technologies are presently in use:
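The definitions above say what a digital signature is for (authentication of an electronic record by a subscriber) but not what happens mechanically. The Go program below is added here as an illustration; it is not part of the Act, the Rules or any Certifying Authority's software. It shows the two ingredients section 3 names, a hash function and an asymmetric key pair, and what a relying party can and cannot check with them. The record, the subscriber name and the key pair are constructed for the example; a real deployment would take the public key from an Electronic Signature Certificate issued by a licensed Certifying Authority rather than generating it locally.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ElectronicRecord is a constructed stand-in for an "electronic record" in the
// sense of section 2(1)(t): data stored or sent in electronic form.
type ElectronicRecord struct {
	Originator string
	Body       string
}

// Bytes is the canonical byte string that is signed. A signature covers bytes,
// so the fields are joined with an unambiguous separator; changing either
// field changes the digest and therefore invalidates the signature.
func (r ElectronicRecord) Bytes() []byte {
	return []byte(r.Originator + "\x00" + r.Body)
}

// Subscriber models the person "in whose name the certificate is issued"
// (section 2(1)(zg)). Only the subscriber holds the private key; the public
// key is what a Certifying Authority binds to the subscriber's identity.
type Subscriber struct {
	Name       string
	privateKey ed25519.PrivateKey
	PublicKey  ed25519.PublicKey
}

// NewSubscriber generates a fresh Ed25519 key pair, an asymmetric crypto
// system as section 3 requires. (Assumed algorithm; the Act does not name one.)
func NewSubscriber(name string) (*Subscriber, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Subscriber{Name: name, privateKey: priv, PublicKey: pub}, nil
}

// Sign authenticates the record: it is reduced to a SHA-256 digest (the hash
// function of section 3) and the digest is signed with the private key.
func (s *Subscriber) Sign(r ElectronicRecord) []byte {
	digest := sha256.Sum256(r.Bytes())
	return ed25519.Sign(s.privateKey, digest[:])
}

// Verify is what a relying party runs with only the public key, the record as
// received and the signature. It returns false if the record was altered after
// signing, if the signature was made with some other key, or if either input
// is malformed (ed25519.Verify panics on a wrong-sized public key, so the
// lengths are checked first).
func Verify(pub ed25519.PublicKey, r ElectronicRecord, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	digest := sha256.Sum256(r.Bytes())
	return ed25519.Verify(pub, digest[:], sig)
}

// KeyFingerprint is the hex SHA-256 of the public key: a compact value a
// certificate can carry and a relying party can compare out of band.
func KeyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func main() {
	alice, err := NewSubscriber("alice")
	if err != nil {
		panic(err)
	}
	// Constructed record; not a real instruction.
	record := ElectronicRecord{Originator: "alice", Body: "Pay INR 10,000 to account 1234"}
	sig := alice.Sign(record)
	fmt.Println("key fingerprint:   ", KeyFingerprint(alice.PublicKey))
	fmt.Println("original verifies: ", Verify(alice.PublicKey, record, sig))

	tampered := record
	tampered.Body = "Pay INR 90,000 to account 1234"
	fmt.Println("tampered verifies: ", Verify(alice.PublicKey, tampered, sig))
}
```

The relying party never sees the private key, which is what makes a digital signature evidence of origin and integrity rather than of mere possession of a shared secret. What the Act's certificate machinery adds on top is the binding between that public key and a named subscriber; the code above cannot tell you who "alice" is, only that the holder of this private key signed exactly these bytes.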
It should be noted that the IT Act, 2000 has been amended in years 2002, 2008, and 2017.
1. The Negotiable Instruments (Amendment and Miscellaneous Provisions) Act, 2002 effective from 26th Feb 2003:
2. The IT (Amendment) Act, 2008 effective from 27th October 2009:
3. The Finance Act, 2017 effective from 26th May 2017:
The definitions are contained in sections 2(1)(a) to (zh) of the Act; some of the relevant ones are explained below:
1. Certifying authority: Section 2(1)(g) defines it as a person who has been granted a licence to issue an [Electronic Signature] Certificate under Section 24.
Under section 24 the Controller, after receiving an application along with the required documents, either grants the licence or rejects the application. The licensee, not the Controller, is the certifying authority under the Act. Here "Controller" means the Controller of Certifying Authorities.
2. Data: section 2(1)(o) defines "data" as a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
3. Electronic record: Section 2 (1) (t) “electronic record” means data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer generated micro fiche;
4. section 2 (1) (za) “originator” means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;
5. section 2 (1) (zg) “subscriber” means a person in whose name the [Electronic Signature] Certificate is issued;
Legal recognition of electronic records is provided by section 4, which reads:
"Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is—
Similarly, section 5 provides for electronic signatures:
"Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of [electronic signature] affixed in such manner as may be prescribed by the Central Government".
Use of electronic records and [electronic signatures] in Government and its agencies
Section 6 of the IT act states that if any law requires/provides for
Penal provisions under the IT Act, 2000
The offences are set out in Chapter XI of the Act, sections 65 to 78:
1. Section 65. Tampering with computer source documents.
2. Section 66. Computer-related offenses.
3. Section 66A. Punishment for sending offensive messages through communication service, etc. (struck down as unconstitutional by the Supreme Court in Shreya Singhal v. Union of India, 2015)
4. Section 66B. Punishment for dishonestly receiving stolen computer resources or communication devices.
5. Section 66C. Punishment for identity theft.
6. Section 66D. Punishment for cheating by personation by using computer resource.
7. Section 66E. Punishment for violation of privacy.
8. Section 66F. Punishment for cyber terrorism.
9. Section 67. Punishment for publishing or transmitting obscene material in electronic form.
10. Section 67A. Punishment for publishing or transmitting of material containing the sexually explicit acts, etc., in electronic form.
11. Section 67B. Punishment for publishing or transmitting of material depicting children in the sexually explicit acts, etc., in electronic form.
12. Section 67C. Preservation and retention of information by intermediaries.
13. Section 68. Power of Controller to give directions.
14. Section 69. Power to issue directions for interception or monitoring or decryption of any information through any computer resource.
15. Section 69A. Power to issue directions for blocking for public access of any information through any computer resource.
16. Section 69B. Power to authorize to monitor and collect traffic data or information through any computer resource for cyber security.
17. Section 70. Protected system.
18. Section 70A. National nodal agency.
19. Section 70B. Indian Computer Emergency Response Team to serve as the national agency for incident response.
20. Section 71. Penalty for misrepresentation.
21. Section 72. Penalty for Breach of confidentiality and privacy.
22. Section 72A. Punishment for disclosure of information in breach of lawful contract.
23. Section 73. Penalty for publishing electronic signature Certificate false in certain particulars.
24. Section 74. Publication for fraudulent purposes.
25. Section 75. Act to apply to offence or contravention committed outside India.
26. Section 76. Confiscation.
27. Section 77. Compensation, penalties or confiscation not to interfere with other punishment.
28. Section 77A. Compounding of offences.
29. Section 77B. Offences with three years imprisonment to be bailable.
30. Section 78. Power to investigate offences.
Below is a list of Rules and Regulations under the Information Technology Act, 2000
1. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, made under sub-section (1) and clauses (z) and (zg) of sub-section (2) of section 87 of the IT Act, 2000
2. The Information Technology (Intermediary Guidelines) Rules, 2011 enacted vide clause (zg) of subsection (2) of section 87 r. w. subsection (2) of section 79 of the IT Act, 2000
3. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 enacted vide clause (ob) of subsection (2) of section 87 r. w. section 43A of the IT Act, 2000
4. The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (Clause (z) of subsection (2) of section 87, r. w. subsection (2) of section 69A of the IT Act, 2000
5. The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009 enacted vide Clause (y) of subsection (2) of section 87 r. w. subsection (2) of section 69 of the IT Act, 2000
6. The Information Technology (Guidelines for Cyber Café) Rules, 2011 enacted vide clause (zg) of subsection (2) of section 87 r. w. subsection (2) of section 79 of the IT Act, 2000
7. The Information Technology (Electronic Service Delivery) Rules, 2011 enacted vide clause (ca) of subsection (2) of section 87 r. w. section 6A of the Information Technology Act, 2000
8. The Information Technology (Qualification And Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 enacted vide clauses (p) and (q) of subsection (2) of section 87 of the IT Act, 2000
9. The Information Technology ( the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 enacted vide clause (zf) of subsection (2) of section 87 r. w. subsection (5) of section 70B of the IT Act, 2000
Regulations under the IT Act, 2000
10. The Information Technology (Certifying Authorities) Regulations, 2001 enacted vide section 89 of the IT Act, 2000
11. The Information Technology (Recognition of Foreign Certifying Authorities operating under a Regulatory Authority) Regulations, 2013 enacted vide clause (a) of subsection (2) of section 89 of the IT Act, 2000
Following the 2008 Amendment, the government notified the following four sets of Rules on 11 April 2011.
1. The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, prescribe security standards for personal information stored electronically
2. The IT (Intermediary Guidelines) Rules, 2011, provide due diligence requirements for intermediaries.
3. The IT (Guidelines for Cyber Café) Rules, 2011, require cyber cafés to identify users and maintain records of use.
4. The IT (Electronic Service Delivery) Rules, 2011, provide a framework for electronic delivery of services such as licenses, forms, and certificates.
5. GENERAL DATA PROTECTION REGULATION
The European Union’s GDPR is designed to “harmonize” data privacy laws across all of its member countries as well as providing greater protection and rights to individuals. GDPR was also created to alter how businesses and other organizations can handle the information of those that interact with them. There’s the potential for large fines and reputational damage for those found in breach of the rules.
The regulation has introduced big changes but builds on previous data protection principles. As a result, it has led many people in the data protection world, including UK information commissioner Elizabeth Denham, to liken GDPR to evolution, rather than a complete overhaul of rights. For businesses that were already complying with pre-GDPR rules the regulation should have been a “step change,” Denham has said.
Despite a pre-GDPR transition period taking place, which allowed businesses and organizations time to change their policies, there has still been plenty of confusion around the rules. Here’s our guide to what GDPR really means.
What is GDPR exactly?
GDPR can be considered as the world’s strongest set of data protection rules, which enhance how people can access information about them and place limits on what organizations can do with personal data. The GDPR contains 99 individual articles.
The regulation is a framework for data protection law across the EU and replaced the 1995 Data Protection Directive (95/46/EC). Its final form came after more than four years of discussion and negotiation; it was adopted by the European Parliament and the Council in April 2016 and published in the Official Journal of the EU on 4 May 2016.
GDPR has applied since 25 May 2018. Member states were given room to make small changes of their own; in the UK this flexibility led to the Data Protection Act 2018, which superseded the Data Protection Act 1998.
Personal data means any information relating to an identified or identifiable natural person. The regulation lays down fundamental norms to protect the privacy of personal data.
Consisting of ninety-nine articles in eleven chapters, the regulation provides a comprehensive set of provisions applicable to the personal data of individuals in the EU.
Brief composition of EU GDPR 2016 for understanding:

Chapter I - General provisions (Articles 1-4)
   1. Subject matter and objectives
   2. Material scope
   3. Territorial scope
Chapter II - Principles (Articles 5-11)
   5. Principles relating to processing of personal data
   6. Lawfulness of processing
   7. Conditions for consent
   8. Conditions applicable to child's consent in relation to information society services
   9. Processing of special categories of personal data
   10. Processing of personal data relating to criminal convictions and offences
Chapter III - Rights of the data subject (Sections 1-5)
   Section 1. Transparency and modalities
   Section 2. Information and access to personal data
   Section 3. Rectification and erasure
   Section 4. Right to object and automated individual decision-making
Chapter IV - Controller and processor (Sections 1-5)
   Section 1. General obligations
   Section 2. Security of personal data
   Section 3. Data protection impact assessment and prior consultation
   Section 4. Data protection officer
   Section 5. Codes of conduct and certification
Chapter V - Transfers of personal data to third countries or international organisations (Articles 44-50)
   44. General principle for transfers
   45. Transfers on the basis of an adequacy decision
   46. Transfers subject to appropriate safeguards
   47. Binding corporate rules
   48. Transfers or disclosures not authorised by Union law
   49. Derogations for specific situations
   50. International cooperation for the protection of personal data
Chapter VI - Independent supervisory authorities (Sections 1-2)
   Section 1. Independent status
   Section 2. Competence, tasks and powers
Chapter VII - Cooperation and consistency (Sections 1-3)
   Section 3. European Data Protection Board
Chapter VIII - Remedies, liability and penalties (Articles 77-84)
   77. Right to lodge a complaint with a supervisory authority
   78. Right to an effective judicial remedy against a supervisory authority
   79. Right to an effective judicial remedy against a controller or processor
   80. Representation of data subjects
   81. Suspension of proceedings
   82. Right to compensation and liability
   83. General conditions for imposing administrative fines
Chapter IX - Provisions relating to specific processing situations (Articles 85-91)
   85. Processing and freedom of expression and information
   86. Processing and public access to official documents
   87. Processing of the national identification number
   88. Processing in the context of employment
   89. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
   90. Obligations of secrecy
   91. Existing data protection rules of churches and religious associations
Chapter X - Delegated acts and implementing acts (Articles 92-93)
   92. Exercise of the delegation
   93. Committee procedure
Chapter XI - Final provisions (Articles 94-99)
   94. Repeal of Directive 95/46/EC
   95. Relationship with Directive 2002/58/EC
   96. Relationship with previously concluded agreements
   97. Commission reports
   98. Review of other Union legal acts on data protection
   99. Entry into force and application
Interestingly, recognizing the importance of data protection, India has taken a positive step in the form of the Personal Data Protection Bill, 2019, introduced in the Lok Sabha on 11 December 2019. Although its enactment is still pending, it incorporates crucial features of the GDPR.
Key takeaways from the bill's provisions
Purpose: Provides for the protection of personal data of individuals, and establishes a Data Protection Authority for the same
Composition of the bill:
1. Total chapters: XIV
2. Total sections: 98
3. Total schedule: one
4. Total definition : Section 3 (1) to (40) = 40 definitions
The Authority may:
Protection, information technology or public administration.
1. Sensitive personal data: This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data as specified.
2. Data fiduciary: the entity or individual who decides the means and purpose of processing personal data; data principal: the individual to whom the data relates.
In the landmark case of Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 641, the Supreme Court held that privacy is a fundamental right flowing from the right to life and personal liberty under Article 21 of the Constitution, and observed that the privacy of personal data and facts is an essential aspect of the right to privacy. In July 2017 a Committee of Experts chaired by Justice B. N. Srikrishna was set up to examine issues relating to data protection in India. The committee submitted its report, "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians", together with a draft bill, to the Ministry of Electronics and Information Technology in July 2018.
The Personal Data Protection Bill, 2019 has been pending with the Joint Parliamentary Committee since March 2020; the committee has been granted its fifth extension so far and its report is expected in the winter session of Parliament in 2021.
Presently the use and transfer of citizens' personal data is regulated by the IT Rules, 2011, which make companies using the data liable to compensate the individual for negligence in maintaining security standards while handling it.
Non-personal data, as the name suggests, is the opposite of personal data: data without personally identifiable information.
Put simply, non-personal data is data that never related to a natural person, together with personal data that has been anonymised. Under the Personal Data Protection Bill, 2019, the Central Government may direct any data fiduciary or data processor to provide anonymised personal data or other non-personal data to enable better targeting of service delivery or the formulation of evidence-based policies (sub-section (2) of section 91).
In an attempt to study issues relating to non-personal data the nodal ministry of electronics and information technology formed an expert committee around July 2020.
Observations of the committee:
The non-personal data should be regulated to
Non-Personal Data Authority: it will be established to put in place the framework for the governance of non-personal data. The authority shall be entrusted with framing guidelines on data sharing and the risks associated with non-personal data.
PERSONAL DATA PROTECTION APPROACHES WORLDWIDE
Realizing the need to protect data, governments all over the world have taken measures to protect it. Governments are entrusted with the task of protecting businesses and allowing them the freedom to operate, while at the same time ensuring that the privacy of individuals is protected.
The right to privacy stems from the constitution in some jurisdictions, e.g. the European Union and India, while it is ensured by various pieces of legislation in countries like the United States of America, Australia, and China. For these reasons, there have been different approaches around the world to personal data protection regulation.
In the case of the European Union, the need for the protection of personal data stems from the right to respect and personal dignity. The right to dignity is ensured through the right to privacy. The European Union enacted the General Data Protection Regulation (GDPR), which all the member countries follow. The basis of the right to privacy is how an individual can control one's public image. The EU regulations give the right to self-determination, i.e. the ability to control the information that is disclosed about ourselves. They also ensure that personal data that has been collected can be corrected and deleted with ease. An individual has to give consent to his/her data being processed, and it should be equally easy to withdraw such consent.
Most countries in the world are affected by the GDPR and have begun to comply with it, because it applies to all companies around the world that process the data of citizens of the European Union.
Below is a list of legislation enacted in different countries that is on a similar footing to the GDPR:
| Sr. no. | Name of the country | Legislation |
| --- | --- | --- |
| 1 | Bahrain | Personal Data Protection Law, 2019 |
| 2 | Israel | Data Security Regulations, 2017 |
| 4 | Turkey | Law on Protection of Personal Data No. 6698, enacted in 2016 |
| 5 | Kenya | Data Protection Act, 2019 |
| 6 | Mauritius | Data Protection Act, 2017 |
| 7 | Nigeria | Data Protection Regulation, 2019 |
| 8 | South Africa | Protection of Personal Information (POPI) Act, 2020 |
| 9 | Uganda | Data Protection and Privacy Act, 2019 |
| 10 | Japan | Act on the Protection of Personal Information (APPI), 2020 |
| 11 | New Zealand | Privacy Act, 2020 |
| 12 | South Korea | Personal Information Protection Act, 2011 |
| 13 | Argentina | Personal Data Protection Act, 2001 |
| 14 | Brazil | General Data Protection Law, 2020 |
| 15 | Uruguay | Act on the Protection of Personal Data and Habeas Data Action, 2008 |
| 16 | Canada | Personal Information Protection and Electronic Documents Act, 2000 |
The United States of America
The core of privacy for Americans is the "sanctuary of the home". The USA follows a laissez-faire approach, i.e. minimal interference from government. There is no single law to protect the privacy of US citizens; instead, protection is ensured by enacting specific laws on specific subjects.
There is no specific authority for data protection, but the Federal Trade Commission ensures that companies do not engage in unfair and deceptive trade practices.
China's approach to personal data protection has primarily been from the perspective of averting national security risks. It protects the privacy of its citizens by enforcing strict regulations on the cross-border transfer of data.
Australia and Singapore
Privacy is not a fundamental right in these countries. Also, neither country brings the government under the purview of data protection. Singapore, in fact, is a very business-friendly country and projects itself as a global data processing destination.
The Indian Constitution works on two planks: first, that the "state" is the facilitator of human progress, and second, that the state is prone to excess. Hence it is checked by effecting a vertical and horizontal separation of powers. Also, the Constitution of India grants every individual fundamental rights which they can exercise against the state.
The right to privacy had not been recognized as a fundamental right until the Supreme Court gave its decision in Justice K.S. Puttaswamy (Retd.) v. Union of India. Article 21 of the Constitution states that "No person shall be deprived of his life or personal liberty except according to the procedure given by law." It means that even the state, while exercising its powers, has to follow certain procedures as laid down by law. The right to privacy stems from the right to personal liberty: the liberty of every citizen within the frame of being lawful and constitutional.
Hence, India has followed an approach of being a facilitator to businesses while at the same time protecting the rights of its citizens.
The challenge for regulators is to frame mechanisms wherein it is possible to utilize data while simultaneously protecting an individual's privacy preferences and their personally identifiable information. Hence, the laws and regulations related to privacy and data protection are constantly changing, as lawmakers strive for strict and diligent compliance with data privacy and security regulations.
The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act)
The Aadhaar Act enables the Government to collect identity information from citizens, including their biometrics, issue a unique identification number (an Aadhaar Number) on the basis of such biometric information, and thereafter provide targeted delivery of subsidies, benefits, and services to them.
The requesting entity (government/public and private entities/agencies) is required to obtain the consent of the individual before obtaining her identity information for the purpose of authentication, and must use her identity information only for the purpose of authentication.
Data protection norms for personal information collected under the Aadhaar Act are also found in the Aadhaar (Data Security) Regulations, 2016 (Aadhaar Security Regulations). The Aadhaar Security Regulations impose an obligation on the UIDAI to have a security policy that sets out the technical and organizational measures it will adopt to keep information secure.
The primary legislation addressing data protection in the financial sector is the Credit Information Companies (Regulation) Act, 2005 (CIC Act) and the Credit Information Companies Regulations, 2006 (CIC Regulations).
There are multiple laws that operate in the telecom sector such as the Indian Telegraph Act, 1885 (Telegraph Act), the Indian Wireless Telegraphy Act, 1933, the Telecom Regulatory Authority of India Act, 1997 (TRAI Act), and various regulations issued thereunder.
Begin with a brief general statement on:
You may include encouragement for the user to read the policy carefully and contact you with any questions or concerns about your privacy practices.
2. Who are we?
Provide the name and contact details of the data controller. This will typically be your business or you if you are a sole trader. Where applicable, you should include the identity and contact details of the controller’s representative and/or the data protection officer.
3. What information do we collect?
Specify the types of personal information you collect, e.g. names, addresses, user names. You should include specific details on:
4. How do we use personal information?
Describe in detail all the service- and business-related purposes for which you will process data.
For example, this may include things like:
Please note this list is not exhaustive. You will need to record all purposes for which you process personal data.
5. What legal basis do we have for processing your personal data?
Describe the relevant processing conditions contained within the law. There are six possible legal grounds:
Provide detailed information on all grounds that apply to your processing, and why. If you rely on consent, explain how individuals can withdraw and manage their consent. If you rely on legitimate interests, explain clearly what these are.
If you’re processing special category personal data, you will have to satisfy at least one of the six processing conditions, as well as additional requirements for processing under the GDPR. Provide information on all additional grounds that apply.
6. When do we share personal data?
Explain that you will treat personal data confidentially and describe the circumstances in which you might disclose or share it, e.g. when necessary to provide your services or conduct your business operations, as outlined in your purposes for processing. You should provide information on:
7. Where do we store and process personal data?
8. How do we secure personal data?
Describe your approach to data security and the technologies and procedures you use to protect personal information. For example, these may include measures such as:
Please note this list is not exhaustive. You should record all mechanisms you rely on to protect personal data. You should also state if your organization adheres to certain accepted standards or regulatory requirements.
9. How long do we keep your personal data?
Provide specific information on the length of time you will keep the information in relation to each processing purpose. The GDPR requires you to retain data for no longer than reasonably necessary. Include details of your data or records retention schedules, or link to additional resources where these are published.
If you cannot state a specific period, you need to set out the criteria you will apply to determine how long to keep the data (e.g. local laws, contractual obligations). You should also outline how you securely dispose of data once you no longer need it.
10. Your rights in relation to personal data
Under the GDPR, you must respect the right of data subjects to access and control their personal data. In your privacy notice, you must outline their rights in respect of:
You should explain how individuals can exercise their rights, and how you plan to respond to data subject requests. State if any relevant exemptions may apply and set out any identity verification procedures you may rely on. Include details of the circumstances where data subject rights may be limited, e.g. if fulfilling the data subject request may expose personal data about another person, or if you are asked to delete data which you are required to keep by law.
11. Use of automated decision-making and profiling
12. How to contact us
Explain how data subjects can get in touch if they have questions or concerns about your privacy practices or their personal information, or if they wish to file a complaint. Describe all the ways in which they can contact you, e.g. online, by email, or by postal mail.
If applicable, you may also include information on:
14. Linking to other websites / third-party content
If you link to external sites and resources from your website, be specific on whether this constitutes an endorsement, and whether you take any responsibility for the content of (or information contained within) any linked website.
It is said that nothing is permanent except change, and one who rides the wave of change survives. This is the theory of the survival of the fittest. Evolution emphasizes that change is inevitable, and lays out that adapting to change is the only means of survival. Incorporating change equips you to fight the challenges of survival. This theory holds true for our profession too. The more we adapt to the new environment, learn new technology, and understand new laws and procedures, the more we evolve to be the fittest to survive.
Lastly, I would like to conclude that every change brings opportunity, which will help us break through traditional roles. With the opportunities in cyberspace, we can transcend into global markets with our immense knowledge.
Let us march towards better horizons with confidence and utmost faith in ourselves.
Quick links to refer to:
1. Ministry of Electronics and Information Technology https://www.meity.gov.in/
2. Department of Administrative Reforms and Public Grievances https://pgportal.gov.in/
3. Open Government Data Platform India https://data.gov.in/
4. Government of India (MyGov) https://www.mygov.in/
5. Biometric Attendance System https://attendance.gov.in/
6. e-Governance Standards http://egovstandards.gov.in/
7. e-Pramaan, the national e-authentication service https://epramaan.gov.in/
8. PhD scheme for Electronics and IT https://phd.dic.gov.in/
9. Invest India https://www.investindia.gov.in/
10. The National Mobile Governance Initiative https://mgov.gov.in/
11. DigiLocker https://www.digilocker.gov.in/dashboard
12. National Voters' Service Portal https://www.nvsp.in/
13. Indian Computer Emergency Response Team (CERT-In) https://cert-in.org.in/
14. Digital India Corporation https://dic.gov.in/
15. National Informatics Centre Services Inc. (NICSI) https://nicsi.com/
16. National Internet Exchange of India (NIXI) https://nixi.in/
17. Centre for Development of Advanced Computing (C-DAC) https://www.cdac.in/
18. Centre for Materials for Electronics Technology (C-MET) https://cmet.gov.in/
19. ERNET India (Education and Research Network) https://ernet.in/
20. National Institute of Electronics and Information Technology (NIELIT) https://www.nielit.gov.in/
21. SAMEER (Society for Applied Microwave Electronics Engineering and Research) https://sameer.gov.in/
22. Software Technology Parks of India (STPI) https://stpi.in/home
23. Unique Identification Authority of India (UIDAI) https://uidai.gov.in/
24. UNCITRAL https://uncitral.un.org/
25. Compliance with the EU GDPR https://gdpr.eu/