The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.
Discover the best professional documents and content resources in AnyFlip Document Base.
Search
Published by Enhelion, 2021-11-09 02:02:22

Module 4

Module 4

• The power to impose administrative fines
on controllers and processors.137

• WP29 has adopted guidelines on the application and setting of
administrative fines under the GDPR.138

The Controllers are required to notify any personal data breach to their
national supervisory authority without undue delay and in any event within
72 hours of becoming aware of such breach.139 Data subjects have a right to
be informed, by the controller, of their right to lodge a complaint with the
supervisory authority.140 Data subjects have a right to lodge a complaint with
the supervisory authority.141 They also have a right to an effective judicial
remedy against a supervisory authority and against infringing controllers and
processors.142

6) Appellate Tribunal – The Bill defines Appellate Tribunal143 [Hereinafter,
“The Tribunal”] as the Tribunal established under § 67[1]. The Tribunal
shall consist of a Chairperson who has been a Judge of the Supreme Court or
Chief Justice of a High Court.144 The appointed members should have held
the post of Secretary to the Government of India or any equivalent post in
the Central Government for a period of not less than two years or a person
who is well versed in the field of data protection, information technology,
data management, data science, data security, cyber and internet laws or any

137 Article 83, 2018 O.J. [L 127].
138 Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with regard
to the Processing of Personal Data [Oct. 3, 2017], file:///C:/Users/DELL/Downloads/20171020_wp253_enpdf.pdf.
139 Article 33[1], 2018 O.J. [L 127].
140 Article 13, 14, 2018 O.J. [L 127].
141 Article 77, 2018 O.J. [L 127].
142 Articles 78, 79, 2018 O.J. [L 127].
143 § 3[4], The Bill, 2019.
144 § 68[1][a], The Bill, 2019.

related subject.145 Any person aggrieved by the decision of the Authority,
may prefer an appeal to the Appellate Tribunal within a period of thirty days
from the receipt of the order.146 Any person aggrieved by the order of the
Tribunal can file an appeal in the Supreme Court.147

International Approach –
According to GDPR, Data Subject has the right to approach the court where
the supervisory authority does not handle a complaint or does not inform the
data subject within 3 months on the progress or outcome of the complaint.148
It also provides a specific right for data subjects to have an effective judicial
remedy where the supervisory authority fails to handle a complaint
properly.149

7) Data Protection Impact Assessment- Data protection impact assessments
[DPIAs] help organizations identify, assess and mitigate or minimize
privacy risks with data processing activities. They're particularly relevant
when a new data processing process, system or technology is being
introduced.
§.27150 addresses the need of DPIA if upon commencement of any
processing, that involves new technologies, large scale profiling or use of
sensitive personal data or use of sensitive personal data such as genetic data
or biometric data, or any other processing, which carries a risk of significant
harm to Data Principals, such processing shall not be commenced and is

145 § 68[1][b], The Bill, 2019.
146 § 72[1], The Bill, 2019.
147 § 75, The Bill, 2019.
148 Article 78, 2018 O.J. [L 127].
149 Article 79[2], 2018 O.J. [L 127].
150 §. 27, The Bill, 2017.

subject to the significant data fiduciary151 conducting a Data Protection
Impact Assessment. Based on the impact assessment, if the Data Protection
Authority finds that such processing is likely to cause harm to the data
principal, then the Data Protection Authority can direct the data fiduciary to
modify the processing or even to cease processing altogether.

International Approach-
Under Art. 35152 of the GDPR where processing operations are likely to
result in a high risk to the rights and freedoms of natural persons, the
controller mandatorily needs to carry out a data protection impact
assessment to evaluate, in particular, the origin, nature, particularity and
severity of that risk.
That impact assessment should include the measures, safeguards and
mechanisms envisaged for mitigating the risks, ensuring the protection of
personal data and demonstrating compliance with GDPR.
DPIA should be conducted as soon as a new technology comes into effect,
so as to incorporate the measures identified by it, into the updated policies of
the organization.

DPIA assesses the following:

• A systematic description of the envisaged processing operations and the
purposes of the processing, including, where applicable, the legitimate
interest pursued by the controller.

• The necessity and proportionality of the processing operations in relation
to the purposes.

151 §.26, The Bill, 2019.
152 Article 35, 2018 O.J. [L 127].

• The data protection risks and risks related to the rights and freedom of the
data subjects [impact on data subjects].

• The measures that will address the risks to the rights and freedom of the
data subjects along with issues such as cross border transfers.

Whenever a DPIA is conducted, it indicates that the processing of data in
absence of accurate security measures would result in high risk to the rights
and freedoms of data subjects. In such cases, the controller may be of the
opinion that he might not be able to mitigate those risks and that the
Supervisory Authority may need to be consulted before the start of such
processing activities.

The Supervisory Authority shall make two kinds of lists public and
communicate the same to the Board:

• All the processing activities that are subject to requirement of a DPIA
• All the processing activities that are not subject to requirement of a

DPIA.

The decisions taken after the assessment should be documented as part of the
DPIA process. Where necessary, the controller will carry out a review to
assess if processing is performed in accordance with the data protection
impact assessment at least when there is a change of the risk represented by
processing operations.153

8) Cross Border Transfer and Data Localisation-

153 MANISH SEHGAL, Deloitte India, GDPR: Understanding Data Protection Impact Assessment, June 7, 2018,
https://cfo.economictimes.indiatimes.com/news/gdpr-understanding-data-protection-impact-
assessment/64495822.

Restrictions on Transfer of Personal Data outside India have been discussed
at length in Chapter VII [§. 33 and §. 34] of the Bill.
• Data localisation restrictions and apply to only sensitive and critical

personal data.
• No provision for mandatory storage of all personal data in the country.
• Sensitive Personal Data can be transferred outside India, but such data

has to be stored in India as well.154
• Sensitive Personal Data can be transferred abroad only for the purpose

of processing after obtaining explicit consent from the data principal.155
• Additionally, sensitive personal data may be transferred abroad if the

data is to be accorded an adequate level of protection in that jurisdiction
and shall be accessible by the authorities having jurisdiction for the
enforcement of relevant laws, when required.156
• All processing of Critical Personal Data outside India is prohibited.157
• Transfer of Critical Personal Data is permitted to a person or entity
engaged in provision of health services or emergency services in
specified circumstances158 or to any country or entity or class of entity
approved by the Central Government subject to the satisfaction of
certain conditions, and where such transfer in the opinion of the Central
Government does not prejudicially affect the security and strategic
interest of India.159

154 §.33 [1], The Bill, 2019.
155 §.34 [1], The Bill, 2019.
156 §.34 [1][b], The Bill, 2019.
157 §. 33 [2], The Bill, 2019.
158 §.34 [2][a], The Bill, 2019.
159 §. 34 [2][b], The Bill, 2019.

• Any transfer of Critical Personal Data made shall be notified to the
Authority within such period as may be specified by regulations.160

PERSONAL DATA SENSITIVE CRITICAL

PERSONAL DATA PERSONAL DATA

No provision for • Data has to be • Prohibition on

mandatory storage or stored in India. processing of Data

processing of all • Data can be abroad.
personal data in the transferred outside
country. India only for the • Transfer of Data

permitted in

purpose of provision of health

processing after services or

obtaining explicit emergency

consent from the services in

Data Principal. circumstances as

• Data to be specified under

transferred outside §.34[2].

India in • Any transfer Data

accordance with made shall be

§.34[1]. notified to the

Authority within

stipulated period.

TABLE 6: CROSS BORDER TRANSFER OF DATA

160 §. 34 [2][c], The Bill, 2019.

9) Data Anonymisation- ‘Anonymisation’ in relation to personal data, means
such irreversible process of transforming or converting personal data to a
form in which a data principal cannot be identified, which meets the
standards of irreversibility specified by the Authority.161 The provisions of
the Bill shall not be applied to anonymised data except Anonymised Data as
specified in §.91 of the Bill.162

International Approach

According to Recital 26163, “The principles of data protection should
therefore not apply to anonymous information, namely information which
does not relate to an identified or identifiable natural person or to personal
data rendered anonymous in such a manner that the data subject is not or no
longer identifiable.”

The GDPR aims to give individuals control over their personal data, not to
prevent companies and organizations from reaping the benefits that
analysing big data can offer. By fully understanding the GDPR requirements
regarding the anonymization of data, organizations can continue to process
data and reduce their exposure to GDPR fines.

Taxa 4x35 Case

• Recently, Taxa 4×35 a Danish service that allows its users to hail cabs in
Copenhagen with an app, similar to Uber, faced a fine of 1.2 million
kroner for not deleting or anonymizing its users’ data.

161 §. 3[3], The Bill, 2019.
162 §. 2[B], The Bill, 2019.
163 Recital 26, 2018 O.J. [L 127].

• When a user hails a taxi, the Taxa system collects an assortment of data,
including the customer’s name, telephone number, the date of the trip, the
start and end time of the trip, the number of kilometres driven, the
payment, the GPS coordinates of the beginning and end of the trip, as
well as written address and other coordinates.

• Danish data protection agency, Datatilsynet, found that Taxa had kept the
data from nearly 9 million taxi rides for five years, well after they were
still needed. This hoarding of records goes against Article 5 of the EU’s
GDPR.

• Taxa 4×35’s management thought they were exempt from any liability
under GDPR which represent the principles of data minimization and
storage limitation, because they were anonymizing the data by deleting
the names associated with the trip records from their database after two
years. [The remaining data was then deleted after five years.]

• Datatilsynet found this attempt at data anonymization to be inadequate,
pointing out that even without the user’s name, Taxa 4×35 still had
enough personal information to identify an individual

• Taxa 4×35 failed to meet the high standard that the GDPR sets for data
anonymization. Recital 26, it states that not only must an organization
consider whether it can identify an individual using the data it has within
its database, but it must also consider. Because the records are not
anonymous, they are still subject to the full protections listed in the
GDPR.

The case set standards for the Effective data anonymization is made up of
two parts: [i] It is irreversible; [ii] It is done in such a way that it is
impossible [or extremely impractical] to identify the data subject.164

COMPLIANCE REQUIREMENTS UNDER THE BILL

i) Scope of the Bill.

RELEVANT SUBJECT ACTIONS TO BE TAKEN BY
PROVISION ORGANIZATION

Sections 2, Scope • Identify if they process any personal data of
an individual.
26, 36
• Identify if their data processing activity is
exempted under the Bill.

• Understand whether they are data fiduciaries
[they determine the purpose and means of
data] or data processors [process data on
behalf of others].

• Understand if they are ‘significant data
fiduciaries.

Sections 2, 37 Territorial • Identify if any part of their data processing
Scope activity takes place in India.

• If they process data outside India, identify if
Indian citizens are involved or if the activity
is conducted in connection with any business
in India or offering of goods and services in
India.

Section 91 Non-Personal • Understand and identify types of non-
Data personal data they hold and process.

• Develop a process to respond to government

164RICHIE KOCH, Data anonymization and GDPR compliance: the case of Taxa 4×35, GDPR.eu, https://gdpr.eu/data-
anonymization-taxa-4x35/.

directions for nonpersonal data.
TABLE 7: COMPLIANCE REQUIREMENTS SS PER SCOPE OF THE BILL

ii) Accountability and Transparency

RELEVANT SUBJECT ACTIONS TO BE TAKEN BY
PROVISION ORGANIZATION

Section 22 Privacy by • Develop a privacy by design policy.

design policy • Ensure that the policy identifies risk of harm

to data principals and formulate ways to

mitigate them.

• Ensure fulfilment of data protection

obligations in daily business practice.

• Ensure that the technology being used is

commercially accepted and well certified.

• Conduct programs to educate the personnel

about the data protection regime and PDP

Bill.

• Ensure that the privacy of all the employees

is well protected.

Section 22 Personnel • Ensure that the senior management is well
aware of the compliance requirement and the
repercussions of failure to comply.

• Allocate budget for data protection
compliance.

Section 23 Transparency • Take necessary steps to ensure transparency
in processing personal data.

• Employees should be made aware about the
personal data that is collected from them,
manner of the collection and the purpose.

Section 24 Security • Develop procedures to assess risks associated
Safeguards with processing and the likelihood and
severity of harm to individuals from their
data processing activities.

• Develop mechanisms to mitigate those risks.
• Review the security safeguards regularly and

maintain a record of the review.

Section 25 Reporting of • Develop data breach response procedures to
Personal Data notify the Data Protection Authority [DPA]
Section 29
Section 30 Breach as soon as possible in case of a breach.
Section 32
• Review contracts with third parties and

processors to ensure the fiduciary will be

able to notify the DPA in time.

• Review liability provisions in third party

contracts for breaches caused by third

parties.

Data Audits • Develop processes to enable third party
audits.

• Develop internal processes to ensure
compliance with obligations under the Bill.

Data Protection • Significant data fiduciaries should appoint

Officer [DPO] DPO who is based in India.

• Ensure that the DPO essentially performs all

the obligations required from him.

Grievance • Develop procedures and mechanisms to
Redressal redress of data principles, efficiently.

• The complaint should be resolved within 30
days from the date of receipt.

• Appoint a person to handle such grievances.

TABLE 8: COMPLIANCE REQUIREMENTS RELATING TO TRANSPARENCY AND
ACCOUNTABILITY

iii) Lawful processing of data

RELEVANT SUBJECT ACTIONS TO BE TAKEN BY
PROVISION ORGANIZATION

Sections 11, Consent • Obtain ‘explicit’, free and specific consent
before processing any data.
23
• Maintain proper record of the consent
obtained from the data principals

• Develop mechanisms to assist data principals
to withdraw their consent.

Sections 7, 23 Privacy Notice • Provide a notice to the data principals, at the
time of collecting the data.

• Notice should be clear about the purpose of
the collection of data along with other details
as mentioned in the Bill.

Sections 12, Legal Basis for • Document the legal basis for processing any
13 Processing of category of data.
Data •
Explain the bases of processing in the
privacy policies/ notices.

Sections 14 Reasonable • Understand if processing is for any of the

Purpose for reasonable purposes specified by the DPA.

processing of • Assess whether processing is ‘necessary’ for
Data a listed reasonable purpose, having regard to

factors such as interest of the data fiduciary

in that processing, any public interest in

processing, and the reasonable expectation of

the data principal with respect to the

processing.

Sections 16 Processing of • Identify proportion of personal data likely to

Personal Data be of children and assess possibility of harm

of Children to children arising out of processing.

• Develop appropriate methods to verify age.
• Create forms for seeking parental consent.

TABLE 9: COMPLIANCE REQUIREMENTS FOR LAWFUL PROCESSING OF DATA
iv) Rights of Data Principal

RELEVANT SUBJECT ACTIONS TO BE TAKEN BY
PROVISION ORGANIZATION

Sections 17 Right to • Create templates for summaries of personal

Confirmation data and processing activities to be provided

and Access to data principals, upon request.

• Maintain a list of entities with whom the

personal data of is shared.

Section 18 Right to Seek • Develop internal processes that enable

Correction correction of inaccurate data, completion of

incomplete data, and update old data in a

timely manner.

• Create a system whereby relevant

stakeholders are notified of any change to the

data pursuant to such requests.

Section 19 Right to Data • Classify personal data according to

Portability automated processing and nonautomated

processing.

• Develop processes to enable secure data

transfer to other data fiduciaries.

Section 20 Right to be • Develop processes to determine the
Forgotten relevance of the data to the purpose of
collection.

• Data fiduciaries should restrict or prevent
disclosure of personal data of individuals, if

Section 21 Exercise required to do so by the adjudicating officer.
Rights
of • Rights exercised upon a request made to the
data fiduciary except §.20.

• Upon refusal of request of the Data Principal,
the Data Fiduciary must provide for proper
reasons to removal.

TABLE 10: COMPLIANCE REQUIREMENTS REGARDING RIGHTS OF DATA PRINCIPALS

[v] Transferring Data outside India

RELEVANT SUBJECT ACTIONS TO BE TAKEN BY
PROVISION ORGANIZATION
• Ensure that critical personal data is stored
Sections 33 Data
and processed in India only.
Localisation • Ensure local storage of sensitive personal

Sections 34 Cross-Border data.
Transfers
• Identify the type of data that can be
transferred outside India for processing.

• Obtain ‘explicit’ consent before processing
such data.

• Create a template for request for specific
approval from DPA

TABLE 11: COMPLIANCE REQUIREMENTS REGARDING TRANSFER OF DATA OUTSIDE
INDIA

EXEMPTIONS

The Bill sets out several exemptions165 for processing of data without complying
with the provisions mentioned in the Bill. The exemptions are:

Exemptions

Any agency of For certain types Personal or Journalistic Research, Manual Sandbox
the Government of processing of Domestic Purpose Archiving, Processing Provision
purpose Statistic Purpose
personal data

FIG 4: EXEMPTIONS UNDER THE BILL

b) Exemption to any agency of Government - If the Central Government, by a
written order, is satisfied that it is necessary in the interest of or for preventing
incitement to the commission of a cognisable offence relating to the [i]
sovereignty and integrity of India, [ii] security of the State, [iii] friendly
relations with foreign states, [iv] public order, direct that the provisions of the
Act will not apply to any agency of the government for processing personal
data.166

c) Exemptions for certain types of processing of personal data - Certain
specified provisions will not apply where personal data is [i] processed in the
interest of prevention, detection, investigation and prosecution of any offence
or any other contravention of law, [ii] disclosed for inter alia enforcing a legal
right, [iii] processed by any court or tribunal, [iv] exempted by the Central
Government where processing of personal data of data principals not within

165 Chapter VIII, The Bill, 2019.
166 § 35, The Bill, 2019.

the territory of India, [v] processed by a natural person for any personal or
domestic purpose, [vi] processed for a journalistic purpose, [vii] processed for
research, archiving or statistical purposes, [viii] processed manually by a
small entity.167

d) Personal or Domestic purposes - The PDP Bill provides that a natural person
processing personal data for purely personal or domestic purposes, will not be
subject to certain substantive data protection requirements under the PDP
Bill.168

e) Journalistic purpose - Where the processing of personal data is necessary for
or relevant to a journalistic purpose, certain substantive data protection
requirements under the PDP Bill will not be applicable to such processing.169

f) Research, Archiving, Statistical Purpose - The PDP Bill allows the DPA to
specify different categories of research, archiving or statistical purposes and
exclude the applicability of certain provisions of the Bill to such categories.170

g) Manual Processing - The PDP Bill exempts small entities who are carrying
out manual processing from the following requirements: [i] the requirement to
provide notice for collection of personal data, [ii] the obligation to ensure
quality of data, [iii] the limitations on storage of personal data, [iv] the
obligation to provide a summary of processing activities to data principals, [v]
the requirement to facilitate a data principal's right to data portability and the
right to be forgotten, [vi] the obligations regarding privacy by design,

167 § 36, The Bill, 2019.
168 § 36[d], The Bill, 2019.
169 § 36[e], The Bill, 2019.
170 § 38, The Bill, 2019.

transparency, security safeguards, personal data breach notification, data
protection impact assessment, maintenance of records, data audits, data
protection officer and grievance redressal.171

h) Sandbox Provision - The PDP Bill empowers the DPA to create a sandbox to
encourage innovation in artificial intelligence, machine learning or any other
emerging technology in public interest.172 This provision has been introduced
in order to ensure that the new privacy regime offers opportunities for data
fiduciaries to innovate and utilise emerging technologies.173

PENALTIES AND COMPENSATION

Penalties

For contravening For failure to For failure to For failure to For contravention
provisions of the comply with Data furnish report, comply with where no separate
Principal requests returns, info., etc. Authority's penalty is provided
Act direction/order

FIG 5: PENALTIES UNDER THE BILL

The Bill has laid down certain penalties for the Data Fiduciary in case of violation
of the provisions.174 For this purpose, an Adjudicating Officer shall be appointed175
and he shall conduct an inquiry to look into the matter by giving the parties
reasonable opportunity of being heard.176 Apart from this inquiry, the Data

171 § 39, The Bill, 2019.
172 ANALYSIS – THE PERSONAL DATA PROTECTION BILL, 2019, TRILEGAL [Dec. 12, 2019],
https://www.trilegal.com/index.php/publications/analysis/the-personal-data-protection-bill-2019.
173 § 40, The Bill, 2019.
174 Chapter X, The Bill, 2019.
175 § 62, The Bill, 2019.
176 § 63, The Bill, 2019.

Principal may seek receive compensation by making a complaint to the
Adjudicating Officer as per the terms of the provisions of the Act.177

OFFENCES178

Offences

Processing or Failure to conduct a
transferring personal data audit
data in violation of

the Bill

Fine of Rs. 15 cr. or 4% Fine of Rs. 5 cr. or 2%
of annual turnover of of annual turnover of
Data Fiduciary, the Data Fiduciary,
whichever is higher whichever is higher

FIG 6: OFFENCES UNDER THE BILL
Re-identification and processing of de-identified personal data without consent is
punishable with imprisonment of up to three years, or fine, or both. And such
offences are cognizable and non- bailable. However, the saving clear states that the
cognizance of such offences would be taken by the court only upon the complaint
made by Data Protection Authority.

177 § 64, The Bill, 2019.
178 Chapter XIII, The Bill, 2019.

AAROGYA SETU

• The Government of India launched the Aarogya Setu application on April 2,
2020 to help India track and tackle the global pandemic of COVID-19.

• This app, inter alia, tracks the location of an infected individual and notifies the
application users of their proximity to such individuals.

• The Data Protection Laws only provide a basic framework on data protection
and not specifically contemplate measures to be taken by the public authorities
in relation to protection of data during public health emergencies.

• Pursuant to KS Puttaswamy179, the Supreme Court of India has observed that if
the state preserves the anonymity of an individual it could legitimately assert a
valid state interest in preservation of public health to design appropriate policy
interventions on the basis of the data available to it.

• The app requires its users to switch the GPS and Bluetooth tracking on and
provides for a scope that it could violate its users' privacy and could act as a
surveillance tool in the hands of the government.
Sprinklr and the Government of Kerala

• Similar applications are being used by the State Governments of Goa,
Karnataka, Maharashtra and Tamil Nadu.

• The use by the State Government of Kerala of the Sprinklr application has also
been criticized on the ground that sensitive personal information is being
accessed by entity that is not based in India.

• In a recent petition180 challenging the contract between the State Government of
Kerala and Sprinklr, the High Court of Kerala issued an interim order asking
the State Government, inter alia, to anonymize all data collected with respect to

179 Justice KS Puttaswamy [Retd.] v. U.O.I. & Ors., [2017] 10 SCC 1 [India].
180 Balu Gopalakrishnan & Ors. vs. State of Kerala & Ors., W.P.[C]. Temp. NO.84 OF 2020, Kerala HC.

COVID-19 before sharing it with Sprinklr and to inform all citizens from whom
data is taken that such data can be shared with Sprinklr or any third party and
obtain the consent of such citizens.
• Further, the HC of Kerala has restrained Sprinklr from committing any act that
may result in breach of confidentiality of data collected under the contract with
the State Government of Kerala and exploiting such data directly or indirectly
for commercial purposes or advertising or representing to any third party that
they have access to data relating to COVID-19 cases.
• The Government of India will need to strike the right balance between
protection of public interest and maintaining the fundamental right to
privacy.181

Recent Updates
• Data collected and processed by Aarogya Setu is governed by the app’s privacy

policy and a ‘protocol’ released on May 11 by an Empowered Group
constituted under the National Disaster Management Act 2005 [NDMA].
• Centralized systems [All collected data can be stored and processed either in a
‘centralized’ manner [on government-controlled servers] or in a ‘decentralized’
manner [on the users’ device], or both.]
• Centralized system allows the governments to access such data. However,
anonymised unique IDs may be generated for such storage and processing. In a
centralized system, if a user tests positive the central server sends alerts to all
Bluetooth proximity contacts of that user. In a decentralized system, the user’s
device directly sends these alerts.

181 SHIVAJI BHATTACHARYA & ANINDHYA SHRIVASTAVA, COVID-19: Implications On The Data Protection Framework In India,
Data Protection [May, 2020], https://www.mondaq.com/india/data-protection/928998/covid-19-implications-on-
the-data-protection-framework-in-india.

• The app in India uses GPS and Bluetooth tracking along with a hybrid
[centralized plus decentralised] model to enable contact tracing. Data will
remain in user’s phone only and will be deleted after 40 days. If the user tests
positive then the data shall be sent to the Central system.

• France & UK are likely to use centralized model while Germany & Italy have
opted for a decentralized system.

• The government declared the app to be ‘open source’ and even launched a ‘bug
bounty’ rewards programme for researchers and developers to identify and
propose corrections to security vulnerabilities and other bugs in the app. This
bolsters its case of robustness and ‘privacy by design’.

• The protocol mandates that the data collected can only be shared with central
and state governmental departments, ministries and health institutions in
anonymised form and strictly for the purpose of formulating or implementing a
health response.

• Initially, the app was released for voluntary use, but was subsequently made
mandatory under the NDMA for all public and private employees and The
NDMA overrides other legislation. The authority of an executive group [even
under NDMA] to issue directions which potentially impede upon the
fundamental right to privacy of citizens, without a specific and explicit
parliamentary legislation on the subject was a matter of grave uncertainty and
therefore the government retracted the decision on May 17.

• A mandatory app collecting personal data also negates the aspect of user
consent and the right to seek erasure of personal data. Although current Indian
laws allow users to withdraw consent to the processing of their personal data [if
the app is not mandatory], a well-defined framework permitting users to seek
erasure of personal data is missing. Such a framework is proposed under the

Personal Data Protection Bill of 2019, which is yet to be enacted. However,
erasure rights proposed under the bill are not unconditional. It draws from the
GDPR, but the European law arguably allows a broader right to request erasure.

4.4.5 Are we at risk of Robots invading privacy?

The rapid growth of AI and robotic systems has implications on a wide variety of
fields. It can prove to be a boon to disparate fields such as healthcare, education,
global logistics, and transportation, to name a few. However, these systems will
also bring forth far-reaching changes in employment, economy, and security.
Technology around us is ever-changing and in the current state we are surrounded
by gadgets that have access to our personal information all the time, they have
access to our location, to the places we visit, places we are going to visit, they have
the capability of guessing what we are going to do next to better than any human
being we know. These robots and AI study our day to day life pattern, what we do
how we do it, they maintain a record of all the activities of our daily schedule
which they analyze and provide us much better response whenever we search for
something. They work on the algorithm of self-improvement where they correct
and learn from their own actions and mistakes.
Consensus opinion has it that robots will take over human jobs by the millions;
however, well before that happens workplace privacy might well be long gone.
Workplace privacy is already being threatened by privacy-invasive monitoring
such as closed-circuit video monitoring, Internet monitoring, and filtering, e-mail
monitoring, instant-message monitoring, phone monitoring, location monitoring,
etc.

4.5.1 Cases of invasion of privacy:

Edward Snowden is a former National Security Agency subcontractor who made
headlines in 2013 when he leaked top-secret information about NSA surveillance
activities182. NSA is a National security agency of the U.S. who had been keeping
a tab on the citizens worldwide, anyone with a phone and access to the internet via
the cameras on their devices or the microphones and they tracked every movement
of any person under surveillance at any point, remotely.

More recently, in 2018 the most popular and populous social media website
Facebook was hacked and personal data of more than a million users was leaked
and put online to which everyone had access right before it was taken down by the
authorities. Of those more than a million people around 85,000 were Indians.

2018: Year of Privacy

February

• Telefonica-funded Wibson is launched as a blockchain-based
“Personal Data Marketplace”183, following the steps of prior initiatives
in the Personal Information Management space
like Citizen.me, Digi.me, People.io, or Datum.

March

• The Cambridge Analytica scandal hits Facebook, eventually affecting
an estimated 87 million users184.

May

182 Edward Snowden: Biography, 2019, [https://www.biography.com/activist/edward-snowden], as accessed on
22.07.2020
183 Alex Behrens, “Telefonica-Funded Wibson Launches Decentralized Ad-Data Marketplace at MWC 2018”, 2018,
[https://www.the-blockchain.com/2018/02/27/telefonica-funded-wibson-launches-decentralized-ad-data-
marketplace-mwc-2018/], as accessed on 22.07.2020
184 “Facebook scandal 'hit 87 million users'”, 2018, [https://www.bbc.com/news/technology-43649018], as
accessed on 22.07.2020

• The EU’s General Data Protection Regulation [“GDPR”] comes into
force on May 25, 2018

• Vienna-based non-profit NOYB [“None Of Your Business”] files
initial claims against Facebook, Whatsapp, Instagram, and Google
[Android] under the GDPR [with the French, Belgian, Austrian, and
Hamburg state Supervisory Authorities, most likely dragging the Irish
Data Protection Agency into all of them]185

• Under Armour discloses a major data breach affecting an estimated
150 million people in the United States186.

June

• Facebook suffers its biggest-ever data breach, through the Nametests
app using its Login feature. It reportedly affected 120 million
people187.

• Adidas discloses a data breach potentially affecting “millions”, related
to online customers in the USA188.

• The California Consumer Privacy Act [“CCPA”] is signed into law on
June 28, 2018189.

July

185 “Data privacy activist wastes no time in filing GDPR complaints against Facebook, Google, Instagram, and
WhatsApp”, Business Insider, [https://www.businessinsider.com/max-screms-gdpr-complaints-facebook-google-
2018-5?IR=T], as accessed on 22.07.2020

186 Chloe Aiello, “Under Armour says data breach affected about 150 million MyFitnessPal accounts”, CNBC, 2018,
[https://www.cnbc.com/2018/03/29/under-armour-stock-falls-after-company-admits-data-breach.html], as
accessed on 23.07.2020
187 Jason Murdock, “What is NameTests? Facebook Quiz App ‘Exposed Data of 120 Million Users’”, Newsweek,
2018, [https://www.newsweek.com/facebooks-new-leak-nametests-quiz-apps-120-million-users-exposed-user-
data-999261], as accessed on 23.07.2020
188 “ADIDAS US breach may have exposed millions of customers’ personal info”, The Register, 2018,
[https://www.theregister.com/2018/06/29/adidas_breach/]
189 Title 1.81.5, California Consumer Privacy Act of 2018,
[http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5]

• PrivacyCloud [founded on March 8th] launches its first mobile
application on July 14th, reaching 2,000 installs in its test markets
[Spain & Ireland] in a single week190.

August

• Google is faced with a major scandal with regards to how its apps
collect the user’s location history regardless of the user’s choice to
disable such tracking191.

September

• Facebook suffers a new security breach affecting 50 million people192.
• The first private lawsuit is filed against Google under the location

history revelations193.
• A new update to Google Chrome [69] forces users into a browser-

level login, resulting in public outcry and a subsequent amendment194
• The French data protection agency [CNIL] issues its first formal

warning against an AdTech firm: the DSP Vectaury happened to be

190 Michael Mcloughlin, “Free Netflix in exchange for your personal data: what are you willing to tell?”, El
Confidencial, 2018, [https://www.elconfidencial.com/tecnologia/2018-07-28/netflix-gratis-venta-datos-
personales_1597295/]
191 Associated Press, “Google records your location even when you tell it not to”, 2018, The Guardian, 2018,
[https://www.theguardian.com/technology/2018/aug/13/google-location-tracking-android-iphone-mobile]
192 Mike Isaac & Sheera Frenkel, Facebook Security Breach Exposes Accounts of 50 Million Users, The New York
Times, 2018, [https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html], as accessed
on 23.07.2020
193 Matt Binder, “Google sued over tracking locations even when ‘Location History’ is off”, Mashable, 2018,
[https://mashable.com/article/google-location-history-tracking-lawsuit/]
194 Zack Whittaker, “Security experts say Chrome 69’s ‘forced login’ feature violates user privacy”, 2018,
[https://techcrunch.com/2018/09/24/security-experts-say-chrome-69s-forced-login-feature-violates-user-
privacy/], as accessed on 23.07.2020

using the IAB Consent Framework [publicly disclosed on November
9th]195
• Tim-Berners-Lee announces the launch of Inrupt, a private venture
built on top of Solid, a decentralized web platform he and others had
been working on at MIT196
• Hu-manity.co launches a mobile app for people to claim their data as
property [a “31st human right”]197.

October

• Google announces closure of its Google+ social network after a
second undisclosed data breach affecting 50million users198.

November

• Facebook confirms having engaged a lobby firm to link negative
public perceptions of the firm to the billionaire George Soros199.

• A separate Facebook leak shows that selling user data was pondered
as an initial business model200.

195 “Mobile Applications: warnings for lack of consent to process geolocation data for advertising targeting”, CNIL,
2018, [https://www.cnil.fr/fr/applications-mobiles-mise-en-demeure-absence-de-consentement-geolocalisation-
ciblage-publicitaire-2]
196 Katrina Brooker, “Exclusive: Tim Berners-Lee tells us his radical new plan to upend the World Wide Web”, Fast
Company, 2018, [https://www.fastcompany.com/90243936/exclusive-tim-berners-lee-tells-us-his-radical-new-
plan-to-upend-the-world-wide-web], as accessed on 23.07.2020
197 “Hu-manity.co Launches World’s First Conumer App Empowering People to Claim their Data as Property”,
Business Wire, 2018, [https://www.businesswire.com/news/home/20180906005412/en/Hu-manity.co-Launches-
World%E2%80%99s-Consumer-App-Empowering-People], as accessed on 23.07.2020
198 Greg Sandoval, “Google shutters the Google+ social network after Wall Street Journal reports a huge security
lapse”, Business Insider, 2018, [https://www.businessinsider.com/google-shutters-google-social-network-after-
wsj-reports-a-huge-security-lapse-2018-10?IR=T], as accessed on 23.07.2020
199 Julia Carrie Wong, “Facebook policy chief admits hiring PR firm to attack George Soros”, The Guardian, 2018,
[https://www.theguardian.com/technology/2018/nov/21/facebook-admits-definers-pr-george-soros-critics-
sandberg-zuckerberg], as accessed on 23.07.2020
200 Olivia Feld, “Facebook's plans to sell user data revealed in email”, The Telegraph, 2018,
[https://www.telegraph.co.uk/technology/2018/11/29/facebooks-plans-sell-user-data-revealed-email/]

• Complaints are filed by Privacy International against Criteo, Experian,
Quantcast, Tapad, Acxiom, Oracle, and other
major AdTech players201.

• Marriott discloses the world's largest-ever data breach, affecting some
500 million people202.

December

• Facebook, it now emerged, bent its data rules for major customers,
allowing Apple, Amazon, Sony, or Netflix to read, edit, or delete
private messages203.

4.5.2 Coming to the Indian Aspect:
In February 2019, the Kerala police inducted a robot for police work. The same
month, Chennai got its second robot-themed restaurant, where robots not only
serve as waiters but also interact with customers in English and Tamil. In
Ahmedabad, in December 2018, a cardiologist performed the world’s first-in-
human telerobotic coronary intervention on a patient nearly 32 km away. All these
examples symbolize the arrival of AI in our everyday lives. AI has several positive
applications, as seen in these examples. But the capability of AI systems to learn
from experience and to perform autonomously for humans makes AI the most

201 “Our complaints against Acxiom, Criteo, Equifax, Experian, Oracle, Quantcast, Tapad”, Privacy International,
2018, [https://privacyinternational.org/advocacy/2426/our-complaints-against-acxiom-criteo-equifax-experian-
oracle-quantcast-tapad], as accessed on 23.07.2020
202 David Volodzko, “Marriott Breach Exposes Far More Than Just Data”, Forbes, 2018,
[https://www.forbes.com/sites/davidvolodzko/2018/12/04/marriott-breach-exposes-far-more-than-just-
data/#25c3e1046297], as accessed on 23.07.2020
203 Alex Hern, “Facebook shared private user messages with Netflix and Spotify”, The Guardian, 2018,
[https://www.theguardian.com/technology/2018/dec/19/facebook-shared-user-data-private-messages-netflix-
spotify-amazon-microsoft-sony], as accessed on 23.07.2020

disruptive and self-transformative technology of the 21st century. If AI is not
regulated properly, it is bound to have unmanageable implications204.

Predicting and analyzing legal issues and their solutions, however, is not that
simple. For instance, criminal law is going to face drastic challenges. What if an
AI-based driverless car gets into an accident that causes harm to humans or
damages property? Who should the courts hold liable for the same? Can AI be
thought to have knowingly or carelessly caused bodily injury to another? Can
robots act as a witness or as a tool for committing various crimes205?

All the above questions are rather about the usages of AI but for the same usages
we have to provide all our personal information to all these robots and how do we
know how secure our personal data is going to be, that no one is going to hack into
my autonomous car to track my movements or might even cause a crash.

The Ministry of Home Affairs issued an order granting authority to 10 Central
agencies, including the Delhi Commissioner of Police, the Central Bureau of
Investigation [CBI], and the Directorate of Revenue Intelligence, to pry on
individual computers and their receipts and transmissions “under powers conferred
on it by sub-section 1 of Section 69 of the Information Technology Act, 2000 [21
of 2000], read with Rule 4 of the Information Technology [Procedure and
Safeguards for Interception, Monitoring, and Decryption of Information] Rules,
2009”. It has authorized these “security and intelligence agencies” to intercept,
monitor and decrypt any “information generated, transmitted, received or stored in
any computer resource”. This is seen as an extreme measure to deny people their
right to privacy — more so because agencies such as the Delhi Police, the CBI, and

204 G.S. Bajpai & Mohsina Irshad, “Artificial Intelligence, the law and the future”, The Hindu, 2019,
[https://www.thehindu.com/opinion/op-ed/artificial-intelligence-the-law-and-the-future/article27766446.ece],
accessed on 23.07.2020
205 Ibid.

the Directorate of Revenue Intelligence cannot be strictly termed as organizations
concerned with homeland security. Internal security is the main excuse being given
for issuing such a directive. 206
The sole fascination of the government seems to be a collection of data. With an
unquenchable thirst for information, the government at the Centre and most
governments in the States have set out on a surveillance race207.
The little hope we had gained in AADHAR- PAN linkage case seems to be lost as
well, there are several big questions which need to be answered. How are they
going to invade our privacy? It can be a big leak by the social media sites whom
we very carefreely hand over our personal information or is it going to be the
secret government operation of surveillance keeping tab on everyone, you can
never know but can only be cautious.

206 Tathagata Satpathy, Karnika Seth & Anita Gurumurthy, “Are India’s laws on surveillance a threat to privacy?”,
The Hindu, 2018, [https://www.thehindu.com/opinion/op-ed/are-indias-laws-on-surveillance-a-threat-to-
privacy/article25844250.ece], as accessed on 23.07.2020
207 Tathagata Satpathy’s comment, “Are India’s laws on surveillance a threat to privacy”, The Hindu, 2018,
[https://www.thehindu.com/opinion/op-ed/are-indias-laws-on-surveillance-a-threat-to-
privacy/article25858338.ece], as accessed on 23.07.2020


Click to View FlipBook Version