Legislation Updates

The borderless nature of the Internet raises several jurisdictional issues in data protection. A single act of processing of personal data could very easily occur across multiple jurisdictions. Traditional principles of sovereignty and territorial jurisdiction evolved in circumstances where such cross-border actions were uncommon. As such, it is not easy to determine what kind of application clause a data protection law must have.

1. Context-Setting: Several jurisdictions have deliberated on the applicability of a data protection law to individuals as well as corporate entities/juristic persons. For instance, the EU General Data Protection Regulation (GDPR) applies to ‘natural persons’, as the definition of ‘personal data’ is specifically linked to individuals and not legal/juristic persons. Data related to juristic persons such as confidential business information and corporate strategies should be protected against various types of processing activities on such data. Further, such data should be subject to data security safeguards in order to ensure that the legitimate interests of juristic persons are protected.

Most key principles of data protection such as lawful processing and individual participation are intrinsically derived from the object of protecting the autonomy and dignity of the individual. It would be difficult to extend these principles to data relating to a juristic entity.

2. Nature of Personal Data: The distinction between data and information in their ordinary usage is perhaps not determinative in data protection. As the object of the law is to demarcate the sphere of information relevant to the protection of the identity of an individual, the choice of the term “data” or “information” may not matter, as these terms would not be used in their ordinary sense. The definition will have to cover both data and information wherever they bear a connection to the identity of the individual.

This is reflected in international practice as well. The report further deals with the concepts of an identified or identifiable individual, pseudonymisation and anonymisation, and personal data in the context of new technologies.

3. Several Exemptions: There are some activities which cannot be brought under the purview of a data protection law. In other words, a data controller can be exempted from certain obligations of a data protection law based on the nature and purpose of the processing activity. For instance, if a law enforcement officer wants to collect or use personal information for the purpose of an investigation, seeking the consent of the data subjects or allowing them to access or rectify their data would delay the process and may even defeat its purpose. Specific exemptions include personal or household purpose, journalistic/artistic/literary purposes, research/historical and statistical purposes, investigation and detection of crime, national security or security of State and other similar grounds.

4. Cross-Border Flow of Data: With the advent of the Internet, huge quantities of personal data relating to employees and customers are being transferred internationally. Such data transfers often occur between and among units of the same corporate enterprise that are located in different countries as many of these global enterprises have customer databases and storage facilities in a number of regional locations. Cross-border flow of data is vital to accessing valuable digital services.

There are two tests identified for the formation of laws relating to cross-border flow of personal data: the adequacy test and the comparable level of protection test. In order to implement the adequacy test, there needs to be clarity as to which countries provide an adequate level of protection for personal data. The data protection authority should be given the power to determine this. The adequacy test is particularly beneficial because it will ensure a smooth two-way flow of information, critical to a digital economy.

5. Data Localisation and Related Issues: Data localisation requires companies to store and process data on servers physically located within national borders. Governments across the globe, driven by concerns over privacy, security, surveillance and law enforcement, have been enacting legislation that necessitates localisation of data. A nation has the prerogative to take measures to protect its interests and its sovereignty, but it must carefully evaluate the advantages and dangers of locally storing data before taking a firm decision on an issue that has the potential to cause a major ripple effect across a number of industries. Issues such as protecting the rights of data subjects, preventing foreign surveillance, easy access to data in support of law enforcement and national security, IT-BPO/BPM industrial growth, digitisation of product and service offerings, India as a capital of analytics services, cloud services brokerage, global in-house centres (GICs), etc. have been dealt with in the report.

6. Grounds of Processing, Obligation on Entities and Individual Rights (Informational Privacy): The report deals with grounds of processing, the obligation on entities and individual rights. Consent forms the foundation of data protection law in many jurisdictions. There is great value in using consent as a validating mechanism for data processing. It satisfies two needs. First, consent is intuitively considered the most appropriate method to ensure the protection of an individual’s autonomy. Allowing an individual to have autonomy over her personal information allows her to enjoy “informational privacy”. Informational privacy may be broadly understood as the individual’s ability to exercise control over the manner in which her information may be collected and used. Second, consent provides a “morally transformative” value as it justifies conduct, which might otherwise be considered wrongful.

The report also deals with the concept of ‘child consent’.

7. Consent: The report further throws light on the idea of ‘consent’ as it is operationalised through the mechanism of “notice and choice”. The underlying philosophy is that consent through notice puts the individual in charge of the collection and subsequent use of her personal information. Notice purports to respect the basic autonomy of the individual by arming her with relevant information and placing in her hands the ultimate decision of whether or not her personal information is to be used.

8. Other Grounds of Processing: Lawfulness of processing is a core principle under data protection law. The Organisation for Economic Co-operation and Development (OECD) Guidelines recognise lawfulness of processing under the collection limitation principle, which provides that collection of personal data must be limited, that any such collection should be done only by lawful and fair means and, where appropriate, with the consent of the concerned individual. Issues such as ‘the requirement to have additional grounds of processing, along with consent’ and ‘lack of clarity with respect to certain grounds of processing, such as “public interest”, “vital interest” and “legitimate interest”’ have been dealt with.

9. Purpose Specification and Use Limitation: An entire chapter deals with purpose specification and use limitation. Purpose specification is an essential first step in applying data protection laws and designing safeguards for the collection, use and disclosure of personal data.

10. Sensitive Personal Data: The definition of “sensitive data” follows the Sensitive Personal Data Rules, 2011. The need to further examine the rationale behind certain categories of personal data, and the difficulty of determining the context of use which could make data sensitive, have been covered in the report.

11. Individual Participation Rights: Two specific chapters deal with individual participation rights such as the right to confirmation, right to access, right to rectification, right to object to processing, right to object to processing for the purpose of direct marketing, right not to be subject to a decision based solely on automated processing, right to data portability, and right to restrict processing. Following these two, there is another chapter that deals entirely with the ‘right to be forgotten’.

12. Enforcement Models: Part IV of the work deals with enforcement models. The enforcement of data protection norms is complicated primarily by two factors: first, the application of the norms across different fields, sectors, industries and contexts and, second, the rapid pace of development and change in data processing technologies. These factors produce unique enforcement problems not found in other regulatory fields. Model types such as command-and-control regulation, self-regulation and co-regulation are explained in brief.

13. Data Protection: Central to accountability are the concepts of ‘privacy by design’ and ‘privacy by default’ which oblige businesses to consider data privacy at the initial design stages of a project as well as throughout the life cycle of the relevant data processing. In this sense, accountability does not redefine data protection, nor does it replace existing law or regulation, since accountable organisations must comply with existing applicable law. Instead, accountability shifts the focus of privacy governance to an organisation’s ability to demonstrate its capacity to achieve specified privacy objectives.

14. The last part of the report throws light on personal data breach notification, the categorisation of data controllers, and the Data Protection Authority.

15. Penalties: The last chapter deals with the provision of penalties. In the context of a data protection law, civil penalties may be calculated in a manner that ensures the quantum of civil penalty imposed not only acts as a sanction but also acts as a deterrent to data controllers that have violated their obligations under a data protection law.

Hot Off The Press | News

On the 13th day of the Aadhaar hearing, Senior Advocate Gopal Subramanium concluded his arguments before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ, after which Senior Advocate Arvind Datar took centre stage and began his arguments.

Below are the highlights from Day 13 of the Aadhaar Hearing:

  • Privacy judgment talks about identifying eligible recipients but the present Act does not identify eligible recipients, instead it provides proof of identity.
  • Sans criminality or any offence being committed, people cannot be asked to give their biometrics. Biometric authentication was considered only in the case of commission of crime.
  • Launching of electoral rolls for purification, linking it with Aadhaar: A 3-Judge Bench of the same court had issued a note, post which the programme was suspended.
  • Aadhaar Bank linking:
    • Aadhaar bank linking is for money laundering but NPCI is making the database available to private parties. Anyone can get a profile of an individual from the State Resident Data Hubs. Says there’s no limitation on what info can be stored in SRDH.
    • Rakesh Dwivedi: SRDHs were established under MoUs under the UPA regime. After the Act was enacted, the data was destroyed.
  • The authentication agents are not govt. agents. They’re private players. Aadhaar bridge is an invitation to business which would be done through this agent.
  • Chandrachud, J: Section 57 only allows authentication by the private parties; then how do they get access to the data?
  • Gopal Subramanium: Due to seeding of Aadhaar with multiple databases, the entity can gain access to the profile of the individuals.
  • The burden of updating the information in CIDR is on the individuals.
  • Chandrachud, J: The govt. can’t be expected to keep a track of all the changes.
  • Gopal Subramanium: Demographic is another thing, but how will an individual get to know that she’s due for biometric updation?
  • Khanwilkar, J: In case of an authentication failure, the person can go for updation.
  • Gopal Subramanium: An authentication failure is viewed as the person being a ghost, fake nowadays.
  • In case the biometric info is lost or changes subsequently, the individual will have to request UIDAI to make alterations in his records.
  • In case authentication fails, the entitlements may be annulled, resulting in permanent disablement. Due to technology, the possibilities of profiling are very strong.
  • The algorithms are unpredictable in nature. UIDAI is not the algorithm writer. What guarantees do we have then?
  • With big data, we can get the details of the individuals, especially if combined with other data sets. It can even give geographical data of the individuals.
  • In the absence of a data protection law, the injury or vulnerability is heightened. No assurance can lessen that.
  • The data retention should also follow reasonable and substantive reasonableness. It cannot be for all the people. That’s very broad.
  • There’s an uncertainty associated with biometric systems. They’re probabilistic in nature. There is a risk of error.
  • (Refers to the interim orders of the SC) Everyone including the govt. is bound by the orders of the Court. But, after 2016 Act, the govt. did not obey those orders. There has been a continuous violation. Petitioners have brought to the notice of the Court continuously. Now in 2018 we have starvation deaths. Court must grant exemplary damages and compensation to those who lost lives or were otherwise excluded.

Senior Advocate Gopal Subramanium concluded his submissions and Senior Advocate Arvind Datar began his arguments. However, the CJI asked him to submit a note on the points to be covered and then elaborate on those from 6th March onwards.

The Bench will now hear the matter on 6th March 2018 after Holi break.


Source: twitter.com/SFLCin

Hot Off The Press | News

On the 12th day of the Aadhaar hearing, Senior Advocate Gopal Subramanium resumed his arguments before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ. On the day before, he had argued that identification of a citizen through a number was completely destructive of dignity. He said:

“State is treating people like they are a flock of sheep. Even a flock of sheep requires someone more transcendental to lead.”

Below are the highlights from Gopal Subramanium’s arguments on Day 12 of the hearing:

  • Constitutional value of human dignity:
    • To live is to live with dignity. (Refers to the case of Subramanian Swamy, which talks about the concept of reputation as a natural right, a facet of dignity.)
    • Lack of authentication has led to deprivation which has led to debt. It is an accountable State architecture. The insignia is some kind of probity and rectitude which should be assured.
    • I agree that people should have a political identity. However, there are two expressions, ‘identity’ and ‘identification’, and it is the former which has constitutional relevance. Minimal, regulatory identification is fine, but identification for availing rights is not.
    • State has a duty to be citizen friendly.
    • Aadhaar Act, 2016 has an element of objectification. It depersonalises an individual. It eliminates any form of transaction except through the medium of this Act.
    • Unique identity cannot be given by a number. Identity is as natural as the life itself. State is obliged under Article 13 to respect the rights of the individuals.
    • State cannot use this present mechanism to find out the ghost people. State needs to have a better mechanism which makes it accountable and follows due procedure.
    • Opacity is antagonistic to rationality. The law must be able to rationalize its objectives.
  • Informational privacy:
    • The statute itself gives evidence that there is an aggregation of data including the metadata.
    • (Chandrachud, J asks to read para 309 of the privacy judgment, which talks about monitoring the web for national security.) It is different. It talks about monitoring of the web, not aggregation. In the case of aggregation of data, if somebody hacks into the database, what will become of the individuals?
  • Section 59 of Aadhaar Act, 2016:
    • The expression ‘by law’ under Section 59 of the Aadhaar Act means law in present time and not retrospection.
    • If there’s an invasion of fundamental rights, what is without the authority of law cannot be deemed to have been done under the authority of law.
    • Interface of accountability takes place at the lowest level, state and then union level. Says Aadhaar violates the federal nature. (Refers to proviso to Article 73(1) of the Constitution. Enlists the entries in the concurrent list concerning Aadhaar)
    • To examine Section 59, two points will have to be considered i.e. absence of law and invasion of rights.
      • A law cannot subsequently cure the invasion of rights. De-facto and de-jure invasion has taken place here. It is complete. And in such a case, a law cannot retrospectively cure such actions.
      • Chandrachud, J: In the context of Section 57, whether, prior to 2016, State govts. also utilised Aadhaar?
      • Gopal Subramanium: State govts. entered into MoUs to establish State Resident Data Hubs.
      • Why should the beneficiaries of the schemes beg the State to get their entitlements?
      • The heart and soul of this Act is authentication. If authentication fails, consequence is disablement. In such a case, there’s no form of substantive or procedural redressal.
      • This Act doesn’t even provide for retrieval of core biometric information. To compensate it gives provision of update. But how will an individual come to know that his biometrics need updation?


Source: twitter.com/SFLCin