Legal Framework for Protecting Privacy while Undertaking Online Transactions And Cyber Security

The General Data Protection Regulation (GDPR)

The GDPR is a comprehensive data protection law that came into effect in the European Union on 25 May 2018. It aims to give individuals more control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU. The GDPR imposes strict rules on how organisations collect, store, process and protect personal data, with severe penalties for non-compliance. It is crucial for data protection because it enhances transparency, accountability and the rights of individuals over their data.

Application 

The GDPR applies to any organisation established in the EU, as well as to organisations outside the EU which offer goods or services to individuals in the EU or monitor their behaviour there (Article 3). That ultimately means that almost every major corporation in the world needs a GDPR compliance strategy. There are two different types of data-handlers the legislation applies to: ‘controllers’ and ‘processors’. The definitions of each are laid out in Article 4 of the General Data Protection Regulation.

GDPR Controllers and Processors

A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while the processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”. If you were subject to the UK’s Data Protection Act 1998, for example, you will almost certainly need to be GDPR compliant, too.

“You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR,” says the UK’s Information Commissioner’s Office, the authority responsible for registering data controllers, taking enforcement action on data protection and handling concerns about the mishandling of data.

The GDPR places direct legal obligations on processors, including the obligation to maintain records of the personal data they handle and how it is processed (Article 30), which exposes a processor to a much higher level of legal liability should it suffer a breach. Controllers are also required to ensure that all contracts with processors contain the terms the GDPR prescribes (Article 28).

Personal Data under GDPR

The types of data considered personal under the previous legislation include name, address and photographs. The GDPR extends the definition of personal data to cover online identifiers, so that something like an IP address or a cookie identifier can be personal data. It also singles out special categories of sensitive personal data, such as genetic data and biometric data processed to uniquely identify an individual, which may only be processed in limited circumstances (Articles 4 and 9).

Governance:

The GDPR seeks to ensure that organisations place data governance at the heart of what they do, and it introduces a number of requirements to make compliance a serious focus for companies. Within the organisation, it is important to raise awareness of privacy issues and to embed privacy compliance among decision makers and rank-and-file staff alike, so that the business is proactive rather than reactive. (Articles 5, 27, 37-39)

Record of Processing:

The GDPR requires organisations to maintain a detailed record of all processing activities, including the purposes of processing, a description of the categories of data subjects and personal data, the categories of recipients, any transfers to third countries, the envisaged retention periods and a general description of the security measures in place; in practice this calls for a comprehensive data flow map. A number of stakeholders will need to be involved in creating and maintaining this record. (Article 30)

Accountability:

One of the threads running through the GDPR is the requirement for organisations to hold documentation that demonstrates how they comply with it. Compliance should be integrated within the audit framework to ensure that policies, processes and controls are actually working. (Articles 5, 24, 25, 30)

Consent:

In order to lawfully process personal data, one of the conditions of processing set forth in the GDPR must be satisfied. While the grounds for processing are broadly the same as those set out in the Data Protection Directive (95/46/EC), the GDPR imposes new requirements for obtaining valid consent: consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in (consent cannot be inferred from silence or pre-ticked boxes), consent must be separate from other terms and conditions, and simple options to withdraw consent must be available. Under the GDPR, privacy notices must state the processing ground relied upon and, if relying on legitimate interests, state the nature of the legitimate interest. This matters because individuals’ rights differ depending on the lawful basis for processing, e.g., there is a stronger right to be forgotten where consent is the lawful basis. Consider whether the specific requirements relating to consent from children apply to your organisation (see Children). (Articles 5, 6, 7, 9, 10, 85-91)

Notices:

● There is an emphasis on transparency in the GDPR. Notices must be clear, concise and informative. Employees must be adequately informed of all data processing activities and data transfers, and the information set out in Articles 13 and 14 must be provided. Data relating to criminal convictions and offences may only be processed under the control of official authority or where authorised by Union or member state law. (Articles 10, 12-14)

● The same transparency requirement applies to customers. Customers must be adequately informed of all data processing activities and data transfers, and the information set out in Articles 13 and 14 must be provided, e.g., the legal basis for the processing of personal data. Notices must also meet the new consent requirements where consent is relied upon as the lawful ground of processing. (Articles 12-14)

● The GDPR requires parental consent for the processing of a child’s personal data in relation to information society services offered directly to the child; the age threshold is 16 by default, and member states may lower it to no less than 13. The GDPR leaves a lot to the discretion of the member states as to how children must be treated under this provision. (Articles 8, 12)

Data Subjects Rights:

The rights to request access to data, or to require it to be rectified or deleted, have been expanded to include a much broader right to require deletion (“the right to be forgotten”). Organisations should consider how they would execute a request to delete all of the requestor’s personal data. A right to data portability is also new: a right not just to access your data but to have it provided in a machine-readable and commonly used format, free of charge. Versions of the existing right to object to any processing undertaken on the basis of legitimate interests or for direct marketing, and the right not to be subject to decisions based solely on automated processing, are also included and expressly refer to a right to object to profiling. These rights must be clearly communicated in the notices given to data subjects, e.g., the privacy policy. (Articles 15-23)

Privacy by design and default:

To bring privacy considerations to the forefront of organisational decision making, the GDPR requires data protection requirements to be considered when new technologies are designed or onboarded, or when new projects using personal data are being planned. Data protection impact assessments (DPIAs) should be used to ensure compliance in any event, but they are mandatory for projects where the processing is likely to result in a high risk to individuals, e.g., processing of sensitive personal data or criminal convictions on a large scale, systematic monitoring of a publicly accessible area, or systematic and extensive evaluation by automated means, including profiling. Where the processing is high risk and the risk cannot be sufficiently mitigated, the supervisory authority must be consulted before processing begins. (Articles 25, 35, 36)

Compliant Contracting And Procurement:

Procurement processes and vendor contracts will need to be updated to reflect the GDPR requirements and to flow down the obligations that must be met by any party processing the personal data of EU data subjects on your behalf. (Article 28)

Data Breach Procedures:

The GDPR introduces a new data breach notification regime. Organisations must act quickly, contain and mitigate the breach and, where the notification thresholds are met, notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms. A processor must notify the controller without undue delay after becoming aware of a breach. (Articles 32-34)

Data Export:

The GDPR restricts transfers of personal data to group entities and third-party vendors outside the European Economic Area. Such transfers are permitted only where the European Commission has decided that the destination country offers an adequate level of protection, where appropriate safeguards such as standard contractual clauses or binding corporate rules are in place, or where one of the limited derogations for specific situations applies. (Articles 44-50)

The Digital Personal Data Protection Act, 2023 (“DPDP Act”) 

The DPDP Act has been passed by both Houses of Parliament, has received the President of India’s assent and was published in the official gazette on August 11, 2023. The DPDP Act is the fifth iteration of the proposed personal data protection legislation and appears to be based on the draft Bill released by the Ministry of Electronics and Information Technology on November 18, 2022, titled the Digital Personal Data Protection Bill, 2022, which was open for public consultation. The DPDP Act focuses on digital personal data and does not apply to non-personal data. Once its provisions are brought into force, the DPDP Act will replace Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). The DPDP Act is to come into force in a phased manner, i.e., as and when the Central Government notifies its provisions from time to time.

Applicability

  • Only applies to digital personal data- The DPDP Act applies only to personal data that is collected in digital form, or that is collected in non-digital form and subsequently digitised.
  • Territorial and overseas applicability- The DPDP Act applies to the processing of digital personal data within India, and to processing outside India only if such processing is in connection with any activity related to the offering of goods or services to data principals (data subjects) in India.
  • Exclusions – The DPDP Act does not apply to: (i) personal data processed by an individual for any personal or domestic purpose; or (ii) personal data made publicly available by the data principal herself or any other person under a legal obligation.

Data Protection Principles- The DPDP Act encapsulates the following essential principles:

  • Purpose limitation – Personal data should only be processed for a lawful purpose for which the data principal has given her consent and in accordance with the DPDP Act; and
  • Collection limitation – Only such personal data should be collected which is necessary.

No sub-classification of personal data 

The provisions of the DPDP Act apply to all kinds of personal data and do not envisage sub-categories of personal data, such as sensitive personal data or critical personal data. Accordingly, the requirements of the DPDP Act apply equally to all forms of personal data, regardless of the nature or type of the personal data. This approach deviates from the current Indian data protection law contained in the SPDI Rules, which distinguish between ‘personal information’ and ‘sensitive personal data or information’ and prescribe incremental compliance requirements for the processing of sensitive personal data or information.

Consent & Notice

  • Affirmative Consent- Consent is the underlying basis for processing personal data and needs to be free, specific, informed, unconditional and unambiguous. Such consent has to be provided by a clear affirmative action, and signify the data principal’s agreement for processing of her personal data for the specified purpose.
  • Withdrawal of Consent -The data principal has the right to withdraw consent at any time with same level of ease with which she gave her consent. Such withdrawal of consent will not affect the legality of processing of the personal data based on consent before its withdrawal.
  • Notice – A notice needs to be provided to the data principal, along with or preceding every request for consent, informing the data principal about the personal data and the proposed purpose of processing, and the manner in which she may exercise her right to withdraw consent, avail of the grievance redressal mechanism and make a complaint to the DPB (defined below). Where the data principal gave consent for processing her personal data before the law comes into force, a similar notice needs to be provided to her as soon as it is reasonably practicable, and the data fiduciary may continue processing her data until she withdraws the prevailing consent in response to that notice.
  • Notice & Consent in multiple languages- The data principal should have the option to view the notice and consent form in English or in any other language specified in the Eighth Schedule of the Constitution of India (which includes Urdu, Tamil, Telugu, Sanskrit, Punjabi, Marathi, Hindi, Kannada, Bengali, Gujarati, Kashmiri, etc.).
  • Legitimate Uses (for processing without consent) – The DPDP Act renames the concept of ‘deemed consent’, which the 2022 draft bill envisaged for the processing of personal data in certain special use cases without the consent of the data principal, as ‘legitimate uses’. The legitimate uses for which a data fiduciary may process personal data without obtaining the data principal’s consent include specified purposes for which the data principal has voluntarily shared personal information without objecting to such processing, processing for purposes of employment, responding to medical emergencies, performing any function under law or the State providing any service or benefit to the data principal, compliance with any judgment or order issued under any law, etc.

Obligations of Data Fiduciary

Data fiduciaries are responsible for compliance with the DPDP Act, including for processing of personal data undertaken by a data processor on their behalf. Where the data fiduciaries are processing personal data that is likely to be used to make a decision that affects the data principal or is to be shared with another data fiduciary, they are required to ensure accuracy and completeness of such personal data. Data fiduciaries are also required to delete personal data, if the data principal withdraws her consent or if it is reasonable to assume that the specified purpose is no longer being served, unless such retention is necessary for compliance with law.

Notification of personal data breach

Personal data breaches need to be intimated by the data fiduciary to the DPB (defined below) and to each affected data principal, in such manner as may be prescribed.

Cross-border transfer of personal data

Personal data can be transferred by a data fiduciary to any other country or territory for processing, unless the Central Government restricts such transfer to any notified countries. In other words, the DPDP Act adopts a blacklisting approach, which implies that personal data is freely transferable unless the transfer is proposed to be made to a territory or country ‘blacklisted’ by the Central Government. That said, the DPDP Act clarifies that if any other law or sectoral regulation provides for a higher degree of protection for, or restriction on, the transfer of personal data outside India, whether in relation to certain personal data or a class of data fiduciaries, such law or regulation will apply.

Significant data fiduciaries

The Central Government may notify any data fiduciary, or a class of data fiduciaries, as significant data fiduciaries taking into account multiple factors (such as the volume and sensitivity of personal data processed, risk to the rights of the data principal, security of the State, etc.). Significant data fiduciaries need to comply with additional requirements, such as appointing an individual based in India as data protection officer, appointing an independent data auditor to evaluate compliance with the DPDP Act, conducting periodic audits and data protection impact assessments, and undertaking such other measures as may be prescribed.

Data of Children and Persons with Disability

Verifiable consent of a parent or lawful guardian is required to process the personal data of children and persons with disabilities. The DPDP Act prohibits tracking or behavioural monitoring of, and targeted advertising directed at, children, and the processing of children’s data that is likely to cause any detrimental effect on the well-being of a child. Notably, the DPDP Act enables the Central Government to exempt classes of data fiduciaries, and processing for certain purposes, from the requirement of obtaining parental consent and from the prohibition on behavioural monitoring. It also empowers the Central Government to exempt data fiduciaries processing the data of children above a certain age but under 18 years, in certain situations, from the specific obligations attached to processing children’s data.

Rights of data principals

The DPDP Act provides certain rights to data principals, which include the right to access information about personal data, including a summary of the personal data being processed, the underlying processing activities, any other information as prescribed, and the identities of all other data fiduciaries and data processors with whom such data has been shared; the right to correction and erasure of personal data; and the right to nominate an individual to exercise these rights on their behalf in the event of their death or incapacity, etc. As per the DPDP Act, data fiduciaries need to offer readily available grievance redressal mechanisms to data principals. In this regard, the data principal must exhaust all options for grievance redressal before approaching the DPB (defined below).

Data Protection Board of India

The DPDP Act contemplates the establishment of a Data Protection Board (“DPB”), as an enforcement body, which will have powers, inter alia, to direct any urgent remedial or mitigation measures on receipt of intimation regarding a personal data breach, inquire into such breach, impose penalties for non-compliances, inspect any document, summon and enforce attendance of any person etc. An appeal may be preferred against an order of the DPB before the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”) established under the Telecom Regulatory Authority of India Act, 1997 within specified timelines, and in the prescribed manner. An appeal against the order of the TDSAT may be preferred before the Supreme Court of India.

Power to call for information and block access

The DPDP Act empowers the Central Government to call for any information from the DPB, a data fiduciary or any intermediary. Where the Central Government receives a reference from the DPB that it has imposed monetary penalties on a data fiduciary in two or more instances, and the DPB advises blocking public access to any information transmitted on any computer resource, the Central Government may, by written order, direct the blocking of public access to such information on grounds of public interest. This order has to be passed in writing and after giving the data fiduciary an opportunity to be heard.

Penalties

  • Monetary penalties for breach- Depending on the nature of contravention, monetary penalties up to INR 250 crores may be levied by the DPB on the conclusion of an inquiry. Several factors may be taken into account to determine the quantum of penalties including – nature, gravity and duration of breach, type of personal data affected, repetitive nature of breach, and whether as a result of a breach, the defaulting person has realized a gain or avoided any loss etc.
  • No Compensation – The DPDP Act does not provide for payment of compensation to data principals whose personal data has been compromised. This is a deviation from the IT Act which allows affected data principals to claim compensation from a data fiduciary who failed to implement reasonable security safeguards and as a consequence, have caused wrongful loss or gain. That said, the DPDP Act casts certain duties on the data principals, amongst others, to furnish only verifiably authentic information, not to impersonate another person while providing personal data for a specified purpose, not to register a false or frivolous grievance or complaint with a data fiduciary or the DPB, etc. For any breach in observance of such duties, the data principals may be penalized up to INR 10,000.

Voluntary Undertaking – The DPDP Act also allows the DPB to accept from a person facing action for non-observance under the law a voluntary undertaking, which may include a commitment – (a) to take action within a time frame as determined by the DPB, or (b) to refrain from taking specified action, and/ or (c) to publicise the voluntary undertaking. Once such voluntary undertaking is accepted by the DPB, it will constitute a bar on proceedings under the law as far as it relates to the contents of the voluntary undertaking.

Exemptions

The DPDP Act exempts from applicability, (a) all of its provisions, in case of processing by certain notified instrumentalities of State, in the interests of sovereignty and integrity of India, maintenance of public order, etc., and (b) some of its provisions, in case processing is necessary for enforcement of a legal right or claim, merger or amalgamation, investigation or prosecution of an offence, etc. The DPDP Act also provides an enablement for the Central Government to exempt by notification certain data fiduciaries including startups from specified obligations such as notice and retention requirements, those applicable to significant data fiduciaries, etc.
