1. ‘Enforcing’ the Information Technology Act:
Regulating Cyberspace – Version 2.0
Rodney D. Ryder
Scriboard
2. Internet Security and Legal Compliance:
Regulating Cyberspace – Version 2.0
Part 1 – Internet Law and Policy
• Information Technology Act, 2000
• Structuring a policy
• Current law in India
Part 2 – Data Privacy and Information Security [Challenges and
Strategies]
• Data Protection legislation around the world [European
Commission Directive and the UK Act; Data Protection model:
the United States]
3. The need for a national strategy
Internet Law and Policy: New
Media Regulation and India
4. The Rise [and fall?] of Cyberspace
• The Importance of Internet Architecture – ‘decentralised routing system’ – designed
to carry messages from point to point even if intermediate communication exchanges
are blocked, damaged or destroyed. <the dumb network>
• ‘The net interprets censorship as damage, and routes around it’. John Gilmore,
Lawless, The Economist, July 1995.
• <Cyberspace>; <Neuromancer> and the “Network” [A place governed by its own laws
- as introduced by William Gibson]
• “Law and Borders”: the ‘independent’ theory of cyberspace law [David Post and David
Johnson, Stanford Law Review]
• Benkler’s layers – the physical, the code and content [in communications theory]
• Lessig <Code and other laws of Cyberspace>
• Ryder <Regulating ‘Indian’ Cyberspace>
• Goldsmith and Wu <Who Controls the Internet? The Illusions of a Borderless World>
5. The ‘New Medium’ and the Law
• The Information Technology Act, 2000 – in a phrase: ‘functional
equivalence’
• ‘Electronic Commerce’ as an objective
• Understanding the role of the medium – incidental [blackmail,
stalking]; content [obscene or sensitive material]; integrity
[unauthorised access and/or modification]
• Adaptability and Enforcement of Indian law – lessons from the
American experience [Adobe Systems v. Dmitry Sklyarov]
6. Structuring Information Systems Management
• The Basics: the “machine” and the “medium” – What is a Cybercrime?
• The criminal act – discovery [detection] and analysis
• The Cybercrime Manual – fostering preparedness
• Focussing on ‘relevant’ issues and appropriate classification of
offences
• Cyber forensics and the collection of evidence
• Crisis management [internal and external]
7. The Information Technology Act, 2000
• Chapter I: Preliminary [Definitions]
• Chapter II: Digital Signatures and Electronic Signatures
• Chapter III: Electronic Governance
• Chapter IV: Attribution, Acknowledgement and Dispatch of Electronic
Records
• Chapter V: Secure Electronic Records and Secure Electronic
Signatures
• Chapter VI: Regulation of Certifying Authorities
• Chapter VII: Electronic Signature Certificates
8. The Information Technology Act, 2000
• Chapter VIII: Duties of Subscribers
• Chapter IX: Penalties, Compensation and Adjudication
• Chapter X: The Cyber Appellate Tribunal
• Chapter XI: Offences
• Chapter XII: Intermediaries not to be liable in certain cases
• Chapter XIIA: Examiner of Electronic Evidence
• Chapter XIII: Miscellaneous
9. ‘Offences’ under the Indian Information Technology Act, 2000
• Tampering with computer source documents/‘code’ [Section 65];
• Transmission of Offensive Messages through Communication [Section 66A];
• Dishonest receipt of stolen computer resource or communication device [Section
66B];
• Punishment for Identity Theft [Section 66C];
• Cheating by personation using computer resource [Section 66D];
• Violation of Privacy [Section 66E];
• Cyber Terrorism [Section 66F];
• Publishing or transmitting obscene material in electronic form [Section 67]; Publishing
or transmitting of material containing sexually explicit act in electronic form [Section
67A]; Publishing or transmitting of material depicting children in sexually explicit act in
electronic form [Section 67B].
10. ‘Duties’ under the Indian Information Technology Act
• Duty of the Organisation “… maintain reasonable security practices
and procedures” [Section 43A] – What is a reasonable Corporate
Security System? [ISO 27001/27002]
• “Offences by Companies” [Section 85] – “… every person who, at the
time the contravention was committed, was in charge of, and was
responsible to, the company for the conduct of business of the
company as well as the company…”
• Use of Organisation’s IT Resources should be governed by Internal IT
Use and Security Policies
11. E-Commerce and the Model Law - I
• New Terms [and Issues]: Virtual Goods, Web hosting, Server
[essence of business transactions remains the same]
• Conventional law has not become obsolete... [a] ‘Online’ contracts are
not different from ‘off line’; [b] Medium of a transaction is generally
irrelevant for the law.
• Traditional Legal concepts based on the existence of a tangible
medium: ‘instrument’, ‘document’, ‘original’, ‘signature’…
• Legal concepts based on geographic location: ‘delivery’, ‘receipt’,
‘dispatch’, ‘surrender’…
12. E-Commerce and the Model Law - II
Model Law: [a] to facilitate rather than regulate electronic commerce;
[b] to adapt existing legal requirements; [c] to provide basic legal
validity and raise legal certainty.
Functional Equivalence: [a] Analyse purposes and functions of
paper-based requirements [‘writing’, ‘record’, ‘signature’, ‘original’];
[b] consider criteria necessary to replicate those functions and give
electronic data the same level of recognition as information on
paper.
Media and Technology Neutrality: [a] Equal treatment of paper-based and
electronic transactions; [b] Equal treatment of different
techniques [EDI, e-mail, Internet, telegram, telex, fax]
13. E-Commerce and the Model Law - III
– Party Autonomy: [a] Primacy of party agreement on whether and how to
use e-commerce techniques; [b] Parties free to choose security level
appropriate for their transactions
– Article 7 [Signature]: Legal requirement is met in relation to a data
message if: [a] a method is used to identify the signatory and to indicate
his approval of the information contained in the data message; and [b]
that method is as reliable as was appropriate for the purpose for which
the data message was generated or communicated.
– Article 8 [Original]: Legal requirement is met by a data message if: [a]
there exists a reliable assurance as to the integrity of the information
from the time when it was first generated in its final form, as a data
message or otherwise; and [b] information is capable of being displayed
to the person to whom it is to be presented.
14. E-Commerce and the Model Law - IV
• Article 9 [Evidence]: In any legal proceedings, nothing in the rules of
evidence shall apply so as to deny the admissibility of a data message in
evidence solely because it is a data message.
Article 11 [Use of data messages in contract formation]
Article 12 [Non-repudiation]
Article 13 [Attribution of data messages]
Article 14 [Acknowledgement of receipt]
Article 15 [Time and place of dispatch and receipt]
Articles 16 and 17 [Electronic commerce and carriage of goods]
15. E-Commerce and the Model Law - V
A data message is deemed to be sent when it enters an information system
outside the control of the originator.
A data message is deemed to be received: [a] If the addressee has
designated an information system to receive the message, when the
message enters the designated system; or [b] If the message is sent to an
information system other than the designated system, when the addressee
retrieves the message.
16. ‘Jurisdiction’: Reading the Information Technology Act [I]
• The relevance of physical location
• Technology and the elimination of physical contact
• Indian jurisdiction in cyberspace: a ‘simpler’ reading of section
75 [Indian Information Technology Act, 2000]
• Wired [August 2000]: “Welcome to Sealand,…”
17. ‘Jurisdiction’: Reading the Information Technology Act [II]
• The simplistic view: is Cyberspace a place?
• Direct interaction or through an agent [bot]?
• The arcane exercise: where to sue?
• Blurring vision: product or service
• The basic paradigm: the absoluteness of boundaries
• The relevance of physical location [‘lex situs’]
• Targeting
18. ‘Jurisdiction’: Reading the Information Technology Act [III]
• Zippo Manufacturing Co. v. Zippo.com Inc. 952 F Supp 1119 [1997] – the sliding scale test [‘… the nature and quality of commercial activity’]
• Sliding – [a] entering into a contract, subsequently uploading files,
Compuserve Inc. v. Patterson 89 F 2d 1257 (1996); [b] website,
targeting users of a jurisdiction, Maritz Inc. v. Cybergold Inc 947 F
Supp 1328 (1996)
• Sliding – [a] Website not interactive, only contained general
information Bensusan Restaurant Corp v King 937 F Supp 296
(1996); [b] ‘U-Hell’ website that described their experience with
‘U-Haul’ U-Haul International Inc v. Osborne 1999 US Dist LEXIS 14466
(1999); [c] Server only point of contact Pres-Kap Inc v. System One
Direct Access Inc 636 So 2d 1351 (1994).
19. ‘Jurisdiction’: Reading the Information Technology Act [IV]
• Calder v. Jones 465 US 783 (1984) – ‘targeting’ [emerging as the
dominant test – direct relationship or referral]
• Metro-Goldwyn Mayer Studios Inc. v. Grokster Ltd. 243 F Supp 2d
1073 (2003) – ‘… the software had an impact or effect…’
• ‘Free Speech’ and the Internet: Dow Jones & Company v. Gutnick,
(2002) 77 AJLR 255; [2002] HCA 256. [Callinan J, ‘… American legal
hegemony’] [‘accessibility’; ‘reputation’]
• Publication – a bilateral act?
• Reasonableness – reputation in the forum, whether the publisher
knew or ought to have known this, ‘extent’ of publication, extent to
which the plaintiff is a subject.
20. Internet Cases in India [I]
• Vodafone Essar Ltd v Raju Sud [Bombay High Court; Summary Suit No. 3264/2009
Dated: 22 November, 2011] - a subscriber challenged the authenticity of
computer-generated bills which contained the charges. The Court held that, “printouts taken
from the computer/server by mechanical process as contemplated under Sections 65
and 65-A of the Evidence Act is permitted, irrespective of the compliance with the
requirement of Section 65-B of the Act”.
• State v. Navjot Sandhu [Supreme Court of India, Case No.: Appeal [Crl.] 373-375 of
2004, Date of Judgement: 04/08/2005] - The Hon’ble Supreme Court, when
examining Section 65B, held that even when an affidavit/certificate under Sec. 65B is
not filed it would not foreclose the Court from examining such evidence provided it
complies with the requirements of Section 63 and 65 of the Evidence Act.
• Super Cassettes v. MySpace Inc. [Delhi High Court; CS [OS] No. 2682/2008] - One
of India’s first judgments on the issue of intermediary liability specifically on the point
of copyright infringement of recordings of the plaintiff.
21. Internet Cases in India [II]
• Vinod Kaushik v. Madhvika Joshi [Adjudication Officer, Maharashtra. Complaint Case
No. 2/2010] - the legality of accessing a spouse’s email account without their
permission. Whether unauthorised access?
• Eastern Book Company v. DB Modak [Supreme Court of India. Appeal [Civil] 6472 of
2004] - copyright protection available to electronic databases in India.
• Dharambir v. Central Bureau of Investigation [Delhi High Court. 148 [2008] DLT 289]
- the admissibility and reliability of digital evidence.
• Societe des Products Nestle SA v/s Essar Industries [2006 [33] PTC 469] –
Admissibility of Electronic Evidence
22. Legal Issues and the ‘Cloud’ – I [Scenarios and Situations]
• ‘Physical Location’ of the Data – [a] where is the data stored?
[jurisdiction and legal governance of the data] [b] Dispute Resolution –
in the event of conflict
• Responsibility for the Data – Disaster Management [Indemnification?
Insurance?] Is there liability coverage for the breach of privacy? What
if the data center is hacked?
• Intellectual Property – [a] Is the data protected under Intellectual
Property Law? How secure are trade secrets? What are the
conditions under which the vendor grants third parties access to your
data?
23. Legal Issues and the ‘Cloud’ – II [Contracts and Enforcement]
• Privileged User Access – Who has access and their backgrounds
• Regulatory Compliance – Vendors must be willing to undergo audits
and security certifications
• Data Location
• Security: the legal responsibility [Security Breach?] – [a] physical
security; [b] operational security – ‘private cloud’ or the ‘utility model’;
[c] programmatic or code-based security
• Data Segregation and the use of Encryption
• Recovery
24. Privacy and the Internet
Data Privacy and Information
Security
25. Privacy concerns
A fundamental human right
the right of the individual to be let alone
• Information Privacy [data protection] - personal data
• Bodily privacy - invasive procedures - search, drug testing; genetic
testing; etc
• Communications Privacy - mail, telephone, e-mail etc
• Territorial privacy - domestic privacy; CCTV; ID checks etc
“Public” aspects - surveillance, police powers and national security
26. Growth of Importance of Privacy
Overview - major International and US regulations
HUMAN RIGHTS
1948 – UN Universal Declaration of Human Rights
1970 – US Fair Credit Reporting Act
1974 – US Privacy Act
1976 – International Covenant on Civil and Political Rights
1980 – OECD Guidelines on Protection of Privacy
1980 – US Privacy Protection Act
1995 – European Commission Directive on Data Protection
1994 – US Communications Assistance to Law Enforcement Act
1996 – US Health Insurance Portability and Accountability Act
1998 – US Children's Online Privacy Protection Act
1998 – European Member States implement Directive
1999 – US Financial Services Modernization Act
BUSINESS ISSUES
27. Privacy and Data Protection law in India
There is no general privacy or data protection law in India:
• Constitution Article 21
Right to life and liberty, interpreted by Supreme Court as including the
“right to be let alone”
• International Covenant on Civil and Political Rights 1966 Article 17:
No one shall be subject to arbitrary or unlawful interference with his
privacy, family, home or correspondence, nor to unlawful attacks on his
honour and reputation. Everyone has the right to the protection of the law
against such interference or attacks.
• Law of privacy [Tort Law] – Action for unlawful invasion of privacy
28. The [Indian] Information Technology Act, 2000
Information Technology Act 2000
• Section 43 [a] – Penalty for unauthorised access to a computer system
• Section 43 [b] – Penalty for unauthorised downloading or copying of data without permission
• Section 72 – Offence of accessing any electronic record, book, register, correspondence,
information, document or other material and, without the consent of the
person concerned, disclosing such information to another person
29. Current law in India
• Public Financial Institutions Act of 1983 codifies confidentiality of
bank transactions
• ISPs prohibited from violating privacy rights of subscribers by virtue
of the licence to operate granted by the Department of
Telecommunications
• A general data protection law in India?
National Task Force on IT and Software Development 1998
Submitted “IT Action Plan” calling for “National Policy on Information
Security, Privacy and Data Protection Act for handling of
computerised data” but no Act introduced to date
30. Possible approaches to Data Protection
Data Protection
Worldwide
31. Data Protection legislation worldwide
[Table: alphabetical list of countries and territories, Afghanistan to Zimbabwe, with the legend NONE / PENDING / IN PLACE / EUD or ‘ADEQUATE’; the United States entry is annotated ‘safe harbor’]
32. Industrialised Countries Legislation timeline
Norway – Personal D Reg Act – In force 14 April 2000
Finland – Personal DP Act – In force 1 June 1999
Sweden – Personal Data Act – In force 24 October 1998
Denmark – Act on Processing of PD – In force 1 July 2000
Belgium – Data Protection Act – In force 1 Sep 2001
Ireland – -
Germany – Data Protection Act – In force 23 May 2001
United Kingdom – Data Protection Act – In force 1 March 2000
Austria – Data Protection Act – In force 1 January 2000
Luxembourg – -
Canada – PIP&ED Act – Commenced 1 Jan 2001
Italy – Data Protection Act – In force 8 May 1997
Mexico – eCommerce Act – In force 7 June 2000
Netherlands – Law on Protection PD Act – In force 1 Sep 2001
France – -
Greece – Protection Processing – In force 10 April 1997
Hong Kong – Personal Data [Privacy] – In force 20 Dec 1996
Australia – Privacy Act – In force 21 Dec 2001
Spain – Data Protection Act – In force 13 January 2000
Taiwan – Computer Processed DP – In force 11 August 1995
New Zealand – Privacy Act – In force 1 July 1993
Portugal – Personal DP Act – In force 27 October 1998
Switzerland – Data Protection Act – In force 1 June 1999
South Korea – eCommerce Act – In force January 1999
Eastern Europe – Estonia [96] Poland [98] Slovak [98] Slovenia [99]
Hungary [99] Czech [00] Latvia [00] Lithuania [00]
United States [includes]:
CPP Act 1984
VPP Act 1988
COPP Act 1998 – In force 21 April 2000
HIPA Act – In force 14 April 2001
GLB Act – In force 1 July 2001
‘General’ Act – Under consideration
33. Possible approaches to Data Protection
Data Protection
in Europe
34. European Data Protection Directive
• Directive 95/46/EC of the European Commission
• Now implemented in almost all Member States
e.g. UK
previously - UK Data Protection Act 1984
now - UK Data Protection Act 1998 [in force March 2000] [“DPA”]
35. UK DPA 1998 - The Eight Principles
1. Personal data must be processed fairly and lawfully
2. Personal data must be collected and used only for notified purposes.
3. Personal data must be adequate, relevant and not excessive.
4. Personal data must be accurate and, where necessary, kept up-to-date.
5. Personal data must only be retained for as long as is necessary to
carry out the purposes for which it is collected.
6. Personal data must be processed in accordance with the rights of
data subjects as set out under the 1998 Act.
36. UK DPA 1998 - The Eight Principles
7. Appropriate technical and organisational measures must be in place
to protect against unauthorised access, amendment or loss of
personal data. There must be a contractual obligation, in writing, upon
any data processor to comply with the relevant legislation and to
ensure that such measures have been put in place.
8. Personal information must not be transferred out of the European
Economic Area ["EEA"] unless the receiving country ensures "an
adequate level of protection" for the rights and freedoms of the data
subjects vis-à-vis the processing of personal data.
37. Transfers of Personal Data
from Europe to India
The Eighth Principle
Personal information must not be transferred out of the European
Economic Area ["EEA"] unless the receiving country ensures "an
adequate level of protection" for the rights and freedoms of the data
subjects vis-à-vis the processing of personal data.
38. Alternative Grounds: “Seventh-Principle” type contract
Notwithstanding lack of country adequate status, a Data Controller can
nevertheless conclude there is adequate protection in respect of a particular
transfer if:
There is sufficient protection for individual data subjects
Having regard to: - nature of data being transferred;
- purposes for processing;
- security measures in place;
- individual rights to redress if things go wrong
Note - all of these could be covered in a Seventh-Principle type contract
40. Legal Services
Technology, Media and Communications
‘Enforcing’ the Information
Technology Act
Regulating Cyberspace – Version 2.0
Rodney D. Ryder
rodney@scriboard.com