Data has emerged as one of the most important resources of today's world. However, there are no clear rules on how to make use of this resource. There are spillover effects and negative externalities in the form of privacy breaches while exploiting this resource. In such a situation, what should be the legal remedy?
The law should find a balance between the interests of the customers and the corporations. The customers want safety and privacy, whereas corporations want commercial use of data, which puts the customers' interests at risk.
Privacy issues in data analytics
Business Law Report: Privacy regulations for data-driven businesses
Contents
1. Problem description
• Data Analytics and Privacy
• Challenges posed by IoT, Big Data, Cloud
• Pros and Cons of strong regulation
2. Privacy laws around the globe
• Timeline of data protection laws
• Challenges in enactment and enforcement
3. Personal Data Protection Bill
• Evolution of the bill
• Features of the bill
• Critical analysis of the bill
• Industry's view
• Opposition's view
• International opinion
• Civil Society's perspective
• Miscellaneous
5. Conclusion
• The way forward
Team
Kanchan Kalra 1916024
Saurabh Kanaujia 1916025
Shekhar Kanodia 1916026
Shashikumar Kulkarni 1916027
Devishree Shekar 1916058
Problem Description: Data Analytics and Privacy
• Data has emerged as one of the most important resources of today's world. However, there are no clear rules on how to make use of this resource.
• There are spillover effects and negative externalities in the form of privacy breaches while exploiting this resource. In such a situation, what should be the legal remedy?
• The law should find a balance between the interests of the customers and the corporations. The customers want safety and privacy, whereas corporations want commercial use of data, which puts the customers' interests at risk.
• Although this is a relatively new area, some standards have evolved to balance the interests of the stakeholders. Anonymization, de-identification, privacy by design and security by design have been accepted as norms.
• However, there are still some contentious issues, such as the principles of data minimization, data retention and data localization, that need closer scrutiny.
• Similarly, operational and contractual safeguards have also been accepted by all the stakeholders. They include privacy impact assessment, encryption of data and legally enforceable confidentiality obligations.
Challenges posed by IoT, Big Data, Cloud
• The move to build artificial intelligence (using big data, IoT and Cloud) requires collection and analysis of a lot of data.
• The challenge here is that when data is collected, one knows neither the exact regression that will be run nor the data interpolation, as analysis starts with no preset agenda. One cannot predict what will be inferred and what the outcome might be.
• This poses the problem that data collection cannot be kept minimal, and even if data is anonymized, when data is collected from different sources and analyzed or regressed together, one cannot rule out the possibility that an individual can be identified.
• Suggestions like calling out the purpose of data collection at the time of collection, anonymization, de-identification, privacy by design and security by design are difficult to enforce or ensure; besides, they would hinder progress in critical areas such as healthcare.
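As an added illustration of the re-identification problem described in the bullets above (this is not part of the original report), the following Python shows how a dataset stripped of names can still be joined to a second source on the attributes both share, and how a minimum-group-size (k-anonymity) check plus generalization of those attributes before release prevents the join. All records, names and function names are constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed "anonymized" dataset: names removed, quasi-identifiers kept.
HEALTH = [
    {"zip": "226010", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"zip": "226010", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "226024", "birth_year": 1990, "sex": "F", "diagnosis": "flu"},
    {"zip": "226024", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
]
# Constructed second source collected for another purpose (e.g. a public roster).
ROSTER = [
    {"name": "A. Sharma", "zip": "226010", "birth_year": 1985, "sex": "F"},
    {"name": "B. Verma", "zip": "226010", "birth_year": 1985, "sex": "M"},
    {"name": "C. Singh", "zip": "226024", "birth_year": 1990, "sex": "F"},
    {"name": "D. Gupta", "zip": "226024", "birth_year": 1990, "sex": "F"},
]
QUASI_IDS = ("zip", "birth_year", "sex")  # attributes present in both sources

def key(row, fields=QUASI_IDS):
    return tuple(row[f] for f in fields)

def k_anonymity(rows, fields=QUASI_IDS):
    """Smallest number of rows sharing one quasi-identifier combination.
    k == 1 means at least one row is unique and therefore linkable."""
    return min(Counter(key(r, fields) for r in rows).values())

def linkable(anon_rows, roster_rows, fields=QUASI_IDS):
    """Names that can be tied to exactly one anonymized row by joining sources."""
    groups = defaultdict(list)
    for r in anon_rows:
        groups[key(r, fields)].append(r)
    found = {}
    for p in roster_rows:
        matches = groups.get(key(p, fields), [])
        if len(matches) == 1:          # unique match -> diagnosis is exposed
            found[p["name"]] = matches[0]["diagnosis"]
    return found

def generalize(row):
    """Coarsen quasi-identifiers before release (a data-minimization step)."""
    g = dict(row)
    g["zip"] = row["zip"][:3] + "***"           # keep only the zip prefix
    g["birth_year"] = row["birth_year"] // 10 * 10  # year -> decade
    g["sex"] = "*"                               # suppress entirely
    return g
```

On the constructed data the raw release has k = 1 and exposes two diagnoses, while the generalized release has k = 2 and no roster entry matches a single row.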
Pros of strong regulation
• Curbs 'big brother', 'creepy', 'spooky' activities
• Could have prevented the below:
• Facebook - Cambridge Analytica scandal
• WhatsApp - Pegasus snooping row
• Cyber crimes and frauds can be prevented
• Prevents breaches that hurt businesses and data subjects/principals
• Maintains and improves brand value and competitive advantage for businesses
• Builds public, investor and customer trust and loyalty
Cons of strong regulation
• Compliance costs would increase
• Curbs innovation and startups
• Global expansion would be difficult; it would act like a trade barrier
• Criminal provisions would deter investments
• A weak regulatory body can be misused
• Bona fide purposes such as public service delivery would be impacted
• Less data and poor-quality data would impact data models
Privacy Laws around the globe
USA
• Has no all-encompassing federal data privacy law
• Has only sector-specific laws, for example HIPAA for healthcare
• There are a number of state privacy laws, for example the California Online Privacy Protection Act 2003
• Unfair and deceptive practices are enforced against by the FTC (Federal Trade Commission)
• Some examples:
COPPA: Children's Online Privacy Protection Act
CAN-SPAM: for the e-marketing regime
FCRA: Fair Credit Reporting Act
Gramm-Leach-Bliley: for personal information held by financial institutions
HIPAA: Health Insurance Portability and Accountability Act
EU
• The Data Protection Directive (95/46) and e-Privacy Directive (2002/58) only provide directives to member states
• National implementation must be done by each member state
• There is a separate Data Protection Authority for each member state
• The EU has a simpler data protection narrative by which personally identifiable information (PII) includes cookies, IP addresses etc.
• GDPR: General Data Protection Regulation
A regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area.
It also addresses the transfer of personal data outside the EU and EEA areas.
Hospitals, government agencies and journalists are exempted.
Citizens have the right to be forgotten if their data is irrelevant/inadequate.
Others
• Singapore: PDPA (Personal Data Protection Act) 2014: regulates the way personal data is collected, stored and used. Apart from establishing a general data protection regime, the Act also regulates telemarketing practices.
• Hong Kong Personal Data Ordinance: users must be informed of the purpose of any personal data collection and the classes of people the data may be transferred to.
• Malaysia's Personal Data Protection Act: requires users' consent before collecting personal data or sharing it with any third parties.
• Australia's Privacy Principles: 13 principles guiding the handling of personal data.
Source: UNCTAD
Challenges in enactment and enforcement of data protection laws
[Two columns: Enactment Challenges and Enforcement Challenges]
Personal Data Protection Bill - Evolution
• The SC has declared privacy a fundamental right under Article 21 of the Constitution; subsequently, the Government of India constituted a "Committee of Experts on Data Protection" to examine the issues relating to data protection.
• On the basis of the recommendations received, it proposed to enact the Personal Data Protection Bill, 2019 - to bring a strong and robust data protection framework for India, to set up an authority for protecting personal data, and to empower citizens with rights relating to their personal data, ensuring their fundamental right to privacy.
• The Data Protection Act will provide guidance and best practices for organizations and the government on data protection and usage. Broadly, it is expected to cover the following:
• Regulating the processing of personal data
• Protecting the rights of the data subjects
• Enabling the Data Protection Authority to enforce rules
• Holding organizations liable to fines in the event of a breach of the rules
Features of the bill
• To promote concepts such as the consent framework, purpose limitation, storage limitation and data minimization.
• Lay down obligations on entities collecting personal data (data fiduciary) to collect only required data and with the express consent of the individual (data principal).
• Right to obtain personal data, correct inaccurate data, erase data, update the data, port the data to other fiduciaries and the right to restrict or prevent the disclosure of personal data.
• Establish the "Data Protection Authority of India", which shall protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the proposed legislation and promote awareness about data protection.
• To specify a provision relating to "social media intermediary" to empower the GOI, with the Authority, to notify the said intermediary as a significant data fiduciary.
• To empower the Central Government to exempt any agency of Government from application of the proposed Legislation.
• Confer a "right of grievance" on the data principal to make a complaint against the grievance to the data fiduciary.
1. Appoint the "Adjudicating Officer" for adjudging the penalties to be imposed.
2. Establish an "Appellate Tribunal".
3. Impose severe "fines and penalties" for contravention.
4. Empower the Authority to specify the "code of practice" for data protection.
Critical analysis of the bill
Industry's view:
• IAMAI (industry body Internet and Mobile Association of India) has expressed concerns over the upcoming data protection authority and its roles.
• Industries are not happy with the clause requiring repeated consent at every step of data processing. They are of the opinion that if the purpose of data processing is not violated, then repeated consent may not be necessary.
• Not every discrimination is bad. Industries discriminate among users using the data to create a balance between the customer's interest and the business interest. The new law considers discrimination caused by data harmful, and a heavy penalty can be imposed on businesses.
• Industry finds ambiguity in the definitions of types of data and types of consent, etc.
• Compliance cost will increase for the industry, especially for startups.
• As per Oracle, the bill will create new opportunities for cloud services companies since sensitive data needs to reside in the country.
Opposition's view:
• Opposition parties have expressed concerns over the growing snooping industry under government watch and want the bill to be thoroughly reviewed by a parliamentary committee.
• Some of the opposition parties have demanded wider public consultation on the bill.
International opinion:
• US tech companies such as Google, Mastercard, Visa and Amazon have expressed concern over increasing costs due to mandatory data localization.
• The US has raised concerns over fair treatment and a level playing field for its companies.
• Bilateral strain is going to increase, as per some of the joint Indo-US think tanks.
• As per the US Treasury Secretary, America has no problem if countries want to have local data for regulatory purposes, as long as they do not bar it from also being held outside.
Critical analysis of the bill
Civil Society's perspective:
• The biggest criticism of this bill is that the government at any given time can exempt any investigation agency and enforcement agency from this bill. This defeats the point of data protection. Even the definition of a security crisis is narrow and vague, which can be misused by the government.
• Justice Srikrishna himself has criticized the bill, saying "There should be restrictions on access to data of citizens without his consent. Government has got the blank cheque in this case leading to breach of privacy." As per him, this bill can turn India into an 'Orwellian State'.
• The threat of surveillance from the government is high since the government can ask for any type of data from companies.
• The government can also take non-personal data from the companies. Some critics say that this provision could allow the government to gain access to the intellectual property of various organizations.
• As per the CEO of Nasscom's Data Security Council of India, data localization will likely make India an infeasible market for services.
Critical analysis of the bill
• Data ownership is not clearly spelt out in the bill.
• Right to be forgotten:
• It only restricts the organization from using the data; it should allow complete deletion of personal data.
• The process of exercising this right should be easy.
• The data principal has no right to compensation. The penalties go to the DPA.
• There is no provision to notify or inform the data principal about a data breach. There should be a provision for public disclosure of data breaches.
• The bill suggests amending the RTI Act for non-disclosure of harmful information related to the data principal; the conditions should be clearly spelt out.
• In the security safeguards, the encryption standards should be updated on a timely basis. That should be one of the mandates of the DPA.
Miscellaneous
• The DPA has been given extreme powers of arresting and detaining without the approval of courts.
• If the data fiduciary is not registered in India, then accessing the local data (for law enforcement) may not be possible in certain cases.
• The onus of proving that damage has been done due to the violation of the provisions of the law lies on the data principal. This seems to be a regressive step.
• The bill mentions that the legal consequences of withdrawal of consent should be borne by the data principal. The DPA should make sure that this does not act as a deterrent to bona fide withdrawal; the consequences should be clearly spelt out in the contract itself, and proper details should be provided to the data principal while entering the contract.
• The proposed bill is silent on individual rights around processing activities involving automated profiling and decision making.
Conclusion: the way forward
• Peer review and periodic auditing can bring checks and balances.
• Use of blockchains can help in the implementation of privacy provisions.
• At the international level, a World Data Organization (on similar lines to the World Trade Organization) can be conceptualized. It can help in the international standardization of regulations and consensus-building among nations.
• Bilateral or multilateral data protection treaties and MoUs would also build trust and promote data monetization.
• Chief Privacy Officer (CPO) or Data Protection Officer (DPO) roles may be strengthened by the companies.
• The government should refrain from taking non-personal data from companies under normal circumstances.
• Data makes predictions more accurate and reduces costs. This enables companies to sell things at lower prices, and in most cases the user experience is improved because of data. Hence the guiding force behind the legislation should be to enable the commercial use of data by companies.
• Start-ups should be provided safeguards from this law for the initial 5 years, since it will be a huge cost burden on them. Once enough awareness and the required skilled workforce are there, the law can be made applicable to start-ups.
• One-time consent from the user is enough. Repeated consent will add cost and reduce user experience.
• Types of harm, types of data and security reasons should be defined clearly by the Data Protection Authority.