Meta Title: - An overview of data protection legislation around the world: a brief introduction to the main acts, and the place of data protection rules in the economy and in advanced technology in the public domain. A few countries have driven the progress of data protection acts and related conventions to the point where those rules and regulations keep pace with modern economic platforms and technologies.
Meta Description: - The aim of the discussion is to give financial institutions and organisations a safe harbour of data privacy rules that protect the individual from fraudulent and illegal activity in the economic and technology sectors. The article surveys which countries have which privacy rules, how those rules create a safe and protected environment for data controllers, organisations/associations and financial employers, and how litigation helps improve the acts by adding rules and regulations to them.
INDIA based data protection acts.
INTRODUCTION: - The Information Technology Act, 2000 was notified on 17th October 2000 by the Indian Parliament and deals with cybercrime and electronic commerce. Subordinate legislation under the IT Act includes the Information Technology (Intermediaries Guidelines) Rules, 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules, discussed below), and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
Keywords – Data privacy, Acts, Compliance, Cybercrime, Data protection, Federal agencies, Authorities, Framework, Legislations, Globalisation, privatisation, liberalisation.
Background: - The Act originates in a bill passed in the Budget session of 2000 and assented to by President K. R. Narayanan. The original Act has 94 sections divided into 13 chapters and 4 schedules; the third and fourth schedules were later omitted. The Act creates a legal framework for cybercrime by defining offences and prescribing penalties for them, and gives legal recognition to electronic records and digital signatures. It established a Cyber Appellate Tribunal to hear disputes arising under the Act. It also amended the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934. The Information Technology (Amendment) Act, 2008 made a prominent change by addressing pornography, child sexual abuse material, cyber terrorism and voyeurism; it was passed by the Lok Sabha on 22nd December 2008 without debate, and President Pratibha Patil gave her assent on 5th February 2009.
Salient features - The amended Act came into force on 27th October 2009, after receiving assent on 5th February 2009. The Act is based on the UNCITRAL (United Nations Commission on International Trade Law) Model Law on Electronic Commerce, 1996. Its salient features are the following: -
- The Act gives legal recognition to electronic commerce and to electronic transactions.
- It places electronic records on a par with paper records, so that an electronic transaction has the same standing as a documentary one.
- It gives legal recognition to digital signatures issued and authenticated by licensed Certifying Authorities.
- Appeals from the orders of adjudicating officers in cyber-crime and other technology-related matters lie to the Cyber Appellate Tribunal (merged into the Telecom Disputes Settlement and Appellate Tribunal in 2017).
- The Act does not apply to negotiable instruments (other than cheques), powers of attorney, trusts, wills, or contracts for the sale or conveyance of immovable property.
- Under section 75 the Act has jurisdiction over any offence or contravention committed outside India by any person, irrespective of nationality, if it involves a computer, computer system or computer network located in India.
- Under section 90 the State Government may, by notification in the Official Gazette, make rules to carry out the provisions of the Act.
- SEBI had announced that trading of securities on the internet would be valid in India, but at the outset no specific provision dealt with the confidentiality of net trading. This gap was addressed by the IT (Amendment) Act, 2008.
Digital Personal Data Protection Bill 2022 (enacted as the Digital Personal Data Protection Act, 2023)
Personal data is any data about an individual who is identifiable by or in relation to that data. Every organisation, business and even government entity processes personal data in order to deliver goods and services. Unchecked processing of personal information can cause harm to the individual, including financial loss, loss of reputation and profiling, which is why the law regulates it.
How was the bill introduced?
A committee of experts on data protection chaired by Justice B. N. Srikrishna was set up by the Central Government in 2017 to examine data protection issues in the country. The committee submitted its report in July 2018, and the Personal Data Protection Bill, 2019, based on its recommendations, was introduced in the Lok Sabha in December 2019. The Bill was referred to a Joint Parliamentary Committee, which submitted its report in December 2021. The Bill was withdrawn from Parliament in August 2022; a draft Digital Personal Data Protection Bill was released for public consultation in November 2022, and the Digital Personal Data Protection Bill, 2023 was introduced in Parliament in August 2023 and enacted the same month.
Salient Features –
Applicability - The Act applies to the processing of digital personal data within India, whether the data was collected online or collected offline and then digitised. It also applies to processing outside India if it is in connection with offering goods or services to individuals in India.
Consent - Personal data may be processed only for a lawful purpose for which the individual has given consent, or for the legitimate uses specified in the Act. Consent must be free, specific, informed and unambiguous, and may be withdrawn at any time.
Rights and Duties of the Data Principal - Any individual whose personal data is processed (the Data Principal) has the following rights: -
- to obtain information about the processing of his or her personal data;
- to seek correction, completion, updating and erasure of personal data;
- to nominate another person to exercise these rights in the event of death or incapacity;
- to have a readily available means of grievance redressal.
- The Data Principal also has duties, such as not registering false or frivolous complaints; breach of these duties is punishable with a penalty of up to Rs. 10,000/-.
Exemptions - The rights of the Data Principal and most obligations of data fiduciaries do not apply to processing for the prevention, detection, investigation or prosecution of offences, or for the enforcement of any legal right or claim, among other specified exemptions.
Data Protection Board of India
The Central Government establishes the Data Protection Board of India to monitor compliance, impose penalties, direct data fiduciaries to take remedial measures in the event of a personal data breach, and hear grievances raised by affected individuals. Board members are appointed for a term of two years and are eligible for re-appointment.
Right to Data Portability
The Srikrishna Committee (2018) recommended that, to the extent information can be provided without revealing trade secrets, a right to data portability should be guaranteed. The Joint Parliamentary Committee observed that trade secrets cannot be a ground for refusing data portability; it may be refused only on grounds of technical feasibility. Note that the Act as enacted in 2023 does not contain a right to data portability.
INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011 (the SPDI Rules, often loosely called the "IT Act 2011")
These rules were India's data protection regime while the outcome of the consultation on the draft Personal Data Protection Bill, 2019 (then before the Joint Parliamentary Committee) was awaited. They are made under the IT Act, 2000, whose preamble states its purpose: to provide legal recognition for transactions carried out by means of electronic data interchange and other means of 'electronic commerce', which involve the use of alternatives to paper-based methods of communication.
The SPDI Rules were framed by the Central Government under section 43A of the IT Act (inserted by the 2008 amendment) and notified on 11th April 2011, giving India for the first time a legal regime for data privacy. Section 43A makes a body corporate that handles sensitive personal data or information liable to pay compensation if negligence in maintaining reasonable security practices causes wrongful loss or wrongful gain to any person.
What is meant by Sensitive Personal Data?
Rule 3 of the SPDI Rules defines sensitive personal data or information as personal information consisting of the following eight categories: -
- Password.
- Financial information such as bank account, credit card, debit card or other payment instrument details.
- Physical, physiological and mental health condition.
- Sexual orientation.
- Medical records and history.
- Biometric information.
- Any detail relating to the above categories as provided to a body corporate for providing a service.
- Any information relating to the above categories received by a body corporate for processing, stored or processed under lawful contract or otherwise.
The eight categories listed in Rule 3 form an exhaustive list, subject to one exception: information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, is not regarded as sensitive personal data or information for the purposes of the 2011 Rules.
Section 87 of the IT Act provides that the Central Government may, by notification in the Official Gazette and in the Electronic Gazette, make rules to carry out the provisions of the Act; the SPDI Rules were made under this power read with section 43A.
USA Based Data protection acts.
1. Gramm – Leach – Bliley Act
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, applies to financial institutions, meaning companies that offer consumers financial products or services such as loans, financial or investment advice and insurance. It requires them to protect and safeguard the customer information they collect, process or share. The Act was enacted on 12th November 1999 by the 106th United States Congress (1999-2001) and signed into law by President Bill Clinton. It repealed part of the Glass-Steagall Act of 1933 and of the Bank Holding Company Act of 1956, removing the barriers between banking companies, securities companies and insurance companies that had prohibited any one institution from acting as a combination of investment bank, commercial bank and insurance company. It did not, however, give the SEC or any other financial regulator authority to regulate large investment bank holding companies.
Insights of the act
The Gramm-Leach-Bliley Act comprises three main privacy components: -
- The Financial Privacy Rule, which governs the collection and disclosure of customers' private financial information.
- The Safeguards Rule, which requires financial institutions to implement a written information security program to protect that information.
- The pretexting provisions, which prohibit obtaining customer information under false pretences or by other illegal means.
2. FedRAMP – Federal Risk and Authorisation Management Program
FedRAMP is a government-wide program that provides a standardised approach to security assessment, authorisation and continuous monitoring for cloud products and services. It was established by the Office of Management and Budget in December 2011 in response to the U.S. government's 'Cloud First' policy. FedRAMP enables agencies to adopt modern cloud technology with an emphasis on the security and protection of federal information, and helps accelerate the adoption of secure cloud solutions.
FedRAMP historically consisted of two main governing components: -
- The Joint Authorization Board (JAB)
- The Program Management Office (PMO), housed at the General Services Administration
The JAB was made up of the Chief Information Officers of the following: -
- The Department of Defense, the Department of Homeland Security and the General Services Administration.
- The JAB served as the primary governance and decision-making body for FedRAMP; following the FedRAMP Authorization Act of 2022 it has been replaced by a FedRAMP Board.
FedRAMP authorisations are obtained through the following paths: -
- JAB Provisional Authority to Operate (P-ATO).
- Agency Authority to Operate (ATO).
- FedRAMP Tailored, a lighter baseline for low-impact Software-as-a-Service offerings.
Who is involved in a FedRAMP authorisation?
a) Federal agencies, which grant and rely on authorisations.
b) Cloud Service Providers (CSPs), which supply the cloud services that allow federal agencies to meet their mission needs securely and quickly.
c) Third Party Assessment Organizations (3PAOs), which carry out the formal initial and periodic assessments of cloud systems to verify that they meet FedRAMP requirements.
3. FISMA- Federal Information Security Management Act
The Federal Information Security Management Act of 2002 (FISMA), enacted as Title III of the E-Government Act of 2002, is a United States federal law. It requires each federal agency to develop, document and implement an agency-wide information security program to protect the information and information systems that support its operations and assets, including those provided or managed by another agency, contractor or other source. It assigns specific responsibilities to: -
- The National Institute of Standards and Technology (NIST), which develops the standards and guidelines agencies must follow.
- The Office of Management and Budget (OMB), which oversees agency information security policies and practices and reports annually to Congress on agency compliance with FISMA.
In 2014 FISMA was amended and largely superseded by the Federal Information Security Modernization Act of 2014, which reaffirmed the need for "a risk-based policy for cost-effective security" across the federal government and, in particular: -
- Gave the Department of Homeland Security authority to administer the implementation of information security policies for federal Executive Branch civilian systems and to provide technical assistance.
- Under FIPS 199 and NIST SP 800-60, agencies categorise information and information systems by the potential impact (low, moderate or high) of a loss of confidentiality, integrity or availability.
- The minimum security requirements are stated in FIPS 200, and NIST SP 800-53 provides the catalogue of security controls and the low, moderate and high baselines selected by that categorisation.
- All FISMA-authorised systems must be continuously monitored against their selected security controls, with documentation updated to reflect changes to the system.
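As an added example (not from the original article), the following Python code carries out the FIPS 199 categorisation and FIPS 200 high-water mark described above for a system that handles several information types. It also enforces two FIPS 199 rules that are easy to get wrong in a spreadsheet: "not applicable" may be used only for the confidentiality of an individual information type, and a system as a whole can never be rated below LOW. The information types and their ratings are constructed sample input for a hypothetical agency web portal, not a real inventory or values taken from NIST SP 800-60.

```python
"""FIPS 199 security categorisation with the FIPS 200 high-water mark.

Each information type a system handles is rated LOW, MODERATE or HIGH for
confidentiality, integrity and availability. FIPS 199 allows NA ("not
applicable") for the confidentiality of an individual information type
only (public information), never for integrity or availability, and never
for a system as a whole. The system's category takes the highest rating
per objective across its information types, and the overall impact level
(the high-water mark across the three objectives, per FIPS 200) selects
the NIST SP 800-53 control baseline.
"""
from typing import Dict, Iterable

# Ordered from least to most severe.
IMPACT_ORDER = ("NA", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level: str) -> int:
    """Map an impact level to its position in IMPACT_ORDER; reject typos."""
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level {level!r}; expected one of {IMPACT_ORDER}")
    return IMPACT_ORDER.index(level)


def categorize_information_type(name: str, confidentiality: str,
                                integrity: str, availability: str) -> Dict[str, str]:
    """Return a validated FIPS 199 security category for one information type."""
    category = {
        "confidentiality": confidentiality.upper(),
        "integrity": integrity.upper(),
        "availability": availability.upper(),
    }
    for objective, level in category.items():
        _rank(level)  # fail loudly on typos instead of silently treating them as lowest
        if level == "NA" and objective != "confidentiality":
            raise ValueError(
                f"{name}: NA is permitted only for confidentiality, not {objective}")
    category["name"] = name
    return category


def categorize_system(info_types: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """High-water mark per objective across all information types.

    The floor is LOW for every objective: FIPS 199 does not allow NA at the
    system level, because the system's own processing functions must be
    protected even when every information type it holds is public.
    """
    system = {objective: "LOW" for objective in OBJECTIVES}
    for category in info_types:
        for objective in OBJECTIVES:
            if _rank(category[objective]) > _rank(system[objective]):
                system[objective] = category[objective]
    return system


def overall_impact(system: Dict[str, str]) -> str:
    """High-water mark across the three objectives (FIPS 200); this single
    level picks the LOW, MODERATE or HIGH SP 800-53 baseline."""
    return max((system[objective] for objective in OBJECTIVES), key=_rank)


def format_category(label: str, category: Dict[str, str]) -> str:
    """Render in the notation FIPS 199 itself uses, e.g.
    SC portal = {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}"""
    inner = ", ".join(f"({objective}, {category[objective]})" for objective in OBJECTIVES)
    return f"SC {label} = {{{inner}}}"


# Constructed sample inventory for a hypothetical agency web portal
# (illustrative ratings, not taken from NIST SP 800-60).
SAMPLE_INFO_TYPES = [
    categorize_information_type("public_press_releases", "NA", "LOW", "LOW"),
    categorize_information_type("citizen_pii", "MODERATE", "MODERATE", "LOW"),
    categorize_information_type("payment_processing", "MODERATE", "HIGH", "HIGH"),
]

if __name__ == "__main__":
    for category in SAMPLE_INFO_TYPES:
        print(format_category(category["name"], category))
    portal = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category("web_portal", portal))
    print("overall impact level / SP 800-53 baseline:", overall_impact(portal))
```

Running the block prints each information type and then the system category in FIPS 199 notation. The portal lands at HIGH overall because the payment-processing type drives integrity and availability to HIGH, even though confidentiality never rises above MODERATE; that single HIGH is what selects the SP 800-53 high baseline for the whole system, which is why agencies often split high-impact processing into a separate system boundary.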
4. Health Insurance Portability and Accountability Act (HIPAA) 1996
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects sensitive patient health information from being disclosed without the patient's consent or knowledge. Its Privacy Rule sets standards for how an individual's health information may be used and disclosed, and its Security Rule requires administrative, physical and technical safeguards for the subset of that information held in electronic form.
Covered entities under HIPAA are health care providers who transmit health information electronically in connection with standard transactions (claims, eligibility inquiries, referral authorisation requests and the other transactions covered by the HIPAA transaction rules), health care clearinghouses, and health plans, which include: -
- Health, dental, vision and prescription drug insurers.
- Health Maintenance Organisations.
- Medicare, Medicare+Choice and Medicare supplement insurers.
- Employer-sponsored group health plans, including government- and church-sponsored health plans and multi-employer plans.
EXCEPTION - A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it is not a covered entity under HIPAA.
- Business associates are persons or organisations (other than members of a covered entity's workforce) that use or disclose individually identifiable health information to perform functions, activities or services for a covered entity, such as claims processing, data analysis, utilisation review or billing. They are directly subject to the Security Rule and to the applicable parts of the Privacy Rule.
- Health information protected under the Privacy Rule is termed protected health information (PHI); its electronic form, e-PHI (Electronic Protected Health Information), is what the Security Rule safeguards.
5. U.S.- EU Safe Harbour framework
On 12th July 2016 the European Commission adopted an adequacy decision for the EU-U.S. Privacy Shield Framework, a new mechanism for transferring personal data from the European Union to the United States, enforced on the U.S. side by the Federal Trade Commission. Privacy Shield replaced the Safe Harbour Program, which the Court of Justice of the European Union had invalidated in October 2015. The General Data Protection Regulation continues to prohibit transfers of personal data to third countries that do not ensure an adequate level of protection unless an approved transfer mechanism is used; the United States has no general adequacy decision, so such a mechanism is required. Privacy Shield was itself invalidated by the Court of Justice in July 2020 (Schrems II, Case C-311/18) and has been succeeded by the EU-U.S. Data Privacy Framework, for which the Commission adopted an adequacy decision on 10th July 2023.
Case reference - Maximillian Schrems v Data Protection Commissioner, Case C-362/14 (Schrems I, judgment of 6th October 2015).
Principles of the Safe Harbour agreement
The Safe Harbour agreement was set up in 2000 to allow personal data transfers between the European Union and the U.S. in compliance with the 1995 EU Data Protection Directive. It rested on seven basic principles: -
- Notice: organisations must inform individuals about the purposes for which data is collected and used, how to contact the organisation with inquiries or complaints, the third parties to which data is disclosed, and the choices available for limiting its use.
- Choice: individuals must be able to opt out of having their data disclosed to a third party or used for a purpose incompatible with that for which it was collected; for sensitive data an explicit opt-in is required.
- Onward transfer: data may be passed to a third party only if that party subscribes to the principles or is otherwise subject to an adequate level of protection.
- Security: organisations must take reasonable precautions to protect data from loss, misuse, unauthorised access, disclosure, alteration and destruction.
- Data integrity: data must be relevant to the purpose for which it is used, and organisations should take reasonable steps to keep it reliable, accurate, complete and current.
- Access: individuals must be able to access the personal data held about them and to correct, amend or delete it where it is inaccurate.
- Enforcement: there must be effective mechanisms for complaints and dispute resolution, procedures for verifying compliance, and sanctions for non-compliance.
6. SOX - Sarbanes-Oxley Act
SOX sets compliance deadlines and lays down rules on financial reporting and record-keeping. It was drafted under the guidance of two legislators, Senator Paul Sarbanes and Representative Michael Oxley, with the stated purpose of improving corporate governance and accountability, in response to the financial scandals and corporate frauds at Enron, WorldCom and Tyco, among others. It was passed by the United States Congress in 2002 to protect shareholders and the general public from accounting errors and fraudulent practices in companies. Every public company must comply with SOX, on both the financial and the IT side. Among other things, companies must retain records, including electronic records and messages, for not less than five years; failure to do so can result in fines, imprisonment, or both.
What does section 906 say?
Section 906 of SOX requires that each periodic report containing financial statements filed by a publicly held company be accompanied by a written statement from the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) certifying that the report fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 and that the information it contains fairly presents, in all material respects, the financial condition and results of operations of the issuer.
Penalties under section 906: -
- Under paragraph (c) of section 906, knowingly certifying a non-compliant report carries a fine of not more than $1,000,000, imprisonment of not more than 10 years, or both.
- Wilfully certifying a non-compliant report carries a fine of not more than $5,000,000, imprisonment of not more than 20 years, or both.
Other key sections of the Act are the following: -
- Section 302 requires the CEO and CFO of every U.S. publicly held company to certify each quarterly and annual report and makes them responsible for establishing and maintaining internal controls, which in practice covers the controls protecting financial data and the IT systems that process it.
- Section 404 imposes two major requirements: management must assess and report on the effectiveness of the company's internal control over financial reporting at the end of each fiscal year, and
- the company's external auditor must attest to and report on that management assessment as part of the annual audit.
- Section 409 requires companies to disclose, on a rapid and current basis, material changes in their financial condition or operations.
- Section 802 makes it a crime for anyone, including any employee, accountant or auditor, to knowingly alter, destroy, falsify or conceal records with the intent to obstruct an investigation, and requires auditors to retain their audit workpapers.
- Section 806 protects employees who report suspected corporate fraud; retaliation against such whistleblowers is prohibited (civilly under section 806 and criminally under section 1107).
- Section 906, as described above, makes wilfully certifying false or misleading financial reports a crime punishable by a fine of up to $5 million and imprisonment of up to 20 years.
European Union based data protection act.
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is widely regarded as the toughest privacy and security law in the world. It was drafted by the European Union to govern the collection and processing of the personal data of people in the EU, and it imposes obligations on organisations anywhere in the world that process such data. It became applicable on 25th May 2018. Violations of its privacy and security requirements attract severe penalties: administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
Everyone has the right to privacy, and everyone has a duty to respect other people's right to privacy in relation to their private life, family life and any information that is private in itself. The 1950 European Convention on Human Rights already contains a right to respect for private life, and as modern technologies advanced the European Union progressively strengthened its rules for the protection of personal data, first through the 1995 Data Protection Directive and then through the GDPR. The GDPR was adopted by the European Parliament and Council in April 2016 and entered into force on 24th May 2016, and all organisations and institutions had to be compliant by 25th May 2018.
Scope of the act
The scope of the GDPR is broad in relation to the data privacy of the individual: the personal data of people in the EU cannot be freely processed by any organisation or business association, or transferred to a third country outside the EU, without satisfying the Regulation. The scope of the GDPR is divided into two parts.
- Territorial Scope (Article 3).
- Material Scope (Article 2).
Territorial Scope - Article 3 of the GDPR sets out the territorial scope and has two main limbs: -
- Article 3(1), the establishment criterion
- Article 3(2), the targeting criterion
Territorial scope turns on where the controller or processor operates and on whom the processing concerns; Article 3 accordingly brings the processing of personal data within the GDPR under two criteria: -
- Establishment criterion
- Targeting criterion
Establishment criterion - Article 3(1): the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing itself takes place in the Union. A controller based outside the EU (a third-country company) is therefore still caught if it has an establishment in the EU, such as a local subsidiary, in whose context the processing occurs.
CASE LAW - Google Spain SL and Google Inc. v AEPD and Mario Costeja González, Case C-131/12
Google Inc., a U.S.-based company, operated the search engine, while its Spanish subsidiary Google Spain SL sold advertising space. A Spanish individual asked the Spanish data protection authority to have search results about him removed, and in its 2014 judgment the Court of Justice of the European Union held that the processing by Google Inc. was carried out in the context of the activities of its establishment in Spain and was therefore subject to EU data protection law. The ruling, which also recognised a 'right to be forgotten', directly informed the establishment criterion and the right to erasure in the GDPR.
Targeting criterion - Article 3(2): the GDPR applies to controllers or processors not established in the Union where the processing relates to offering goods or services to data subjects in the Union (whether or not payment is required) or to monitoring their behaviour within the Union. Article 2 defines the material scope: the Regulation covers the processing of personal data wholly or partly by automated means, and manual processing of data that forms part of a filing system. 'Processing' is itself defined broadly and includes collection, storage, use for marketing or automated decision-making, alteration, erasure and destruction of the data.
Main elements of the GDPR
The GDPR sets out the data privacy rights of the individual and how they are to be protected; the broad principles are summarised here. The European Convention on Human Rights, signed in Rome in 1950, laid the foundation: Article 8 of the Convention guarantees the right to respect for private and family life. Within the GDPR, Article 6 governs when processing is lawful, requiring at least one of six legal bases before personal data may be processed or disclosed: -
- the data subject has given clear, affirmative consent;
- the processing is necessary for the performance of a contract with the data subject, or to take steps at his or her request before entering into one;
- the processing is necessary to comply with a legal obligation to which the controller is subject;
- the processing is necessary to protect the vital interests of the data subject or another person, to perform a task in the public interest, or for the legitimate interests of the controller or a third party, where these are not overridden by the individual's rights.
Conclusion: - Data privacy acts around the world set themselves the goal of protecting individuals' data and information in the technology and economic fields. As globalisation, privatisation and liberalisation shape economic development everywhere, federal agencies and business data controllers need privacy legislation that keeps them clear of illegal operations and protects the people whose data they hold. The world is steadily moving towards advanced technology and its use in the economy, and the scale of that change is hard for anyone to grasp fully. These acts provide a shield to business owners, employees, private firms and organisations/associations around the world, and protect their data with full credibility.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.