
Monday 22 June 2020

Short Q & A: Big data ecosystem.


Hello law knowledge seekers. In this blog again there are short Q and A for you based on data protection.


Q. List the parts of the Big Data ecosystem.
Ans. Other technological developments such as artificial intelligence, machine learning, the Internet of Things are all part of the Big Data ecosystem and their use is becoming increasingly commonplace.

Q. What are the two different models of data protection?
Ans. 1) European Union (EU) model and 2) American Marketplace Model

Q. What are the three main perspectives of data protection?
Ans. Protection of personal data -
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

Q. What is the main basis of the EU model?
Ans. The EU model, or European Union model of data protection, is based entirely on the principle that the right to privacy and the right to protection of personal data are fundamental rights recognised by Article 7 and Article 8 of the European Charter of Fundamental Rights (EU Charter).

Q. List the categories of sensitive personal data.
Ans. Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health and sex life, etc. are sensitive personal data, and their collection should be limited.

Q. Which principles must an entity comply with for lawful and fair processing of personal data?
Ans. For processing to be lawful and fair, the entity collecting personal data must comply with an extensive range of principles such as that of purpose specification, data minimisation, data quality, security safeguards, etc.

Q. What are the individual participation rights guaranteed under law?
Ans. a) the right to confirm if data about oneself is being collected, b) the right to access data, c) the right to rectification of data, d) the right to data portability, e) the right to restrict processing, f) the right to erasure, g) the right to object to processing, h) the right to object to processing for the purpose of direct marketing, i) the right to object to automated decisions.

Q. What is the basis of United States privacy policy?
Ans. In the United States, privacy protection is essentially a liberty protection, i.e. protection of the personal space from government.

Q. What are the two trends in the US model of data protection?
Ans. The US approach to data protection thus has two discernible trends: stringent norms for government processing of personal information; and notice and choice based models for private sector data processing.


Thanks for reading. On which subject you want notes - please comment. For more law notes please follow and share this blog.

Tuesday 9 June 2020

Short Q & A: Aadhaar Act


Here are some short Q and A on Aadhaar Act.


Q. What is full name of Aadhaar Act?
Ans. The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act)
Q. What is purpose of Aadhaar Act?
Ans. The Aadhaar Act enables the Government to collect identity information from citizens including their biometrics, issue a unique identification number or an Aadhaar Number on the basis of such biometric information, and thereafter provide targeted delivery of subsidies, benefits and services to them.
Q. What is Aadhaar based authentication?
Ans. The Aadhaar Act also provides for Aadhaar based authentication services wherein a requesting entity (government / public and private entities / agencies) can request the Unique Identification Authority of India (UIDAI) to verify / validate the correctness of the identity information submitted by individuals to be able to extend services to them.
Q. Which type of consent is required in Aadhaar based authentication?
Ans. For Aadhaar Based Authentication the requesting entity is required to obtain the consent of the individual before obtaining his / her identity information for the purpose of authentication and must use his / her identity information only for the purpose of authentication.
Q. Which authority is established by Aadhaar Act?
Ans. The Aadhaar Act establishes an authority, namely, the UIDAI, which is responsible for the administration of the said Act.
Q. Which database is governed by Aadhaar Act?
Ans. It also establishes a Central Identities Data Repository (CIDR) which is a database holding Aadhaar Numbers and corresponding demographic and biometric information.

Thanks for reading till the end. Please share this blog and follow it for more law notes. Please comment the subject on which you want notes below.

Monday 8 June 2020

Short Q & A: Privacy


Hello my law professionals and law knowledge seekers. This is short Q & A collection on Privacy law. Privacy is deeply related to data protection.


Q. Does data protection affect all types of privacy?
Ans. Basically data protection is linked with informational privacy but also indirectly has impact on decisional privacy and physical privacy.

Q. How is informational privacy a freedom for an individual?
Ans. Informational privacy is often understood as the freedom of individuals to determine for themselves when, how, and to what extent information about them is communicated to others, and this freedom allows individuals to protect themselves from harm.

Q. What is a key difference between defamation law and privacy law?
Ans. Laws on defamation generally prohibit disclosure of personal information only if it is false. Privacy, on the other hand, would even protect against disclosure of truthful personal information.

Q. What is a subjective harm to an individual?
Ans. A subjective harm is one where an individual has not actually suffered any tangible loss but anticipates such loss after personal information is collected. The uncertainty, anxiety and fear of potential observation are the identified harms in this situation.

Q. What is an objective harm to an individual?
Ans. Objective harms are separately identified when the use of one’s personal information actually results in some damage, whether through loss of reputation or through some other change in the treatment of the individual by society. Data protection must account for both these kinds of harms which arise as a result of unregulated collection and use of personal information.

Q. Which committee first raised the need for data protection in the United States?
Ans. The Advisory Committee in the Department of Health, Education and Welfare (HEW Committee) of the United States examined the various legal and technological issues raised vis-a-vis increasingly automated processing of data during the 1970s.

Q. Name the landmark report of the HEW Committee of the United States.
Ans. Records, Computers and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems

Q. What are FIPPS?
Ans. The HEW Committee's report suggested a Code of Fair Information Practices based on Fair Information Practices Principles (FIPPS). The FIPPS are a set of principles which prescribe how data should be handled, stored and managed to maintain fairness, privacy and security in a rapidly growing global technology environment. FIPPS are now deemed to be the bedrock of modern data protection laws across the world.


Thanks for reading. Please comment the subject on which you want notes. Please share and follow this blog for more law notes.

Tuesday 2 June 2020

Short Q and A: IT Act


Here are some short Q and A on IT Act and SPDI rules.


Q. Which Act governs the rules and laws for data protection in India?
Ans. Data protection in India is governed by the general data protection rules under the Information Technology Act, 2000 (IT Act) as well as various sector-specific laws on data protection.

Q. Why is the right to privacy not an absolute right?
Ans. The right to privacy is a fundamental right of a citizen of India, but it is subject to some restrictions. In the Puttaswamy case, the Supreme Court expressly recognised protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits as certain legitimate aims of the State.

Q. What is meant by the SPDI Rules?
Ans. SPDI rules means The Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011.

Q. Under which section of which Act SPDI rules were issued?
Ans. Under Section 43A of Information Technology Act, 2000 (for short IT Act) SPDI rules were issued.

Q. What is Section 43A of IT Act?
Ans. Section 43A, relates to Compensation for Failure to Protect Data and enables the enactment of reasonable security practices and procedures for the protection of sensitive personal data.

Q. Which OECD guidelines were incorporated in SPDI rules?
Ans. The OECD guidelines incorporated in SPDI rules are collection limitation, purpose specification, use limitation and individual participation.

Q. To whom are the SPDI Rules applicable?
Ans. The SPDI Rules apply only to corporate entities and leave the government and government bodies outside their ambit.

Q. Which tribunal was to hear appeals under IT Act?
Ans. The Cyber Appellate Tribunal (CyAT). But it gave its last order in 2011. There is an absence of effective machinery for enforcement of law related to the digital sector.


Thanks for reading. Please comment the subject on which you want notes. Please follow and share this blog for more law notes.

Monday 1 June 2020

Short Q & A: Data protection law

Hello law professionals and law knowledge seekers. This post comprises short Q and A on the history of, and an introduction to, data protection law.

Q. Why is data protection law necessary in any country?
Ans. Data protection law is necessary in any country to ensure growth of the digital economy while keeping personal data of citizens secure and protected.


Q. What do you mean by data protection?
Ans. Data protection is synonymous with protection of informational privacy.
Q. What are the objectives of the data protection law?
Ans. The objectives of the data protection law are: 1) to provide protection of informational privacy; 2) to provide a foundation for data-driven innovation and entrepreneurship for empowerment, experiment and equal access committed by the digital future.
Q. Where can data analytics be used by organisations and government?
Ans. Data analytics can be used by organisations and government to gain remarkable insights into areas such as health, food security, intelligent transport systems, energy efficiency and urban planning.
Q. What does the Digital India initiative involve?
Ans. The Digital India initiative involves the incorporation of digitisation in governance; healthcare and educational services; cashless economy and digital transactions; transparency in bureaucracy; fair and quick distribution of welfare schemes, etc. to empower citizens.
Q. Why does the Indian government use personal data?
Ans. In India, the state uses personal data for purposes such as the targeted delivery of social welfare benefits, effective planning and implementation of government schemes, counter-terrorism operations, etc. Such collection and use of data is usually backed by law, though in the context of counter-terrorism and intelligence gathering, it appears not to be the case.
Q. How is the right to privacy a fundamental right of a citizen of India?
Ans. The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution and as a part of the freedoms guaranteed by Part III of the Constitution. This is well explained in the Puttaswamy case.
Q. Why is data protection necessary for an individual or for a community?
Ans. The usage of personal information not only reaps many benefits but is also capable of causing considerable harm. Data protection is necessary for an individual because of the need to prevent such harms, and it hinges on the question of who should be permitted to use personal information and how. The protection of privacy permits individuals to plan and carry out their lives without unnecessary intrusion.
Q. What are the types of privacy?
Ans. Three broad types of privacy have been identified: 1) the privacy pertaining to physical spaces, bodies and things (spatial privacy); 2) the privacy of certain significant self-defining choices (decisional privacy); 3) and the privacy of personal information (informational privacy).


Thanks for reading. Please comment subject on which you want notes. Please share and follow the blog.

Sunday 24 May 2020

AADHAAR Act: Introduction

Hello law knowledge seekers. In this article you will find some introductory information about AADHAAR Act.


The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act):

Main purpose of the Act:

The Aadhaar Act enables the Government to collect identity information from citizens including their biometrics, issue a unique identification (UID) number or an Aadhaar Number on the basis of such biometric information, and thereafter provide targeted delivery of subsidies, benefits and services to them. 

Aadhaar Based Authentication Service:
The Aadhaar Act also provides for Aadhaar based authentication services wherein a requesting entity (government / public and private entities / agencies) can request the Unique Identification Authority of India (UIDAI) to verify / validate the correctness of the identity information submitted by individuals to be able to extend services to them. The requesting entity is required to obtain the consent of the individual before obtaining his / her identity information for the purpose of authentication and must use his / her identity information only for the purpose of authentication.
The Aadhaar Act establishes an authority, namely, the UIDAI, which is responsible for the administration of the said Act. It also establishes a Central Identities Data Repository (CIDR) which is a database holding Aadhaar Numbers and corresponding demographic and biometric information. Under the Aadhaar Act, collection, storage and use of personal data is a precondition for the receipt of a subsidy, benefit or service. Though the Aadhaar Act does not per se make application for an Aadhaar Number mandatory (it is specifically provided as an entitlement under Section 3) except for availing of certain benefits, subsidies and services funded from the Consolidated Fund of India, in practice, taking of Aadhaar Number is becoming mandatory for availing most services through a range of cognate laws.

Data Protection Principles:
The Aadhaar Act and its regulations recognise various data protection principles, to ensure the security of information and privacy of Aadhaar Number holders.
1) There is an obligation on the UIDAI to ensure security and confidentiality of the identity information and authentication records of individuals which includes taking all necessary steps to protect such information against unlawful access, use or disclosure, and accidental or intentional destruction, loss or damage.
2) The Aadhaar Act prohibits the sharing of core biometric information, and the use of it for a purpose other than the generation of Aadhaar Numbers and authentication.
3) The sharing of information other than core biometric information is permissible under certain conditions.
4) The Aadhaar Act also permits an individual to make a request to the UIDAI to provide his / her access to his / her identity information (excluding his / her core biometric information) and his / her authentication records.
5) An individual can also seek rectification of his / her demographic data if it changes or is incorrect, and his / her biometric information if it is lost or changes.
6) Finally, the UIDAI will have no knowledge of the purpose of any authentication.

Aadhaar (Data Security) Regulations:
Data protection norms for personal information collected under the Aadhaar Act are also found in the Aadhaar (Data Security) Regulations, 2016 (Aadhaar Security Regulations). The Aadhaar Security Regulations impose an obligation on the UIDAI to have a security policy which sets out the technical and organisational measures which will be adopted by it to keep information secure.

Criticism:
Despite its attempt to incorporate various data protection principles, Aadhaar has come under considerable public criticism, such as:
1) Though seemingly voluntary, possession of Aadhaar has become mandatory in practice, and has been viewed by many as coercive collection of personal data by the State. Concerns have also been raised vis-a-vis the provision on Aadhaar based authentication, which permits collection of information about an individual every time an authentication request is made to the UIDAI.
2) Despite an obligation to adopt adequate security safeguards, no database is 100% secure.
In light of this, the interplay between any proposed data protection framework and the existing Aadhaar framework will have to be analysed.

Thanks for reading. Please share this blog and follow this. You can comment your subject of interest below.

Saturday 23 May 2020

SPDI rules

The Puttaswamy judgment is a landmark legal development in the discourse on privacy, especially informational privacy; prior legislative attempts have been made to secure informational privacy in various sectors in India. These include the general data protection rules under the Information Technology Act, 2000 (IT Act) as well as various sector-specific laws on data protection.



The SPDI Rules have been issued under Section 43A of the IT Act. Section 43A relates to Compensation for Failure to Protect Data and enables the enactment of reasonable security practices and procedures for the protection of sensitive personal data. The SPDI Rules incorporate the OECD Guidelines such as collection limitation, purpose specification, use limitation and individual participation.

The Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules):


Key features of SPDI rules are:
1) They mandate certain requirements for the collection of information.
2) Data collection must be done only for a lawful purpose connected with the function of the organisation.
3) Every organisation is required to have a detailed privacy policy.
4) They give instructions for the period of time for which information can be retained.
5) They give individuals the right to correct their information.
6) Disclosure is not permitted without consent of the provider of the individual, or unless such disclosure is contractually permitted or necessary for legal compliance.
7) The consent of the provider is not required for sharing the personal information collected by any organisation with the Government.
8) Personal information can be shared for purposes such as verification of identity, prevention, detection and investigation including of cyber incidents, prosecution, and punishment of offences.
9) The SPDI Rules apply only to corporate entities and leave the government and government bodies outside their ambit.
10) The rules are restricted to sensitive personal data, which includes attributes like sexual orientation, medical records and history, biometric information, etc., and not to the larger category of personal data.

Thanks for reading till the end. Please follow and share this blog for more such law notes.

Right to privacy and Constitution of India


The right to privacy is a need of today's digital era. Here are some judgments discussed in view of the Constitution of India and the right to privacy. Though these were overruled by the Supreme Court in the Puttaswamy case, a law aspirant still needs to know them.

M.P. Sharma v. Satish Chandra (M.P. Sharma)  
The Supreme Court in M.P. Sharma examined whether search and seizure of documents pursuant to an FIR would violate the right to privacy. A majority decision by an eight-judge Constitution bench observed that the right to privacy was not a fundamental right under the Constitution.

Kharak Singh v. State of Uttar Pradesh (Kharak Singh):
i) In Kharak Singh, the issue at hand was whether regular surveillance by police authorities amounted to an infringement of constitutionally guaranteed fundamental rights. A Constitution bench of six judges analysed this issue in the backdrop of the validity of the regulations governing the Uttar Pradesh police which legalised secret picketing, domiciliary visits at night and regular surveillance. The Supreme Court struck down night-time domiciliary visits by the police as violative of ordered liberty. 

ii) Further, the Supreme Court held that Article 21 of the Constitution of India is the repository of residuary personal rights and it recognised the common law right to privacy. However, the Court observed that privacy is not a guaranteed fundamental right. It must be noted, though, that the dissenting judge, Justice Subba Rao, opined that even though the right to privacy was not expressly recognised as a fundamental right, it was an essential ingredient of personal liberty under Article 21 and thus fundamental.

iii) The approach of the Supreme Court of putting the freedoms given under Part III of the Constitution of India under distinct compartments was also rejected. Instead, it was held that these rights are overlapping and the restriction of one freedom affects the other, as was also held previously in the Maneka and Cooper judgments. Therefore, a law restricting a freedom under Article 21 of the Constitution of India would also have to meet the reasonableness requirements under Article 19 and Article 14 of the Constitution of India.

A. K. Gopalan v. State of Madras 
i) The approach of the Supreme Court of putting the freedoms given under Part III of the Constitution of India under distinct compartments was also rejected. Instead, it was held in the Puttaswamy case that these rights are overlapping and the restriction of one freedom affects the other, as was also held previously in the Maneka and Cooper judgments. Therefore, a law restricting a freedom under Article 21 of the Constitution of India would also have to meet the reasonableness requirements under Article 19 and Article 14 of the Constitution of India.

Thanks for reading till the end. Please share and follow this blog for more such law notes.

Data protection law in India: Puttaswamy case



Puttaswamy case:
The Supreme Court of India noted the following points:
i) Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. Intrinsically, a regime for data protection is synonymous with protection of informational privacy.

ii) “Uber”, the world’s largest taxi company, owns no vehicles. “Facebook”, the world’s most popular media owner, creates no content. “Alibaba”, the most valuable retailer, has no inventory. And “Airbnb”, the world’s largest accommodation provider, owns no real estate.

iii) The right to privacy as a fundamental right. Right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution and as a part of the freedoms guaranteed by Part III of the Constitution. 

iv) Further, it went on to recognise informational privacy as a facet of the right to privacy and directed the Union Government to put in place a robust data protection regime to ensure protection against the dangers posed to an individual's privacy by state and non-state actors in the information age.


v) The Supreme Court in Puttaswamy overruled its previous judgments of M.P. Sharma v. Satish Chandra (M. P. Sharma) and Kharak Singh v. State of Uttar Pradesh (Kharak Singh) which appeared to observe that there was no fundamental right to privacy enshrined in the Constitution of India. 


vi) Justice Subba Rao in Kharak Singh, opined that even though the right to privacy was not expressly recognised as a fundamental right, it was an essential ingredient of personal liberty under Article 21 and thus fundamental. Following this approach of Justice Subba Rao, the nine-judge bench of the Supreme Court in Puttaswamy recognised the right to privacy as an intrinsic part of the fundamental right to life and personal liberty under Article 21 of the Constitution of India in particular, and in all fundamental rights in Part III which protect freedoms in general, and overruled the aforementioned judgments to this extent.

vii) Notably, it was held that the Constitution of India must evolve with the circumstances of time to meet the challenges thrown up in a democratic order governed by the rule of law and that the meaning of the Constitution of India cannot be frozen on the perspectives present when it was adopted.

viii) The right to privacy was grounded in rights to freedom under both Article 21 and Article 19 of the Constitution of India encompassing freedom of the body as well as the mind. It was held that privacy facilitates freedom and is intrinsic to the exercise of liberty and examples of the freedoms enshrined under Article 25, Article 26 and Article 28(3) of the Constitution of India were given to show how the right to privacy was necessary to exercise all the aforementioned rights. 

ix) The Supreme Court acknowledged that the concept of the right to privacy, as seen from jurisprudence in India and abroad, has evolved from the basic right to be let alone to a range of negative and positive rights. Thus it now includes the right to abort a foetus; rights as to procreation, contraception, general family relationships, child rearing, education, data protection, etc. The Court recognised informational privacy as an important aspect of the right to privacy that can be claimed against state and non-state actors. The right to informational privacy allows an individual to protect information about oneself and prevent it from being disseminated.

x) Further, the Court recognised that the right to privacy is not absolute and may be subject to reasonable restrictions. In order to limit the discretion of the State in such matters, the Court has laid down a test to limit the possibility of the State clamping down on the right: the action must be sanctioned by law; it must be necessary to fulfil a legitimate aim of the State; the extent of the State interference must be proportionate to the need for such interference; and there must be procedural safeguards to prevent the State from abusing its power. It has expressly recognised protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits as certain legitimate aims of the State.


Thanks for reading till the end. Please follow and share this blog for more law notes.