1) IT Act, 2000 is solely focused on data collection and usage of data. GDPR focuses on both data collection and data processing.
2) Protection of privacy rights or protection of natural persons during data processing is absent from the objectives of the IT Act.
3) While GDPR has dedicated passages dealing with data protection, the IT Act is restricted to data protection in relation to body corporate only.
4) GDPR features additional principles:
a. Data integrity
b. Protection from unlawful processing or damage
c. Fairness and transparency in processing
d. Principle of accountability, wherein the controller has been given the responsibility of upholding and demonstrating compliance to the principles.
5) The principles under Rule 5 of the IT Act only apply to body corporate in direct contract with natural persons who provide sensitive personal data.
6) Conditions on necessity and legality of processing such as:
a. Performance of contract to which data subject is party
b. Compliance with legal obligation to which controller is subject
c. Protecting vital interest of data subject or another natural person
d. Protecting public interest or in exercise of official authority vested in controller
e. Fulfilling legitimate interests of controller or third party
are absent in the IT Act, 2000. GDPR further empowers member states of the EU to introduce specific requirements for processing functions. No equivalent stipulation exists for Indian states under the IT Act, 2000.
7) Rule 3 of the IT Act excludes
a. Racial or ethnic information
b. Political opinions
c. Religious or philosophical beliefs
d. Trade union membership
and includes passwords and financial information within the category of sensitive personal data (SPD).
8) Though both legislations stipulate consent of the provider of information/data subject prior to data collection and an option to withdraw such consent, the IT Act lacks a definition of consent and a requirement for demonstration of consent by the provider.
9) IT Act excludes certain rights, or a considerable explanation of them, such as:
• Right of access
• Right to restrict processing
• Right to data portability
• Right to object
• Right to erasure (although it can be inferred from Rule 5, IT Rules)
• Right in relation to automated decision-making and profiling
10) GDPR contains additional and elaborate measures for security of data processing. Rule 4, IT Rules, 2011, makes mention of adoption of internal policies, security audit, adherence to voluntary code of conduct and certificate mechanism, which are common to GDPR.
11) Compensation is not a right under the IT Act, though provisions exist that award compensation for infringement. There is also a clause for exemption from liability under certain conditions.
12) As per Sec. 43A of the IT Act, it is necessary to show “wrongful loss” or “wrongful gain” caused to another person due to negligence in maintaining and implementing reasonable security practices and procedures.
13) The IT Act imposes criminal liability along with civil liability.
14) Redress is not treated as a right under the IT Act. There is no clarity over which authority to approach. A competent court must be approached to claim compensation above Rs. 5 Crore, but it is not clear whether such a court has the competent jurisdiction to decide cases filed under Sec.43A (Failure to protect data). More crucially, Sec.72A casts disclosure of information in breach of a lawful contract as a penal provision, making the procedure to claim compensation ambiguous.
On the other hand, right to lodge complaint against non-compliance in data processing and right to effective judicial remedy against infringement of data subject rights are available as per Art. 77, 78 & 79.
15) IT Act neglects various parameters for valid data transfer such as:
• Adequacy decision
• Appropriate safeguards
• Judgement of a court of third country
as listed in Art. 44-50 of the GDPR.
In the United States, certain legislations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) regulate data protection and accountability for the data-associated functions of their respective industries. On the other hand, the IT Act, 2000 is the general law governing the same across all industries.
The IT Rules, as per Rule 8, provide that security procedures can be either:
• International Standard IS/ISO/IEC 27001 (Information Technology – Security Techniques – Information Security Management System – Requirements).
• A code prescribed by an industry association and approved by the central government. To date, no such code has been approved by the central government.
The IT Rules do not set out any mandatory security procedures and the above procedures are merely options that can be followed.
The GDPR strikes a more even balance between data controllers and processors by making them jointly and severally liable according to their respective responsibility for the harm caused by a breach of data protection law.
Compliance requirements and implications for Controllers and Processors
According to Art.5 (2), data controllers should be able to demonstrate how they comply with the data protection principles laid down under the GDPR, in accordance with the accountability principle. They can demonstrate compliance with the GDPR by implementing a data protection policy (Article 24(2)) and adhering to approved codes of conduct or approved certification mechanisms (Article 24(3)).
Article 30 of the GDPR requires organisations to maintain a record of the processing activities under their responsibility. The records must contain:
(a) The name and contact details of the controller and, if applicable, the joint controller, the controller’s representative and the data protection officer
(b) The purposes of the processing
(c) A description of the categories of data subjects and categories of personal data
(d) The categories of recipients to whom the personal data has been (or will be) disclosed (including to third countries/international organisations)
(e) Where applicable, transfers of personal data to a third country or an international organisation, including their identity and documentation of suitable safeguards (if applicable)
(f) Where possible, the envisaged time limits for erasure of the different categories of data
(g) Where possible, a general description of the technical and organisational security measures
The above must be documented by all controllers, with processors being required to record points (a), (e) and (g) along with the processor’s name, contact details and the categories of processing carried out on behalf of each controller.
Processors are subject to direct enforcement by supervisory authorities, serious fines and direct liability to data subjects for any damage caused by breaching the GDPR, as per Art. 82 & 83.
Art. 28 (3) states that all processing activity shall be governed by a contract legally binding on the processor with regard to the controller that sets out:
• All personal data to be processed at the explicit instructions of the controller
• Timely reporting of the legal requirement of such processing to the controller
• All those involved in data processing commit to confidentiality
• The processor to assist the controller in technical and organisational measures, in fulfilment of the controllers’ obligation towards data subject rights
• Deletion or return of all copies of personal data at the end of data processing activities, at the request of the controller
• Demonstrating compliance and contribution to timely audits by sharing necessary information with the controller
Art. 32 lays down appropriate technical and organisational measures that ensure data security against possible risks. These include:
1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
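Of the four measures, pseudonymisation is the one that can be shown concretely in code. The following is an added illustration written for this page, not code from the original text or from any regulator's guidance: a keyed pseudonymisation routine in Python (standard library only) that replaces a direct identifier with an HMAC-SHA256 token. The key and the re-identification table are the "additional information" that must be held separately from the pseudonymised records; the sample records, the `email` field name and the class name `Pseudonymiser` are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (hypothetical data subjects, not real people).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "purchase": "book", "amount": 12.50},
    {"email": "bob@example.com", "purchase": "pen", "amount": 1.20},
    {"email": "alice@example.com", "purchase": "lamp", "amount": 30.00},
]


class Pseudonymiser:
    """Keyed pseudonymisation: HMAC-SHA256 over the identifier.

    A plain (unkeyed) hash of an e-mail address can be reversed by hashing
    candidate addresses and comparing, so a secret key is used. The key and
    the token->identifier table stay with the controller; records handed to a
    processor or analyst carry only the token.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # 32 random bytes if no key is supplied (hypothetical key management).
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # token -> original identifier

    def pseudonymise(self, identifier: str) -> str:
        token = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only the holder of the lookup table can map a token back."""
        return self._lookup.get(token)


def pseudonymise_records(records: List[dict], pseud: Pseudonymiser,
                         id_field: str = "email") -> List[dict]:
    """Return copies of the records with the identifier replaced by a token."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject_id"] = pseud.pseudonymise(copy.pop(id_field))
        out.append(copy)
    return out


def purchases_per_subject(records: List[dict]) -> Dict[str, int]:
    """Analysis that still works on pseudonymised data: the same subject keeps
    the same token, so records can be linked without knowing who the person is."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["subject_id"]] = counts.get(rec["subject_id"], 0) + 1
    return counts


if __name__ == "__main__":
    p = Pseudonymiser()
    pseudonymised = pseudonymise_records(SAMPLE_RECORDS, p)
    for rec in pseudonymised:
        print(rec)
    print(purchases_per_subject(pseudonymised))
```

The pseudonymised records still allow per-subject analysis (the third function), which is exactly what Art. 32's choice of pseudonymisation over full anonymisation preserves; the design point is that re-identification requires the separately held key and table, and a different key yields unrelated tokens, so a dataset leaked without them does not directly identify anyone.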
Art. 33(1) stipulates a time period of 72 hours for the detailed notification of personal data breach to the supervisory authority.
Compliance for Data Controllers in the Indian legal framework
Data controllers have the following main obligations to ensure data is processed properly:
• Consent and notification. A data controller cannot collect SPDI unless it obtains the prior consent of the data subject. A business must also, before collecting the information, give the data subject the option not to provide such information. If this is the case, the business has the option to cease providing goods and services for which the information is sought. A business must also ensure that the data subject is aware:
o that the information is being collected;
o of the proposed use of the information; and
o of the name and address of the agency collecting or receiving the information.
• Use, retention and withdrawal. Data controllers can only use personal information for the purpose for which it was collected. They cannot retain SPDI for longer than is required for the purposes for which the information can lawfully be used or as otherwise required under any other law. The data subject of the SPDI has the right to review the information provided, and to ask for inaccurate or deficient information to be corrected. The data subject also has the right to withdraw consent to the collection and use of the SPDI.
• Disclosure. Disclosure of SPDI to a third party is possible if:
o it has been agreed in a contract with the data subject;
o it is necessary for compliance with a legal obligation; or
o prior permission is given by the data subject.
• Transfer. A data controller can only transfer SPDI to a third party, whether in India or overseas, if the receiving party ensures the same level of protection as that provided under Indian rules. Additionally, SPDI can only be transferred if it is necessary for the performance of a lawful contract with the data subject, or if the data subject has consented to the transfer. The provisions on disclosure and transfer appear to overlap, and the difference between the two provisions is unclear.
According to Art.37(1), data controllers or processors are mandatorily required to appoint a Data Protection Officer (DPO) if they are a public body or handle regular and systematic monitoring of data subjects on a large scale or large scale processing of sensitive data and data relating to criminal convictions as part of their core activities.
Recital 97 clarifies that for a controller operating in the private sector, processing personal information as an ancillary service does not count as a “core activity”.
Article 39 of the GDPR lists the responsibilities of a Data Protection Officer (DPO), an enterprise security leadership role responsible for overseeing data protection strategy and implementation to ensure compliance.
Consequences and Costs of non-compliance/ breach
The IT Act imposes criminal liability, while the GDPR stipulates the imposition of high administrative fines for infringement and lacks any penal provisions.
Any person that is negligent in using reasonable security practices and procedures (RSPPs) in protecting sensitive personal data or information (SPDI) is liable to pay compensation for any wrongful loss or wrongful gain (section 43A, IT Act).
Additionally, a person who discloses personal information in breach of contract or without the consent of the concerned party, where the disclosure is made with the intention to cause, or knowing that it is likely to cause, wrongful loss or wrongful gain, is liable to criminal punishment of up to three years’ imprisonment, a fine of up to INR 500,000, or both (section 72A, IT Act).
Examples of Legitimate Interest Grounds for Processing of Personal Data
1. Fraud Detection and Prevention, in organisations where the processing function should comply with industry standards, regulators’ requirements and other requirements related to fraud prevention and anti-money laundering.
2. Compliance with foreign law, law enforcement, court and regulatory bodies’ requirements.
3. Organisations in the credit, banking, finance, insurance and retail industries that often need to
a. process certain personal data to protect and develop industry standards;
b. share intelligence about individuals or concerns that may have a negative or detrimental impact;
c. set pricing; and
d. follow industry best practices.
4. All organisations that need to monitor, detect and protect the organisation, its systems, network, infrastructure, computers, information, intellectual property and other rights from unwanted security intrusion, unauthorised access, disclosure and acquisition of information, data and system breaches, hacking, industrial espionage and cyber attacks.
Processing of personal data could be necessary for the legitimate interest of a controller where it is necessary:
» For the purposes of preventing fraud (Recital 47);
» For direct marketing purposes (Recital 47);
» For the transmission of personal data within a group of undertakings for internal administrative purposes, including the processing of client and employee data (Recital 48);
» For the purposes of ensuring security (Recital 49); or
» For reporting possible criminal acts or threats to a competent authority (Recital 50).