Data protection refers to a collection of laws, policies, and practices designed
to reduce the impact on individual privacy resulting from the gathering,
storage, and sharing of personal information. "Personal data" encompasses any
details that can identify a specific individual. Typically, this information is
collected by government entities, private companies, or agencies. Essentially,
data protection serves as a safeguard against unauthorized access to personal
information. The approaches and levels of data protection can differ
significantly between individuals, businesses, and government organizations.
Data Protection Law in India:
In India, the issue of privacy has sparked significant discussion within judicial courts, with some viewing it as a fundamental right while others have not recognized it under Article 21 of the Indian Constitution.
On August 24, 2017, the Supreme Court of India made a pivotal ruling in the case of
Justice K.S. Puttaswamy and Anr. v. Union of India And Ors., declaring the right to privacy as a fundamental right. This landmark decision prompted demands for legislation to safeguard the personal data and privacy of citizens.
The Central Government had already constituted an expert committee on data protection in July 2017, chaired by retired Supreme Court judge Justice B.N. Srikrishna; the Puttaswamy judgment gave its work fresh urgency.
Key developments include:
- In November 2017 the committee published a white paper setting out why India needed a dedicated data protection law and inviting public comment.
- On July 27, 2018, the committee submitted its report together with the draft Personal Data Protection Bill, 2018.
- The revised Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019.
- On December 12, 2019, the bill was referred to a Joint Parliamentary Committee for further consideration.
- The Joint Parliamentary Committee tabled its report, with numerous recommendations and amendments, in December 2021; the 2019 bill was withdrawn in August 2022 and a much shorter draft, the Digital Personal Data Protection Bill, was published for consultation in November 2022.
- The Digital Personal Data Protection Bill, 2023 was passed by both Houses in August 2023 and became the Digital Personal Data Protection Act, 2023 (the DPDP Act) on receiving the President's assent on August 11, 2023.
Applicability
- The DPDP Act, 2023 applies to digital personal data only: personal data collected in digital form, or collected in non-digital form and digitised subsequently. Non-personal data and paper records that are never digitised are outside its scope.
Overseas Applicability
- The DPDP Act applies to digital personal data processed outside India, only if such processing is in connection with any activity related to offering of goods or services to data principals (data subjects) in India.
Exclusions
- Personal data processed by an individual for any personal or domestic purpose; or
- Personal data made publicly available by the data principal herself or any other person under a legal obligation.
Key Principle:
Transparency: Section 5 of the DPDP Act requires the Data Fiduciary to give the Data Principal a notice describing the personal data to be processed and the purpose of processing, before or at the time consent is requested, and Section 6 requires that consent be free, specific, informed, unconditional and unambiguous. Consent obtained without that notice is not valid consent, so transparency is the precondition for relying on the consent basis.
Lawful basis for processing: As per Section 4(1), there are two lawful bases:
- For which the Data Principal has given her consent; or
- For certain legitimate uses.
Section 4(1) of the DPDP Act clearly states that the personal data of a Data Principal will be collected only for a lawful purpose. This is further explained in Section 4(2), which clarifies that lawful purpose means "any purpose which is not expressly forbidden by law".
Purpose limitation: Section 5(1)(i) of the DPDP Act requires the Data Fiduciary (not the Data Processor) to inform the Data Principal of the personal data being collected and the specific purpose of its processing, and Section 6(1) limits consent to that specified purpose. Once consent is granted for a particular purpose, the data may be used only for that purpose; a new purpose needs a fresh notice and fresh consent.
Data minimisation: Data minimization is specifically articulated in the context of consent used as the legitimate basis for processing. Section 6 outlines that consent must include specific elements, one of which is that it must be restricted to personal data that is necessary for the defined purpose.
Proportionality: In the context of the General Data Protection Regulation (GDPR), proportionality refers to ensuring any collected personal data is adequate, relevant, and restricted to what is necessary for its processing purpose. This principle is echoed in the DPDP Act's requirements for having a clearly defined purpose and limiting data collection to what is essential.
Retention: In terms of the DPDP Act, the Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force:
- Erase personal data upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
- Cause its Data Processor to erase any personal data made available by the Data Fiduciary for processing to such Data Processor.
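As an added example (not code from the page or from any statute), the following Python module shows how the purpose-limitation, data-minimisation, withdrawal and retention rules above translate into an enforcement point inside an application: every processing call is gated through a consent ledger scoped to one purpose and one set of fields, withdrawal closes that gate immediately, and an erasure decision fires on withdrawal or on the purpose being served, whichever comes first, with a carve-out for retention required by law. The class names, field names and the sample Data Principal are assumptions made for illustration.

```python
"""Consent-scoped processing gate and erasure trigger (added illustration,
modelled on the DPDP Act's s.5/s.6 purpose limitation, s.6(1) minimisation,
s.6(4) withdrawal and s.8(7) retention rules; names are assumptions)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

UTC = timezone.utc


@dataclass
class Consent:
    principal_id: str
    purpose: str                      # one specified purpose per consent (s.6(1))
    fields: frozenset                 # data items the consent is limited to (minimisation)
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        return self.given_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


@dataclass
class Record:
    principal_id: str
    purpose: str
    purpose_served_at: Optional[datetime] = None   # when the purpose stopped being served
    legal_hold_until: Optional[datetime] = None    # retention mandated by another law


class ConsentLedger:
    """Per-purpose consent store; every processing call is gated through authorize()."""

    def __init__(self) -> None:
        self._consents: list = []

    def record(self, consent: Consent) -> None:
        self._consents.append(consent)

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> None:
        for c in self._consents:
            if c.principal_id == principal_id and c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = at

    def lookup(self, principal_id: str, purpose: str, at: datetime) -> Optional[Consent]:
        for c in self._consents:
            if c.principal_id == principal_id and c.purpose == purpose and c.active(at):
                return c
        return None

    def authorize(self, principal_id: str, purpose: str, fields: Iterable[str], at: datetime) -> tuple:
        """Fail closed: no active consent for this exact purpose, or any field
        outside the consented set, denies the processing call."""
        consent = self.lookup(principal_id, purpose, at)
        if consent is None:
            return False, "no active consent for this purpose"
        excess = sorted(set(fields) - consent.fields)
        if excess:
            return False, "fields outside consent scope: " + ", ".join(excess)
        return True, "ok"


def erasure_decision(record: Record, consent: Optional[Consent], now: datetime) -> str:
    """s.8(7): erase on withdrawal or when the purpose is no longer served,
    whichever is earlier, unless retention is required by law."""
    triggers = (consent.withdrawn_at if consent else None, record.purpose_served_at)
    fired = [t for t in triggers if t is not None and t <= now]
    if not fired:
        return "retain"                  # neither trigger has happened yet
    if record.legal_hold_until is not None and record.legal_hold_until > now:
        return "retain-legal-hold"       # the "law for the time being in force" carve-out
    return "erase"                       # and instruct Data Processors to erase too


def run_demo() -> dict:
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 1, tzinfo=UTC)      # consent given (constructed sample)
    t_mid = datetime(2024, 2, 15, tzinfo=UTC)
    t1 = datetime(2024, 3, 1, tzinfo=UTC)      # consent withdrawn
    consent = Consent("dp-1", "order-fulfilment", frozenset({"name", "address"}), t0)
    ledger.record(consent)

    ok_fulfil, _ = ledger.authorize("dp-1", "order-fulfilment", ["name", "address"], t0)
    ok_extra, _ = ledger.authorize("dp-1", "order-fulfilment", ["name", "address", "dob"], t0)
    ok_marketing, _ = ledger.authorize("dp-1", "marketing", ["name"], t0)
    ledger.withdraw("dp-1", "order-fulfilment", t1)
    ok_after, _ = ledger.authorize("dp-1", "order-fulfilment", ["name"], t1)

    plain = Record("dp-1", "order-fulfilment")
    served = Record("dp-1", "order-fulfilment", purpose_served_at=datetime(2024, 2, 1, tzinfo=UTC))
    held = Record("dp-1", "order-fulfilment", legal_hold_until=datetime(2025, 1, 1, tzinfo=UTC))
    return {
        "fulfilment_allowed": ok_fulfil,
        "extra_field_allowed": ok_extra,
        "marketing_allowed": ok_marketing,
        "after_withdrawal_allowed": ok_after,
        "before_any_trigger": erasure_decision(plain, consent, t0),
        "purpose_served_first": erasure_decision(served, consent, t_mid),
        "after_withdrawal": erasure_decision(plain, consent, t1),
        "with_legal_hold": erasure_decision(held, consent, t1),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point to take from this is that the consent object, not a boolean "has consented" flag, is what gets checked: purpose and field scope travel with the consent, so a marketing call or a request for a field the principal never consented to fails closed even though a valid consent for fulfilment exists, and the erasure decision is driven by timestamps the system already holds rather than by a manual review.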
Accuracy: Section 8(3) requires that where personal data processed by a Data Fiduciary is likely to be:
- used to make a decision that affects the Data Principal; or
- disclosed to another Data Fiduciary,
the Data Fiduciary must ensure its completeness, accuracy and consistency.
Section 15 places a complementary duty on the Data Principal: not to suppress any material information when providing personal data for a State-issued document, unique identifier or proof of identity or address, and to furnish only verifiably authentic information when exercising the right to correction or erasure.
Individual Rights under DPDP Act
- Right of access to (copies of) data/information about processing: Section 11 of the DPDP Act gives the Data Principal the right to access a summary of the data being processed, the purpose for which it is being processed and with which other Data Fiduciary or Data Processors the data is being shared.
- Right to correction: Section 12(1) of the DPDP Act gives the Data Principal the right to have personal data corrected, completed or updated where it is inaccurate or misleading, for example because circumstances have changed since collection or an error was made when the data was recorded.
- Right to erasure/right to be forgotten: the same Section 12(1) gives the right to have personal data erased; under Section 12(3) the Data Fiduciary must erase it unless retention is necessary for the specified purpose or for compliance with law.
- Right to object to processing: the DPDP Act has no standalone right to object. Where processing rests on consent, the practical equivalent is withdrawal under Section 6(4): after withdrawal the Data Fiduciary and its Data Processors must cease processing within a reasonable time (Section 6(6)) and erase the data (Section 8(7)), unless retention is required by law.
- Right to restrict processing: The concept of Restriction of Processing, as under the GDPR, has yet to be clearly defined in Indian laws.
- Right to data portability: This right is not properly articulated and may be included in the upcoming Rules.
- Right to withdraw consent: Section 6(4) of the DPDP Act allows withdrawal of consent at any time. Section 6(7) allows management or revocation via a Consent Manager.
- Right to object to marketing: there is no specific marketing opt-out. Because consent under Section 6(1) is limited to the specified purpose, marketing or profiling that was not part of that purpose is unlawful without a fresh consent, and any consent given can be withdrawn under Section 6(4).
- Right protecting against solely automated decision-making and profiling: This is inadequately articulated currently, but Section 9(2) and 9(3) prohibit harmful data processing and targeted advertising directed at children.
- Right to complain to the relevant data protection authority: Under Section 13(1), the Data Principal can avail grievance redressal via the Data Fiduciary or Consent Manager. Section 13(3) permits appeal to the Data Protection Board if unsatisfied.
- Right to nominate: Section 14(1) allows the Data Principal to nominate someone to exercise their rights in case of death or incapacity.
- Right to compensation: the DPDP Act contains no compensation provision, and Section 44 omits Section 43A of the Information Technology Act, 2000, which previously allowed compensation for negligent handling of sensitive personal data. Penalties imposed by the Data Protection Board are credited to the Consolidated Fund of India under Section 34.
Data of Children and Persons with Disabilities
- A "child" is defined as someone under 18 years. Data Fiduciaries must obtain verifiable consent from a parent or guardian before processing personal data.
- They are prohibited from processing personal data that could harm a child's well-being or from tracking, behavior monitoring, or targeted advertising aimed at children.
- The Central Government may exempt certain Data Fiduciaries from consent requirements if they meet specified safety criteria for children's data handling.
- The Act also requires verifiable consent from a legal guardian for processing data of persons with disabilities.
Data Protection Board
The Act establishes the Data Protection Board of India, an independent adjudicatory body empowered to inquire into non-compliance and impose penalties. Under Section 27 it acts on:
- an intimation of a personal data breach;
- a complaint by a Data Principal regarding a personal data breach or a breach of obligations by a Data Fiduciary;
- a complaint against a Consent Manager;
- an intimation of breach of any registration condition of a Consent Manager;
- a reference by the Central Government in relation to a breach by an intermediary of its obligation under Section 37(2) to comply with a blocking direction.
Every order made by the Board will be enforceable just like a civil court
decree. Persons who are aggrieved by any orders/directions passed by the Board
would be able to file an appeal against the same before the Telecom Disputes
Settlement and Appellate Tribunal, and thereafter to the Supreme Court.
Penalties
The Schedule to the Act stipulates monetary penalties for various infractions,
imposed by the Board after an inquiry. If reasonable security safeguards are not
implemented and a personal data breach results, the penalty can reach Rs 250
crore. Failing to notify the Board and affected Data Principals of a breach, and
breaching the additional obligations relating to children, each carry penalties
of up to Rs 200 crore. Significant Data Fiduciaries may be fined up to Rs 150
crore for non-compliance with their additional obligations. Data Principals who
breach their duties under Section 15 may be fined up to Rs 10,000.
Breaching a term of a voluntary undertaking accepted by the Board under Section
32 attracts the penalty applicable to the underlying breach. Any other breach of
the Act or the rules made under it carries a penalty of up to Rs 50 crore.
Data Protection Law in EU
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the
legal framework governing the collection and processing of personal data of
individuals in the European Union. Widely regarded as the most stringent privacy
and security regulation in the world, it was created and enacted by the EU but
applies to organizations anywhere that offer goods or services to, or monitor
the behaviour of, data subjects in the EU (Article 3). It has applied since May
25, 2018.
The GDPR imposes severe fines for violations of its privacy and security
requirements, with penalties potentially reaching into the tens of millions of
euros. By implementing the GDPR, Europe is demonstrating its strong commitment
to data privacy and security, especially during a time when many individuals are
sharing their personal information with cloud services amid frequent data
breaches. The regulation is extensive, far-reaching, and somewhat vague in its
details, which can make compliance particularly challenging, especially for
small and medium-sized businesses.
History of GDPR
The right to privacy is enshrined in the 1950 European Convention on Human
Rights, which affirms that "Everyone has the right to respect for his private
and family life, his home and his correspondence." Building on this principle,
the European Union has aimed to protect this right through various legislative
measures. With the evolution of technology and the advent of the Internet, the
EU acknowledged the necessity for updated protective measures.
In 1995, the EU enacted the European Data Protection Directive, which set forth
essential standards for data privacy and security that each member state would
implement in its own laws. However, by that time, the Internet was rapidly
transforming into the extensive data collection platform we see today. The first
online banner advertisement appeared in 1994, followed by online banking being
offered by many financial institutions by 2000. In 2006, Facebook became
publicly accessible to users.
A widely cited case arose in 2011 when a Google user sued the company over its
scanning of her e-mails. Soon afterwards, in January 2012, the European
Commission proposed a comprehensive reform of the 1995 directive. The General
Data Protection Regulation (GDPR) was adopted by the European Parliament and the
Council in April 2016, entered into force in May 2016, and after a two-year
transition period became enforceable against all organizations within its scope
on May 25, 2018.
What Data Does GDPR Protect?
Organizations may process personal data only on one of the lawful bases set out
in Article 6; consent is one of those bases, not a blanket requirement. As
defined in Article 4(1), personal data is any information relating to "an
identified or identifiable natural person", referred to as a data subject.
Personal data includes the following types of information:
- Name.
- Identification number.
- Location data.
- Any information that is specific to "the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
- Biometric data acquired through a technical process, such as facial imaging or fingerprinting.
- Information related to a person's health or healthcare.
- Racial or ethnic origin.
- Political opinions, religious or philosophical beliefs.
- Trade union membership.
Biometric data used to uniquely identify a person, health data, racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership are "special categories" under Article 9, together with genetic data and data concerning sex life or sexual orientation, and may be processed only under the narrower conditions that article sets out.
Principles of GDPR:
- Lawfulness, Fairness, and Transparency:
According to Article 5(1)(a), personal data shall be "processed lawfully, fairly and in a transparent manner in relation to the data subject."
Lawfulness is related to two things: choosing a proper lawful basis for processing personal data and avoiding illegal activities when processing personal data. There are six lawful bases for processing personal data, according to Article 6(1):
- Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;
- Protection of vital interest: processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child.
If a controller cannot establish a legal basis for a processing activity, that processing is unlawful. Fairness means that organizations must not use personal data in ways that are unjustifiably detrimental, unexpected or misleading to individuals. Transparency requires companies to communicate openly and clearly with individuals about how their personal data is used, including where it came from when it was not obtained from them directly (Articles 13 and 14).
- Purpose Limitation:
Organizations must have legitimate reasons for collecting and processing personal information. According to Article 5(1)(b), personal data shall be: "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…"
- Data Minimization:
This principle means collecting only the minimum data needed. According to Article 5(1)(c), personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
- Accuracy:
Companies must ensure that the personal data they hold is correct. According to Article 5(1)(d), personal data shall be "accurate and, where necessary, kept up to date", and every reasonable step must be taken to ensure that inaccurate data are erased or rectified without delay.
- Storage Limitation:
Personal data should only be kept as long as necessary. According to Article 5(1)(e), data shall be: "kept in a form which permits identification of data subjects for no longer than is necessary..."
- Integrity and Confidentiality:
Organizations should have security measures to protect data from unlawful use, loss, or destruction (Article 5(1)(f)). This includes both technical and organizational safeguards.
- Accountability:
The data controller is responsible for demonstrating GDPR compliance. According to Article 5(2): "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1."
Compliance documentation includes:
- Processing activities
- Technical and organizational measures
- Data protection policies
- Data protection impact assessments
- Appointment of a DPO, where Article 37 requires one
Who is Subject to GDPR Compliance?
The GDPR applies to any organization established in the EU that processes personal data, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects who are in the EU (Article 3). Citizenship is not the test: a non-EU citizen living in the EU is protected, and an EU citizen living abroad generally is not.
The GDPR defines the roles:
- Data subject: the identified or identifiable natural person the personal data relates to.
- Data controller: the party that determines the purposes and means of processing.
- Data processor: the party that processes personal data on behalf of the controller.
Penalties
There are two tiers of GDPR fines:
- First tier: up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4)).
- Second tier: up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)).
In addition to fines, individuals may seek compensation for damages caused by GDPR violations.
Data Protection Law in UAE
The UAE issued Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) in September 2021; it came into force on January 2, 2022 and is the first federal, sector-wide framework for protecting individuals' personal data. The UAE Data Office oversees enforcement.
Who Does the UAE Law Apply To?
- Controllers and processors located in the UAE, whether the data subjects are inside or outside the UAE
- Controllers and processors outside the UAE that process personal data of data subjects who are in the UAE
Who Is Exempt?
- Government data
- Government authorities
- Judicial/security authorities' data
- Individuals processing their own data for personal use
- Health data and banking/credit data already regulated by sector-specific laws
- Companies and institutions in free zones that have their own data protection laws, such as the DIFC and ADGM
Key Provisions of PDPL:
- Consent:
Consent is the default basis for processing personal data; processing without consent is permitted only in the cases the law lists (for example, where it is necessary to perform a contract with the data subject, to protect the public interest, or to comply with a legal obligation). The conditions for valid consent are as follows:
- Consent can be given in writing or in electronic form.
- It must be clear, simple, unambiguous and easily accessible.
- It must indicate that the Data Subject can withdraw it at any time, and it must be easy to withdraw.
- Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Control Governing Data Processing:
- Lawfulness, Transparency & Fairness.
- A procedure for erasing or correcting inaccurate Personal Data must be in place.
- Data must be collected only for a specific and clear purpose.
- Processing of Personal Data must be protected from a breach, infringement, or illegal or unauthorized processing.
- Processed personal data should be sufficient for the purpose for which they are collected and limited to that specific purpose.
- Personal data must not be retained after the purpose for which it was processed has been fulfilled, unless it is anonymised so that it no longer identifies the data subject.
- An individual's personal data must be accurate, updated, and complete at all times.
- Any other control which may be set by Executive Regulations.
- Record of Processing Activities:
Article 7(4) of the PDPL requires entities processing personal data to maintain a special record of personal data, which must be provided to the Office by the Controller upon request. Key Elements:
- Description of categories of personal data possessed
- Details of controller and data protection officer
- Duration of the processing
- Details of persons granted authorised access, the purpose of processing, cross-border transfers, technical and organisational measures etc.
- Security Measure:
The PDPL necessitates that both the controller and the processor establish measures to safeguard the personal data of data subjects. The controller and processor are required to implement the following technical and organizational measures.
The Controller:
- Establish appropriate technical and organizational measures and procedures to apply the necessary standards to protect and secure the confidentiality and privacy of personal data and safeguard it.
- Apply measures such as pseudonymisation both when determining the means of processing and during the processing itself.
- Apply the measures in respect of default settings as well to ensure that the processing is limited to the intended purpose.
- Maintain proper Records of Processing Activities.
- Appoint a Processor who can implement technical and organizational measures with appropriate guarantees.
The Processor:
- Protect and secure processing operations.
- Protect and secure the media and electronic devices used in the processing.
- Erase or hand over the data to controller post expiry of the processing period.
- Establish appropriate technical and organizational measures and procedures to safeguard personal data when defining and undertaking the processing of Personal Data.
- Processing should be limited to purpose and set period.
- Refrain from taking actions that could result in the disclosure of personal data or processing of the same.
- If more than one processor is involved, set in place a contract defining their processing-related obligations, responsibilities and roles.
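The pseudonymisation item in the controller's list above is the one technical control in that list, and it is often implemented badly. The following Python example, added here and not taken from the page or from the law, contrasts an unkeyed SHA-256 of an e-mail address, which an attacker holding a candidate list re-identifies immediately, with an HMAC-SHA256 pseudonym under a secret key held separately from the dataset, and shows that using a different key per purpose keeps the same person unlinkable across datasets. The e-mail addresses and the keys are constructed for the demo.

```python
"""Keyed pseudonymisation versus a bare hash (added illustration; sample
identifiers and keys are constructed, not taken from any real dataset)."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def plain_hash(identifier: str) -> str:
    """Unkeyed hash: deterministic and public, so anyone can recompute it."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Normalising the input first means
    ' Bob@Example.COM ' and 'bob@example.com' map to one pseudonym."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonym: str, candidates: Iterable[str], key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: hash each candidate and compare. With key=None this
    is what an attacker holding only the dataset and a list of likely
    identifiers can do; with the key it is the controller's own controlled
    re-identification path, which is why the key must be stored separately."""
    for cand in candidates:
        digest = plain_hash(cand) if key is None else pseudonymise(cand, key)
        if hmac.compare_digest(digest, pseudonym):
            return cand
    return None


def run_demo() -> dict:
    # Constructed sample: the target and an attacker's candidate list (e.g. a
    # scraped or breached mailing list) that happens to contain the target.
    target = "bob@example.com"
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]

    # Keys are generated here for the demo; in production they live in a KMS or
    # HSM, separate from the pseudonymised dataset, with one key per purpose.
    key_analytics = secrets.token_bytes(32)
    key_support = secrets.token_bytes(32)

    bare = plain_hash(target)
    keyed = pseudonymise(target, key_analytics)

    return {
        "bare_hash_reidentified": reidentify(bare, candidates),            # attacker succeeds
        "keyed_reidentified_without_key": reidentify(keyed, candidates),   # attacker fails
        "keyed_reidentified_with_key": reidentify(keyed, candidates, key_analytics),
        "normalised_input_matches": pseudonymise(" Bob@Example.COM ", key_analytics) == keyed,
        "linkable_across_purposes": pseudonymise(target, key_support) == keyed,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two properties to check in a real deployment are where the key lives and how many keys there are: if the key sits in the same database as the pseudonymised records, a breach hands the attacker the controlled re-identification path; if one key is reused for every purpose, the pseudonym becomes a join key across datasets, which undoes the purpose limitation the same list of controls demands.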
- Data Protection Impact Assessment (DPIA):
Where processing, particularly processing that uses new technologies, is likely to pose a high risk to the privacy of data subjects, the Controller must assess that risk before processing begins. Key elements of a DPIA:
- A clear description of what the processing activity is and its purpose.
- An analysis of whether the processing is necessary and proportionate to that purpose.
- Risk assessment of the protection of personal information of data subjects.
- Data Breach:
Article 1 of the PDPL defines a personal data breach as a breach of information security or personal data through illegal or unauthorised access, including unauthorised copying, transmission, distribution or other processing that destroys, alters, discloses or causes the loss of personal data.
- On becoming aware of a breach that would prejudice the privacy, confidentiality or security of personal data, the controller must notify the Data Office; a processor must notify its controller, and the controller must also notify the affected data subjects where the breach would prejudice their privacy.
- The notification to the Data Office must include the following information:
- The nature of the breach, its cause, and the categories and approximate number of data subjects and records affected.
- The likely consequences of the breach.
- The measures taken or proposed by the controller to address and remedy the breach.
- Cross-Border Data Transfer:
Similar to the GDPR, the cross-border transfer provisions under the PDPL can be classified based on the existence of an adequate level of protection.
- An adequate level of protection is said to be available if there is special legislation on personal data protection or if there is a bilateral or multilateral agreement between the UAE and the recipient country.
- In the absence of an adequate level of protection, data can be transferred if:
- A contract or agreement lays down obligations related to data protection,
- The transfer is based on the express consent of the data subject,
- The transfer is necessary to fulfil legal obligations, establish, exercise or defend legal rights,
- It is necessary for the execution of a contract, international judicial cooperation, or the protection of the public interest.
Rights of Individuals:
- Right to obtain information: Individuals have the right to be informed about how their Personal Data is being processed.
- Right to access: Individuals have the right to obtain access to their Personal Data.
- Right to data portability: Individuals can obtain their Personal Data in a structured, machine-readable format and have it transferred to another controller where technically feasible.
- Right to correction or erasure: Individuals can require inaccurate information to be corrected or erased.
- Right to restrict or stop processing: Individuals may require businesses to restrict or stop processing their data.
- Right to file a complaint: Individuals can file a complaint with the UAE Data Office.
- Right to withdraw consent: Individuals can withdraw consent given to a business at any time.
Data Protection Officer (DPO):
Companies must appoint a DPO where their processing poses a high risk to data subjects, for example because it uses new technologies or involves large volumes of sensitive personal data or systematic assessment such as profiling. The DPO may be an employee or an external party, based inside or outside the UAE.
Responsibilities of a DPO:
- Ensure legal and regulatory compliance by the controller or the processor.
- Ensure the existence and effectiveness of the measures implemented.
- Provide appropriate advice regarding existing measures, conduct periodic assessments, and document the results of these assessments.
- Respect the confidentiality of personal information when performing duties.
- Receive data subject requests and act as a point of contact.
Penalties
The Data Protection Law does not expressly state the penalties that will apply
for breaches of the Law. The level of sanctions will be specified in subsequent
executive regulations, including any administrative penalties that may be
imposed.
Conclusion
The global framework of data protection regulations is undergoing rapid changes,
reflecting a growing acknowledgment of personal privacy as a fundamental right.
Notable examples of this shift include the Digital Personal Data Protection Act,
2023 in India, the General Data Protection Regulation (GDPR) in the European
Union, and the Personal Data Protection Law in the United Arab Emirates. These
legislative efforts highlight a worldwide commitment to defending individual
rights and providing safeguards against unauthorized data handling and breaches.
In India, the DPDP Act establishes a comprehensive legal framework to
regulate the collection, storage, and use of personal information. The GDPR in
the EU outlines stringent obligations for data controllers and processors while
empowering individuals with greater control over their personal data. The UAE's
Data Protection Law similarly stresses the necessity of protecting personal
information in our digital era.
These regulations are built on shared fundamental principles, including the
requirement for clear consent for data processing, transparency in data handling
practices, and strict accountability standards. By focusing on these principles,
the laws aim to empower individuals and promote a culture that respects privacy
regarding personal data. It is vital for both individuals and organizations to
understand these regulations for compliance and to foster an environment that
prioritizes and protects personal information.
In today's digital landscape,
data protection transcends basic legal adherence; it represents a broader
ethical duty to respect and safeguard personal data. As online interactions
become increasingly prevalent, prioritizing data protection is crucial for
maintaining trust and accountability in our interconnected world.