Assignment Cyber.docx

  • Uploaded by: vishnu P
  • December 2019

Nandhinee E BA0150028

COMPARISON BETWEEN EU GDPR AND DATA PROTECTION BILL, 2018

1. SENSITIVE PERSONAL DATA

A. Under EU GDPR, sensitive personal data does not include financial data or passwords: Article 9 (1) - special categories of personal data are data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

B. Under the Data Protection Bill, 2018, sensitive personal data includes financial data and passwords: Section 3 (35)- “Sensitive Personal Data” means personal data revealing, related to, or constituting, as may be applicable— (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe; (xii) religious or political belief or affiliation; or (xiii) any other category of data specified by the Authority under section 22.

2. DATA CONTROLLER/FIDUCIARY

A. Under EU GDPR, Data Controller is defined under Article 4(7): ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

B. Under the Data Protection Bill, 2018, Data Fiduciary is defined under Section 3(13)- “Data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;

3. DATA LOCALIZATION FOR CROSS BORDER TRANSFER OF DATA

A. Under EU GDPR, no data localization is required.

B. Under the Data Protection Bill, 2018, data localization is compulsory: Section 40- Restrictions on Cross-Border Transfer of Personal Data. —
(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.
(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

4. AUTHORIZATION FOR CROSS BORDER TRANSFER OF DATA

A. Under EU GDPR, no special authorization is required for cross border transfer to a country that provides equal protection: Recital 103: The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation.

B. Under the Data Protection Bill, 2018, authorization is compulsory: Section 41- Conditions for Cross-Border Transfer of Personal Data. —
(1) Personal data other than those categories of sensitive personal data notified under subsection (2) of section 40 may be transferred outside the territory of India where—
(a) the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Authority; or
(b) the Central Government, after consultation with the Authority, has prescribed that transfers to a particular country, or to a sector within a country or to a particular international organisation is permissible; or
(c) the Authority approves a particular transfer or set of transfers as permissible due to a situation of necessity;

5. REMEDY FOR DATA BREACH

A. Under the EU GDPR: Articles 77 to 80 provide for remedies available to the data subjects in case of any infringement of the Regulations during the processing of personal data. Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. Article 82 provides for compensation as well.

B. Under the Data Protection Bill, 2018: Section 75 provides for compensation to a data principal in case any of his rights under the Bill is violated. A data processor shall be liable only where it has acted outside or contrary to the instructions of the data fiduciary pursuant to section 37, or where the data processor is found to have acted in a negligent manner, or where the data processor has not incorporated adequate security safeguards under section 31, or where it has violated any provisions of this Act expressly applicable to it. Any data principal who has suffered harm as a result of any violation of any provision under this Act, or rules prescribed or regulations specified hereunder, by a data fiduciary or a data processor, shall have the right to seek compensation from the data fiduciary or the data processor, as the case may be.

6. NOTICE

A. Under the EU GDPR, notice is given under Articles 12, 13 and 14 when data is collected, with all necessary details to ensure fair and transparent processing. Since financial data is not included in sensitive personal data, notice is not given when financial data is collected.

B. Under the Data Protection Bill, 2018: Under Section 8, notice is to be given to the data principal at the time of the collection of all data including financial data.

7. CRIMINAL BREACH

A. Under the EU GDPR, penalties under Article 84 do not provide for any imprisonment. It only provides for fines.

B. Under the Data Protection Bill, 2018, under Section 91, any person who knowingly or intentionally or recklessly, in contravention of the provisions of this Act—
(a) obtains sensitive personal data; or
(b) discloses sensitive personal data; or
(c) transfers sensitive personal data to another person; or
(d) sells or offers to sell sensitive personal data to another person
shall be punishable with imprisonment for a term not exceeding five years or shall be liable to a fine which may extend up to rupees three lakhs or both.
