The Aadhaar Verdict and the Surveillance Challenge - Ananth Padmanabhan & Vasudha Singh
Conventional responses to privacy protection, such as the notice-and-consent framework, are inapposite to a datafied world where ubiquitous data collection is facilitated by a range of advanced technologies. Such traditional frameworks also commonly vest the State with more leeway than private companies to access personal data, which amplifies privacy harms in case of State use of data. Despite the ominous possibility of State surveillance, the Indian judiciary has thus far grappled with the right to privacy through a narrow lens focused on individual privacy risks rather than structural moves towards a surveillance society. This article explores a different viewpoint by studying the structural effects of the Aadhaar project on privacy, which drastically differ from the individual harms that Indian privacy jurisprudence is equipped to address. It first introduces the Supreme Court’s engagement with the right to privacy through prior verdicts. It then explores the surveillance concerns raised by the petitioners in the Aadhaar verdict. This part examines the Supreme Court’s response to these surveillance challenges and its failure to address structural inroads on privacy through architectural design choices that deliberately prescribe low baseline protection. Finally, the article contrasts this approach with the more holistic perspective on citizen-State interaction evident in Justice Chandrachud’s minority view.
Web 2.0 and the Concept of ‘Data Controller’: Recent Developments in EU Data Protection Law - Maria Berger & David Eisendle
In order to operationalise the fundamental right to privacy, as reaffirmed by the Supreme Court in the landmark K.S. Puttaswamy judgment, the Indian government has recently introduced a draft data protection legislation. The present draft is inspired — to a considerable extent — by the EU’s GDPR and defines numerous key notions in largely identical terms. In view of these similarities, this paper seeks to examine the recent developments in the EU regarding the concept of ‘data controller’ and its application to what may be termed as a ‘Web 2.0 setting’. The paper commences with a review of the obligations imposed on controllers under the GDPR. Next, it introduces the ‘Web 2.0 setting’ and traces the evolution of the ‘data controller’ concept with the emergence of the internet. The paper then turns to a substantive analysis of the understanding of data controllers in a Web 2.0 context by examining the case of Wirtschaftsakademie Schleswig-Holstein, which concerns the potential joint controllership of Facebook and the administrator of a Facebook fan page. The final section challenges the interpretations of the concept previously adopted by the ECJ and provides suggestions to better realise the objectives of data protection law.
The Weight of Secrets: Assessing the Regulatory Burden for Informational Privacy in India - Lalit Panda
Given the galloping pace at which information technology continues to develop and penetrate our lives, it is inevitable that the aspirations of data protection will sometimes appear like hollow promises that the law cannot keep. This makes it essential to study the precise regulatory conditions that can allow for the effective enforcement of legal protections for informational privacy. This Article provides a holistic account of the likely breadth and regulatory burden of an effective data protection regime and attempts to flesh out various regulatory tools that can go into the design of a Data Protection Authority for India so as to account for the weighty duties it must bear. Touching on the proposals of the Srikrishna Committee while drawing on the experiences of other jurisdictions, it justifies the idea of a unified, cross-sectoral data protection regulator with a broad mandate, examines the limits of sectoral regulation, and clarifies the significance of and outlook for models such as co-regulation and responsive regulation, as well as the role of the much-vaunted principle of accountability. In assessing the enforcement burdens created by the substantive rights and duties of data protection, the article also provides pointers as to what we should expect from a privacy watchdog in India and how these expectations can best be met in practice.
Law Enforcement Access to Data in India: Considering the Past, Present, and Future of Section 91 of the Code of Criminal Procedure, 1973 - Tarun Krishnakumar
Developments in modern technology and the Internet have resulted in vastly greater quantities of information being stored in electronic form. In addition to gains for convenience, innovation, and the economy, this trend also means that law enforcement and other government agencies are required to increasingly turn to the digital domain to gather evidence for investigative or enforcement purposes. In the Indian context, this usually means having to rely on pre-digital era procedural powers such as Section 91 of the Code of Criminal Procedure, 1973. Drawing from existing literature, case law, and developments in policy, this article seeks to conduct an analysis of Section 91 with a view towards adding to the discourse surrounding calls for its reform. It concludes that, in its current form, the provision neither adequately accounts for privacy concerns nor provides clear and certain procedures for law enforcement agencies to compel production of evidence stored in electronic form. Several principles which have developed around the provision are no longer relevant in the digital age, others have the potential to excessively invade privacy, while several others internally conflict. It would be in the interests of both individuals and law enforcement agencies to seek timely review and reform of this provision to account for modern realities.
Accountability and Enforcement Aspects of the EU General Data Protection Regulation - Methodology for the Creation of an Effective Compliance Framework and a Review of Recent Case Law - Paolo Balboni, Martim Taborda Barata, Anastasia Botsi & Kate Francis
The General Data Protection Regulation (GDPR), which has been applicable within the EU/EEA since 18 May 2018, has brought about reinforced rules on personal data protection which have dramatically shifted the paradigm for all organisations bound by them. This includes not just those which actively handle personal data as a core part of their business model, but also those which are required to handle personal data (on employees, customers or suppliers, for example) as part of their day-to-day activities – in other words, all organisations falling under the GDPR’s scope. By holding organisations responsible for their own compliance, and requiring those organisations to carefully assess the risks to the rights, freedoms, and legitimate interests of individuals when implementing measures to address these rules, the GDPR demands a higher level of accountability from all organisations concerned – the ability to not only comply with the rules, but to also demonstrate that compliance has been achieved. To help organisations understand how they can address the practical implications brought about by the GDPR, this article seeks to break down a proposed Data Protection Compliance Framework – six overarching steps which, if correctly and comprehensively implemented by those organisations, will allow them to make the necessary adjustments to their internal practices to align with the GDPR’s requirements. To highlight the importance of implementing such a Framework, the article also explores the different types of powers granted to supervisory authorities in order to enforce the Regulation, and includes a selection of relevant supervisory authority decisions to allow insight into common types of GDPR breaches, and common enforcement responses (including fines) taken by those authorities.