Data Protection Laws: International Prospective: Hidayatullah National Law University Naya Raipur, C.G

The document discusses data protection laws from an international perspective. It begins with an introduction to data privacy and protection, including the types of personal information that often require protection, such as healthcare records, financial information, biometric data, and online activity. It then outlines the objectives of studying and analyzing data protection laws in various jurisdictions, with an emphasis on laws in the European Union, United Kingdom, India, and United States.

Uploaded by Rahul Sharma

DATA PROTECTION LAWS:

INTERNATIONAL PERSPECTIVE

Project submitted to

Mr. Atul S. Jaybhaye

Faculty: Cyber Law

Project submitted by

Rahul Sharma

(Section-B, Roll No. 125, Sem. -7)

HIDAYATULLAH NATIONAL LAW UNIVERSITY
NAYA RAIPUR, C.G.
ACKNOWLEDGEMENTS

The successful completion of any task would be incomplete without the mention of the
people who made it possible and whose constant guidance and encouragement crowned my
effort with success.

I would like to thank my course teacher Mr. Parvesh Rajput for providing me the topic of my
interest. I would also like to thank our Vice Chancellor for providing the best possible
I.T. and library facilities in the university.

I would also like to extend my warm and sincere thanks to all my colleagues, who
contributed in innumerable ways to the accomplishment of this project.

Rahul Sharma
Roll No. 125
Semester VII
Table of Contents

TOPIC                                                      PAGE NO.

Introduction                                                      4
Research Methodology                                              5
  o Methodology to Project
  o Objectives
Introduction                                                      6
International Perspective of Data Protection Laws                10
  o European Union Laws
History, Development and Current Position in India               12
Data Protection Laws in UK                                       19
Data Protection Laws in USA                                      22
Conclusion                                                       26
Webliography                                                     27
INTRODUCTION

Information privacy, or data privacy (or data protection), is the relationship between the
collection and dissemination of data, technology, the public expectation of privacy, and the
legal and political issues surrounding them.

Privacy concerns exist wherever personally identifiable information or other sensitive
information is collected, stored, used, and finally destroyed or deleted – in digital form or
otherwise. Improper or non-existent disclosure control can be the root cause of privacy
issues. Data privacy issues may arise in response to information from a wide range of
sources, such as

• Healthcare records
• Criminal justice investigations and proceedings
• Financial institutions and transactions
• Biological traits, such as genetic material
• Residence and geographic records
• Privacy breach
• Location-based service and geolocation
• Web surfing behaviour or user preferences using persistent cookies
• Academic research

The challenge of data privacy is to utilize data while protecting an individual's privacy
preferences and their personally identifiable information. The fields of computer
security, data security, and information security design and utilize software, hardware, and
human resources to address this issue. Since the laws and regulations related to Privacy and
Data Protection are constantly changing, it is important to keep abreast of any changes in the
law and to continually reassess compliance with data privacy and security regulations.
Within academia, Institutional Review Boards function to assure that adequate measures
are taken to ensure both the privacy and confidentiality of human subjects in research.
OBJECTIVES

The main objectives are:

• To study the concept of Data protection.

• To study and analyse various Data protection laws across the globe, primarily
emphasizing upon:
  • European Laws
  • UK Laws
  • Indian Laws
  • USA laws

RESEARCH METHODOLOGY

This is a doctrinal research project. This research paper is based on secondary and electronic
sources. Other references as guided by the Faculty of Corporate Law have been primarily helpful
in giving this project a concrete shape. Websites and articles have also been referred to.
Footnotes have been provided wherever needed, to acknowledge the source.
CHAPTER 1

INTRODUCTION
Information privacy, or data privacy (or data protection), is the relationship between the
collection and dissemination of data, technology, the public expectation of privacy, and the
legal and political issues surrounding them.

Privacy concerns exist wherever personally identifiable information or other sensitive
information is collected, stored, used, and finally destroyed or deleted – in digital form or
otherwise. Improper or non-existent disclosure control can be the root cause of privacy
issues. Data privacy issues may arise in response to information from a wide range of
sources, such as

• Healthcare records
• Criminal justice investigations and proceedings
• Financial institutions and transactions
• Biological traits, such as genetic material
• Residence and geographic records
• Privacy breach
• Location-based service and geolocation
• Web surfing behavior or user preferences using persistent cookies
• Academic research

The challenge of data privacy is to utilize data while protecting an individual's privacy
preferences and their personally identifiable information. The fields of computer
security, data security, and information security design and utilize software, hardware, and
human resources to address this issue. Since the laws and regulations related to Privacy and
Data Protection are constantly changing, it is important to keep abreast of any changes in the
law and to continually reassess compliance with data privacy and security regulations. Within
academia, Institutional Review Boards function to assure that adequate measures are taken to
ensure both the privacy and confidentiality of human subjects in research.
INFORMATION TYPES

Various types of personal information often come under privacy concerns.

Internet

The ability to control the information one reveals about oneself over the internet, and who
can access that information, has become a growing concern. These concerns include
whether email can be stored or read by third parties without consent, or whether third parties
can continue to track the websites that someone has visited. Another concern is if the
websites that are visited can collect, store, and possibly share personally identifiable
information about users.

The advent of various search engines and the use of data mining created a capability for data
about individuals to be collected and combined from a wide variety of sources very
easily. The FTC has provided a set of guidelines that represent widely accepted concepts
concerning fair information practices in an electronic marketplace called the Fair Information
Practice Principles.

In order not to give away too much personal information, emails should be encrypted.
Browsing of web pages, as well as other online activities, can be made harder to trace through
"anonymizers" or, where those are not trusted, through open-source distributed anonymizers
(so-called mix nets) such as I2P or Tor, The Onion Router.

Email isn't the only internet content with privacy concerns. In an age where increasing
amounts of information are going online, social networking sites pose additional privacy
challenges. People may be tagged in photos or have valuable information exposed about
themselves either by choice or unexpectedly by others. Caution should be exercised with
what information is being posted, as social networks vary in what they allow users to make
private and what remains publicly accessible. Without strong security settings in place and
careful attention to what remains public, a person can be profiled by searching for and
collecting disparate pieces of information, worst case leading to cases of cyberstalking or
reputational damage.

Cable television

This describes the ability to control what information one reveals about oneself over cable
television, and who can access that information. For example, third parties can track IP TV
programs someone has watched at any given time. "The addition of any information in a
broadcasting stream is not required for an audience rating survey, additional devices are not
requested to be installed in the houses of viewers or listeners, and without the necessity of
their cooperation, audience ratings can be automatically performed in real-time."

Medical

People may not wish for their medical records to be revealed to others. This may be because
they have concern that it might affect their insurance coverages or employment. Or, it may be
because they would not wish for others to know about any medical or psychological
conditions or treatments that would bring embarrassment upon themselves. Revealing
medical data could also reveal other details about one's personal life. There are three major
categories of medical privacy: informational (the degree of control over personal
information), physical (the degree of physical inaccessibility to others), and psychological
(the extent to which the doctor respects patients’ cultural beliefs, inner thoughts, values,
feelings, and religious practices and allows them to make personal decisions). Physicians and
psychiatrists in many cultures and countries have standards for doctor-patient relationships,
which include maintaining confidentiality. In some cases, the physician-patient privilege is
legally protected. These practices are in place to protect the dignity of patients, and to ensure
that patients will feel free to reveal complete and accurate information required for them to
receive the correct treatment. To view the United States' laws on governing privacy of private
health information, see HIPAA and the HITECH Act.

Financial

Information about a person's financial transactions, including the amount of assets, positions
held in stocks or funds, outstanding debts, and purchases can be sensitive. If criminals gain
access to information such as a person's accounts or credit card numbers, that person could
become the victim of fraud or identity theft. Information about a person's purchases can
reveal a great deal about that person's history, such as places he/she has visited, whom he/she
has contacted with, products he/she has used, his/her activities and habits, or medications
he/she has used. In some cases, corporations may use this information to target individuals
with marketing customized towards those individual's personal preferences, which that
person may or may not approve.

Locational

As location tracking capabilities of mobile devices are advancing (location-based services),
problems related to user privacy arise. Location data is among the most sensitive data
currently being collected. A list of potentially sensitive professional and personal information
that could be inferred about an individual knowing only his mobility trace was published
recently by the Electronic Frontier Foundation. These include the movements of a
competitor sales force, attendance of a particular church or an individual's presence in a
motel, or at an abortion clinic. A recent MIT study by de Montjoye et al. showed that
four spatio-temporal points, approximate places and times, are enough to uniquely identify
95% of 1.5 million people in a mobility database. The study further shows that these
constraints hold even when the resolution of the dataset is low. Therefore, even coarse or
blurred datasets provide little anonymity.
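The re-identification result described above can be reproduced in miniature. The Python script below is an added illustration and is not part of the original project or of the cited study: it builds a constructed toy table of user visits (timestamp, latitude, longitude), coarsens each visit to a grid cell and a time bucket, and then computes exactly what fraction of (user, k-point) combinations pin down a single user, at a fine and at a coarse resolution. The records, the cell sizes, the resolution labels and the function names are all assumptions made for this example; the point it demonstrates is that coarsening the dataset lowers uniqueness but does not remove it, and that a handful of points already identifies most users.

```python
"""Re-identification risk of mobility traces, measured on constructed toy data.

Added illustration for the de Montjoye et al. finding quoted in the text; the
records, cell sizes and function names below are assumptions of this example.
Each visit is coarsened to a (latitude cell, longitude cell, time bucket) point,
and uniqueness(k) is the exact fraction of (user, k-point subset) combinations
whose k points match exactly one user in the dataset.
"""
import math
from collections import defaultdict
from fractions import Fraction
from itertools import combinations

H = 3600  # seconds per hour

# Constructed sample records: (user, timestamp in seconds, latitude, longitude).
# A and B live one fine cell apart and share a workplace; D's trace is a subset
# of C's; E shares only the workplace with A and B. Nothing here is real data.
RECORDS = [
    ("A", 0 * H, 12.345, 77.585), ("A", 1 * H, 12.345, 77.585), ("A", 2 * H, 12.345, 77.585),
    ("A", 9 * H, 12.355, 77.605), ("A", 10 * H, 12.355, 77.605),
    ("B", 0 * H, 12.345, 77.595), ("B", 1 * H, 12.345, 77.595),
    ("B", 9 * H, 12.355, 77.605), ("B", 10 * H, 12.355, 77.605),
    ("C", 1 * H, 12.445, 77.685), ("C", 2 * H, 12.445, 77.685),
    ("C", 10 * H, 12.455, 77.705), ("C", 18 * H, 12.365, 77.625),
    ("D", 1 * H, 12.445, 77.685), ("D", 2 * H, 12.445, 77.685), ("D", 10 * H, 12.455, 77.705),
    ("E", 0 * H, 12.545, 77.585), ("E", 9 * H, 12.355, 77.605), ("E", 14 * H, 12.465, 77.625),
]


def coarsen(lat, lon, ts, cell_deg, bucket_hours):
    """Map a raw visit to a grid cell and a time bucket at the chosen resolution."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg), ts // (bucket_hours * H))


def build_index(records, cell_deg, bucket_hours):
    """Return {user: set of coarsened points visited} at the given resolution.

    Coarsening merges repeated visits to the same cell in the same bucket, so a
    trace shrinks as the resolution drops, exactly as in a blurred dataset.
    """
    traces = defaultdict(set)
    for user, ts, lat, lon in records:
        traces[user].add(coarsen(lat, lon, ts, cell_deg, bucket_hours))
    return dict(traces)


def matching_users(traces, points):
    """Users whose trace contains every point in `points` (the candidate set)."""
    return [user for user, trace in traces.items() if points <= trace]


def uniqueness(traces, k):
    """Exact fraction of (user, k-point subset) pairs that identify exactly one user."""
    total = unique = 0
    for user, trace in traces.items():
        for combo in combinations(sorted(trace), k):
            total += 1
            if len(matching_users(traces, set(combo))) == 1:
                unique += 1
    return Fraction(unique, total) if total else Fraction(0)


def risk_table(records, resolutions, ks=(1, 2)):
    """uniqueness(k) for each (label, cell_deg, bucket_hours) resolution and each k."""
    table = {}
    for label, cell_deg, bucket_hours in resolutions:
        traces = build_index(records, cell_deg, bucket_hours)
        table[label] = {k: uniqueness(traces, k) for k in ks}
    return table


# Assumed resolutions: ~1 km cells with hourly buckets vs ~10 km cells with 6-hour buckets.
RESOLUTIONS = [("fine: 0.01 deg, 1 h", 0.01, 1), ("coarse: 0.1 deg, 6 h", 0.1, 6)]

if __name__ == "__main__":
    for label, by_k in risk_table(RECORDS, RESOLUTIONS).items():
        row = ", ".join(f"k={k}: {v} ({float(v):.0%})" for k, v in by_k.items())
        print(f"{label:24} {row}")
```

On this toy data a single point identifies 8 of 19 fine-resolution points' owners and two points identify 5/7 of the combinations; coarsening to 0.1-degree cells and 6-hour buckets drops those figures to 1/4 and 5/9, not to zero. A privacy engineer would run the same exhaustive (or, for large data, sampled) measurement over a pseudonymised dataset before release, since the blurring that looks sufficient on paper is the thing this check is meant to test.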

Political

Political privacy has been a concern since voting systems emerged in ancient times.
The secret ballot is the simplest and most widespread measure to ensure that political views
are not known to anyone other than the voters themselves—it is nearly universal in
modern democracy, and considered to be a basic right of citizenship. In fact, even where
other rights of privacy do not exist, this type of privacy very often does.

Educational

In the United Kingdom in 2012, the Education Secretary Michael Gove described
the National Pupil Database as a "rich dataset" whose value could be "maximised" by making
it more openly accessible, including to private companies. Kelly Fiveash of The Register said
that this could mean "a child's school life including exam results, attendance, teacher
assessments and even characteristics" could be available, with third-party organizations being
responsible for anonymizing any publications themselves, rather than the data being
anonymized by the government before being handed over. An example of a data request that
Gove indicated had been rejected in the past, but might be possible under an improved
version of privacy regulations, was for "analysis on sexual exploitation".
CHAPTER 2

DATA PROTECTION LAWS AT THE INTERNATIONAL LEVEL

As the strongest data protection laws to date come into force for citizens in the European
Union, Consumers International looks at the key components of the new EU General Data
Protection Regulation and takes a snapshot of data protection regulations for consumers
across the globe.

The EU General Data Protection Regulation

The EU's General Data Protection Regulation (or GDPR) came into effect on 25 May
2018, replacing the previous minimum standards for processing data provided in the Data
Protection Directive of 1951. Though many of the main concepts and principles from the
Directive underpin the GDPR, there are critical updates intended to address the implications
of the digital age and the ways in which consumers' and citizens' data is collected, analysed
and transmitted by new types of business practices and models, such as social networks,
mobile applications and e-commerce.

• For the consumer, GDPR has strengthened rights. Individuals now have the power to
demand that companies reveal or delete the personal data they hold.
• For regulators, GDPR makes provisions which stipulate that data protection law will
become identical throughout all EU member states. This should encourage partnership
working and create a more harmonious environment for regulators, who previously
worked independently and had to launch separate actions in each jurisdiction.
• GDPR requires businesses to be more accountable to the people whose data they
collect and imposes much tougher punishments for those who fail to comply. All
businesses handling EU citizens' data, whether based in the EU or outside, must
comply with GDPR. Any business found not doing so could be charged fines of up to
€20 million or 4% of the company's global annual turnover.1

1
https://www.dlapiperdataprotection.com/

The main changes

• Audit trail: Companies must have a record of when and how an individual has given
consent.
• Right to be forgotten: In some circumstances, GDPR gives individuals the power to
get their personal data erased, i.e. where it is no longer necessary for the purpose it was
collected, if consent is withdrawn, there is no legitimate interest, or if it was
unlawfully processed. In this instance the controller and the people they have shared
your information with will need to ensure it is permanently deleted.
• Automated decision-making: In some cases, individuals have the right not to be subject
to decisions based on automated processing without any human intervention. (Source:
EU, Rules for the protection of personal data inside and outside the EU.)
• Data portability: A new right under the GDPR, this enables individuals to request the
transmission of their data to another controller to allow the data subject to make
further use of the data. The further use could be to analyse bank transaction data for
spending patterns and insights, or to move contacts from one network to another.
• Transparency of data collection and transmission: Companies must make clear how
they collect people's information, what purposes they use it for, and the ways in
which they process the data. This must be done in clear, easy to understand language.
• Accessing your data: People will a) no longer be charged to access their data and b)
have the right to access any information a company holds on them within one month
of asking. They can also ask for that data, if incorrect or incomplete, to be rectified.
• Mandatory breach notification: Companies' monitoring protocols must be able to
recognise and act on breaches as soon as they happen. Companies must alert both
their data protection authority and the people affected by the data breach within 72
hours of becoming aware of it, giving full details of the breach and an incident
recovery plan proposal for mitigating its effects.
• Data Protection Officer: Companies over a certain size who regularly and
systematically monitor or process data on a large scale must employ a data protection
officer who will act as a point of contact for employees and customers with data
protection queries.
• Children: Businesses will need to seek parental consent to process children's data.

GDPR will replace the EU's previous data law adopted in 1995 – before Google was even
registered as a domain name.
CHAPTER 3

Data Protection Laws in India

Data Protection refers to the set of privacy laws, policies and procedures that aim to minimise
intrusion into one's privacy caused by the collection, storage and dissemination of personal
data. Personal data generally refers to the information or data which relate to a person who
can be identified from that information or data whether collected by any Government or any
private organization or an agency.

The Constitution of India does not expressly grant the fundamental right to privacy. However,
the courts have read the right to privacy into the other existing fundamental rights, i.e.,
freedom of speech and expression under Art 19(1)(a) and right to life and personal liberty
under Art 21 of the Constitution of India. However, these Fundamental Rights under the
Constitution of India are subject to reasonable restrictions given under Art 19(2) of the
Constitution that may be imposed by the State. Recently, in the landmark case of Justice K S
Puttaswamy (Retd.) & Anr. vs. Union of India and Ors., the constitution bench of the Hon'ble
Supreme Court has held Right to Privacy as a fundamental right, subject to certain reasonable
restrictions.

India presently does not have any express legislation governing data protection or privacy.
However, the relevant laws in India dealing with data protection are the Information
Technology Act, 2000 and the (Indian) Contract Act, 1872. A codified law on the subject of
data protection is likely to be introduced in India in the near future.

The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of
compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse
of personal data and violation of contractual terms in respect of personal data.

Under section 43A of the (Indian) Information Technology Act, 2000, where a body corporate
possessing, dealing with or handling any sensitive personal data or information is negligent
in implementing and maintaining reasonable security practices, resulting in wrongful loss or
wrongful gain to any person, such body corporate may be held liable to pay damages to
the person so affected. It is important to note that there is no upper limit specified for the
compensation that can be claimed by the affected party in such circumstances.
The Government has notified the Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules only
deal with the protection of "Sensitive personal data or information of a person", which covers
personal information relating to:

• Passwords;
• Financial information such as bank account or credit card or debit card or other
payment instrument details;
• Physical, physiological and mental health condition;
• Sexual orientation;
• Medical records and history;
• Biometric information.

The Rules provide the reasonable security practices and procedures which a body corporate,
or any person who on behalf of a body corporate collects, receives, possesses, stores, deals in
or handles information, is required to follow while dealing with "Personal sensitive data or
information". In case of any breach by the body corporate or by any person acting on its
behalf, the body corporate may be held liable to pay damages to the person so affected.

Under section 72A of the (Indian) Information Technology Act, 2000, disclosure of
information, knowingly and intentionally, without the consent of the person concerned and in
breach of the lawful contract has been also made punishable with imprisonment for a term
extending to three years and fine extending to Rs 5,00,000 (approx. US$ 8,000).

It is to be noted that s 69 of the Act, which is an exception to the general rule of maintenance
of privacy and secrecy of information, provides that where the Government is satisfied
that it is necessary in the interest of:

• the sovereignty or integrity of India,
• defence of India,
• security of the State,
• friendly relations with foreign States or
• public order or
• for preventing incitement to the commission of any cognizable offence relating to the
above or
• for investigation of any offence,

it may, by order, direct any agency of the appropriate Government to intercept, monitor or
decrypt or cause to be intercepted or monitored or decrypted any information generated,
transmitted, received or stored in any computer resource. This section empowers the
Government to intercept, monitor or decrypt any information, including information of a
personal nature, in any computer resource.

Where the information is such that it ought to be divulged in the public interest, the Government
may require disclosure of such information. Information relating to anti-national activities
which are against national security, breaches of the law or statutory duty, or fraud may come
under this category.

Information Technology Act, 2000

The Information Technology Act, 2000 (hereinafter referred to as the "IT Act") is an act to
provide legal recognition for transactions carried out by means of electronic data interchange
and other means of electronic communication, commonly referred to as "electronic
commerce", which involve the use of alternatives to paper-based methods of communication
and storage of information, and to facilitate electronic filing of documents with Government
agencies.

Grounds on which Government can interfere with Data

Under section 69 of the IT Act, any person, authorised by the Government or any of its
officer specially authorised by the Government, if satisfied that it is necessary or expedient so
to do in the interest of sovereignty or integrity of India, defence of India, security of the State,
friendly relations with foreign States or public order or for preventing incitement to the
commission of any cognizable offence relating to above or for investigation of any offence,
for reasons to be recorded in writing, by order, can direct any agency of the Government to
intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any
information generated, transmitted, received or stored in any computer resource. The scope of
section 69 of the IT Act includes both interception and monitoring along with decryption for
the purpose of investigation of cyber-crimes. The Government has also notified
the Information Technology (Procedures and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009, under the above section.

The Government has also notified the Information Technology (Procedures and Safeguards
for Blocking for Access of Information) Rules, 2009, under section 69A of the IT Act, which
deals with the blocking of websites. The Government has blocked the access of various
websites.

Penalty for Damage to Computer, Computer Systems, etc. under the IT Act

Section 43 of the IT Act imposes a penalty, without prescribing any upper limit, on any person
who does any of the following acts:

1. accesses or secures access to such computer, computer system or computer network;

2. downloads, copies or extracts any data, computer data base or information from such
computer, computer system or computer network including information or data held or stored
in any removable storage medium;

3. introduces or causes to be introduced any computer contaminant or computer virus into
any computer, computer system or computer network;

4. damages or causes to be damaged any computer, computer system or computer network,
data, computer data base or any other programmes residing in such computer, computer
system or computer network;

5. disrupts or causes disruption of any computer, computer system or computer network;

6. denies or causes the denial of access to any person authorised to access any computer,
computer system or computer network by any means;

7. provides any assistance to any person to facilitate access to a computer, computer system
or computer network in contravention of the provisions of this Act, rules or regulations made
thereunder;

8. charges the services availed of by a person to the account of another person by tampering
with or manipulating any computer, computer system, or computer network;

9. destroys, deletes or alters any information residing in a computer resource or diminishes its
value or utility or affects it injuriously by any means;

10. steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter
any computer source code used for a computer resource with an intention to cause damage.

A person who does any of these acts shall be liable to pay damages by way of compensation
to the person so affected.

Tampering with Computer Source Documents as provided for under the IT Act, 2000

Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals,
destroys, or alters any computer source code used for a computer, computer programme,
computer system or computer network, when the computer source code is required to be kept
or maintained by law for the time being in force, shall be punishable with imprisonment up to
three years, or with fine which may extend up to Rs 2,00,000 (approx. US$3,000), or with
both.

Computer related offences

Section 66 provides that if any person dishonestly or fraudulently does any act referred to in
section 43, he shall be punishable with imprisonment for a term which may extend to three
years or with fine which may extend to Rs 5,00,000 (approx. US$ 8,000) or with both.

Penalty for Breach of Confidentiality and Privacy

Section 72 of the IT Act provides for a penalty for breach of confidentiality and privacy. The
Section provides that any person who, in pursuance of any of the powers conferred under the
IT Act or Rules or Regulations made thereunder, has secured access to any electronic record,
book, register, correspondence, information, document or other material and, without the consent
of the person concerned, discloses such material to any other person, shall be punishable with
imprisonment for a term which may extend to two years, or with fine which may extend to Rs
1,00,000 (approx. US$ 3,000), or with both.

Amendments as introduced by the IT Amendment Act, 2008

Section 10A was inserted in the IT Act which deals with the validity of contracts formed
through electronic means which lays down that contracts formed through electronic means
"shall not be deemed to be unenforceable solely on the ground that such electronic form or
means was used for that purpose".2

The following important sections have been substituted and inserted by the IT Amendment
Act, 2008:

1. Section 43A – Compensation for failure to protect data.

2. Section 66 – Computer Related Offences

3. Section 66A – Punishment for sending offensive messages through communication
service, etc. (This provision had been struck down by the Hon'ble Supreme Court as
unconstitutional on 24th March 2015 in Shreya Singhal vs. Union of India)

4. Section 66B – Punishment for dishonestly receiving stolen computer resource or
communication device.

5. Section 66C – Punishment for identity theft.

6. Section 66D – Punishment for cheating by personation by using computer resource.

7. Section 66E – Punishment for violation of privacy.

8. Section 66F – Punishment for cyber terrorism.

9. Section 67 – Punishment for publishing or transmitting obscene material in electronic
form.

10. Section 67A – Punishment for publishing or transmitting of material containing sexually
explicit act, etc, in electronic form.

11. Section 67B – Punishment for publishing or transmitting of material depicting children in
sexually explicit act, etc, in electronic form.

2
https://www.pwc.in/assets/pdfs/publications/2018/an-overview-of-the-changing-data-privacy-landscape-in-india.pdf
12. Section 67C – Preservation and Retention of information by intermediaries.

13. Section 69 – Powers to issue directions for interception or monitoring or decryption of
any information through any computer resource.

14. Section 69A – Power to issue directions for blocking for public access of any information
through any computer resource.

15. Section 69B – Power to authorize to monitor and collect traffic data or information
through any computer resource for cyber security.

16. Section 72A – Punishment for disclosure of information in breach of lawful contract.

17. Section 79 – Exemption from liability of intermediary in certain cases.

18. Section 84A – Modes or methods for encryption.

19. Section 84B – Punishment for abetment of offences.

20. Section 84C – Punishment for attempt to commit offences.
CHAPTER 4

Data Protection Laws in UK

Data Protection Act 2018

The Data Protection Act 2018 (c 12) is a United Kingdom Act of Parliament that updates data
protection laws in the UK. It is a national law which complements the European Union's
General Data Protection Regulation (GDPR).

The Act introduces new offences that include knowingly or recklessly obtaining or disclosing
personal data without the consent of the data controller, procuring such disclosure, or
retaining the data obtained without consent. Selling, or offering to sell, personal data
knowingly or recklessly obtained or disclosed would also be an offence.

Essentially, the Act implements the EU Law Enforcement Directive; it implements those
parts of the GDPR which 'are to be determined by Member State law' and it creates a
framework similar to the GDPR for the processing of personal data which is outside the
scope of the GDPR. This includes intelligence services processing, immigration services
processing and the processing of personal data held in unstructured form by public
authorities.

The GDPR will, by s 3 of the European Union (Withdrawal) Act 2018, be incorporated
directly into domestic law immediately after the UK exits the European Union.3

The Data Protection Act

The Data Protection Act 2018 controls how your personal information is used by
organisations, businesses or the government. The Data Protection Act 2018 is the UK’s
implementation of the General Data Protection Regulation (GDPR).

3 https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

Everyone responsible for using personal data has to follow strict rules called ‘data protection
principles.’ They must make sure the information is:

 used fairly, lawfully and transparently
 used for specified, explicit purposes
 used in a way that is adequate, relevant and limited to only what is necessary
 accurate and, where necessary, kept up to date
 kept for no longer than is necessary
 handled in a way that ensures appropriate security, including protection against
unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

 race
 ethnic background
 political opinions
 religious beliefs
 trade union membership
 genetics
 biometrics (where used for identification)
 health
 sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and
offences.

Your rights

Under the Data Protection Act 2018, you have the right to find out what information the
government and other organisations store about you.4 These include the right to:

4 https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

 be informed about how your data is being used
 access personal data
 have incorrect data updated
 have data erased
 stop or restrict the processing of your data
 data portability (allowing you to get and reuse your data for different services)
 object to how your data is processed in certain circumstances

CHAPTER 5

Data Protection Laws in US

In the US, there is no single, comprehensive federal (national) law regulating the collection
and use of personal data, although each Congressional term brings proposals to standardise
such laws at the federal level. Instead, the US has a patchwork system of federal and state laws
and regulations that can sometimes overlap, dovetail and contradict one another. In addition,
there are many guidelines, developed by governmental agencies and industry groups, that do not
have the force of law but form part of self-regulatory guidelines and frameworks that are
considered "best practices". These self-regulatory frameworks have accountability and
enforcement components that are increasingly being used as a tool for enforcement by
regulators.

There is already a panoply of federal privacy-related laws that regulate the collection and
use of personal data. Some apply to particular categories of information, such as financial or
health information, or electronic communications. Others apply to activities that use personal
information, such as telemarketing and commercial e-mail. In addition, there are broad
consumer protection laws that are not privacy laws per se, but have been used to prohibit
unfair or deceptive practices involving the disclosure of, and security procedures for
protecting, personal information.5

Law and the regulatory authority

The US legislative framework for the protection of PII resembles a patchwork quilt. Unlike
other jurisdictions, the US does not have a dedicated data protection law, but instead
regulates primarily by industry, on a sector-by-sector basis. There are numerous sources of
privacy law in the US, including laws and regulations developed at both the federal and state
levels. These laws and regulations may be enforced by federal and state authorities, and many
provide individuals with a private right to bring lawsuits against organisations they believe
are violating the law.

5 https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa

Data protection authority

There is no single regulatory authority dedicated to overseeing data protection law in the US.
At the federal level, the regulatory authority responsible for oversight depends on the law or
regulation in question. In the financial services context, for example, the Consumer Financial
Protection Bureau and various financial services regulators (as well as state insurance
regulators) have adopted standards pursuant to the Gramm-Leach-Bliley Act (GLB) that
dictate how firms subject to their regulation may collect, use and disclose non-public personal
information. Similarly, in the health-care context, the Department of Health and Human
Services is responsible for enforcement of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) against covered entities. Outside of the regulated
industries context, the Federal Trade Commission (FTC) is the primary federal privacy
regulator in the US. Section 5 of the FTC Act, which is a general consumer protection law
that prohibits ‘unfair or deceptive acts or practices in or affecting commerce,’ is the FTC’s
primary enforcement tool in the privacy arena. The FTC has used its authority under section 5
to bring numerous privacy enforcement actions for a wide-range of alleged violations by
entities whose information practices have been deemed ‘deceptive’ or ‘unfair.’ Although
section 5 does not give the FTC fining authority, it does enable the Commission to bring
enforcement actions against alleged violators, and these enforcement actions typically have
resulted in consent decrees that prohibit the company from future misconduct and often
require audits biennially for up to 20 years. Under section 5, the FTC is able to fine
businesses that have violated a consent decree. At the state level, attorneys general also have
the ability to bring enforcement actions for unfair or deceptive trade practices, or to enforce
violations of specific state privacy laws. Some state privacy laws allow affected individuals
to bring lawsuits to enforce violations of the law.

Other laws

In addition to the laws set forth above, there are numerous other federal and state laws
areas. In addition to the laws set forth above, there are numerous other federal and state laws
that address privacy issues, including state information security laws and laws that apply to:

• consumer report information: Fair Credit Reporting Act (FCRA) and Fair and Accurate
Credit Transactions Act of 2003 (FACTA);

• children’s information: Children’s Online Privacy Protection Act (COPPA);

• driver’s information: Driver’s Privacy Protection Act of 1994 (DPPA);

• video rental records: Video Privacy Protection Act (VPPA); and

• federal government activities: Privacy Act of 1974.

Breaches of data protection

In general, violations of federal and state privacy laws lead to civil, not criminal, penalties.
The main exceptions are the laws directed at surveillance activities and computer crimes.
Violations of the federal Electronic Communications Privacy Act (ECPA) (which is
composed of the Wiretap Act, the Stored Communications Act, and the Pen Register Act) or
the Computer Fraud and Abuse Act (CFAA) can lead to criminal sanctions and civil liability.
In addition, many states have enacted surveillance laws that include criminal sanctions, in
addition to civil liability, for violations. Outside of the surveillance context, the US
Department of Justice is authorised to criminally prosecute serious HIPAA violations. In
circumstances where an individual knowingly violates restrictions on obtaining and
disclosing legally cognisable health information, the DOJ may pursue criminal sanctions.

Scope of legislation

The FTC Act. This applies to most companies and individuals doing business in the US,
other than certain transportation, telecommunications and financial companies (because these
industries are primarily regulated by other national agencies). The FTC's Behavioural
Advertising Principles are voluntary in nature, although many companies consider them "best
practices". They apply to website operators that engage in behavioural advertising (contextual
advertising and targeted advertising).

The GLB Act. This applies to financial institutions, defined to include a range of institutions
engaging in financial activities, such as banks, securities firms and insurance companies.
According to the FTC, the primary enforcer of GLB, an institution must be significantly
engaged in financial activities to be considered a financial institution and so come under GLB.
Whether an institution is significantly engaged in financial activities is a flexible standard
that takes into account all the facts and circumstances.

GLB also applies to third parties that are not financial institutions but that receive non-public
personal information from non-affiliated financial institutions.

The HIPAA. This applies to covered entities and business associates. Covered entities
include health plans, health care clearinghouses, and health care providers who conduct
certain financial and administrative transactions electronically. A business associate is a
person or entity that performs certain functions or activities that involve the use or disclosure
of PHI on behalf of, or provides services to, a covered entity. These activities include:

 Claims processing or administration.
 Data analysis and processing.
 Quality assurance.
 Billing.
 Benefit management.
 Practice management.
 Re-pricing.

The California Security Breach Notification Law. This applies to any person or business
that conducts business in California and that owns or licenses computerised data that includes
personal information.

The California Online Privacy Protection Act. This applies to an operator of a commercial
website, online service or mobile app that collects personally identifiable information
through the internet about individual consumers residing in California who use or visit its
commercial website or online service.6

6 https://www.huntonprivacyblog.com/wp-content/uploads/sites/28/2011/04/DDP2015_United_States.pdf

CONCLUSION

Technology is one of the major forces transforming our lives. However, its misuse causes
detrimental effects. The digital era has opened up a Pandora’s box of concerns such as data
theft, scams, eavesdropping and cyberbullying, to name a few, with the overarching concern
being the intrusion into the privacy of individuals. In an Indian context, various factors,
such as nuclear families and cultural views, have for ages stifled the need for personal space
and privacy. However, urbanization, digitization and changing lifestyles have resulted in a
growing demand amongst Indians for privacy and for protection of the information they share,
specifically on digital platforms. In the wake of recent developments, the Supreme Court's
holding that the 'Right to privacy' is a fundamental right lays the cornerstone for a strong
data privacy regime in India. The data protection framework proposed by the Committee of
Experts under the chairmanship of former Supreme Court judge Shri B N Srikrishna is the first
step in India's data privacy journey. While it is not possible to deter the growth and use of
technology, it is important to strike the right balance between the digital economy and
privacy protection, which is the key objective of the Data Privacy Framework.

BIBLIOGRAPHY

 https://searchdatabackup.techtarget.com/definition/data-protection
 https://www.dlapiperdataprotection.com/
 https://www.pwc.in/assets/pdfs/publications/2018/an-overview-of-the-changing-data-privacy-landscape-in-india.pdf
 https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
 https://www.straightlineinternational.com/docs/Data-Protection-Full.pdf
 https://www.consumersinternational.org/media/155133/gdpr-briefing.pdf
 https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa
 https://www.cfr.org/report/reforming-us-approach-data-protection
 https://www.gov.uk/data-protection/find-out-what-data-an-organisation-has-about-you
 https://content.next.westlaw.com/Document
 https://www.hg.org/data-protection.html
 https://www.huntonprivacyblog.com/wpcontent/uploads/sites/28/2011/04/DDP2015_United_States.pdf