
PART IV - Regulation and Enforcement

Chapter 1: Enforcement Model


After data protection law is codified, a structured enforcement mechanism is needed to ensure compliance with its
substantive provisions. Effective enforcement requires sound institutional design and an overall approach that
aligns with the individual elements of the framework. Enforcement models consist of:

(i) Command and control; (ii) Self-regulation; and (iii) Co-regulation.

(i) Command and control: This approach requires the State to lay down legal rules or clear prescriptions for
regulated entities, leaving no room for discretion. If the rules are not followed, the State can impose a
sanction. Several issues arise with this approach, such as whether the state machinery involved should be
unified, how independent it should be from governmental control and industry influence, whether it should
have a regional spread, and what regulatory tools and forms of sanction it should have at its disposal. The
approach is too rigid and lags behind rapid technological change.

(ii) Self-regulation: In this approach there is no interference from the State, and private organisations comply
with standards that they have set themselves. The US is a good example of a jurisdiction with largely self-
regulatory elements, though a few sector-specific and state-specific laws are also in place. On the other hand,
a pure self-regulation approach may lack enforcement and may lead to a situation where the objectives that a
data protection law seeks to achieve are not met.

(iii) Co-regulation: This involves a mixture of command and control and self-regulation. It also involves
sharing responsibility between government and private organisations for drafting and enforcing regulations.
The Justice AP Shah Committee also suggested the co-regulatory approach. Co-regulation may seem like an
appropriate middle path that combines the flexibility of self-regulation with the rigour of government
rule-making. This report suggests that it may be appropriate to pursue such a co-regulatory model, moulded
to meet the circumstances as they emerge in the Indian context.

Chapter 2: ACCOUNTABILITY AND ENFORCEMENT TOOLS


The data protection law must incorporate the principle of accountability. A data controller can be held
accountable for breach of data protection obligations, and in certain well-defined conditions can also be held
liable where it causes harm to an individual, without proof of any other violation. The white paper asks for
such harms, for which the data controller should be held liable, to be identified. It elaborately discusses the
EU's principle of accountability, which involves a two-fold approach. First, a data controller should take
appropriate measures to implement data protection principles. Second, a data controller must be in a position
to demonstrate, when asked by a supervisory authority, that such measures have been adopted.

Before commencing any type of data processing, the data controller must consider the relevant standards in
the law that apply to that processing. It has to frame a policy or procedure that shows how it intends to
implement those standards. When harm is suffered in connection with data processing, the data controller
bears the burden of proving that its organisation has a policy or procedure for preventing harm to individuals.
If no such policy exists, or it is not strictly implemented, the data controller will be liable for damages. In
any case, the data subject should not be left without recourse: even if the data controller shows that the data
subject gave consent, or that it took measures, this is not sufficient to disclaim its liability. The white paper
also considers the principle of strict liability.

It is essential to define what constitutes harm in order to determine the liability of the data controller. Harms
suffered by a data subject include loss of reputation or financial loss. The white paper suggests that harm
should be categorised as material or non-material. Where the nature of the processing is inherently risky, the
data controller should be strictly liable; where harm is occasional, the data controller has to take appropriate
measures. Modern data handling, however, makes processing complex. In most cases an application
programming interface (API) is responsible for passing the primary data collected from the data subject to a
secondary data controller, and if harm is suffered in this situation it is difficult to allocate liability. While the
principle of joint and several liability may be applied, it could be unfair to controllers who have genuinely
taken all care and diligence to safeguard the individual from harm. So adequate effort should be made to
ensure that those who have been given access to the data take care of it and do not harm it.

In many cases harm caused by improper processing of data is not immediately evident unless a large number
of people suffer it, and such delay is not acceptable. The white paper suggests that there must be proactive
measures to detect these harms at an early stage. An audit requirement would mean that the data controller
must maintain records of measures and processes that could provide proof of compliance with the data
protection principles. With the increase in cyber-attacks there is a high risk to personal data, so appropriate
technical and organisational measures to ensure the security of personal data are central to the principle of
accountability. The white paper suggests that the approach of the EU General Data Protection Regulation
(GDPR) to general security obligations for data controllers should be followed. The EU GDPR focuses on a
"risk-based approach" for continual assessment and adoption of mitigation measures. It does not specify
whether the organisation should adopt a particular risk assessment industry standard (e.g. ISO 27001, ISO
31000). The only security practice it recommends is the pseudonymisation of personal data. Under the existing
privacy framework in India, Rule 8 of the SPDI Rules mentions security practices containing managerial,
technical, operational and physical security control measures that are commensurate with the information
assets being protected and the nature of the business. It also mentions the use of international information
technology security standards such as ISO 27001 and of codes of best practice created by self-regulatory
bodies, once approved and duly notified by the government.

The expert committee says that a risk-based approach to dealing with potential security and associated privacy
incidents could be the general norm. It therefore suggests that the approach should define the risk criteria,
mitigation measures, and mechanisms to ensure reporting and continual improvement.

Various international practices have been considered regarding the accountability principle.

The EU GDPR requires data controllers to implement appropriate technical and organisational measures to
ensure, and be able to demonstrate, that data processing activities are performed in accordance with the data
protection obligations. To comply with the standard set by the EU GDPR, a data controller has to implement
internal data protection policies, maintain relevant documentation of processing activities, and use data
protection impact assessments where appropriate. South Africa's Protection of Personal Information (POPI)
Act sets out conditions for lawful processing of personal data: accountability, processing limitation, purpose
specification, further processing limitation, information quality, openness, security safeguards, and data
subject participation. It says that the responsible party (data controller) must secure the integrity and
confidentiality of personal information in its possession by taking appropriate and reasonable technical and
organisational measures to prevent loss, damage or unauthorised destruction of personal information, and
must also prevent unlawful access to, and unlawful processing of, personal information. The POPI Act also
imposes obligations on third parties that process data on behalf of the responsible party: such a third party
must be authorised to handle the processing and must treat the data as confidential. If there is unauthorised
access to an individual's personal information, the responsible party must inform the Information Regulator
and the individual and take steps to restore the position. The Australian Privacy Act has no specific provision
on the accountability principle but addresses it through the Australian Privacy Principles (APPs). For
example, APP 1 makes it mandatory for an entity to take reasonable steps to implement privacy practices
within the entity and to ensure compliance with the other data protection obligations under the Privacy Act.
Entities are obliged to destroy personal information that is no longer required by the entity for any purpose,
and the Office of the Australian Information Commissioner (OAIC) issues a guide to securing personal
information. In Canada, Schedule 1 of the Personal Information Protection and Electronic Documents Act
(PIPEDA) sets out that an organisation is responsible for any personal information under its control. The
organisation is responsible not only for information under its direct control but also where it transfers
information to a third party; it is expected to ensure that the third party provides a comparable level of
protection while processing the personal information. The Act further states that an organisation must provide
a higher level of security for sensitive information.

ENFORCEMENT TOOLS

The white paper suggests that appropriate regulatory tools and mechanisms that best suit the Indian context
need to be determined. For this, the expert committee discussed the following:

A. Codes of Practice; B. Personal Data Breach Notification; C. Categorisation of Data Controllers; and
D. Data Protection Authority.

A. Code of practice or conduct: It is essential to introduce a code of conduct in order to have a workable co-
regulatory data protection framework. A well-written code of conduct clarifies an organisation's mission,
values and principles and creates transparency. In a co-regulatory system, a code of conduct or practice is
integrated into the broader regulatory scheme through recognition of different types of code in the general
statute, while adoption of a code remains voluntary and its formulation still involves industry participation.

Various countries include such codes of conduct in their data protection frameworks. The white paper
discusses the code of conduct provisions of countries such as Australia, Canada, the UK, the EU and South
Africa. The EU GDPR defines five subjects on which a code of conduct can be formulated. After representative
bodies prepare a draft code of conduct, it is submitted to the supervisory authority, which gives an opinion and
checks that the code complies with the EU GDPR; the code is then approved and published. In the UK, section
51(3) of the Data Protection Act (DPA) says that the Information Commissioner may himself prepare and
disseminate codes of practice after consultation. Further, under section 51(4) of the UK DPA, the Information
Commissioner has to encourage the preparation of such codes by trade associations. A draft code prepared by a
trade association is submitted to the Information Commissioner for consideration and for an opinion on whether
the code promotes good practice. In Canada, section 24(c) of PIPEDA requires the Privacy Commissioner to
encourage organisations to develop detailed policies and practices, including organisational codes of practice,
towards compliance with processing obligations. Of all these countries, Australia has the most extensive
provisions on codes of conduct, such as the Australian Privacy Principles (APP) Code and the Credit Reporting
Code. Such a code can be developed by an entity, a group of entities or a representative body, and the Office
of the Australian Information Commissioner (OAIC) has the authority to approve a code made by entities; the
OAIC can also make such a code directly. In South Africa, Chapter 7 of the Protection of Personal Information
(POPI) Act lays down detailed provisions for codes of conduct, and a failure to comply with a code of conduct
is deemed to be a breach of the lawful processing conditions.

B. PERSONAL DATA BREACH NOTIFICATION

Data breaches can take many forms, including hackers gaining access to data through a malicious attack; lost,
stolen or temporarily misplaced equipment; employee negligence; and system failure. It is essential to deal
with these breaches and to establish a process for coping with them. On the basis of the fundamental principles
of information security, a breach can be classified as a breach of confidentiality, integrity or availability, and
all three may occur at the same time. The white paper therefore first tries to define a data breach and compares
the definitions of data breach used in different countries.

The EU GDPR defines a "personal data breach" as "a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or
otherwise processed". All personal data breaches are security incidents, but not all security incidents are
necessarily personal data breaches: only a security incident that compromises the security, confidentiality or
integrity of personal data results in a personal data breach. In the US, personal data breaches are defined
under sector-specific statutes or specific state laws; provisions such as the Health Insurance Portability and
Accountability Act (HIPAA), the Privacy Technical Assistance Centre (PTAC), the California Security Breach
Notification Act, 2016 and the North Dakota Century Code define a security breach. Both the US sector-specific
laws and a comprehensive privacy legislation like the EU GDPR recognise the cause-and-effect relationship
between a security incident and a breach that may affect personal data.

Data Breach Notifications: This is the process of alerting or informing the data subject of a breach of data.
Whenever there is a data breach, the organisation has to notify the individual. Where there is a breach of
sensitive data, the organisation is required to inform the data subject as soon as possible, as per the EU GDPR.

Breach Detection and Notification Duration: Under the EU GDPR, after discovery of a breach the organisation
has 72 hours to notify the data subject. There has been much conflict over what the appropriate time for
notifying the data subject should be. Detection is more challenging when data is shared with third parties, so
it is necessary to define when the data subject has to be notified of a breach: when the third party discovers
the breach, or when the data controller is notified of it. Finding a data breach is very difficult and takes a
long time. Research conducted by the Ponemon Institute and sponsored by Arbor Networks found that the
average security breach (in the North America and EMEA regions) takes 197 days to detect in the retail
services sector and 98 days in the financial services sector. As per Section 6 of the New Mexico Data Breach
Notification Act, 2017 (New Mexico Data Breach Act), when there is a breach of the personal information of
a New Mexico resident, the owner of that data has to notify the resident within 45 days. The situation in the
Indian context differs from the EU and US, as privacy awareness differs. It is important to fix a time for
breach notification and to take account of the magnitude of the leak. The white paper discusses that if a data
breach affects millions of people, notification may follow the EU GDPR, i.e. within 72 hours. Large
organisations may use an automated notification process, but this will be difficult for small organisations.
The expert committee has come up with the solution that building a notification matrix based on the size of
the organisation, providing different time limits for notifying individuals, could be a way to tackle this
problem. At the same time the committee doubts this solution, as it risks complicating the notification
mechanism greatly. Once a personal data breach is established, the organisation must notify the competent
authority. Depending on the nature and magnitude of the breach and on whom the notification is addressed
to, the format of the notification has to be adapted. The media has to be involved only when the breach affects
a large number of people.

A standard format for notification could be drafted for administrative ease, but the content should reflect the
type of personal data breach, the estimated date of the breach (which could be given as a range), a general
description of the security incident, the estimated number of individuals affected by the breach, the steps
being taken to minimise the impact of the breach, and the future resolution.

C. CATEGORISATION OF DATA CONTROLLERS

It is essential to categorise data controllers, as not all processing activities pose risks of similar gravity, and
the nature and volume of the data processed vary. Some organisations are exempted on the basis of the nature
of the entity: under the Australian Privacy Act, for example, "small businesses" (with an annual turnover of
AUD 3 million or less) are exempt from obligations under the Act. Different jurisdictions have categorised
data controllers for the purposes of certain additional obligations, using varying criteria.

I. Registration: The entity collecting data is required to register with the competent authority. In the UK, as
per Section 17 of the UK DPA, no data controller may process personal data unless an entry for that entity is
included in the register maintained by the Information Commissioner, with an exemption where the processing
is not harmful.

II. Data Protection Impact Assessment: This is a process aimed at evaluating a newly initiated processing
activity of a data controller, assessing the necessity and proportionality of the activity and helping to manage
its risks. Many countries, such as Australia, Canada and the EU, use this impact assessment prior to data
processing. Under Article 35 of the EU GDPR it is mandatory to undertake a data protection impact
assessment prior to processing where a type of processing is likely to result in a high risk to the rights and
freedoms of individuals. In Australia, Section 33D of the Privacy Act empowers the Office of the Australian
Information Commissioner (OAIC) to direct an agency to carry out and submit a privacy impact assessment.
In Canada, the Treasury Board of Canada Secretariat has issued a directive making privacy impact
assessments mandatory for all governmental bodies covered under Section 3 of the Canada Privacy Act.

III. Data protection audits: This is a process undertaken by the entity itself, through an external auditor, to
check whether the overall policies of the entity are on par with data protection law. The EU GDPR envisages
a role for data protection audits within controller-processor contracts and as a responsibility of the data
protection officer. Under the UK DPA, the Information Commissioner is permitted to conduct audits with the
consent of the data controller. In Canada, Section 18 of PIPEDA enables the Privacy Commissioner to audit
the personal information management practices of an organisation after giving reasonable notice and at a
reasonable time. Australia also requires regular audits. In South Africa, under section 89 of the POPI Act,
the Information Regulator is required to assess "whether an instance of processing of personal information
complies with the provisions of the Act" in the prescribed manner.

IV. Data Protection Officer (DPO): The expert committee points to the appointment of a grievance officer
for grievance redressal purposes as per Rule 5(9) of the SPDI Rules. Under the EU GDPR, only certain data
controllers are required to designate a DPO, whose tasks are informing, advising and monitoring. In Canada,
under PIPEDA, an organisation may designate such an officer. The South African POPI Act adopts the
designation of an information officer from the Promotion of Access to Information Act, 2000. The white paper
suggests that there is a substantial need to designate individuals who are made centres of accountability
through their position in the data controller's organisation. Such individuals would have not only an advisory
function but also functions like receiving complaints and requests and fulfilling the requirements of a data
protection authority.

D. Data Protection Authority

The BN Srikrishna committee suggests that India needs a separate and independent data protection authority
to enforce the data protection legal framework. There are three broad categories of functions, powers and
duties that a data protection authority may perform: monitoring, enforcement and investigation;
standard-setting; and awareness generation. The EU GDPR provides that each EU member state has one or
more supervisory authorities, and has further provisions on the appointment, dismissal and term of members
of the supervisory authority. The UK, Canada, South Africa and Australia all have elaborate provisions on the
appointment, tenure and duties of the data protection authority, which is named differently in each country:
the Information Commissioner in the UK, the Privacy Commissioner in Canada, the Information Regulator in
South Africa and the Office of the Australian Information Commissioner (OAIC) in Australia. The functions,
duties and powers of the supervisory authority under the provisions of these countries, as discussed in the white
paper, are: monitoring, enforcement and investigation; advisory powers; standard-setting powers; awareness
generation; laying down codes of conduct and facilitating cross-border cooperation; and guidance-related
functions.

Chapter 3: ADJUDICATION PROCESS

Adjudication is a very important aspect of determining the rights and obligations of the parties to a dispute.
Under a data protection framework, adjudication determines the extent of the infringement by the data
controller against the data subject, the loss suffered, and the remedies available to the data subject. In the
Indian context, the IT Act provides for adjudicating officers, who are appointed to hear and adjudicate cases
pertaining to violations of the provisions of the IT Act. The Cyber Appellate Tribunal (CyAT) was set up under
section 48 of the IT Act to hear appeals on matters where the jurisdiction of civil courts was barred, i.e. where
the claim for injury or damage does not exceed Rs. 5 crores. Since its inception in 2006 it had passed merely
17 judgments till March 2017. The expert committee raised concerns about vacancies, resources, capacity and
infrastructure in the CyAT. Section 43 of the IT Act mandates that a person who commits any of the specified
acts under that provision has to pay compensation to the affected person. There does not appear to be any
specific limit on the amount of compensation payable under this provision until it exceeds Rs. 5 crores. Where
no penalty has been prescribed separately, the defaulting person is liable to pay a penalty not exceeding
Rs. 25,000 or compensation not exceeding Rs. 25,000. The expert committee has discussed the adjudication
provisions of countries like Australia, Canada, South Africa, the UK and the EU. The provisions in these
countries are broadly similar: the data subject can file a complaint with the supervisory authority, which then
investigates the matter. In the EU and UK the supervisory authority may, after satisfying itself that there has
been a breach, impose a penalty on the data controller, whereas in Canada and Australia the supervisory
authority's investigation report has to be submitted to the court for further hearing. The supervisory authority
can also take suo motu action or cognizance of a matter, and the data controller has a right to file an appeal
before the tribunal.

The white paper suggests that such adjudicating officers should be made independent, because they have to
investigate matters in which the data controller is the government itself. It further says that if an individual's
data is breached, the individual must first approach the data controller or a specific grievance redressal officer.
When the data controller fails to resolve the complaint, the individual can file a complaint with the data
protection authority, which can also take up a matter suo motu. The expert committee recommends that the
data protection authority may be given the power to impose civil penalties as well as to order the defaulting
party to pay compensation. In the case of compensation claims specifically, the consumer fora set up under the
Consumer Protection Act, 1986 (COPRA) typically act as avenues for filing such claims. Moreover, if all
compensation claims lie with the consumer fora, individuals may not be incentivised to file complaints with the
data protection authority for enforcement, and may instead file claims relating to compensation with the
consumer fora. Consequently, the white paper proposes that matters in which the compensation claim for
injury or damage does not exceed a prescribed threshold may lie with the data protection authority, while an
appeal from an order of the data protection authority granting such compensation, and matters in which the
compensation claim for injury or damage exceeds that threshold, may lie with the National Consumer Disputes
Redressal Commission (National Commission).

Chapter 4: REMEDIES

A. Penalties

The expert committee has recommended three possible models for the calculation of civil penalties, which
are as follows:

(i) Per day basis: A civil penalty may be imposed on the data controller for each day the violation continues,
which may or may not be subject to an upper limit.

(ii) Discretion of the adjudicating body subject to a fixed upper limit: The adjudicating authority may decide
the quantum of civil penalty leviable, subject always to a fixed upper limit prescribed under the applicable law.

(iii) Discretion of the adjudicating body subject to an upper limit linked to a variable parameter: The
adjudicating authority may decide the quantum of civil penalty leviable, subject always to an upper limit that
is linked to a variable parameter. The EU GDPR adopts a similar standard and sets the upper limit of the civil
penalty that may be imposed on a defaulting data controller as a percentage of its total worldwide turnover in
the preceding financial year.

The white paper also raises the concern that a per-day penalty is a deterrent for small-scale or start-up data
controllers, so it is not feasible and has to be left to the adjudicating body to decide. The highest form of
deterrence in relation to civil penalties may be where a per-day civil penalty is imposed subject to a fixed
upper limit or a percentage of the total worldwide turnover of the defaulting data controller in the previous
financial year, whichever is higher.

B. Compensation

An individual has the right to seek compensation from a data controller when she has suffered loss or damage
due to a violation of the data controller's obligations under a data protection legal framework. The expert
committee has pointed out limitations in the nature and scope of Section 43A of the IT Act. First, it applies
where a body corporate fails to maintain and implement reasonable security practices and procedures; it does
not appear to impose any liability to pay compensation on a government body or public authority in case of a
breach of data protection obligations by such entities. Second, Section 43A of the IT Act appears to apply only
when a body corporate has failed to maintain reasonable security practices and procedures, and it is unclear
whether the "reasonable security practices and procedures" referred to in Section 43A include the various
obligations under the SPDI Rules or only the security practices and procedures specified in Rule 8 of the SPDI
Rules.

Under the EU GDPR, a data processor is liable only where it has acted in violation of an obligation specifically
applicable to data processors, or has acted outside or contrary to the lawful instructions of the data controller.
Under the UK DPA, if an individual claims a certain amount of compensation, she will be required to
demonstrate how the data controller's failure. In Canada, under PIPEDA, the court may award damages to the
complainant, including damages for any humiliation that the complainant has suffered. In South Africa, under
the POPI Act, the Information Regulator may institute a civil action for damages in a court against the
responsible organisation for breach of the provisions of the Act.

C. OFFENCES

The law may treat certain actions of a data controller as offences and impose criminal liability. These may
include instances where any person recklessly obtains or discloses, sells, offers to sell or transfers personal
data to a third party without adhering to the relevant principles of the data protection law, particularly without
the consent of the data subject. The quantum of penalty and term of imprisonment prescribed may follow the
provisions of the IT Act. The power to investigate such an offence may lie with a police officer not below the
rank of Inspector. Various countries provide for both monetary and criminal liability. In South Africa there is
provision for both fine and imprisonment, whereas Canada has only monetary punishment, from CAD 100,00
to CAD 100,000. In the Indian context, the quantum of penalty and term of imprisonment prescribed may be
enhanced as compared to the provisions of the IT Act, and the white paper suggests that a more stringent
penalty may be prescribed where the data involved is sensitive personal data.
