In 2017, the Supreme Court of India pronounced a landmark judgment declaring the right to privacy a fundamental right under the framework of the right to life (Article 21) of the Indian Constitution. However, a standalone and comprehensive privacy law does not yet exist in India. Currently, the Information Technology Act 2000, read with its supplementary Rules, acts as the legal cornerstone for the protection of personal information.
Lawmakers and regulators progressively recognize the importance of data for economic and technological growth. Hence, 2021 witnessed key developments in the data privacy and personal data protection space across various sectors.
In terms of legislation, the Joint Parliamentary Committee’s report on the proposed data protection law has given the Data Protection Bill of 2021 (DPB) a new tone and tenor. The Reserve Bank of India developed restrictions for payment aggregators and lending applications, while the Bureau of Indian Standards formulated data privacy standards as an assurance framework for enterprises. The central government also pushed out due-diligence rules to regulate internet intermediaries.
These developments result from the meteoric adoption of technology, powered by enormous data sharing networks created by private and public entities. These networks depend on the personal data of individuals. In the absence of adequate privacy safeguards, there is a risk that personal data may be subjected to unauthorized access.
The JPC’s report paved the way for India’s data privacy and protection legal regime. The bill is yet to be tabled in the Parliament. However, a key point of discussion is that the bill in its current form deviates from its two predecessors (the 2018 and 2019 drafts).
A noteworthy change is the exemption extended to government agencies with respect to data processing. This exemption may be examined in the light of the recent Supreme Court judgment in the Pegasus spyware case, which involves allegations that the central government conducted surveillance on Indian citizens. The Hon’ble Court constituted a committee to assess the alleged violation of the right to privacy and make recommendations on the current surveillance laws to boost data protection practices. Hence, a prudent approach would be to consider bringing government agencies under the umbrella of the DPB to ensure individual privacy and enhance cybersecurity.
Under the latest draft, the DPB seeks to regulate the collection, storage, transfer and use of personal data. In addition, it extends the provision to foreign-based entities in case Indians are subjected to their data processing activities.
The bill’s main tenets include: individual consent, data breach notification, transparency (prior notice and a privacy policy describing data processing practices), purpose-based processing, technical security, and rights for individuals who part with personal data such as name and email ID, or sensitive personal data such as a social security number. Individuals would have more control over the processing of their data with these rights, as they would be able to access, correct and remove their data easily.
In August 2021, jurisprudence on privacy rights management took shape. The Madras High Court dismissed a petitioner’s claim to a right to be forgotten, in which he sought to have his criminal and court records expunged following his acquittal in the case. The court dismissed the petition because the fulfillment of a task in the public interest trumped the individual’s right to privacy. The court further stated that such rights would be more effectively implemented after India passed a data privacy law.
Several requirements set forth by the JPC’s report and revised DPB are worth ruminating over. Take, for instance, the data localization norms applicable to sensitive personal data and critical personal data (yet to be defined by the central government). The flow of data from India to a country abroad would be restricted.
These norms are perhaps a manifestation of India’s economic, national security and data protection concerns. Indians’ data is to be stored primarily in India and may be transferred abroad only if the individual provides consent, a contract duly approved by the DPA is in place, or the receiving entity can demonstrate compliance with applicable data protection laws. The receiving entity could also implement adequate technical (e.g., encryption and access control) and administrative (e.g., privacy policy and breach management process) safeguards to validate such data transfers.
The glaring concerns with the localization norms are the costs and technical capabilities required to segregate data, and the creation of a single point of failure, as data would have to be stored only on servers based in India, as opposed to the conventional practice of utilizing distributed servers across various jurisdictions.
The bill relies heavily on consent as the basis for processing data, requiring organizations to enable individuals to use a consent manager platform to give, withdraw, review and manage consent in an accessible, transparent and interoperable manner. Though the idea seems novel, it falls in uncharted waters.
As we await the passage of this bill in the Parliament, we can deduce that it requires organizations to revamp their operational practices in relation to data-related processes and embed privacy within their business procedures.
Building on the privacy principle of data minimization, wherein only those data elements required for processing are to be collected and stored, the RBI released its “Guidelines on Regulation of Payment Aggregators and Payment Gateways.” These guidelines seek to restrict payment aggregators, who facilitate payments between users and merchants using electronic/online payment modes, from storing card data and associated data (e.g., card number and CVV).
The RBI also recognized the growing gap in data security and privacy in the digital lending sector. Since digital lending applications have grown exponentially, the RBI formed a working group to assess the maturity of the privacy practices implemented, and recommended that data should only be stored on Indian servers.
The scope of the assessment would include transparency of data processing activities, whether a privacy notice or policy is in place, consent mechanism, and rights management to help users amend or delete their data. The working group would also study the breach of purpose limitation requirements, as often customers’ data is used to harass them.
IS 17428 is the latest standard issued by the BIS to govern the data privacy assurance practices of organizations. This standard provides a framework to establish, implement, maintain and update data privacy management practices. The standard has two parts. The first sets out technical and administrative requirements to protect the privacy of personal and sensitive data from the design stage of a product or service that would involve the collection of an individual’s data. The second part enumerates guidelines to support the implementation of the requirements in the first part.
While the first part is mandatory for compliance with the standard, the second part is merely advisory. Since India does not have a comprehensive data privacy law, it is worth reading this standard in conjunction with the compliance requirements under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, to develop secure data privacy practices in line with standards such as ISO 27001.
The grey area here is the lack of guidance on whether implementing the latest standard would be sufficient to comply with SPDI Rules. Therefore, organizations would be obligated to implement IS 17428 and treat it as a reference point to comply with SPDI Rules and the upcoming data protection law.
In attempting to balance privacy rights against national security and public order, the Ministry of Electronics and Information Technology codified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These rules set out due-diligence requirements, including the requirement to identify the first originator of any information transmitted over social media and messaging platforms. However, this requirement does not extend to the contents of electronic messages. Currently, this traceability requirement is being reviewed by the Delhi High Court to adjudicate its constitutionality vis-à-vis the right to privacy. Although the government has clarified that it has no intention of violating the right to privacy, it remains to be seen whether the extent of mandated disclosures would impinge on the actual contents of the messages being communicated, as the basis for tracking is state sovereignty and security.
Technology and finance writer Byrne Hobart famously remarked that “the whole point of communicating is to violate your own privacy in a controlled way.” Perhaps these words have inspired WhatsApp, currently under legal scrutiny for the terms of an amended privacy policy. According to the policy, users can “opt-in” to share data with Facebook to continue using WhatsApp services. The Competition Commission of India launched an investigation into the potential impact of WhatsApp’s new rules on the Indian market. The main concern is that the opt-in violates the essential characteristics of legitimate consent (transparent, withdrawable and free of consequences such as denial of services).
Regulators, legislators, the judiciary and industry can expect 2022 to be a busy year. It has been more than three years since the EU General Data Protection Regulation went into effect, and India is on the verge of following the EU’s lead and streamlining its data protection regulations, even though there are reports of a possible re-draft of the bill. The interplay of sector-specific regulations and a general law on data protection would likely trigger deliberations and actions on a wide array of privacy concerns. Moreover, with the rapid adoption of cutting-edge technologies such as blockchain and AI, it would be a worthy endeavor to track and study how the current set of regulations would apply to frameworks based on decentralization and anonymization. Meanwhile, organizations should consider conducting periodic audits and assessments of their privacy procedures to better visualize the types of data they collect, its flow within the company, and its storage timelines and locations, and initiate remediation steps to close any gaps they observe.