CIPP/A Study Guide

Modern Privacy Principles
- The Organization of Economic Cooperation and Development ‘Guidelines Governing the Protection of Privacy and Trans-border Data Flows of Personal Data.” (1980)
  Not legally binding, no DPA or other supervisory body.
  
  Proposed minimum standards for:
  
  Protection of privacy and individual liberty: (Generally viewed as minimum principles common to all four international frameworks (EU, CoE, OECD, APEC).)
  - Collection limitation – limited, lawful, fair means; with consent or knowledge.
  - Data quality – relevant, accurate, up-to-date.
  - Purpose specification – at time of collection.
  - Use limitation – limited to purposes specified or compatible.
  - Security safeguards – reasonable.
  - Openness – concerning data practices.
  - Individual participation – right of access and correction.
  - Accountability – data controllers accountable for implementation.
  Free flow of personal data:
  - Members consider implications for other member countries of domestic processing and re-export of personal data.
  - Members take all reasonable steps to ensure that trans-border flows of personal data (including transit through member) are uninterrupted and secure.
  - Refrain from restricting trans-border flows of personal data between member and another member, except where latter does not substantially observe guidelines or where re-export would circumvent its domestic privacy legislation.
    
    Don’t develop laws, policies, practices in name of privacy and individual liberties that create obstacles to trans-border flows that would exceed requirements for protection.
  - Show Source Text
    
    OECD Guidelines
    
    PART TWO. BASIC PRINCIPLES OF NATIONAL APPLICATION
    
    Collection Limitation Principle
    
    7. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
    
    Data Quality Principle
    
    8. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
    
    Purpose Specification Principle
    
    9. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
    
    Use Limitation Principle
    
    10. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:
    
    a) with the consent of the data subject; or
    
    b) by the authority of law.
    
    Security Safeguards Principle
    
    11. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
    
    Openness Principle
    
    12. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
    
    Individual Participation Principle
    
    13. An individual should have the right:
    
    a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
    
    b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
    
    c) to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
    
    d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
    
    Accountability Principle
    
    14. A data controller should be accountable for complying with measures which give effect to the principles stated above.
    
    PART THREE. BASIC PRINCIPLES OF INTERNATIONAL APPLICATION: FREE FLOW AND LEGITIMATE RESTRICTIONS
    
    15. Member countries should take into consideration the implications for other Member countries of domestic processing and re-export of personal data.
    
    16. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.
    
    17. A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.
    
    18. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.
- The Asia Pacific Economic Cooperation privacy principles
  APEC includes 21 separate economies, including Singapore and Hong Kong
  - Nine from East Asia; 12 from Pacific Rim (incl. U.S., Canada).
  - 1/3 world’s population, ½ world’s GDP, about ½ world trade.
  Preventing Harm: remedies should prevent misuse of information and be proportionate to likelihood and severity.
  
  Notice: Fact of collection, purposes, to whom disclosed, ID and location of controller, choices for limiting, access, and correction.
  - May not be appropriate to give notice about collection and use of public info.
  Collection Limitation: Limited to info relevant to purpose; obtained by lawful and fair means with notice/consent where appropriate.
  
  Uses of PI: Only used to fulfill purposes of collection and compatible/related purposes except:
  - With consent of PI data subject.
  - When necessary to provide service or product requested by individual.
  - By authority of law.
  Choice: Requires consent, prominent, effective and affordable mechanisms for choice and review.
  
  Integrity of PI: PI should be accurate, complete and kept up-to-date within the scope of purpose of use.
  
  Security safeguards: Safeguards against risk should be proportional to likelihood and severity of harm.
  
  Access and correction: Individuals should be able to obtain PI and challenge accuracy (with correction/deletion), all in reasonable cost/time.
  - Except where burden or expense would be unreasonable or disproportionate to risks to individual’s privacy, legal issues, or would violate privacy of others.
  Accountability (and data export limitations):
  - Domestic accountability: Data controller should be accountable for security measures, no requirement for further obligations on processor.
    
    Transfer to third party requires consent of data subject and that discloser exercise due diligence – once due diligence is exercised, no further liability to controller.
  - Export accountability (recipient overseas)
    
    If data exported to jurisdiction without applicable privacy laws, there’s no right of action for data subject against exporter and importer, unless some other enforceable mechanism exists.
    
    Contractual clauses requiring APEC compliance will not provide remedy unless importer is in jurisdiction where consumer can enforce such clauses benefiting third parties.
    
    Allows exports, requiring only that exporter will exercise due diligence and take reasonable steps to ensure that recipient will protect information consistently with the Principles.
    
    If diligence exercised, no further liability on exporter.
    
    APEC’s Cross-Border Privacy Rules
  - Show Source Text
    
    APEC Privacy Framework
    
    The purpose of Part II of the APEC Privacy Framework is to make clear the extent of coverage of the Principles.
    
    Preventing Harm 14.
    Recognizing the interests of the individual to legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information. Further, acknowledging the risk that harm may result from such misuse of personal information, specific obligations should take account of such risk, and remedial measures should be proportionate to the likelihood and severity of the harm threatened by the collection, use and transfer of personal information.
    
    II. Notice 15.
    Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information that should include: a) the fact that personal information is being collected; the purposes for which personal information is collected; c) the types of persons or organizations to whom personal information might be disclosed; d) the identity and location of the personal information controller, including information on how to contact them about their practices and handling of personal information; e) the choices and means the personal information controller offers individuals for limiting the use and disclosure of, and for accessing and correcting, their personal information. 16. All reasonably practicable steps shall be taken to ensure that such notice is provided either before or at the time of collection of personal information. Otherwise, such notice should be provided as soon after as is practicable. 17. It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information.
- Fair Information Privacy Practices
  Efficiency Principle: Helps make information systems operate more fairly in the interests of both data controllers and subjects
  
  Surveillance Principle: limits the surveillance capacity of information systems in ways that are not necessarily in the commercial or administrative interests of data controllers.
  - Four conditions for acceptable surveillance:
    
    Personal data is kept accurate, complete, and up to date
    
    Openly promulgated rules of due process govern working of data systems, including decision making;
    
    Organizations collect and use for legitimate goals only;
    
    Persons described in data have the right to attest adherence to these principles.
  Finality Principle: OECD Guidelines and CoE Convention 108 and almost all of the national laws passed have added the requirement that organizations may only use or disclose the personal information they collect for the purpose which they collected it.
- Universal Declaration of Human Rights (1948)
  UDHR Article 12 – No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to protection of the law against such interference or attacks.
  - Similar to International Covenant on Civil and Political
Adequacy and the rest of the world
- Europe and the General Data Protection Regulation
  Personal data defined as any information that could be used on its own or in conjunction with other data to ID an individual.
  - Could include phone number without a name or address.
  Notice
  - Must disclose intended use and duration of storage.
  - Must re-solicit permissions for each new use.
  Individual rights
  - Opt in to storage use, management of PI.
  - Right to access, amend or request deletion.
  - Object to certain types of processing, e.g., profiling.
  Breach Notification
  - Mandatory breach notification to individuals.
  - To supervisory authority within 72 hours.
  Enforcement
  - Violations up to 4 percent of global turnover or 20M EUR, whichever is higher.
  - Joint liability for data processors and data controllers.
  The following list identifies the legality of data transfers between the EU and foreign countries:
  - Adequacy and cross-border data transfer
    
    Adequate countries:
    
    Personal data can flow between EU and these countries without any further safeguarding.
    
    Adequate countries include: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.
    
    United States and the EU-U.S. Privacy Shield:
    
    The EU-U.S. Privacy Shield ensures an adequate level of protection (according to EU).
    
    Self-certification
    U.S. organizations commit (yearly) to set of privacy principles issued by U.S. Department of Commerce. Applies to both controllers and processors, and processors must be contractually bound to act only on instructions from the EU controller.
    
    Either self-assessment or outside compliance.
    
    Four requirements for an organization
    
    Fall under enforcement authority of the FTC (Sec. 5) or other U.S. agency that can ensure compliance.
    
    Publicize commitment to adhere to Privacy Shield.
    
    Publicly disclose its privacy policy.
    
    Must actually implement the principles.
    
    Principles
    
    Notice – type of data collected, purpose, right of access and choice, conditions for onward transfer, liability.
    
    Data integrity and purpose limitation (also choice) – personal data limited to what is relevant for the purpose of the processing, reliable for its use, accurate, complete, current. May not use for incompatible purposes.
    
    New/changed purpose, but still compatible with original – right to opt out. Sub-processing must include contract.
    
    Security – reasonable and appropriate security measures.
    
    Access – right for non-excessive fee – to obtain confirmation of processing data and have data communicated.
    
    Recourse, enforcement, & Liability – organizations must have effective redress systems.
    
    Third party dispute resolution bodies.
    
    Alternatively, may appoint panel of DPA from EU Member States.
    
    Accountability for onward transfer – contract same level of protection.
    
    Deemed not adequate:
    
    Personal data can not flow between EU and these countries without further safeguarding.
    
    Countries deemed inadequate by the EU include: Australia, Mexico, Korea, Taiwan
  - Show Source Text
    
    GDPR Statement on Adequacy
    
    The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.
Elements of Personal Information
- Personal Data (EU) (HK) (SG)
  EU – Any information that could be used on its own or in conjunction with other data to ID an individual.
  
  HK – Must relate directly or indirectly to a living individual and from which it must be practicable for the individual to be ID’d, directly or indirectly, in a form in which access to or processing is practicable. Data also defined as being in a document.
  
  SG – Data, whether true or not, about an individual who can be ID’d (a) from that data or (b) from that data and other information to which the organization has or is likely to have access.
  - Show EU Source Text
    
    GDPR: Personal Data
    
    “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  - Show HK Source Text
    
    Hong Kong Personal Data Ordinance
    
    1) The information which relates to a living person and can be used to identify that person.
    
    (2) It exists in a form in which access or processing is practicable.
    
    Examples of personal data protected by the Ordinance include names, phone numbers, addresses, identity card numbers, photos, medical records and employment records.
  - Show SG Source Text
    
    Singapore Personal Data Protection Act
    
    “personal data” means data, whether true or not, about an individual who can be identified —
    
    from that data; or
    
    From the data and other information to which the organization has or is likely to have access;
- Personally Identifiable Information (US)
  US – (PII) Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means
  - Show Source Text
    
    US Department of Labor Guidance on the Protection of Personally Identifiable Information
    
    Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
- Sensitive Personal Information (IN)
  IN– Password; financial info; physical, physiological, or mental health; sexual orientation; medical records and history; biometrics; any detail of the above as provided to a corporate entity for providing services; any of the info receive above for storing or processing under lawful contracts.
  
  PUBLIC DOMAIN INFO IS EXEMPT.
  - Show Source Text
    
    India Information Technology Act 2000
    
    Information Classification
    
    Information assets must be classified according to their sensitivity and their importance to the organization. Since it is unrealistic to expect managers and employees to maintain absolute control over all information within the boundaries of the organization, it is necessary to advise them on which types of information are considered more sensitive, and how the organization would like the sensitive information handled and protected. Classification, declassification, labeling, storage, access, destruction and reproduction of classified data and the administrative overhead this process will create must be considered. Failure to maintain a balance between the value of the information classified and the administrative burden the classification system places on the organization will result in long-term difficulties in achieving success.
    
    Confidential is that classification of information of which unauthorized disclosure/use could cause serious damage to the organization, e.g. strategic planning documents.
    
    Restricted is that classification of information of which unauthorized disclosure/use would not be in the best interest of the organization and/or its customers, e.g. design details, computer software (programs, utilities), documentation, organization personnel data, budget information.
    
    Internal use is that classification of information that does not require any degree of protection against disclosure within the company, e.g. operating procedures, policies and standards inter office memorandums.
    
    Unclassified is that classification of information that requires no protection against disclosure e.g. published annual reports, periodicals.
    
    While the above classifications are appropriate for a general organization view point, the following classifications may be considered :
    
    Top Secret: It shall be applied to information unauthorized disclosure of which could be expected to cause exceptionally grave damage to the national security or national interest. This category is reserved for Nation’s closest secrets and to be used with great reserve.
    
    Secret: This shall be applied to information unauthorized disclosure of which could be expected to cause serious damage to the national security or national interest or cause serious embarrassment in its functioning. This classification should be used for highly important information and is the highest classification normally used.
    
    Confidentiality: This shall be applied to information unauthorized disclosure of which could be expected to cause damage to the security of the organisation or could be prejudicial to the interest of the organisation, or could affect the organisation in its functioning. Most information will on proper analysis be classified no higher than confidential.
    
    Restricted: This shall be applied to information which is essentially meant for official use only and which would not be published or communicated to anyone except for official purpose.
    
    Unclassified: This is the classification of information that requires no protection against disclosure.
- Pseudonymisation, de-identification and anonymization
  
  Pseudonymization – Separation of data from direct identifiers. May have re-identification risk.
  
  Anonymization – Process, not event.
Singapore Privacy Laws and Practices
- Legislative History and Origins
  Singapore government and legal system
  - Executively appointed Data Protection Advisory Committee oversees the Personal Data Protection Commission, which administers the Personal Data Protection Act.
    
    In effect in 2014.
    
    PDPA only has jurisdiction over private sector, not public.
    
    Many exceptions and exemptions.
  - One of last economically advanced countries to adopt comprehensive privacy protection.
  - Almost all privacy based on PDPA (see below).
    
    No explicit constitutional protections.
    
    Not party to any enforceable international treaties – not party to ICCPR.
  - Political structure
    
    Semi-democratic.
    
    Court systems renowned for efficiency and lack of corruption.
  Social Attitudes Toward Privacy and Data Protection
  - Few legal protections for human rights, but strong anti-corruption and rule-of-law traditions.
  - Privacy law motivated by economic rather than civil liberties or consumer protection.
  - Low level of press freedom.
  - Strict anti-defamation law.
  - No “public figure” doctrine.
  Surveillance and identification
  - Extensive and sophisticated surveillance of the population.
  - PDPA does not apply to government or public authorities.
  National Registration Identity Card and number
  - Not compulsory to carry, but production required for government services, hotels, bank accounts and private-sector physical access.
  - In private use:
    
    Individuals must be informed and consent to purposes for which NRIC numbers are collected, used, and disclosed by organizations
    
    Organizations should use appropriate security measures to protect information.
    
    Avoid over-collecting.
    
    Restricted use of ID numbers as user names or membership numbers to prevent disclose to third parties without consent.
    
    Collecting the cards themselves would also be governed by PDPA.
    
    Restrictions on publications of complete ID numbers
  SingPass
  - User-created password for access to electronic govt services.
  - Includes patient records from all hospitals and clinics.
  - Electronic Road Pricing for monitoring and charging for road usage.
  Constitutional protections
  
  Very little regarding privacy in constitution; some protection for individual liberties, generally.
  
  Common law protections
  
  Harassment Tort:
  - Malcomson Case (High Court 2001). Harassment = “a course of conduct by a person, whether by words or action, directly or through third parties, sufficiently repetitive in nature as would cause, and which he ought reasonably to know would cause, worry emotional distress or annoyance to another person.”
    
    Comprehensive injunction restraining defendants from contacting prosecutors.
  - BUT – Axa Insurance (High Court 2013) was not convinced of tort’s existence.
  Protection from Harassment Act (2014):
  
  Legislative solution covering stalking, online sexual harassment, bullying, and may apply even if accused or victim is outside SG.
  - Direct result of the court’s confusion regarding harassment.
  Sector-specific protections
  
  All sector-specific rules on privacy override PDPA protections.
  - See Singapore Harassment Act Source Text
    
    No person shall, with intent to cause harassment, alarm, or distress to another person, by any means-
    
    a. use any threatening, abusive, or insulting words or behaviour; or
    
    b. make any threatening, abusive, or insulting communication,
    
    thereby causing that other person or any other person (each referred to for the purposes of this section as the victim) harassment, alarm, or distress.
    
    (2) Any person who contravenes subsection (1) shall be guilty of an offence and subject to section 8, shall be liable on the conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both.
    
    (3) In any proceedings for an offence under subsection (2), it is a defence for the accused person to prove that his conduct was reasonable
    
    Singapore Harassment Act
- Personal Data Protection Act of 2012
  - Key Concepts and Practices
    
    Generally
    
    Closely follows OECD guidelines, not including the Openness guideline.
    
    Principles concerning collection, use (including secondary), and disclosure based on intersection:
    
    Collection Limitation
    
    Purpose Specification
    
    Notice
    
    Subject Consent
    
    Prohibits requiring individual to consent to collection, use, disclosure that is more than necessary to reasonably provide product or service.
    
    These requirements are tested by asking whether a reasonable person would consider the collection and or processing appropriate in the circumstances.
    
    Lacking in PDPA:
    
    No opt-out for direct marketing.
    
    No deletion right on request.
    
    No right to block use of data.
    
    No data breach requirements
    
    No concept of “sensitive data” categories.
    
    Data Protection Officer
    
    Organizations must designate one or more individuals to be responsible for ensuring compliance with PDPA.
    
    Must have info available to public.
    
    Simply designating an official does not relieve the Organization of responsibilities.
    
    Staff Training
    
    Organizations must develop policies and practices necessary for org to meet obligations under PDPA.
    
    Must communicate info to its staff about the organization’s policies and practices.
    
    Consent and exceptions to consent
    
    Organizations shall not collect, use, or disclose PD about an individual unless (a) individual gives or is deemed to have given consent, or (b) collection, use, disclosure, without consent, is authorized under PDPA or by other law.
    
    Individuals are deemed to have consented to collection, use, or disclosure by voluntarily providing their personal data to the organization for that purpose, where it is reasonable to do so.
    
    Cannot require consent beyond what is reasonable to provide product or service.
    
    Neither the requirement for consent nor notice applies for the lengthy schedules of exemptions:
    
    Where necessary, in interest of individual; whose consent cannot be timely obtained and could be expected; emergencies threatening life, health, safety; contacting next of kin for injured or deceased; publicly available personal data; national interest; investigation; (collection only) for artistic or literary; news org solely for news activity; by educational institutions about students to government bodies; for debt recovery; law enforcement; domestic and personal services; managing or terminating employment; business asset transactions; archival, historic.
    
    Second Schedule = exceptions to collection.
    
    Third Schedule = exceptions to use.
    
    Fourth Schedule = exceptions to disclosure.
    
    Where actual consent is required, failure to opt-out will not be regarded as consent in all situations, but will depend on actual facts and circumstances.
    
    Use
    
    Organization may only use for purposes of collection that were described in their notice.
    
    Disclosure
    
    If data given to third party, then controller must provide third party with info about purpose of collection so third party can make its own decision about whether disclosure is permitted.
    
    Safeguarding/Security
    
    Accuracy – Organizations must make reasonable effort to ensure personal data is accurate and complete if (and only if):
    
    It is likely to be used to make decisions about data subject.
    
    Or likely to be disclosed.
    
    Security – Organizations must make reasonable security arrangements.
    
    PDPC guidelines include administrative, physical, and technical measures depending on factors indicating seriousness.
    
    Accountability and Openness
    
    Openness
    
    Orgs must develop policies and practices to meet PDPA obligations.
    
    Must make info about privacy policies and complaint resolution available on request.
    
    Does not require publication of privacy policies.
    
    Does not require disclosure of all processing practices suggested by OECD.
    
    Accountability
    
    Requires designation of person responsible for compliance with PDPA and also requires business contact info.
    
    Does NOT require privacy officer with specific qualifications and obligations.
    
    Requires development of a process to receive and respond to complaints and make info about that process available.
    
    Access and Correction
    
    Access
    
    Access to personal data is required “as soon as reasonably possible” only for the year preceding the request.
    
    Fifth Schedule – organizations that need not provide access.
    
    Conditions where access is prohibited.
    
    E.g. protecting privacy of others, unless redaction satisfies condition.
    
    Correction
    
    Required unless organization considers on reasonable grounds that no correction should be made.
    
    Must be sent to third-party recipients who have received data in the last year, unless they do not need the correction for legal or business purposes.
    
    Sixth Schedule has exemptions.
    
    Corrections requested but not made must be annotated on person’s file; no requirement to alter opinions.
    
    Retention and Deletion
    
    Organizations must cease to retain (or de-identify, anonymize) personal data once reasonable that:
    
    Data no longer serves purpose of collection.
    
    Retention no longer necessary for business/legal purposes.
    
    Note: While business retention must be “legitimate,” it would be hard to prove that an action was not a legitimate interest.
    
    Where contracts are involved, businesses may retain records for 6 years after termination of contract.
    
    Anonymization
    
    Anonymized data is not personal data.
    
    Anonymization satisfies “ceases to retain.”
    
    If data can be re-identified (either on its own or in combination with other data), not anonymous.
    
    Transfer Out
    
    Local “data intermediaries” (third party processors)
    
    No obligations on intermediaries processing data on behalf of another org pursuant to a written contract except:
    
    Obligations concerning data security and data retention.
    
    Broad definition of Processing includes recording.
    
    Party for whom processing is done (data controller) is vicariously liable for breaches of PDPA by intermediary, provided they are done for its purposes.
    
    Difficult for data subject to determine who is liable because controller not obligated to give notice of using intermediaries.
    
    If intermediary is insolvent, data subject has no recourse against controller.
    
    PDPC suggests good practice for controller to do due diligence – especially because of vicarious liability.
    
    Extraterritorial scope
    
    Prohibition on transfer of personal data outside SG except in accordance with PDPA.
    
    Must take appropriate steps to ascertain whether recipient (outside SG) is bound by legally enforceable obligations to provide a standard of protection comparable to PDPA (e.g. laws, contracts, BCRs, etc.)
    
    PDPC has no whitelist of countries.
    
    No specific provision in PDPA.
    
    PDPA only applies to actions that take place in SG.
    
    Foreign companies without physical presence can still be liable under PDPA for actions in SG – e.g. collection or disclosure.
    
    International intermediaries
    
    Intermediary rules do not explicitly exclude intermediaries outside SG, however limitation on territorial obligations may exclude liability anyways.
    
    Data imports to SG processor.
    
    Only PDPA data security and deletion applies.
    
    PDPA does not apply to overseas controller.
    
    Probably no vicarious liability because controller is outside SG.
    
    Probably need to rely on controller’s country law.
  - Key Concepts and Practices Source Text
    
    Purpose
    
    The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
    
    (3)  An organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with this Act.
    
    (4)  An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation.
    
    (5)  An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4).
    
    (6)  The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act.
    
    Policies and practices
    
    An organisation shall —
    
    develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act;
    
    develop a process to receive and respond to complaints that may arise with respect to the application of this Act;
    
    communicate to its staff information about the organisation’s policies and practices referred to in paragraph (a); and
    
    make information available on request about —
    
    the policies and practices referred to in paragraph (a); and
    
    the complaint process referred to in paragraph (b).
    
    Link to Source Text
  - Background
    
    PDPA predecessor: National Internet Advisory Committee (NIAC) 2002 Report, Report on a Model Data Protection Code for the Private Sector.
    
    No legislation in Singapore dealt comprehensively with privacy or data protection.
    
    Computer Misuse Act generally criminalized unauthorized access to data, whether personal or not.
    
    Feb 2002, publication of Model Code did not resolve basic problem of incoherent patchwork for statute, case law, and guideline
  - Application and Scope
    
    Exemptions are potentially unlimited in scope because agency/PDPC, with approval of Minister, by order published in Gazette, may exempt anybody and anything as it wishes.
    
    PDPA inferior to all other written law, even law before PDPA was passed and possibly common law.
    
    Only Applicable to Private Sector
    
    Applies to any organization, given a wide definition – individuals and all types of associations
    
    Extraterritorial reach
    
    Like the GDPR, PDPA exerts extraterritorial reach and is explicitly extended to those who may not have any presence in Singapore.
    
    The primary requirement is that the contravention occurred in Singapore.
  - Application of Scope Source Text
    
    The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
    
    (6) Regulations may be made to provide for the application of any provision of this section, with such modifications as the Minister considers appropriate, to any body corporate or unincorporated association formed or recognised under the law of a territory outside Singapore.
    
    Source Text Link
  - Definitions
    
    Personal data
    
    Data, whether true or not, about an individual who can be ID’d (a) from that data or (b) from that data and other information to which the organization has or is likely to have access.
    
    ‘Business contact information’
    
    “[A]n individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes”
    
    ‘Data intermediary’
    
    “[A]n organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation”
    
    Publicly available
    
    “in relation to personal data about an individual, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event — at which the individual appears; and that is open to the public”
    
    What is “generally available”?
    
    Not unlimited, must have meaning.
    
    Difficult questions:
    
    Paid content.
    
    Only certain individuals have access (e.g. Facebook page).
    
    Content available solely because of data breach, especially if it can be removed.
    
    What is “observed by reasonably expected means”?
    
    PDPC considers the following exempt from the Act:
    
    CCTV footage in a store.
    
    Paid public events.
    
    But what about:
    
    Private party at public restaurant
    
    Interior of hired taxi?
    
    Survivorship
    
    PDPA does NOT apply to:
    
    Old Info.
    
    Does not apply to persons deceased for more than 10 years.
    
    Does not apply to records in existence for at least 100 years.
    
    Business contact information, except where specifically mentioned.
    
    Publicly available data.
    
    Public sector, e.g. agencies.
    
    No right to know if private company is working on behalf of public agency in collecting info.
    
    Individuals acting in personal or domestic capacity.
    
    Employee acting in the course of his employment.
  - Definitions Source Text
    
    “Personal Data” means data, whether true or not, about an individual who can be identified –
    
    from that data;
    
    from that data and other information to which the organisation has or is likely to have access;
    
    business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes;
    
    “data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation;
    
    publicly available”, in relation to personal data about an individual, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event —
    
    at which the individual appears; and
    
    that is open to the public
    
    Source Text Link
  - Do Not Call Registry
    
    Subscribers may register (or remove) their phone number with DNC Registry.
    
    No person shall send a specified message to a Singapore number unless the person checks the registry first.
    
    Callers may not require consent to specified messages beyond what is reasonably necessary to provide goods, services, etc. Consent not valid if false/misleading .
    
    Consumers may withdraw consent.
    
    S$10k fine per violation.
    
    Specified Message:
    
    Having regard to content, number, presentational aspects –
    
    one purpose of the message is to offer, supply, promote, or advertise –goods, services, supplier, land, business opportunity, provider.
    
    Does NOT include anything in Eighth Schedule, including: Public agencies to promoting noncommercial programs, Individuals in personal or domestic capacity, emergency services, ongoing business.
    
    Person who authorizes another to offer, advertise, or promote said goods, services, etc. – shall be deemed to have authorized the message unless person took reasonable steps to stop the sending of the message.
    
    ‘Specified message’ must include:
    
    ID and contact of sender.
  - DNC Source Text
    
    “No Fax Message Register” means the register listing Singapore telephone numbers to which a specified fax message shall not be sent;
    
    “No Text Message Register” means the register listing Singapore telephone numbers to which a specified text message shall not be sent;
    
    “No Voice Call Register” means the register listing Singapore telephone numbers to which a specified voice message shall not be sent;
    
    “register” means a Do Not Call Register called the No Fax Message Register, No Text Message Register or No Voice Call Register, as the case may be;
    
    “relevant telecommunication service”, in relation to a Singapore telephone number in respect of which a subscriber registration application under regulation 3 or a subscriber confirmation application under regulation 5, as the case may be, is made, means the telecommunication service to which the Singapore telephone number is allocated;
    
    “relevant telephone number” means a telephone number notified, from time to time, by the Commission on the specified website for the purpose of receiving a subscriber registration application under regulation 3 or a subscriber confirmation application under regulation 5, as the case may be, in respect of one or more registers;
    
    “SMS message” means a text message that is sent using a short message service;
    
    “specified fax message” means a specified message that is sent, or intended to be sent, to a Singapore telephone number by way of a facsimile transmission;
    
    “specified text message” means a specified message in any text, sound or visual form that is sent, or intended to be sent, to a Singapore telephone number, but does not include a specified fax message or a specified voice message;
    
    “specified voice message” means a specified message that is sent, or intended to be sent, to a Singapore telephone number by way of a voice call or video call using a telephone service, data service or any other electronic means;
    
    “specified website” means the Internet website of the Commission at http://www.dnc.gov.sg.
    
    Source Text Link
  - PDPA in an Employment Setting
    
    Employees generally protected when acting on behalf of the employer
    
    Defense for employer to prove that he took steps to prevent employee from doing bad act or conduct in the course of employment.
  - PDPA Employment Source Text
    
    Defence for Employee
    
    48. -(1) In any proceedings for an offence under this Part brought against any employee in respect of an act or conduce alleged to have been done or engaged in, as the case may be, by the employee, it is a defence for the employee to prove that he did the act or engaged in the conduct in good faith –
    
    in the course of his employment; or
    
    in accordance with instructions given to him by or on behalf of his employer in the course of his employment
    
    – (2) Subsection (1) does not apply to an employee who, at the time the act was done or the conduct was engaged in, was an officer and it is proved –
    
    the act was done or the conduce was engaged in with the consent or connivance of that officer; or
    
    the act done or the conduct engaged in was attributable to any neglect on the part of that officer.
    
    – (3) In subsection (2), “officer” has the same meaning as in section 52(5).
    
    See Source Text
  - Journalism and Media
    
    News organizations solely in relation to news activities.
    
    “Activities” is broad.
    
    BUT “news organization” is limited to newspapers, newswire services, or broadcasting.
    
    Probably excludes online publications not otherwise licensed as a news organization.
    
    Therefore, PDPA may apply to bloggers if they collect PI without consent.
    
    Exception for requirement to consent to collection.
  - Journalism and Media Source Text
    
    Collection of Personal Data Without Consent
    
    An organisation may collect personal data about an individual without the consent of the individual or from a source other than the individual in any of the following circumstances:
    
    …
    
    (h) subject to paragraph 2, the personal data is collected by a news organisation solely for its news activity;
    
    “news activity” means —
    
    (a) the gathering of news, or the preparation or compilation of articles or programmes of or concerning news, observations on news, or current affairs, for the purposes of dissemination to the public or any section of the public; or
    
    (b) the dissemination, to the public or any section of the public, of any article or programme of or concerning —
    
    (i) news;
    
    (ii) observations on news; or
    
    (iii) current affairs;
    
    “news organisation” means —
    
    any organisation —
    
    (a)
    
    (i) the business of which consists, in whole or in part, of news activity carried out in relation to a relevant broadcasting service, a newswire service or the publication of a newspaper; and
    
    (ii) which, if the organisation publishes a newspaper in Singapore within the meaning of section 8(1) of the Newspaper and Printing Presses Act (Cap. 206), is required to be a newspaper company within the meaning of Part III of that Act; or
    
    (b) any organisation which provides a broadcasting service in or from Singapore and holds a broadcasting licence granted under section 8 of the Broadcasting Act;
    
    See Source Text
  - Exemptions
    
    Public-sector
    
    Response to emergency
    
    National interest
    
    e.g. defense, security, international affairs, etc.
    
    Investigations in legal proceedings
    
    Evaluative purposes
    
    E.g. employment, education, insurance, etc.
    
    Determining suitability for employment, promotion, termination, education, athleticism, social assistance, etc
  - Exemption Source Text
    
    FIFTH SCHEDULE
    
    Section 21(2)
    
    EXCEPTIONS FROM ACCESS REQUIREMENT
    
    1. An organisation is not required to provide information under section 21(1) in respect of —
    
    (a) opinion data kept solely for an evaluative purpose;
    
    (b)any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
    
    (c) the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;
    
    (d) personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre;
    
    (e) a document related to a prosecution if all proceedings related to the prosecution have not been completed;
    
    (f) personal data which is subject to legal privilege;
    
    (g) personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation;
    
    (h) personal data collected, used or disclosed without consent, under paragraph 1(e) of the Second Schedule, paragraph 1(e) of the Third Schedule or paragraph 1(f) of the Fourth Schedule, respectively, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed;
    
    the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act —
    
    (i) under a collective agreement under the Industrial Relations Act (Cap. 136) or by agreement between the parties to the mediation or arbitration;
    
    (i)
    
    (ii) under any written law; or
    
    (iii) by a court, arbitral institution or mediation centre; or
    
    any request —
    
    (i) that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests;
    
    (ii) if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests;
    
    (j)
    
    (iii) for information that does not exist or cannot be found;
    
    (iv) for information that is trivial; or
    
    (v) that is otherwise frivolous or vexatious.
    
    SIXTH SCHEDULE
    
    Section 22(7)
    
    EXCEPTIONS FROM CORRECTION REQUIREMENT
    
    1. Section 22 shall not apply in respect of —
    
    (a) opinion data kept solely for an evaluative purpose;
    
    (b) any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
    
    (c) the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;
    
    (d) personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre; or
    
    (e) a document related to a prosecution if all proceedings related to the prosecution have not been completed.
    
    See Source Text
- Enforcement
  - Monetary Authority of Singapore
    
    Regulations and Guidance
    
    Organizations must perform customer due diligence.
    
    Notices on Prevention of Money Laundering and Countering the Financing of Terrorism
    
    Collect data to ID, know, and verify customers.
    
    Conduct regular account reviews.
    
    Monitor and report suspicious transactions.
    
    Individual’s Access and Rights
    
    Rights of access and correction are only available to data provided by the data subject.
    
    No right of access to how personal information may have been used or disclosed by FI.
    
    Protection of customer data
    
    The commission may, with the consent of both the complainant and the organization, bring issues to mediation.
    
    The commission, without the consent of the complainant and organization, has the power to review, provide directions, and enforce directions through District Courts.
  - Monetary Authority Source Texts
    
    ENFORCEMENT OF PARTS III TO VI
    
    Alternative dispute resolution
    
    7. —(1)  If the Commission is of the opinion that any complaint by an individual against an organisation may more appropriately be resolved by mediation, the Commission may, with the consent of the complainant and the organisation, refer the matter for mediation.
    
    (2)  Subject to subsection (1), the Commission may, with or without the consent of the complainant and the organisation, direct a complainant or the organisation or both to attempt to resolve the complaint of the individual in the way directed by the Commission.
    
    Power to review
    
    8. —(1)  On the application of a complainant, the Commission may review —
    
    (a) a refusal to provide access to personal data requested by the complainant under section 21, or a failure to provide such access within a reasonable time;
    
    (b) a fee required from the complainant by an organisation in relation to a request by the complainant under section 21 or 22; or
    
    (c) a refusal to correct personal data in accordance with a request by the complainant under section 22, or a failure to make such correction within a reasonable time.
    
    (2)  Upon completion of its review under subsection (1), the Commission may —
    
    (a) confirm the refusal to provide access to the personal data, or direct the organisation to provide access to the personal data, within such time as the Commission may specify;
    
    (b) confirm, reduce or disallow a fee, or direct the organisation to make a refund to the complainant; or
    
    (c) confirm the refusal to correct the personal data, or direct the organisation to correct the personal data, in such manner and within such time as the Commission may specify.
    
    Power to give directions
    
    9. —(1)  The Commission may, if it is satisfied that an organisation is not complying with any provision in Parts III to VI, give the organisation such directions as the Commission thinks fit in the circumstances to ensure compliance with that provision.
    
    (2)  Without prejudice to the generality of subsection (1), the Commission may, if it thinks fit in the circumstances to ensure compliance with Parts III to VI, give the organisation all or any of the following directions:
    
    (a) to stop collecting, using or disclosing personal data in contravention of this Act;
    
    (b) to destroy personal data collected in contravention of this Act;
    
    (c) to comply with any direction of the Commission under section 28(2);
    
    (d) to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit.
    
    (3)  Subsection (2)(d) shall not apply in relation to any failure to comply with a provision of this Act, the breach of which is an offence under this Act.
    
    (4)  The Commission shall, in any direction requiring the payment of a financial penalty, specify the date before which the financial penalty is to be paid, being a date not earlier than the end of the period within which an application for reconsideration of the direction, or an appeal against the direction, may be brought under section 31 or 34, respectively.
    
    (5)  The interest payable on the outstanding amount of any financial penalty imposed under subsection (2)(d) and for payment by instalment (as may be directed by the Commission in its discretion) of any financial penalty imposed under subsection (2)(d) shall be at such rate as the Commission may direct, which shall not exceed the rate prescribed in the Rules of Court in respect of judgment debts.
    
    (6)  Any interest ordered to be paid under subsection (5) shall form part of the penalty payable and be enforced in accordance with section 30.
    
    Enforcement of directions of Commission in District Court
    
    1. —(1)  For the purposes of enforcement of any direction made by the Commission under section 28(2) or 29, the Commission may apply for the direction to be registered in a District Court in accordance with the Rules of Court and the District Court shall register the direction in accordance with the Rules of Court.
    
    (2)  From the date of registration of any direction under subsection (1), the direction shall be of the same force and effect, and all proceedings may be taken on the direction, for the purposes of enforcement as if it had been an order originally obtained in the District Court which shall have power to enforce it accordingly.
    
    (3)  A District Court shall have jurisdiction to enforce any direction in accordance with subsection (2) regardless of the monetary amount involved and may, for the purpose of enforcing such direction, make any order —
    
    (a) to secure compliance with the direction; or
    
    (b) to require any person to do anything to remedy, mitigate or eliminate any effects arising from —
    
    (i) anything done which ought not, under the direction, to have been done; or
    
    (b)
    
    (ii) anything not done which ought, under the direction, to have been done, which would not have occurred had the direction been complied with.
    
    Reconsideration of directions or decisions
    
    1. —(1)  An organisation or individual aggrieved by —
    
    (a) any direction made by the Commission under section 27(2) or section 29(1) or (2); or
    
    (b) any direction or decision made under section 28(2),
    
    may, within 28 days after the issue of the direction or decision concerned, make a written application to the Commission to reconsider the direction or decision.
    
    (2)  Unless the Commission decides otherwise in any particular case, an application for reconsideration shall not suspend the effect of the direction or decision to be reconsidered except in the case of an application for reconsideration of a direction to pay a financial penalty or of the amount thereof.
    
    (3)  The application for reconsideration shall be made in such form and manner as the Commission may require and shall set out the grounds on which the applicant is requesting the reconsideration.
    
    (4)  If any application for reconsideration is made in accordance with this section, the Commission shall —
    
    (a) reconsider the direction or decision;
    
    (b) affirm, revoke or vary the direction or decision as the Commission thinks fit; and
    
    (c) notify the applicant in writing of the result of the reconsideration.
    
    (5)  There shall be no application for reconsideration of a decision made under subsection (4)(b).
    
    Right of private action
    
    2. —(1)  Any person who suffers loss or damage directly as a result of a contravention of any provision in Part IV, V or VI by an organisation shall have a right of action for relief in civil proceedings in a court.
    
    (2) If the Commission has made a decision under this Act in respect of a contravention specified in subsection (1), no action accruing under subsection (1) may be brought in respect of that contravention until after the decision has become final as a result of there being no further right of appeal.
    
    (3)  The court may grant to the plaintiff in an action under subsection (1) all or any of the following:
    
    (a) relief by way of injunction or declaration;
    
    (b) damages;
    
    (c) such other relief as the court thinks fit.
    
    Source Text Link
  - Personal Data Protection Commission
    
    Structure
    
    Up to 17 members, appointed by Minister.
    
    8-person Advisory Committee but PDPC not bound by suggestions.
    
    PDPC has administration, enforcement, advisory, educational, international cooperation functions.
    
    PDPC can issue guidelines indicating how it will interpret the PDPA.
    
    NOT independent – government authority.
    
    Powers
    
    May investigate non-compliance with PDPA upon complaint or its own motion.
    
    No requirement for grounds or suspicion.
    
    No power to award compensation to Claimant.
    
    May order:
    
    Review decisions refusing to provide access or correction.
    
    If not complying with privacy principles, may give directions to ensure compliance, including to destroy data; to stop collecting, using, or disclosing data; to comply with directions on access and correction; to pay financial penalty not exceeding S$1m.
    
    Where no other penalty provided, max fine up to S$10k and 3 years in prison.
    
    + S$1k for each day offense continues.
  - Decision in appealed commissioner rulings, complaints
    
    Decisions of PDPC, enforceable through district court, may be appealed to the Data Protection Appeal Panel, with further appeal to High Court.
  - Commissioner guidance and published positions
    
    Research
    
    Where research activities by org require collection, use, or disclosure of personal data, org must comply with PDPA.
    
    Some research allowed without consent.
    
    CCTV
    
    Should post notice of CCTV unless not required by Schedules.
    
    May be required to provide access to video (if not excepted in Schedules) except also need to pay attention to privacy of other people on video – may charge a reasonable fee to redact the other people.
    
    If too costly to copy, offer to show in person.
    
    Need not show if it would compromise security.
    
    PDPA does not require deletion upon request – but must cease to retain after business purpose complete.
    
    Employment
    
    When individual submits a job application, he may be deemed to consent to collecting, using, disclosing for the purpose of assessing the application. If he is employed, reasonable for org to continue using data to manage employment relationship. For other purposes, should get consent.
    
    Job applicant info should be deleted when no longer necessary. Applicants have right under PDPA to access and correct.
    
    Reason for not hiring is “evaluative” and excluded. No need for notice for evaluative purposes.
    
    Need not obtain consent for using Facebook, Twitter of job applicant.
    
    Information on a business card is “business contact information” and excluded from PDPA protection.
    
    Unless solely provided for personal (non-business) purposes.
    
    Recruitment agencies that are data intermediaries have less requirements.
    
    Message sent solely to promote an employment opportunity is not a “specified message” for “do not call” provisions.
    
    Consent not required for purpose of managing or terminating employee relationship. But notice is required.
    
    Example: using employee bank account to issue salaries, monitoring employee’s use of computer network, posting photo on staff directory, managing benefit schemes.
    
    Example: ABC Co engages courier to deliver parcel to XYZ Co. XYZ requires name and NRIC number of courier’s delivery employee to allow on premises. Courier must obtain employee consent, but can do so through employment contract.
    
    IP Addresses
    
    May not be personal data in isolation, but can ID individuals in context. The more data points collected, the more likely the IP address is personal data.
    
    Cookies – PDPA applies.
    
    May be deemed consent for some activities, like effecting online commc’ns and purchases, or by configuring browser to accept/reject cookies.
    
    Consent required for behavioral targeting via cookies.
    
    Photography
    
    Image of identifiable individual is personal data. Consent required if not personal or domestic.
    
    Professional photog must obtain consent (unless taking photo on behalf and for purposes of other org pursuant to contract in writing).
    
    Org must obtain consent.
    
    BUT: if photo is in public place, no consent required because publicly available info.
    
    Public = few or no restrictions.
    
    Best practice is in writing. But deemed consent if individual poses for photo.
    
    Need consent for background people if they are recognizable.
    
    Contract may make photog an intermediary.
    
    Artistic and literary purposes are an exception to PDPA, but be careful.
    
    If consent withdrawn, photo must be removed.
  - PDPA Commission and Administration Source Text
    
    PERSONAL DATA PROTECTION COMMISSION AND ADMINISTRATION
    
    Personal Data Protection Commission
    
    —(1)  The Info‑communications Media Development Authority is designated as the Personal Data Protection Commission.
    
    (2)  The Personal Data Protection Commission is responsible for the administration of this Act.
    
    [Act 22 of 2016 wef 01/10/2016]
    
    Functions of Commission
    
    The functions of the Commission shall be —
    
    (a) to promote awareness of data protection in Singapore;
    
    (b) to provide consultancy, advisory, technical, managerial or other specialist services relating to data protection;
    
    (c) to advise the Government on all matters relating to data protection;
    
    (d) to represent the Government internationally on matters relating to data protection;
    
    (e) to conduct research and studies and promote educational activities relating to data protection, including organising and conducting seminars, workshops and symposia relating thereto, and supporting other organisations conducting such activities;
    
    (f) to manage technical co-operation and exchange in the area of data protection with other organisations, including foreign data protection authorities and international or inter‑governmental organisations, on its own behalf or on behalf of the Government;
    
    (g) to administer and enforce this Act;
    
    (h) to carry out functions conferred on the Commission under any other written law; and
    
    (i) to engage in such other activities and perform such functions as the Minister may permit or assign to the Commission by order published in the Gazette.
    
    Advisory committees
    
    7. —(1)  The Minister may appoint one or more advisory committees to provide advice to the Commission with regard to the performance of any of its functions under this Act.
    
    (2)  The Commission may consult such advisory committees in relation to the performance of its functions and duties and the exercise of its powers under this Act but shall not be bound by such consultation.
    
    Delegation
    
    8.—(1)  The Commission may appoint, by name or office, from among public officers and the employees of the Authority —
    
    (a) the Commissioner for Personal Data Protection; and
    
    (b) such number of Deputy Commissioners for Personal Data Protection, Assistant Commissioners for Personal Data Protection and inspectors, as the Commission considers necessary.
    [Act 22 of 2016 wef 01/10/2016]
    
    (2)  Where any function, duty or power of the Commission under this Act is delegated to the Commissioner under section 38 of the Info-communications Media Development Authority Act 2016 —
    
    (a) the Commissioner must perform that function or duty, or exercise that power, in his name;
    
    (b) the Commission must not perform that function or duty, or exercise that power, during the period when the delegation is in force; and
    
    (c) the Commission must, as soon as practicable after the delegation, publish a notice of the delegation in the Gazette.
    [Act 22 of 2016 wef 01/10/2016]
    
    (3)  In exercising any of the powers of enforcement under this Act, an authorised officer shall on demand produce to the person against whom he is acting the authority issued to him by the Commission.
    
    (4)  [Deleted by Act 22 of 2016 wef 01/10/2016]
    
    Conduct of proceedings
    
    9. —(1)  An individual appointed under section 8(1) or an employee of the Authority, who is authorised in writing by the Chief Executive of the Authority for the purpose of this section, may conduct, with the authorisation of the Public Prosecutor, proceedings in respect of an offence under this Act.
    
    (2)  A legal counsel of the Commission who is an advocate and solicitor may —
    
    (a) appear in any civil proceedings involving the performance of any function or duty, or the exercise of any power, of the Commission under any written law; and
    
    (b) make all applications and do all acts in respect of the civil proceedings on behalf of the Commission or an authorised officer.
    
    [Act 22 of 2016 wef 01/10/2016]
    
    Co-operation agreements
    
    1. —(1)  For the purposes of section 59, a co-operation agreement is an agreement for the purposes of —
    
    (a) facilitating co-operation between the Commission and another regulatory authority in the performance of their respective functions in so far as those functions relate to data protection; and
    
    (b) avoiding duplication of activities by the Commission and another regulatory authority, being activities involving the enforcement of data protection laws.
    [Act 22 of 2016 wef 01/10/2016]
    
    (2)  A co-operation agreement may include provisions —
    
    (a) to enable the Commission and the other regulatory authority to furnish to each other information in their respective possession if the information is required by the other for the purpose of performance by it of any of its functions;
    
    (b) to provide such other assistance to each other as will facilitate the performance by the other of any of its functions; and
    
    (c) to enable the Commission and the other regulatory authority to forbear to perform any of their respective functions in relation to a matter in circumstances where it is satisfied that the other is performing functions in relation to that matter.
    
    (3)  The Commission shall not furnish any information to a foreign data protection body pursuant to a co-operation agreement unless it requires of, and obtains from, that body an undertaking in writing by it that it will comply with terms specified in that requirement, including terms that correspond to the provisions of any written law concerning the disclosure of that information by the Commission.
    
    (4)  The Commission may give an undertaking to a foreign data protection body that it will comply with terms specified in a requirement made of the Commission by the foreign data protection body to give such an undertaking where —
    
    (a) those terms correspond to the provisions of any law in force in the country or territory in which the foreign data protection body is established, being provisions which concern the disclosure by the foreign data protection body of the information referred to in paragraph (b); and
    
    (b) compliance with the requirement is a condition imposed by the foreign data protection body for furnishing information in its possession to the Commission pursuant to a co‑operation agreement.
    
    (5)  In this section —
    
    “foreign data protection body” means a body in whom there are vested functions under the law of another country or territory with respect to the enforcement or the administration of provisions of law of that country or territory concerning data protection;
    
    “regulatory authority” includes the Commission and any foreign data protection body.
    
    Source Text Link
  - Freedom of Information Legislation
    
    Singapore does not currently have freedom of information legislation.
Hong Kong Privacy Laws and Practices
- Legislative history and origins
  - Hong Kong Government and Legal System
    
    No regional association
    
    Shared Buddhist/Confucian beliefs
    
    Ruled by Britain 1842-1997. Restored to China as SAR in 1997
    
    Combination of UK common law and PRC laws, known as Basic law
    
    HK maintains a high degree of autonomy apart from foreign affairs and defense.
    
    Political Structure:
    
    Executive
    
    Chief Executive appointed by Central Govt PRC with limited role for democratic input.
    
    Executive Council (cabinet) appointed by Chief Executive.
    
    Consent of CE required before Bills relating to government policies may be introduced in Legislative Council.
    
    Legislative
    
    70-member Legislative Council (LegCo).
    
    Increased from 60 in 2010.
    
    50% by direct election from geographic constituencies.
    
    50% from specified occupational groups and industries – “functional constituencies.”
    
    Government Bill
    
    Introduced by Chief Executive / government.
    
    Only requires simple majority of LegCo.
    
    Practically, majority of bills are government bills
    
    Member Bill
    
    Non-government Bills or amendments to government Bills require majorities of both geographic and functional constituencies.
    
    Members may introduce member bills or private bills.
    
    Judicial
    
    Basic Law means that prior legal system of British common law is maintained.
    
    HK courts exercise normal powers associated with a common law system.
    
    Judicial review of admin power and review of legislation to ensure consistency with Basic Law.
    
    HK Court of Final Appeal is the highest court.
    
    BUT HK courts subject to overarching power of interpretation of Basic Law vested in the Standing Committee of the National People’ Congress of PRC.
    
    Legislative and political body, not judicial, not democratic.
    
    Thus common law subordinated to very different PRC legal system.
    
    Only been exercised 5 times in history, never in regards to privacy.
    
    PDPO has been extensively discussed and interpreted by the Commissioner, appeals tribunal, courts, Administrative Appeals Board, etc.
  - Hong Kong Basic Law Source Text
    
    Hong Kong Basic Law
    
    Hong Kong has been part of the territory of China since ancient times; it was occupied by Britain after the Opium War in 1840. On 19 December 1984, the Chinese and British Governments signed the Joint Declaration on the Question of Hong Kong, affirming that the Government of the People’s Republic of China will resume the exercise of sovereignty over Hong Kong with effect from 1 July 1997, thus fulfilling the long-cherished common aspiration of the Chinese people for the recovery of Hong Kong.
    
    Upholding national unity and territorial integrity, maintaining the prosperity and stability of Hong Kong, and taking account of its history and realities, the People’s Republic of China has decided that upon China’s resumption of the exercise of sovereignty over Hong Kong, a Hong Kong Special Administrative Region will be established in accordance with the provisions of Article 31 of the Constitution of the People’s Republic of China, and that under the principle of “one country, two systems”, the socialist system and policies will not be practised in Hong Kong. The basic policies of the People’s Republic of China regarding Hong Kong have been elaborated by the Chinese Government in the Sino-British Joint Declaration.
    
    In accordance with the Constitution of the People’s Republic of China, the National People’s Congress hereby enacts the Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China, prescribing the systems to be practised in the Hong Kong Special Administrative Region, in order to ensure the implementation of the basic policies of the People’s Republic of China regarding Hong Kong.
  - Social attitudes toward privacy and data protection
    
    Generally
    
    HK residents rate privacy as a social policy of most concern.
    
    Data users have positive attitude towards protection.
    
    Activism is generally low. Few major confrontations.
    
    Little public opposition to ID cards and credit reporting, unlike other countries.
    
    No civil libertarian constituency for privacy – unlike massive public disapproval of mainland/security issues.
    
    PDPO – positive, not reactive process. Created both for human rights and economic interests of HK.
    
    Based on OECD and EU models.
    
    HK residents above age 11 must carry ID.
    
    Self-regulation has little role in HK, but non-compliance may be admissible in legal proceedings.
    
    Specific Issues
    
    Octopus Card fiasco – Transportation System sold details to banks and insurance cos. Public and legislative pressure caused resignation of CEO, disgorgement of profits, reputational damage. Privacy Commissioner (PC) investigations hampered by inadequate powers, but led to new laws with stronger powers and very high penalties for unauthorized use of marketing info.
    
    PC found that paparazzi surveillance photos of celebrities in their own apartments was unfair collection of PI breaching HK law, not justified by public interest in absence of illegal conduct.
    
    Anti-spam legislation and do-not-call registry.
  - Surveillance and identification
    
    No omnipresent or oppressive surveillance.
    
    Similar to Europe, where state has high degree of basic info about all citizens through central ID system, but public and private sectors keep info segregated.
    
    HK ID Card (implemented as of 2003-2009)
    
    Required for all HK residents age 11 and above.
    
    Can be required for all dealings with government.
    
    Private sector may use ID card and number for identity verification.
    
    BUT use controlled by Privacy Ordinance (below).
    
    Public sector may also use ID card and number for internal identifier.
    
    BUT see Commissioner’s right to regulate data matching
    
    Credit Reporting
    
    Allowed since 2003.
    
    Data held by private CRA.
    
    Access confined to credit industry.
    
    NOT accessible to employers, insurers, or parties that are not credit providers.
    
    Workplace surveillance is common.
  - Credit Reporting Source Text
    
    PDPO Credit Reporting
    
    Under the Code, a credit provider is required to specify to the CRA, on each occasion of accessing its credit reference database, the reason and circumstances under which the access has been made (Clause 2.11 of the Code). The CRA is required to maintain a log of all instances of access to its database by credit providers. In the event of there being any suspected abnormal access by a credit provider Office of the Privacy Commissioner for Personal Data, Hong Kong Office of the Privacy Commissioner for Personal Data, Hong Kong www.pco.org.hk 2827 2827 pco@pco.org.hk 2877 7026 6 The information provided in this Fact Sheet is only for general guidance. For a complete and definitive statement of the provisions of the Code of Practice on Consumer Credit Data please refer to the published version of the Code itself. To obtain more PCO information booklets, please visit the PCO Office at Unit 2401, 24/F, Office Tower, Convention Plaza, 1 Harbour Road, Wan Chai, Hong Kong, or download from the PCO web site at www.pco.org.hk. © Office of the Privacy Commissioner for Personal Data, Hong Kong – June 2003 Reproduction of all or any part of this publication is permitted on the conditions that it is done for a nonprofit making purpose and due acknowledgement of this work is made as the source. it should report such incident to the senior management of the credit provider and the Privacy Commissioner. To ensure compliance with the requirements of the Code, the CRA is required to conduct a compliance audit at intervals not exceeding 12 months and to submit an audit report for consideration by the Privacy Commissioner.
- Constitutional Protections
  - Basic Law provides for ICCPR Art 17.
    
    Prohibits unlawful interference with privacy, family, home, or correspondence.
    
    No right of appeal to UNHRC b/c China has not ratified.
    
    BUT HK government made 3 reports to UNHRC (1999, 2005, 2013).
    
    Noted increasing arrests and prosecutions of demonstrators, use of cameras by police during demonstrations.
    
    Recommended that government make clear and public guidelines for police use of recording.
  - Bill of Rights Ordinance (BORO)
    
    ICCPR provisions replicated in local legislation.
    
    Subject to repeal by LegCo like any other non-Basic Law provision.
    
    BORO only binding on government authorities; cannot be used by individuals against private entities (“horizontal effect”).
    
    No significant case law.
  - Basic Law – Privacy
    
    Personal and physical rights included in basic laws
    
    Cannot be amended by LegCo.
    
    2005-2006 Repealed power of Chief Executive to authorize interception and introduced requirement for judicial auth of both interception of communications and other types of surveillance by law enforcement.
    
    Allows law enforcement to continue to use less intrusive surveillance.
    
    Appointed Commissioner on Interception of Communication.
    
    Required high degree of accountability and transparency.
  - ICPR Art. 17 Source Text
    
    ICPR Art. 17
    
    1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
    
    2. Everyone has the right to the protection of the law against such interference or attacks.
  - HK Bill of Rights Ordinance Source Text
    
    Article 5
    
    Liberty and security of person
    
    (1) Everyone has the right to liberty and security of person. No one shall be subjected to arbitrary arrest or detention. No one shall be deprived of his liberty except on such grounds and in accordance with such procedure as are established by law.
    
    (2) Anyone who is arrested shall be informed, at the time of arrest, of the reasons for his arrest and shall be promptly informed of any charges against him.
    
    (3) Anyone arrested or detained on a criminal charge shall be brought promptly before a judge or other officer authorized by law to exercise judicial power and shall be entitled to trial within a reasonable time or to release. It shall not be the general rule that persons awaiting trial shall be detained in custody, but release may be subject a guarantees to appear for trial, at any other stage of the judicial proceedings, and, should occasion arise, for execution of the judgment.
    
    (4) Anyone who is deprived of his liberty by arrest or detention shall be entitled to take proceedings before a court, in order that that court may decide without delay on the lawfulness of his detention and order his release if the detention is not lawful.
    
    (5) Anyone who has been the victim of unlawful arrest or detention shall have an enforceable right to compensation.
    
    [cf. ICCPR Art.9]
  - Basic Law Privacy Source Text
    
    Article 28 [Personal Freedom]
    
    (1) The freedom of the person of Hong Kong residents shall be inviolable.
    
    (2) No Hong Kong resident shall be subjected to arbitrary or unlawful arrest, detention or imprisonment. Arbitrary or unlawful search of the body of any resident or deprivation or restriction of the freedom of the person shall be prohibited. Torture of any resident or arbitrary or unlawful deprivation of the life of any resident shall be prohibited.
    
    Article 29 [Home]
    The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident’s home or other premises shall be prohibited.
    
    Article 30 [Privacy]
    The freedom and privacy of communication of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communication of residents except that the relevant authorities may inspect communication in accordance with legal procedures to meet the needs of public security or of investigation into criminal offences.
  - Common Law Protections
    
    No significant HK cases on privacy torts.
    
    But HK courts are free to adopt principles from other common law jurisdictions.
- Personal Data (Privacy) Ordinance
  - Application and Scope
    
    The PDPO only applies to the Private Sector.
  - PDPO Definitions
    
    Personal data
    
    Must relate directly or indirectly to a living individual and from which it must be practicable for the individual to be ID’d, directly or indirectly, in a form in which access to or processing is practicable.
    
    See definitions of data and document below.
    
    Must have the individual as the focus, not just a trivial reference. (See Durant case from U.K.)
    
    Publicly available data
    
    No special provisions concerning public registers, but various DPPs apply.
    
    Operators of public registers should advise data users of purposes for which it is legitimate to use data.
    
    See “Do No Evil” under DPP3.
    
    Sensitive personal data
    
    No special HK provisions, except for data matching and direct marketing.
    
    Arrest and conviction records are not public records.
    
    BUT: Higher court decisions (with names) are published on Internet.
    
    BUT: Data matching regulated if matching data collected for different purposes from at least 10 people.
    
    Prohibited unless one of:
    
    Data subject consents.
    
    Statutory permission.
    
    Commissioner consents.
    
    ‘Prescribed consent’
    
    Express consent of person given voluntarily
    
    Does not include withdrawn consent in writing.
    
    Rights of data subject
    
    Access and Correction
    
    See DPP6.
    
    Notice
    
    Right to notice generally – DPP1.
    
    Direct Marketing – See 2012 Amendments.
    
    No right to notice as disclosure occurs, EXCEPT for direct marketing.
    
    Right to object to direct marketing.
  - PDPO Definition Source Text
    
    PDPO Definitions
    
    personal data (個人資料) means any data(a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable;
    
    (1) In this Part— consent (同意), in relation to a use of personal data in direct marketing or a provision of personal data for use in direct marketing, includes an indication of no objection to the use or provision; direct marketing (直接促銷) means— (a) the offering, or advertising of the availability, of goods, facilities or services; or (b) the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes,
    
    matching procedure (核對程序) means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects is compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison- (Amended 18 of 2012 s. 3) (a) is (whether in whole or in part) for the purpose of producing or verifying data that; or (b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data, may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects;
    
    Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent(a) means the express consent of the person given voluntarily; (b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served).
    
    data access request (查閱資料要求) means a request under section 18; data correction request (改正資料要求) means a request under section 22(1); data protection principle (保障資料原則) means any of the data protection principles set out in Schedule 1; data subject (資料當事人), in relation to personal data, means the individual who is the subject of the data; data user (資料使用者), in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data;
  - Personal Data (Privacy) (Amendment) Ordinance 2012 (PDPO)
    
    Pre-2012:
    
    Direct marketers required to give consumers ability to opt-out.
    
    Included govt agencies promoting govt services.
    
    Use of personal data for direct marketing was allowed as an exception to DPP3, subject to opt-out.
    
    Only HK$10k fines.
    
    ‘The New Guidance on Direct Marketing’
    
    Data subjects must be informed and consented prior to data user’s use of personal data for its own direct marketing uses.
    
    If oral, data user must send written confirmation in 14 days.
    
    Must be informed of kinds of personal data used.
    
    Must be informed of classes of marketing subjects, e.g. classes of goods, donations, sales, etc.
    
    “All goods and services” is NOT OK.
    
    Liability of HK$500k or 3 years in prison for lack of compliance.
    
    Written notice and explicit disclosure of types of sharing for all 3^rd party disclosures involving DM.
    
    Notice of intention must state whether for disclosure is for gain.
    
    Consent must also be in writing.
    
    Liability of HK$1M or 5 years prison.
    
    Applies even if data collected from third party.
    
    First time data is used for direct marketing, data subject must be informed about right to opt-out.
  - New Guidance on Direct Marketing Source Text
    
    New Guidance on Direct Marketing
    
    When handling personal data in the course of carrying out direct marketing activities, it is good practice for data users to observe the following principles: (a) Respect data subject’s right of selfdetermination of his/her own data New Guidance on Direct Marketing 3 January 2013 (b) Be accountable, open and transparent in the handling of personal data including clearly identifying to the data subject the data user whom the direct marketer represents (c) Give individuals an informed choice of deciding whether or not to allow the use of their personal data in direct marketing (d) Present information regarding the collection, use or provision of personal data in a manner that is easily understandable and, if in written form, easily readable (e) Honour and update the data subject’s request for ceasing the use of his/her personal data in a professional and timely manner (f) Be inclusive to cater for the special needs of minorities, for example, adopt a universal design for webpages following the W3C principles4 and thus provide information in large prints for the aged and those with impaired vision.
  - Exemptions
    
    Limited protections for individuals
    
    Public Security
    
    Journalism and news media
    
    Media is generally exempt from PDPO until after publication.
    
    Person cannot request access to personal data held by news media data user until after publication of story.
    
    Deidentified data for research or statistics gathering
- Key Concepts and Practices
  - Six Data Protection Principles (DPPs) and the Internet Data Guidance
    
    DPP1: Data Collections
    
    Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user.
    
    Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred
    
    Data collected should be necessary but not excessive.
    
    DPP2: Accuracy and retention
    
    Practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfil the purpose for which it is used..
    
    DDP3: Data Use
    
    Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.
    
    DPP4: Data security
    
    A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing , erasure, loss or use.
    
    DPP5: Openness
    
    A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.
    
    DPP6: Data access and correction
    
    A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.
  - DPP Source Text
    
    DPP1 – Data Collection Principle
    
    Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user.
    
    Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.
    
    Data collected should be necessary but not excessive.
    
    DPP2- Accuracy & Retention Principle
    
    Practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfil the purpose for which it is used.
    
    DPP3 – Data Use Principle
    
    Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.
    
    DPP4 – Data Security Principle
    
    A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing , erasure, loss or use.
    
    DPP5 – Openness Principle
    
    A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.
    
    DPP6 – Data Access & Correction Principle
    
    A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.
    
    Source Text Link
  - Due Diligence Exemption and Exercise
    
    Due diligence exercise: examination of subject matter of transaction to enable a party to decide whether to proceed with transaction.
    
    Requires: (a) transfer of business or property of, or any shares in data user; (b) change in shareholdings of data user; or (c) an amalgamation of the data user with another body.
    
    Due diligence exercises in connection with a proposed business transaction are exempt from DPP 3 (use).
    
    Not more data than necessary, and only if data subject would be provided similar services before and after transaction.
    
    No Exemption if the data itself is the subject of the transaction.
    
    Data of data subject provided ONLY for due diligence exercise, must not be used for any other purpose, and must be destroyed/returned immediately afterwards.
    
    Criminal offense (2 years prison + fine) to contravene.
  - Due Diligence Source Text
    
    Due Diligence
    
    Personal data transferred or disclosed by a data user for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction that involves— (a) a transfer of the business or property of, or any shares in, the data user; (b) a change in the shareholdings of the data user; or (c) an amalgamation of the data user with another body, is exempt from the provisions of data protection principle 3 if each of the conditions specified in subsection (2) is satisfied. (2) The conditions are— (a) the personal data transferred or disclosed is not more than necessary for the purpose of the due diligence exercise; (b) goods, facilities or services which are the same as or similar to those provided by the data user to the data subject are to be provided to the data subject, on completion of the proposed business transaction, by a party to the transaction or a new body formed as a result of the transaction; (c) it is not practicable to obtain the prescribed consent of the data subject for the transfer or disclosure. (3) Subsection (1) does not apply if the primary purpose of the proposed business transaction is the transfer, disclosure or provision for gain of the personal data. (4) If a data user transfers or discloses personal data to a person for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction described in subsection (1), the person— (a) must only use the data for that purpose; and (b) must, as soon as practicable after the completion of the due diligence exercise— (i) return the personal data to the data user; and Cap 486 – Personal Data (Privacy) Ordinance 46 (ii) destroy any record of the personal data that is kept by the person. (5) A person who contravenes subsection (4) commits an offence and is liable on conviction to a fine at level 5 and to imprisonment for 2 years. (6) In this section— due diligence exercise (盡職審查), in relation to a proposed business transaction, means the examination of the subject matter of the transaction to enable a party to decide whether to proceed with the transaction; provision for gain (為得益而提供), in relation to personal data, means provision of the data in return for money or other property, irrespective of whether— (a) the return is contingent on any condition; or (b) the person who provides the data retains any control over the use of the data.
    
    Source Text Link
  - Guidance on Personal Data Erasure and Anonymization
    
    Erasure
    
    Generally:
    
    Should have a personal data retention and erasure policy.
    
    Includes method of destruction – cross-cut shredding, reformatting drives, etc.
    
    Consider BYOD policies.
    
    If data user engages data processor (whether inside or outside HK), data user must adopt contractual or other means:
    
    DPP2(3) – to prevent personal data at processor from being kept longer than necessary.
    
    DPP4(2) – to prevent unauthorized or unauthorized or accidental access, processing, erasure, loss of use.
    
    DPP4(1) – practicable steps to ensure that personal data is protected against unauthorized or accidental access, processing, erasure, loss of use.
    
    Anonymization
    
    Removing information from which an individual may be identified.
    
    Simply removing names, biometric, may not be sufficient.
  - PDPO Erasure and Anonymization Source Text
    
    Erasure and Anonymization
    
    A data user must take all practicable steps to erase personal data held by the data user where the data is no longer required for the purpose (including any directly related purpose) for which the data was used unless- (Amended 18 of 2012 s. 17) (a) any such erasure is prohibited under any law; or (b) it is in the public interest (including historical interest) for the data not to be erased. (2) For the avoidance of doubt, it is hereby declared that(a) a data user must take all practicable steps to erase personal data in accordance with subsection (1) notwithstanding that any other data user controls (whether in whole or in part) the processing of the data; (Amended 18 of 2012 s. 17) (b) the first-mentioned data user shall not be liable in an action for damages at the suit of the second-mentioned data user in respect of any such erasure.
    
    Source Text Link
  - Guidance on Employment Matters
    
    Code of Practice on Human Resource Management
    
    Non-compliance gives rise to presumption against employer in any PDPO breach.
    
    Recruitment
    
    Job ads should identify employer or employment agency.
    
    If necessary to conceal identity, may use recruitment agency or ask to obtain job form.
    
    Job ads asking for personal data should include statement about purposes for use of personal data, e.g. “recruitment purposes only.”
    
    Data collected should be adequate but not excessive and relevant to ID’ing suitable employees.
    
    Do not collect copy of HKID until offer accepted.
    
    Medical info only collected after provisional offer.
    
    Personal data of unsuccessful apps may be held for 2 years from date of rejection and then destroyed.
    
    Exceptions: (a) if there is a good reason or (b) applicant gave consent.
    
    Current Employment
    
    During collection, provide statement about purposes for which data is used, to whom transferred, rights of employee for access/correction.
    
    Info about employee during disciplinary proceedings, performance appraisal, or promotion should only be used for purposes directly related. Info should not be disclosed to 3^rd party without legitimate reason.
    
    Must obtain express and voluntary consent to disclose employment-related data of employees to 3^rd.
    
    3^rd party orgs for HR – must use contract or other means to ensure data is not kept longer than necessary for purpose, and has security.
    
    Vicarious liability for employer.
    
    Former Employees
    
    Data retained for up to 7 years after termination. (Or longer for good reason or contract/law.)
    
    Take all practicable steps to ensure only relevant and necessary info retained after ends.
    
    Do not disclose HKID in notice about former employee, and take care not to reveal excessive personal data, e.g. reasons for leaving.
    
    Do not provide reference without employee’s express and voluntary consent.
  - PDPO Employment Source Text
    
    Employment
    
    Personal data which consists of information relevant to any staff planning proposal to- (Amended 18 of 2012 s. 2) Cap 486 – Personal Data (Privacy) Ordinance 40 (a) fill any series of positions of employment which are presently, or may become, unfilled; or (b) cease any group of individuals’ employment, is exempt from the provisions of data protection principle 6 and section 18(1)(b).
    
    Personal data(a) held by a data user(i) immediately before the appointed day; (ii) who is the employer of the data subject; and (iii) relating to the employment of the subject; and (b) provided by an individual on the implicit or explicit condition that the subject would not have access to the data, is exempt from the provisions of data protection principle 6 and section 18(1)(b) until the expiration of 7 years immediately following the enactment of this Ordinance. (2) Personal data(a) to which subsection (1)(a) applies; or (b) held by a data user(i) but not so held at any time before the appointed day; (ii) who is the employer of the data subject; and (iii) relating to the employment of the subject, is exempt from the provisions of data protection principle 6 and section 18(1)(b) until 1 July 1996.
    
    Personal data held by a data user which consists of a personal reference- (Amended 18 of 2012 s. 2) Cap 486 – Personal Data (Privacy) Ordinance 41 (a) given by an individual other than in the ordinary course of his occupation; and (b) relevant to another individual’s suitability or otherwise to fill any position of employment or office which is presently, or may become, unfilled, is exempt from the provisions of data protection principle 6 and section 18(1)(b)- (Amended 18 of 2012 s. 2) (i) in any case, unless the individual referred to in paragraph (a) has informed the data user in writing that he has no objection to the reference being seen by the individual referred to in paragraph (b) (or words to the like effect); or (ii) in the case of a reference given on or after the day on which this section comes into operation, until the individual referred to in paragraph (b) has been informed in writing that he has been accepted or rejected to fill that position or office (or words to the like effect), whichever first occurs.
    
    Source Text Link
  Not Currently Being Enforced
  - Data Transfer/Export, Ordinance Section 33
    
    Prevents data transfers of any PI created or processed in HK or by a user/controller primarily based in HK, unless one of the following conditions is met:
    
    Place is on Whitelist by Commissioner.
    
    Reasonable grounds for believing place has law substantially similar to or serves same purpose as PDPO.
    
    Data subject gives written consent.
    
    Transfer is reasonably for benefit of data subject, but consent cannot practicably be obtained.
    
    Data user taken reasonable precautions and due diligence to ensure data processed according to PDPO.
    
    Data processors
    
    Not directly regulated by PDPO.
    
    Model contracts
    
    Guidance from PCPD about contracts that may satisfy PDPO for cross-border transfers.
  - Data Transfer/Export, Ordinance Section 33 Source Text
    
    PDPO Section 33
    
    Remarks: Not yet in operation (1) This section shall not apply to personal data other than personal data the collection, holding, processing or use of which(a) takes place in Hong Kong; or (b) is controlled by a data user whose principal place of business is in Hong Kong. (2) A data user shall not transfer personal data to a place outside Hong Kong unless(a) the place is specified for the purposes of this section in a notice under subsection (3); (b) the user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, this Ordinance; (c) the data subject has consented in writing to the transfer; (d) the user has reasonable grounds for believing that, in all the circumstances of the case(i) the transfer is for the avoidance or mitigation of adverse action against the data subject; (ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and (iii) if it was practicable to obtain such consent, the data subject would give it; (e) the data is exempt from data protection principle 3 by virtue of an exemption under Part 8; or (Amended 18 of 2012 s. 2) (f) the user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, Cap 486 – Personal Data (Privacy) Ordinance 23 would be a contravention of a requirement under this Ordinance. (3) Where the Commissioner has reasonable grounds for believing that there is in force in a place outside Hong Kong any law which is substantially similar to, or serves the same purposes as, this Ordinance, he may, by notice in the Gazette, specify that place for the purposes of this section. (4) Where the Commissioner has reasonable grounds for believing that in a place specified in a notice under subsection (3) there is no longer in force any law which is substantially similar to, or serves the same purposes as, this Ordinance, he shall, either by repealing or amending that notice, cause that place to cease to be specified for the purposes of this section. (5) For the avoidance of doubt, it is hereby declared that(a) for the purposes of subsection (1)(b), a data user which is a company incorporated in Hong Kong is a data user whose principal place of business is in Hong Kong; (b) a notice under subsection (3) is subsidiary legislation; and (c) this section shall not operate to prejudice the generality of section 50.
- Enforcement
  - The Office of the Privacy Commissioner for Personal Data (PCPD)
    
    Generally
    
    First DPA in Asia, 1995.
    
    Independent statutory authority to monitor and promote compliance with PDPO.
    
    Appointed by Chief Exec of HK for 5 years, up to 2 terms.
    
    No power to grant compensation or issue fines other than those stated.
    
    Functions
    
    Supervise and promote compliance with PDPO.
    
    Promote awareness and understanding of PDPO.
    
    Examining proposed legislation for privacy concerns.
    
    Inspecting personal data systems.
    
    Including auditing, compliance checks.
    
    Undertaking research.
    
    Investigations
    
    Power exercised in response to (a) individual complaint of breach about his personal data, (b) on Comm’r’s own initiative (own motion), or (c) class complaint.
    
    When two or more individuals each make a complaint about the same matter, any one of them may do so on behalf of all individuals.
    
    Power to enter onto premises, require information and docs.
    
    Enforcement Notice
    
    When Comm’r finds following investigation that a data user is contravening or has contravened a requirement of the Ordinance (including a DPP).
    
    Contents
    
    Specify steps needed to remedy.
    
    2012 Amendments removed requirement that enforcement only occurs if contravention was likely to continue.
    
    Current version much more powerful.
    
    Breach of DPP is not a criminal offense, but breach of any other Ordinance requirement – including complying with enforcement notice – is a criminal offense.
    
    Maximum HK$50k fine + daily penalty HK$1,000. Doubles on second offense. Repeated acts may include two years prison.
  - The Office of the Privacy Commissioner Source Texts
    
    PDPC
    
    For the purposes of this Ordinance, there is hereby established an office by the name of the Privacy Commissioner for Personal Data. (2) The Commissioner shall be a corporation sole with perpetual succession and(a) shall have and may use a seal; and (b) shall be capable of suing and being sued. (3) The Chief Executive shall, by notice in the Gazette, appoint a person to be the Commissioner. (Amended 34 of 1999 s. 3) (4) Subject to subsection (5), the person appointed to be the Commissioner shall hold office for a period of 5 years and shall be eligible for reappointment for not more than 1 further period of 5 years. (5) The person appointed to be the Commissioner may(a) at any time resign from his office by notice in writing to the Chief Executive; or (b) be removed from office by the Chief Executive with the approval by resolution of the Legislative Council on the ground of(i) inability to perform the functions of his office; or (ii) misbehaviour. (Amended 34 of 1999 s. 3) (6) The Chief Executive shall determine- (Amended 34 of 1999 s. 3) (a) the emoluments; and (b) the terms and conditions of appointment, of the person appointed to be the Commissioner. (7) The provisions of Schedule 2 shall have effect with respect to the Commissioner. (8) Subject to subsection (9), the Commissioner shall not be regarded as a servant or agent of the Government or as enjoying any status, immunity or privilege of the Government. (9) The person appointed to be the Commissioner shall be deemed to be a public servant(a) within the meaning of section 2 of the Prevention of Bribery Ordinance (Cap 201); and Cap 486 – Personal Data (Privacy) Ordinance 6 (b) for the purposes of that Ordinance.
    
    If, following the completion of an investigation, the Commissioner is of the opinion that the relevant data user is contravening or has contravened a requirement under this Ordinance, the Commissioner may serve on the data user a notice in writing, directing the data user to remedy and, if appropriate, prevent any recurrence of the contravention. (Replaced 18 of 2012 s. 28) (1A) An enforcement notice under subsection (1) must— (a) state that the Commissioner is of the opinion referred to in subsection (1) and the reason for that opinion; (b) specify— (i) the requirement which, in the opinion of the Commissioner, is being or has been contravened; and Cap 486 – Personal Data (Privacy) Ordinance 38 (ii) the act or omission that constitutes the contravention; (c) specify the steps that the data user must take (including ceasing any act or practice) to remedy and, if appropriate, prevent any recurrence of the contravention; (d) specify the date on or before which the steps must be taken; and (e) be accompanied by a copy of this section. (Added 18 of 2012 s. 28) (1B) The date specified in subsection (1A)(d) must be a date which is not earlier than the expiry of the period specified in subsection (7) within which an appeal against the notice may be made. (Added 18 of 2012 s. 28) (2) In deciding whether to serve an enforcement notice the Commissioner shall consider whether the contravention to which the notice relates has caused or is likely to cause damage or distress to any individual who is the data subject of any personal data to which the contravention relates. (Amended 18 of 2012 s. 28) (3) The steps specified in an enforcement notice to remedy and, if appropriate, prevent any recurrence of any contravention to which the notice relates may be framed— (a) to any extent by reference to any approved code of practice; and (b) so as to afford the relevant data user a choice between different ways of remedying and, if appropriate, preventing any recurrence of the contravention. (Replaced 18 of 2012 s. 28) (4) Subject to subsection (5), the period specified in an enforcement notice for taking the steps specified in it shall not expire before the end of the period specified in subsection (7) within which an appeal against the notice may be made and, if such an appeal is made, those steps need not be taken pending the determination or withdrawal of the appeal. (5) If the Commissioner is of the opinion that by reason of special circumstances the steps specified in an enforcement notice should be taken as a matter of urgency(a) he may include a statement to that effect in the notice together with the reasons why he is of that opinion; (b) where such a statement is so included, subsection (4) shall not apply but the notice shall not require those steps to be taken before the end of the period of 7 days beginning with the date on which the notice was served. (6) The Commissioner may cancel an enforcement notice by notice in writing served on the relevant data user. (7) An appeal may be made to the Administrative Appeals Board against an enforcement notice by the relevant data user not later than 14 days after the notice was served. (8) Where the Commissioner(a) forms an opinion referred to in subsection (1) in respect of the relevant data user at any time before the completion of an investigation; and (b) is also of the opinion that, by reason of special circumstances, an enforcement notice should be served on the relevant data user as a matter of urgency, he may so serve such notice notwithstanding that the investigation has not been completed and, in any such case(i) the Commissioner shall, without prejudice to any other matters to be included in such notice, specify in the notice the reasons as to why he is of the opinion referred to in paragraph (b); and (ii) the other provisions of this Ordinance (including this section) shall be construed accordingly.
  - Commissioner Rules
    
    HK$500K + 3 years prison (maximum)
    
    Notice – Using person data for DM but failing to inform data subject about collection ,use, classes of marketing subjects, consent; response channel.
    
    Consent – DM without consent; not sending written confirmation in 14 days from oral consent (containing date of consent, permitted data, permitted classes).
    
    When using data for DM for first time, fails to inform data subject of right to opt out without charge.
    
    Failing to comply with opt out/cease request.
    
    Not for gain – Notice for DM.
    
    Not for gain – providing to a 3^rd party without getting written consent.
    
    Not for gain – ceasing to comply with request to stop.
    
    Data transferee fails to comply with data user’s written notification to cease using data subject’s personal data for DM.
    
    HK$1M + 5 years
    
    For gain – Notice for DM
    
    For gain – providing to a 3^rd party without getting written consent and not stating that data was provided for gain.
    
    For gain – ceasing to comply with request to stop.
  - Commissioner Rules Source Text
    
    Commissioner Rules
    
    (1) The Commissioner shall(a) monitor and supervise compliance with the provisions of this Ordinance; (b) promote and assist bodies representing data users to prepare, for the purposes of section 12, codes of practice for guidance in complying with the provisions of this Ordinance, in particular the data protection principles; (c) promote awareness and understanding of, and compliance with, the provisions of this Ordinance, in particular the data protection principles; (d) examine any proposed legislation (including subsidiary legislation) that the Commissioner considers may affect the privacy of individuals in relation to personal data and report the results of the examination to the person proposing the legislation; (e) carry out inspections, including inspections of any personal data systems used by data users which are departments of the Government or statutory corporations; (f) for the better performance of his other functions, undertake research into, and monitor developments in, the processing of data and information technology in order to take account of any likely adverse effects such developments may have on the privacy of individuals in relation to personal data; (Amended 18 of 2012 s. 4) (g) liaise and co-operate with any person in any place outside Hong Kong(i) performing in that place any functions which, in the opinion of the Commissioner, are similar (whether in whole or in part) to any of the Commissioner’s functions under this Ordinance; and (ii) in respect of matters of mutual interest concerning the privacy of individuals in relation to personal data; and (h) perform such other functions as are imposed on him under this Ordinance or any other enactment. Cap 486 – Personal Data (Privacy) Ordinance 7 (2) The Commissioner may do all such things as are necessary for, or incidental or conducive to, the better performance of his functions and in particular but without prejudice to the generality of the foregoing, may(a) acquire and hold property of any description if in the opinion of the Commissioner such property is necessary for(i) the accommodation of the Commissioner or of any prescribed officer; or (ii) the performance of any function which the Commissioner may perform, and, subject to the terms and conditions upon which such property is held, dispose of it; (b) enter into, carry out, assign or accept the assignment of, vary or rescind, any contract, agreement or other obligation; (c) undertake and execute any lawful trust which has as an object the furtherance of any function which the Commissioner is required or is permitted by this Ordinance to perform or any other similar object; (d) accept gifts and donations, whether subject to any trust or not; (e) with the prior approval of the Chief Executive, become a member of or affiliate to any international body concerned with (whether in whole or in part) the privacy of individuals in relation to personal data; (Amended 34 of 1999 s. 3) (ea) carry out promotional or educational activities or services; and (Added 18 of 2012 s. 4) (f) exercise such other powers as are conferred on him under this Ordinance or any other enactment. (2A) The Commissioner may impose reasonable charges for any promotional or educational activities or services carried out, or any promotional or educational publications or materials made available, by the Commissioner in the course of the performance of the Commissioner’s functions under this Ordinance. (Added 18 of 2012 s. 4) (3) The Commissioner may make and execute any document in the performance of his functions or the exercise of his powers or in connection with any matter reasonably incidental to or consequential upon the performance of his functions or the exercise of his powers. (4) Any document purporting to be executed under the seal of the Commissioner shall be admitted in evidence and shall, in the absence of evidence to the contrary, be deemed to have been duly executed. (5) The Commissioner may from time to time cause to be prepared and published by notice in the Gazette, for the guidance of data users and data subjects, guidelines not inconsistent with this Ordinance, indicating the manner in which he proposes to perform any of his functions, or exercise any of his powers, under this Ordinance. (Amended 18 of 2012 s. 4)
  - Commissioner Guidance and Published Positions
    
    Generally
    
    Commissioner may issue public report from Investigation when in the public interest. Reports name data user, but not data subjects.
    
    From 1997-2010, only 15 reports generally not ID’ing respondent.
    
    “Name and shame” starting in 2011.
    
    Octopus Rewards Ltd:
    
    DPP1(1) – Adequate but not excessive:
    
    For rewards program, excessive to collect passport, birth certificate number, and birth date – they are sensitive personal data.
    
    But income, gender, education, job was acceptable (to tailor rewards).
    
    Don’t collect birthdate if you only need age.
    
    Sometimes you don’t need gender.
    
    If no delivery is to be made, don’t need address.
    
    DPP1(2) – Lawful and fair collection. No trickery.
    
    NOT OK to invite applications for non-existent jobs.
    
    Fake lotteries.
    
    Special care for collection from children.
    
    Clearly disclose your name, physical location, and contact info on website if you’re collecting data.
    
    DPP1(3): Generic notice about use for any purpose and transfer to anybody do not provide real notice about classes of people to whom it will be transferred. Invalid and violation because no reasonable certainty.
    
    Also print was too small.
    
    DPP3: Use did not say that provision of data was for monetary gain by selling it. Violation because no consent.
  - Octopus Rewards Source Text
    
    Investigation Report – Octopus Rewards Program
    
    1.    The Privacy Commissioner for Personal Data (“the Commissioner”) Mr. Allan Chiang published today (18 October) a report (“the Report”) on the results of an investigation carried out pursuant to section 38(b) of the Personal Data (Privacy) Ordinance (“the Ordinance”) regarding the collection and use of customers’ personal data under the Octopus Rewards Programme (“the Program”) run by Octopus Rewards Limited (“ORL”), a company wholly owned by Octopus Holdings Limited (“OHL”).
    
    2.    The Program is a customer loyalty programme operated by ORL in collaboration with its business partners. Customers benefit from (i) redemption of goods and services from these partners with “Reward Dollars” earned from purchases made upon presentation of their registered Octopus cards; and (ii) direct marketing offers from the same or different partners of ORL.
    
    3.    Since late March 2010, there had been mounting public concerns about the handling of personal data by the Octopus group of companies. Some members of the Program operated by ORL expressed concerns about their personal data being transferred to third parties for direct marketing purposes without their knowledge or consent.
    
    4.    On 9 July 2010, an individual claiming to be a former employee of one of ORL’s business partners, CIGNA Worldwide Life Insurance Company Limited (“CIGNA”), reported to the press and the Office of the Privacy Commissioner for Personal Data (“this Office”) that ORL had sold its customers’ personal data of the Program to CIGNA for direct marketing purposes.
    
    5.    ORL admitted to the public on 20 July 2010 that it had transferred customers’ personal data to CIGNA and another business partner, Card Protection Plan Limited (“CPP”).
    
    6.    In view of the seriousness of the allegations, the Commissioner commenced investigations against OHL and ORL on 22 July 2010 to ascertain whether there had been contraventions of the requirements under the Ordinance.
    
    The investigation
    
    7.    The Commissioner conducted a public hearing on 26 July 2010 to take oral evidence from the Chief Executive Officer of OHL (also a director of ORL), the Chief Executive Officer of CIGNA and the Authorized Representative of CCP.
    
    8.    The Commissioner had considered written replies and documentary evidence from OHL, ORL, CIGNA and CCP as well as public announcements and written responses made by OHL and ORL to the Panel on Financial Affairs of the Legislative Council (“the Panel”). He had also reviewed documents made available to the Panel for inspection and records of Board meetings of OHL.
  - Decisions in Appealed Commissioner Rulings, Complaints
    
    Complainant may appeal to AAB against Comm’r decision not to issue an enforcement notice from investigation. No appeal from AAB to court, but aggrieved parties may seek judicial review of AAB decisions.
    
    Complainant may also appeal Comm’r decision not to investigate or to discontinue investigation.
India Privacy Law and Practices
- Definitions
  Personal data
  
  Rule 2(i): “Any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”
  
  Sensitive Personal Data
  
  Rule 3: Info relating to:
  - Password.
  - Financial info, e.g. bank account, payment.
  - Physical, physiological, and mental health.
  - Sexual orientation.
  - Any detail relating to above classes as provided to body corporate for providing service.
  - Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
  Under 2016 Aadhar Act, biometric info is considered SPI
  
  Body Corporate
  - Companies, firms, sole proprietorship, or other association of individuals engaged in commercial or professional activities.
  - Includes: public-sector bodies such as state-owned corporation.
  - Excludes: most of public sector, religious, social orgs, charities, others whose activities are not “commercial,” etc.
  Rights of data subjects
  - Some rules do not apply to data subjects, only “providers of data”.
  - If the data subject did not provide the information, some rules may not apply.
  - In outsourcing, the controller may be the provider (to the processor) and has the rights.
  Data
  - Data in any form, which is intended to be processed, is being processed, or has been processed in a computer system or computer network.
  - Excludes: non-automated data or manual filing systems.
  Government officers
  - Adjudicating Officers (AOs)
  - Contraventions of any provisions of the Act or rule, regulation, direction, head by AO appointment by Central Govt.
    
    Must have experience in IT and legal/judicial experience.
  - Judicial proceeding.
  - Must hold position of at least Director in state govt.
  - Secretary of Dept of Info Tech of each state and union terriory was appointed AO – 35 as of 2014.
  - Unclear what cases exist or how they have worked.
  - Civil court.
  Cyber Appellate Tribunal (CAT)
  - Order of AO may be appealed to CAT. Further right of appeal to High Court.
  - Lack of CAT chairperson (as of 2014) means that 43A and Rules have been largely non-functional.
  - Definitions Source Text
    
    21. in Section 43 of the principal Act, –
    
    a. in the marginal heading, for the word “Penalty”, the words “Penalty and Compensation” shall be substituted;
    
    b. in clause (a), after the words “computer network” , the words “or computer resource” shall be inserted
    
    c. after clause (h), the following clauses shall be inserted, namely: –
    
    “(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means
    
    (f) steal, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resources with an intention to cause damage”
    
    (d) for the portion beginning with the words “he shall be liable to pay damages” and ending with the words “persons so affected” the following shall be substituted,” namely: –
    
    He shall be liable to pay damages by way of compensation to the person so affected”;
    
    (e) in the Explanation, after clause (iv), the following clause shall be inserted, namely: –
    
    (v) “computer source code” means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form”.
    
    22. After section 43 of the principal act, the following section shall be inserted, namely: –
    
    43A. Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
    
    Explanation: – For the purposes of this section, –
    
    (i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
    
    (ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as many be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
    
    (iii) Sensitive personal data or information means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. “
- Legislative History and Origins
  - Indian Government and Legal System
    
    SAARC – South Asian Association for Regional Cooperation
    
    SAARC Agreement on Trade in Services
    
    Allows SAARC members to impose restrictions on data exports and on outsourcing data processing to other SAARC states in order to protect data privacy.
    
    No positive commitments to HR or privacy other than general recitals.
    
    Treaties
    
    India is a signatory to ICCPR Article 17 (Privacy Protections), but
    
    Indian citizens cannot enforce.
    
    NOT signatory to OECD or APEC.
    
    Political Structure
    
    Concepts
    
    Federalism – Centre and State.
    
    Strong Centre, weaker states.
    
    28 states, 7 union territories, 2 with elected legislatures, 5 ruled directly by Centre.
    
    Separation of Powers – Legislative, Executive, Judicial
    
    Democratic regime.
    
    Legislative Branch
    
    Federal – Parliament, Westminster model.
    
    Lok Sabha – Council of People, voted in by people. (lower house)
    
    5-year elected terms, unless dissolved.
    
    Maximum of 552 members.
    
    Rajya Sabha – Council of States, voted in by state legislatures. (upper house)
    
    Staggered 6-year terms.
    
    Vice President of India presides.
    
    Max 250 members.
    
    Joint sessions – when one house doesn’t act on bill transmitted by other house. Lok Sabha usually wins because it has twice as many members.
    
    States – Assembly, voted in by people.
    
    Executive
    
    Positions
    
    President –head of state, largely ceremonial.
    
    Indirectly elected through elected members of both houses of Parliament and the state Assemblies.
    
    Renewable term of 5 years.
    
    Prime Minister – head of government, real governing authority.
    
    Designated by legislators in Lok Sabha.
    
    Head of Council of Ministers.
    
    Political executives
    
    Cabinet Minister – member of cabinet; leads a ministry.
    
    Minister of State – junior minister reporting to Cabinet minister.
    
    Minister of State (Independent Charges) – junior minister not reporting to Cabinet minister.
    
    Permanent executives
    
    Non-elected public servants.
    
    e.g. “Home Secretary”
    
    Powers of executive
    
    Regulations made under Acts
    
    Press Notes
    
    Ordinances
    
    Executive may legislate via ordinances when legislature not in session, but they lapse six weeks after it resumes.
    
    Judicial
    
    Unitary federal and state system.
    
    Supreme Court of India
    
    Chief Justice
    
    25 associate justices
    
    All appointed by President on advice of Chief Justice.
    
    High Courts of India (at state level)
    
    District Courts and Sessions Courts (at the district level)
    
    Precedent
    
    All courts may interpret Constitution.
    
    Decisions of Supreme Court binding on lower courts but not on SC itself.
    
    Decisions of foreign courts (other than Privy Council prior to independence) are of persuasive authority only.
  - Indian Parliament and Constitution Source Texts
    
    Indian Parliament
    
    Parliament is the supreme legislative body of India. The Indian Parliament comprises of the President and the two Houses – Rajya Sabha (Council of States) and Lok Sabha (House of the People). The President has the power to summon and prorogue either House of Parliament or to dissolve Lok Sabha. The Constitution of India came into force on January 26, 1950. The first general elections under the new Constitution were held during the year 1951-52 and the first elected Parliament came into existence in April, 1952, the Second Lok Sabha in April, 1957, the Third Lok Sabha in April, 1962, the Fourth Lok Sabha in March, 1967, the Fifth Lok Sabha in March, 1971, the Sixth Lok Sabha in March, 1977, the Seventh Lok Sabha in January, 1980, the Eighth Lok Sabha in December, 1984, the Ninth Lok Sabha in December, 1989, the Tenth Lok Sabha in June, 1991, the Eleventh Lok Sabha in May, 1996, the Twelfth Lok Sabha in March, 1998, Thirteenth Lok Sabha in October, 1999, Fourteenth Lok Sabha in May, 2004 and Fifteenth Lok Sabha in April, 2009.
    
    Source Text Link
    
    124. (1) There shall be a Supreme Court of India consisting of a Chief Justice of India and, until Parliament by law prescribes a larger number, of not more than seven2 other Judges. (2) Every Judge of the Supreme Court shall be appointed by the President by warrant under his hand and seal after consultation with such of the Judges of the Supreme Court and of the High Courts in the States as the President may deem necessary for the purpose and shall hold office until he attains the age of sixty-five years:
  - Social Attitudes Toward Privacy and Data Protection
    
    Anti-gay law ruled unconstitutional due to Constitutional right to privacy by Delhi High Court. Overturned by SC, but govt now considering laws.
    
    Considerable corruption.
    
    Frequent target of terrorist attacks, so privacy is very political. Considerable desire to extend surveillance.
    
    Slow-moving judiciary sensitive to civil liberties, including privacy.
  - Surveillance and Identification
    
    Credit Information Companies (Regulation) Act 2005
    
    Blueprint for comprehensive credit surveillance, but info collected largely restricted to credit industry.
    
    Only Indian legislation to provide comprehensive data protection code.
    
    No specific provisions for consumers to make complaints, receive assistance, or have remedies awarded.
    
    But there are provisions for penalties.
    
    RBI (Reserve Bank of India) website has no info on credit report dispute resolution. Same for credit bureaus.
    
    UIDAI (See V. a. iii. India’s UIDAI)
    
    Otherwise, government does not have pervasive surveillance of population.
  - Constitutional Protections
    
    Article 21
    
    “No person shall be deprived of his life or personal liberty except according to procedure established by law.”
    
    Interpreted by SC to include implied protection of privacy as essential ingredient of personal liberty.
    
    Available to anybody, not just citizens.
    
    Also Art 14 – equality before law.
    
    Justice K.S. Puttaswamy v. Union of India (SCI 2015) – Aadhar unconstitutional.
    
    Applies to persons, not places.
    
    Almost all cases are about search/seizure or telecommunications surveillance.
    
    Breaches of constitutional rights in India can result in court orders for compensation. Can also result in SC making binding rules (e.g. for right of access to public info) when legislature fails to act (which it eventually did, RTI 2005).
    
    The Right to Information Act 2005
    
    Freedom of Information Act
    
    No right of correction.
    
    Any citizen of India may request information from a Public Authority, which is required to reply within 30 days, except for exempt information under Section 8.
    
    “public authority” means any authority or body or institution of self- government established or constituted—
    
    by or under the Constitution;
    
    by any other law made by Parliament;
    
    by any other law made by State Legislature;
    
    by notification issued or order made by the appropriate Government, and includes any—
    
    body owned, controlled or substantially financed
    
    non-Government organization substantially financed, directly or indirectly by funds provided by the appropriate Government;
    
    Requirements
    
    Officers
    
    Every covered authority must appoint public information officer (PIO). Responsible for giving information as requested.
    
    Timeliness
    
    Response within 30 days
    
    If request pertains to another agency, PIO must forward within 5 days – respond 30 days after receipt by other authority.
    
    If life or liberty involved, PIO must reply within 1 day.
    
    Applicants
    
    Applicant must provide name and contact info, but not purpose of request
    
    Must pay fees (Rs 10 or more) unless from disadvantaged community (below poverty line – BPL). Prices defined.
    
    Exclusions
    
    Specific authorities
    
    Central Intelligence and Security
    
    Narcotics
    
    Special Frontier
    
    Crime Branch
    
    etc.
    
    Those excluded by state governments through a notification.
    
    Types of info
    
    Disclosure would prejudicially affect sovereignty and integrity of India.
    
    Security.
    
    Strategic, scientific or economic interests of state.
    
    Information forbidden by court.
    
    Breaching privilege of Parliament or state legislature.
    
    Would impede investigation.
    
    Personal information, disclosure of which has no relationship to public activity or interest, or would cause unwarranted invasion of privacy of individual.
    
    Trade secrets.
    
    Exclusion NOT absolute, e.g. human rights and corruption.
    
    The Protection of Human Rights Act 1993
    
    Refers to India’s constitution.
    
    Broad enough to cover ICCPR, Art 17 concerning privacy.
    
    Establishes National Human Rights Comm’n (NHRC).
    
    Power to investigate alleged violations and recommend that govt or authorities pay compensation, prosecute, approach courts for writs or orders.
    
    No independent power to take remedial actions.
    
    Complaints made to state HRCs.
  - Supreme Court Constitutional Right to Privacy Source Texts
    
    Supreme Court Source Text
    
    20. No person shall be deprived of his life or personal liberty except according to procedure established by law.
    
    *[21A. The State shall provide free and compulsory education to all children of the age of six to fourteen years in such manner as the State may, by law, determine.]
    
    While addressing these challenges, the Bench of three judges of this Court took note of several decisions of this Court in which the right to privacy has been held to be a constitutionally protected fundamental right. Those decisions include : Gobind v State of Madhya Pradesh6 (“Gobind”), R Rajagopal v State of Tamil Nadu7 (“Rajagopal”) and People’s Union for Civil Liberties v Union of India8 (“PUCL”). These subsequent decisions which affirmed the existence of a constitutionally protected right of privacy, were rendered by Benches of a strength smaller than those in M P Sharma and Kharak Singh. Faced with this predicament and having due regard to the far-reaching questions of importance involving interpretation of the Constitution, it was felt that institutional integrity and judicial discipline would require a reference to a larger Bench. Hence the Bench of three learned judges observed in its order dated 11 August 2015: “12. We are of the opinion that the cases on hand raise far reaching questions of importance involving interpretation of the Constitution. What is at stake is the amplitude of the fundamental rights including that precious and inalienable right under Article 21. If the observations made in M.P. Sharma (supra) and Kharak Singh (supra) are to be read literally and accepted as the law of this country, the fundamental rights guaranteed under the Constitution of India and more particularly right to liberty under Article 21 would be denuded of vigour and vitality. At the same time, we are also of the opinion that the institutional integrity and judicial discipline require that pronouncement made by larger Benches of this Court cannot be ignored by the smaller Benches without appropriately explaining the reasons for not following the pronouncements made by such larger Benches. With due respect to all the learned Judges who rendered the subsequent judgments – where right to privacy is asserted or referred to their Lordships concern for the liberty of human beings, we are of the humble opinion that there appears to be certain amount of apparent unresolved contradiction in the law declared by this Court. 13. Therefore, in our opinion to give a quietus to the kind of controversy raised in this batch of cases once for all, it is better that the ratio decidendi of M.P. Sharma (supra) and Kharak Singh (supra) is scrutinized and the jurisprudential correctness of the subsequent decisions of this Court where the right to privacy is either asserted or referred be examined and authoritatively decided by a Bench of appropriate strength.”
  - Right to Information Source Text
    
    Right to Information and Obligations of Public Authorities
    
    Subject to the provisions of this Act, all citizens shall have the right to information.
    
    Every Public Authority shall –
    
    Maintain all it’s records duly catalogues and indexed in a manner and the form which facilitates the right to information under this Act and ensure that all records that are appropriate to be computerised are, within a reasonable time and subject to availability of resources, computerised and connected through a network all over the country on different systems so that access to such records is facilitates.
    
    “Public authority” means any authority or body or institution of self-government established or constituted –
    
    by or under the Constitution;
    
    by any other law made by Parliament;
    
    by any other law made by State legislature;
    
    by notification issued or order made by the appropriate Government, and includes any –
    
    body owned, controlled, or substantially financed;
    
    non-Governmental organization substantially financed, directly or indirectly by funds provided by the appropriate government.
- Information Technology Act (IT Act)
  - Information Technology Act of 2000
    
    Information Technology Act 2000 Section 43
    
    Prohibits – without permission of the computer owner – copying data, introducing virus/contaminant, damages/disrupts network or data, altering data, DoS, etc.
    
    43(b) is the specific section prohibiting “downloads, copies, or extracts any data” so that harm to the data subject results.
    
    43(g) includes liability for anybody who assists the person doing the act.
    
    Creates liability for damages not exceeding Rs 10,000,000 “to the person so affected”
    
    So this can include data subjects.
    
    Section 66A
    
    If any person dishonestly or fraudulently does any act referred to in Section 43 – 3 years in prison, Rs 500,000, or both,
    
    Adds criminal component to Sec 43.
    
    Section 66B (as of 2008 Amendment): Whoever dishonestly receives or retains a stolen computer resource or communications device knowing it is stolen – three years in prison, Rs 100,000, or both.
    
    Section 66A and its Removal
    
    Became law in October 2009.
    
    Prohibited using computer or other communication device to send information that was grossly offensive, menacing, known to be false but for the purpose of annoying, insult, hatred, etc.
    
    Prohibited email with fake addresses.
    
    3 years prison + fine.
    
    Supreme Court ruled section 66a to be entirely unconstitutional in 2015.
    
    Violated freedom of expression and speech.
    
    Freedom of expression cannot be suppressed unless the situations created by allowing the freedom are pressing and the community interest is endangered – and not a remote danger.
    
    Section 66A goes beyond defamation – something may be grossly offensive or annoying without being defamatory.
    
    Void for vagueness. Terms undefined. E.g. what is offensive to one person is not to another.
    
    Chilling effect on discussion of governmental, literary, scientific, etc.
  - ITA Source Text
    
    ITA Source Text
    
    43. Penalty for damage to computer, computer system, etc. If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, — (a) accesses or secures access to such computer, computer system or computer network; (b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium; (c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; (d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network; (e) disrupts or causes disruption of any computer, computer system or computer network; (f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means; (g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder; (h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. Explanation.—For the purposes of this section,— (i) “computer contaminant” means any set of computer instructions that are designed— (a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network; (ii) “computer data base” means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network; (iii) “computer virus” means any computer instruction, information, data or program that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a program, data or instruction is executed or some other event takes place in that computer resource; (iv) “damage” means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.
    
    66. Hacking with computer system. (1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack: (2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
    
    Any person who sends, by means of a computer resource or a communication device, –
    
    Any information that is grossly offensive or has menacing character, or
    
    Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstructions, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device; or
    
    Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
    
    Shall be punishable with imprisonment for a term which may extend to three years and with fine.
  - Information Technology (Amendment) Act 2008 (ITAA)
    
    Section 43A
    
    When a corporate body processing, dealing, or handling any sensitive personal information or information in a computer resource which it owns, controls, or operates, is negligent in implementing and maintaining reasonable security practices, thereby causing wrongful loss or wrongful gain to any person, such a body corporate shall be liable to pay damages by way of compensation to the person so affected.
    
    Only commercial private sectors. Only automated info systems.
    
    If Rules are “law,” they cannot be nullified by agreement between the parties.
    
    At least 6 Rules and sub-rules only apply to sensitive personal information.
    
    Half of the Rules do not apply directly to data subjects, only providers; may not be enforceable by consumers/data subjects.
    
    Unless a company processes some sensitive data, it will not have liability even if it processes other types of personal info.
- Section 43A and the 2011 Rules 3-8
  In 2011, delegated legislation made under section 43a of the IT Act created a data privacy regime. However, the rules are perhaps ultra vires, apply only to very strict definitions of sensitive data, and provide rights of action only to the “providers of data”.
  - Rule 4: Privacy Policies Required
    
    Corporate entities must provide privacy policy on website that discloses practices regarding personal information and SPI and ensure that policy is available for review.
    
    Clear statement of practices and policies.
    
    Type of PI or SPI under Rule 3.
    
    Purpose of info collected.
    
    Disclosure of information including SPI per Rule 6.
    
    Reasonable security practices per Rule 8.
    
    Policy need only be available to providers, not data subjects. Data subjects only have the right to seek a privacy policy from a party to whom they provided personal data.
  - Rule 5: Data Protection Principles
    
    Consent and purpose limitation
    
    SPI only: Obtain written consent regarding purpose, means, and modes of uses.
    
    Limited to ‘provider of info,” NOT to data subjects generally.
    
    Practically: if Indian data controllers are dealing directly with data subjects to collect sensitive PI, this is strong protection.
    
    Lawful purpose and minimal collection
    
    SPI only: Collector must ensure that info is collected for lawful purpose connected with a function or activity of the agency and that collection of info is necessary for that purpose.
    
    NO requirement for accurate or up to date info.
    
    Notice and purpose limitation
    
    All Personal Info: If collecting directly from individual concerned, companies shall take reasonable steps to ensure that individual is aware of the fact of collection, purpose, intended recipients, and contact info for collector and holder of data.
    
    Data subjects not entitled to notice when data collected from third parties.
    
    Retention
    
    SPI only: Companies may not retain info beyond when it may be lawfully used.
    
    NOT the same as when purpose of collection has expired!
    
    Very low standard for protection.
    
    Applies to processors as well as controllers.
    
    Use
    
    SPI only: Info collected shall be used for the purpose for which it has been collected.
    
    NOTE: Greenleaf says this is “sensitive info only – implied by context.”
    
    Applies to processors as well as controllers.
    
    Subject access and correction
    
    All Personal Info: Companies must permit providers of info to review info they provided and ensure that any info (SPI or PI) or info found to be inaccurate or deficient shall be correct or amended as feasible.
    
    Limited to ‘provider of info”
    
    Does not apply to data subjects who are not providers.
    
    Option to refuse or withdraw consent
    
    All Personal Info: Provider of info must have option not to provide, and must be able to withdraw consent given earlier.
    
    Body corporate can then refuse to do business.
    
    (Unclear if this will still work after company has performed its side of the bargain.)
    
    Security
    
    All PI must be kept secure.
    
    Complaint handling
    
    No obligation to address and respond to complaints.
    
    Company must designate Grievance Officer (and publish name and contact details on website), who must redress within 1 month.
  - Rule 6: Disclosure Limitations and Exceptions
    
    SPI only: Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation.
    
    Companies prohibited from “publishing” SPI.
    
    Third parties receiving SPI shall not disclose it further.
    
    EXCEPTION: Disclosure permitted to govt agencies mandated by law to obtain info (including SPI) for verification of ID, prevention, detection, investigation of cyber incidents, prosecution, punishment.
    
    No disclosure rights for data subject if data subject is not also provider.
  - Rule 7: Data Export Restriction
    
    SPI only: Two conditions on transfer of SPI by a company in India to another company in India or elsewhere:
    
    Recipient must ensure the same level of data protection is adhered to as provided under Rules.
    
    (a) Transfer is necessary for performance of lawful contract between company and provider of info, or (b) where [provider??] has consented to data transfer.
    
    Again, largely useless to data subjects who are not providers. Consent of data subject not required.
    
    NOTE: IT Act 1(2) and 75(1) asserts unlimited territorial jurisdiction, but 75(2) limits this to where act or conduct involves a computer or network in India. Possibly interpreted as computer may be in India but controlled by people outside.
  - Rule 8: Reasonable Security
    
    “Such security practices and standards have a comprehensive documented info sec program and info sec policies that contain managerial, technical, operational, and physical security control measures that are commensurate with the info assets being protected with the nature of business.”
    
    “In the event of an info sec breach, the body corporate … shall be required to demonstrate [to agency] that they have implemented security control measures as per their documented info sec program and policies.”
    
    Burden of proof in R8 likely does not override 43A’s standard of negligence. But does have separate obligation to demonstrate security.
    
    IS/ISO/IEC 27001 specifically permitted as security standard under the rule.
    
    Other standards and programs allowed – get approval from Central Government.
    
    Any company complying with a security standard shall be deemed to have complied provided company is audited by independent auditor (approved by Centre) at least once per year or after major upgrades.
  - Rules 3-8 Source Text
    
    Rule 4 – Privacy and Disclosure Policy
    
    3.6.1 Rule 4 of the Sensitive Personal Data Rules, which obligates certain bodies corporate to publish privacy and disclosure policies for personal information, states:
    
    Body corporate to provide policy for privacy and disclosure of information. –(1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for –
    
    (i) Clear and easily accessible statements of its practices and policies;
    
    (ii) type of personal or sensitive personal data or information collected under rule 3;
    
    (iii) purpose of collection and usage of such information;
    
    (iv) disclosure of information including sensitive personal data or information as provided in rule 6;
    
    (v) reasonable security practices and procedures as provided under rule 8.
    
    3.6.2 This rule is very badly drafted, contains several discrepancies and is legally imprecise. Firstly, this rule is overbroad to bind all bodies corporate that receive and use information, as opposed to “personal information” or “sensitive personal data.” All bodies corporate receive and use information, even a vegetable seller uses information relating to vegetables and prices; but, not all bodies corporate receive and use personal information and even fewer bodies corporate receive and use sensitive personal data.
- Enforcement
  - The Ministry of Communication and Information Technology
    
    Dissolved 5 July 2016
    
    Superseded by DEIT
  - The Ministry of Electronics and Information (MeitY)
    
    Formerly the Department of Electronics and Information Technology (DeitY)
    
    Enforces policy matters relating to information technology; Electronics; and Internet (all matters other than licensing of Internet Service Provider).
    
    Contains:
    
    Department of Telecommunications
    
    Department of Posts (mail – irrelevant)
  - MeitY Source Text
    
    Functions of Ministry of Electronics and Information Technology
    
    Ministry of Electronics and Information Technology (Electroniki Aur Soochana Praudyogiki Mantralaya)
    
    1. Policy matters relating to information technology; Electronics; and Internet (all matters other than licensing of Internet Service Provider).
    
    2.   Promotion of internet, IT and IT enabled services.
    
    2A. Promotion of Digital Transactions including Digital Payments.2
    
    3. Assistance to other departments in the promotion of E-Governance, E- Commerce, E- Medicine, E- Infrastructure, etc.
    
    4. Promotion of Information Technology education and Information Technology-based education.
    
    5. Matters relating to Cyber Laws, administration of the Information Technology Act. 2000 (21 of 2000) and other IT related laws.
    
    6. Matters relating to promotion and manufacturing of Semiconductor Devices in the country excluding all matters relating to Semiconductor Complex Limited (SCL), Mohali.3
    
    7. Interaction in IT related matters with international agencies and bodies e.g. Internet for Business Limited (IFB), Institute for Education in Information Society (IBI) and International Code Council – on line (ICC).
    
    8. Initiative on bridging the Digital Divide: Matters relating to Digital India Corporation (DIC) [earlier Media Lab Asia (MLA)].
    
    9. Promotion of Standardization, Testing and Quality in IT and standardization of procedure for IT application and Tasks.
    
    10. Electronics Export and Computer Software Promotion Council (ESC).
    
    11. National Informatics Centre (NIC).
    
    12. Initiatives for development of Hardware/Software industry including knowledge– based enterprises, measures for promoting IT exports and competitiveness of the industry.
    
    13. All matters relating to personnel under the control of the Ministry.4
    
    14. Unique Identification Authority of India (UIDAI).5
  - The Telecom Regulatory Authority of India (TRAI) and Do Not Call Registry
    
    Banning Free Basics and Net Neutrality
    
    TRAI developed Common Charter of Telecom Services providing that all service providers assure that the privacy of their subscribers (not affecting national security) shall be scrupulously guarded.
    
    Charter is non-justiciable.
    
    Facebook’s “Free Basics” service violated principles of net neutrality.
    
    Net neutrality rules ban all programs that offer free access to a limited set of online services.
    
    Free basics provided free access to 38 websites through an app.
    
    TRAI ruled in Feb 2016 requiring net neutrality:
    
    No service provider can offer or charge discriminatory tariffs for data services on the basis of content.
    
    No service provider shall contract for discriminatory tariffs.
    
    Reduced tariffs for emergency services are
    
    Issue for privacy appears to be differentiating on the basis of content.
    
    Do Not Call Registry
    
    Nivedita Sharma Case (GL PG 430)
    
    Delhi CDRC ordered Cellular Operators Assoc to inform all members to cease using phone numbers for telemarketing or other purposes.
    
    Also ordered creation of Do Not Call Registry by TRAI.
    
    Telemarketing
    
    Telemarketer shall register with TRAI and obtain registration number.
    
    Telemarketers must update their national customer preference data with updated delta data every Tuesday and Friday.
    
    No commercial communication between 9 pm and 9 am.
    
    No promotional SMS or phone calls to registry numbers.
    
    NCPR – National Customer Preference Register.
  - TRAI and DNC Source Text
    
    TRAI
    
    Now, therefore, in supersession of its earlier direction No. 4-1/2011 BB&PA dated the 27th July, 2012, the Authority, in exercise of the powers conferred upon it under section 13, read with clause (b) of sub-section (1) of section 11, of the Telecom Regulatory Authority of India Act, 1997 (24 of 1997) and in order to ensure transparency in delivery of internet and broadband services and to protect interests of consumers of the telecom sector and to facilitate further growth of internet and broadband services in India, hereby directs all the telecom service providers providing broadband (wire-line or wireless) services to – (a) provide on their website and also in all advertisements published through any media, the following information in respect of all broadband tariff plans offered under Fair Usage Policy: – (A) for Fixed broadband service: (i) data usage limit with specified speed; (ii) speed of broadband connection upto specified data usage limit; and (iii) speed of broadband connection beyond data usage limit; (B) for Mobile broadband service: (i) data usage limit with specified technology (3G/4G) for providing services; (ii) technology (3G/4G) offered for providing broadband services upto specified data usage limit; and (iii) technology (2G/3G/4G) offered for providing broadband services beyond data usage limit; (b) provide information specified in para (a) above to both new and existing subscribers on their registered email address and through SMS on their mobile number registered with the service providers; (c) ensure that download speed of broadband service provided to the fixed broadband subscriber is not reduced below 512 kbps in any broadband tariff plan; (d) provide alert to the subscriber when his data usage reaches eighty percent of the data usage limit under his plan and ensure that such alert is provided to the fixed broadband subscriber at each login after data usage crosses the said limit of eighty percent; and (e) send alert to the subscriber either through SMS or Unstructured Supplementary Service Data (USSD) on his mobile number, registered with the service provider or to his registered email address, each time when the data usage by the subscriber reaches eighty percent and hundred percent of the data usage limit under his plan,- and furnish compliance report by the (date).
    
    Now, therefore, in supersession of its earlier direction No. 4-1/2011 BB&PA dated the 27th July, 2012, the Authority, in exercise of the powers conferred upon it under section 13, read with clause (b) of sub-section (1) of section 11, of the Telecom Regulatory Authority of India Act, 1997 (24 of 1997) and in order to ensure transparency in delivery of internet and broadband services and to protect interests of consumers of the telecom sector and to facilitate further growth of internet and broadband services in India, hereby directs all the telecom service providers providing broadband (wire-line or wireless) services to – (a) provide on their website and also in all advertisements published through any media, the following information in respect of all broadband tariff plans offered under Fair Usage Policy: – (A) for Fixed broadband service: (i) data usage limit with specified speed; (ii) speed of broadband connection upto specified data usage limit; and (iii) speed of broadband connection beyond data usage limit; (B) for Mobile broadband service: (i) data usage limit with specified technology (3G/4G) for providing services; (ii) technology (3G/4G) offered for providing broadband services upto specified data usage limit; and (iii) technology (2G/3G/4G) offered for providing broadband services beyond data usage limit; (b) provide information specified in para (a) above to both new and existing subscribers on their registered email address and through SMS on their mobile number registered with the service providers; (c) ensure that download speed of broadband service provided to the fixed broadband subscriber is not reduced below 512 kbps in any broadband tariff plan; (d) provide alert to the subscriber when his data usage reaches eighty percent of the data usage limit under his plan and ensure that such alert is provided to the fixed broadband subscriber at each login after data usage crosses the said limit of eighty percent; and (e) send alert to the subscriber either through SMS or Unstructured Supplementary Service Data (USSD) on his mobile number, registered with the service provider or to his registered email address, each time when the data usage by the subscriber reaches eighty percent and hundred percent of the data usage limit under his plan,- and furnish compliance report by the (date).
    
    Source Text Link
    
    DNC Legislation
    
    Existing National Do Not Call (NDNC) Registry and Unsolicited Commercial Communications (UCC) Regulations: 5. Based on the outcome of consultation process, the discussions and the international practices being adopted world over to curb the menace of unsolicited commercial calls, the Authority had decided to create a national database containing telephone numbers of the subscribers, who have opted not to receive UCC, to be called ‗National Do Not Call (NDNC) Registry‘. Accordingly, the Authority had sent its recommendations to Department of Telecommunications (DOT) for authorizing National Informatics Centre (NIC), Dept. of Information Technology, Govt. of India for designing and establishing the National Do Not Call Registry and formulating guidelines for Telemarketers. The DOT had authorised NIC for installation, operation and maintenance of NDNC registry. TRAI also notified the Telecom Unsolicited Commercial Communications Regulations, 2007 (4 of 2007) dated 5th June 2007.
  - Penalties and Sanctions
    
    IT Act Sections 43(b) and (g)
    
    Creates liability for damages not exceeding Rs 10,000,000 “to the person so affected”
    
    Potentially includes data subjects.
    
    Section 66 (as of 2008 Amendment): If any person dishonestly or fraudulently does any act referred to in Section 43 – 3 years in prison, Rs 500,000, or both,
    
    Adds criminal component to Sec 43.
    
    Section 66B (as of 2008 Amendment): Whoever dishonestly receives or retains a stolen computer resource or communications device knowing it is stolen – 3 years in prison, Rs 100,000, or both.
    
    IT Act Section 72:
    
    Any person found accessing or using electronic information without the owner’s permission “shall be punished with imprisonment for a term which may extend to 2 years, or with fine which may extend to Rs 100,000, or with both.”
    
    Section 72A:
    
    Any person processing or holding data under the constraints of a contract who discloses data in a manner that may cause harm without explicit consent “shall be punished with imprisonment for a term which may extend to 3 years, or with a fine which may extend to Rs 500,000, or with both.”
    
    Disclosure may be a violation even if it is not a breach of contract, if:
    
    It is without consent of data subject *and*
    
    It is made with requisite intent.
    
    Appears to be very broad, applying to both overseas and Indian customers. E.g. Indian business providing processing services (e.g. intermediary) for an overseas data controller under outsourcing contract.
    
    Does not criminalize further disclosures by third parties who received the data, only disclosures by data controller or intermediary/processor. Does not apply to public bodies because they do not usually provide services under terms of lawful contract.
    
    LIMITATIONS:
    
    Must have intent to cause wrongful loss or gain.
    
    Legitimate purposes (e.g. direct marketing) may or may not be included – unclear.
    
    Wrongful disclosure offense, does not apply to use only.
  - Confidentiality and Privacy Breach Source Text
    
    Breach Penalty
    
    72. Penalty for breach of confidentiality and privacy. Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book. register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
    
    “Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to 2 years, or with fine which may extend to Rs 100,000, or with both.”
    
    Section 72A: “Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to 3 years, or with a fine which may extend to Rs 500,000, or with both.”
  - Grievance Officers
    
    Required by IT Act 43A and Rule 5(9)
    
    Located at company dealing with SPI.
    
    Handles any discrepancies and grievances of the provider of info with respect to processing of information in a time bound manner.
    
    Must redress within one month.
Common Themes Among Principle Frameworks
- Sensitive Data Protections
  Singapore
  - No specific statements about children in PDPA.
  - Whether minor can give consent depends on other legislation and common law.
    
    Under 13, best to obtain from parent/guardian.
    
    At least age 13, typically understands.
  - Commission says that orgs should consider whether minor has sufficient understanding, and otherwise obtain from guardian.
    
    Deemed consent via parent.
    
    Understanding: purpose, effect, undue influence.
  - Organizations targeting minors should consider phrasing consent in easy-to-understand terms. Also take extra steps to verify accuracy.
  Hong Kong
  - 67B – abuse and pornography.
  - DPP3 – A “relevant person” (parent, guardian) might be required for consent for a new purpose if data subject is a minor or incapable of understanding the new purpose.
  India
  - UID/Aadhar – biometric based unique ID number.
    
    Not card-based – just a number and can print online.
  - Information to be submitted
    
    Demographic
    
    Name, address, birthdate.
    
    Biometric
    
    Fingerprint, iris scan, photograph.
    
    Used ONLY for enrollment and authentication and no other purpose.
    
    NOT shared with anybody, not displayed publicly, except for purposes specified by regs.
  - Use
    
    Verifying ID of person receiving subsidy or service.
    
    Proof of ID for any purpose asked by public or private entity.
    
    Requesting entity must obtain consent before collecting ID info for the purpose of auth. May not use collected data for any other purpose.
    
    NOT proof of citizenship or domicile.
  - Protection of Information
  - Authority shall ensure security, confidentiality of ID information and auth records of individuals.
  - Biometric info
  - may not be shared with anybody for any reason whatsoever.
  - BUT – OK for national security.
  - may not be used for any purpose except for those provided in the Act.
  - is considered “sensitive personal data or information” under the IT Act 2000.
  - Personal data can be transferred to “relevant person” regardless of the PDPO if:
  - In the interest of the minor.
  - Facilitates the parent or guardian to exercise proper care of minor.
  - Non-disclosure would prejudice exercise of proper care by the relevant person.
- Managing consent opt-out mechanisms: Use and limitations, consent to new purposes and documentation
  Singapore
  - Org shall not collect, use, or disclose PD about an individual unless (a) gives or is deemed to have given consent, or (b) collection, use, disclosure, without consent, authorized under PDPA or by other law.
    
    Individuals are deemed to have consented to collection, use, or disclosure by voluntarily providing their personal data to the organization for that purpose, where it is reasonable to do so.
  - Where actual consent is required, failure to opt-out will not be regarded as consent in all situations, but will depend on actual facts and circumstances.
  Hong Kong
  - DDP3: Data Use
    
    Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.
  India
  - Provider of info must have option not to provide, and must be able to withdraw consent given earlier.
    
    Does little to protect data provided by those other than the data subject.
    
    Does not specify what constitutes an option not to provide or a reasonable option to withdraw consent.
  - Lacks specific enforceable language regarding how consent must be obtained. Data privacy rules require explicit written consent for the processing of Sensitive Personal Information, but these rules are not enforceable.
  - Penalties and Sanctions
    
    Singapore
    
    May investigate non-compliance with PDPA upon complaint or its own motion.
    
    No requirement for grounds or suspicion.
    
    No power to award compensation to Claimant.
    
    May order:
    
    Review decisions refusing to provide access or correction.
    
    If not complying with privacy principles, may give directions to ensure compliance, including to destroy data; to stop collecting, using, or disclosing data; to comply with directions on access and correction; to pay financial penalty not exceeding S$1m.
    
    Where no other penalty provided, max fine up to S$10k and 3 years in prison.
    
    + S$1k for each day offense continues.
    
    DNC Registry: S$10k/infraction
    
    Hong Kong
    
    Power exercised in response to (a) individual complaint of breach about his personal data, (b) on Comm’r’s own initiative (own motion), or (c) class complaint.
    
    When two or more individuals each make a complaint about the same matter, any one of them may do so on behalf of all individuals.
    
    Power to enter onto premises, require information and docs When Comm’r finds following investigation that a data user is contravening or has contravened a requirement of the Ordinance (including a DPP).
    
    2012 Amendments removed requirement that enforcement only occurs if contravention was likely to continue.
    
    Current version much more powerful.
    
    Breach of DPP is not a criminal offense, but breach of any other Ordinance requirement – including complying with enforcement notice – is a criminal offense.
    
    Maximum HK$50k fine + daily penalty HK$1000. Doubles on second offense. Repeated acts may include 2 years prison.
    
    India
    
    IT Act Sections 43(b) and (g)
    
    Creates liability for damages not exceeding Rs 10,000,000 “to the person so affected”
    
    Potentially includes data subjects.
    
    Section 66 (as of 2008 Amendment): If any person dishonestly or fraudulently does any act referred to in Section 43 – three years in prison, Rs 500,000, or both.
    
    Adds criminal component to Sec 43.
    
    Section 66B (as of 2008 Amendment): Whoever dishonestly receives or retains a stolen computer resource or communications device knowing it is stolen – three years in prison, Rs 100,000, or both.
    
    IT Act Section 72: Any person found accessing or using electronic information without the owner’s permission “shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs 100,000, or with both.”
    
    Section 72A: Any person processing or holding data under the constraints of a contract who discloses data in a manner that may cause harm without explicit consent “shall be punished with imprisonment for a term which may extend to 3 years, or with a fine which may extend to Rs 500,000, or with both.”

ResourceCenter

All the tools and information you need in one easy-to-find place

CIPP/A Study Guide