Data Privacy Technology Law Updates


September 2024 Edition

1. Bombay High Court quashes Government’s Fact-Check Unit

In January 2024, the Bombay High Court delivered a split verdict in the case of Kunal Kamra v. Union of India & Ors. [Writ Petition (L) No. 9792 of 2023], concerning amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 which empowered the Central Government to create Fact-Checking Units (“FCU”) for labelling online content as ‘fake, false, or misleading’. Petitioners argued that this provision infringed upon their fundamental rights under Articles 14 and 19 of the Constitution, alleging it was vague and could lead to arbitrary censorship, particularly threatening their freedom of expression.

The High Court deemed the amendment ultra vires the Information Technology Act, 2001 (“IT Act”), citing vagueness in key terms and a failure to meet the test of proportionality.

Our Founder’s Comments – “Centre could file a special leave petition in the Supreme Court to challenge the decision, amend the existing rules to clarify definitions of misinformation and establish transparent processes for FCUs, and engage with stakeholders like intermediaries and civil society to balance the need for accurate information with the protection of fundamental rights.” 

The Mint (September 20, 2024)


There is no denying that fake or misleading news in today’s digital age often leads to dangerous consequences. However, controlling the harmful effects could be a joint effort between the Government and the public. To this end, the Government could reach out to associations, self-regulatory organisations and other similar players rather than unilaterally giving arbitrary powers to authorities. A continuous dialogue between all stakeholders may bring out better solutions.   

2. Government of India blocks websites to safeguard Sensitive Data and Privacy Rights[1]

The Government of India blocked websites that were exposing sensitive personal information, including Aadhaar and PAN card details of citizens, following a complaint lodged by the Unique Identification Authority of India (“UIDAI”). The Indian Computer Emergency Response Team (“CERT-In”) identified security flaws on these sites. The concerned website owners were provided guidance on actions to be taken at their end.

Although there is no information on the names of the specific websites that were blocked through this action, it is a clear reminder for other players to get their house in order.

3. SEBI introduces comprehensive Cybersecurity Framework for REs[2]

On August 20, 2024, SEBI introduced the Cybersecurity and Cyber Resilience Framework (“CSCRF”) for SEBI-regulated entities for addressing the growing cyber threats. The CSCRF sets out key provisions including mandatory governance structures, robust incident management protocols, and the Cyber Capability Index for assessing cyber resilience. The CSCRF requires regulated entities to implement strict control over sensitive information, regular risk assessments, encryption protocols, and compliance audits to ensure they are aligned with evolving cybersecurity standards.

SEBI-regulated entities, which include stock exchanges, depositories, clearing corporations, mutual funds, AIFs, credit rating agencies, merchant bankers, brokers, portfolio managers and share transfer agents, will have to align their systems to the requirements of the CSCRF.

4. RBI mandates compliance with DPDP Act for Regulatory Sandbox Entities[3]

In its latest update, RBI introduced key revisions to the Regulatory Sandbox Framework, chief among them being mandatory compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) for sandbox entities.

This proactive approach will enable entities to incorporate the compliances mandated under the DPDP Act and obtain valuable feedback on the effect and efficacy of data privacy regulations in terms of their operations.

5. MeitY issues advisory on prompt removal of Prohibited Content by Intermediaries[4]

On September 3, 2024, MeitY issued an advisory directing intermediaries to remove prohibited content at the earliest and not wait for the expiry of the 36-hour time limit provided under the IT Act and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

The advisory has been issued pursuant to the case of National Stock Exchange of India Ltd v. Meta Platforms, Inc. & Ors [Interim Application (L) No.21456 Of 2024], where the court ordered the social media platform to act within 10 hours of receiving the complaint.

Prompt action will curtail the reputational and financial damage to an entity, making for a more effective way of addressing this menace.


INTERNATIONAL 

6. Uber Fined €290 Million by Dutch DPA for GDPR breach[5]

On August 26, 2024, the Dutch Data Protection Authority imposed a €290 million fine on Uber for serious violations of the General Data Protection Regulation (“GDPR”). The investigation stemmed from complaints by French drivers, revealing that Uber transferred sensitive personal data, including identification and health-related information, from Europe to the U.S. without adequate protection or explicit consent from the drivers. Instead of utilizing the EU Model Standard Contractual Clauses, Uber relied on a now-invalid framework known as the Privacy Shield. In response, Uber has announced plans to appeal the decision.

7. Canada’s New Data Portability Law takes effect[6]

On September 22, 2024, Québec implemented its data portability law to empower individuals by granting them the right to request confirmation, access, and copies of their personal information in a structured and commonly used technological format.

This is a significant step in enhancing consumer control over personal data; however, companies will need to navigate the practical challenges of compliance, especially regarding secure data transmission.

8. Privacy Reforms introduced in Australian Parliament[7]

Key proposals of the privacy reforms include a statutory tort for serious invasion of privacy and the introduction of tiered penalty provisions, allowing the Commissioner to impose fines up to AU$66,000 for specific breaches of the Australian Privacy Principles. Additional measures aim to enhance protection for minors, improve the compliance mechanism for cross-border data transfers, and address issues related to automated decision-making.

9. Vietnam introduces Draft on Personal Data Protection Law[8]

On September 24, 2024, the Vietnamese Government unveiled the first draft of its Personal Data Protection Law, comprising 68 articles across 7 chapters and aiming for implementation on January 1, 2026. Key highlights include emphasis on consent as the primary basis for data processing, introduction of data processing impact assessments, and definitions relevant to personal data management. Additionally, all enterprises must appoint a data protection department, though micro-enterprises and startups are exempt for the first 2 years. The public consultation period is open until November 24, 2024, allowing stakeholders to provide feedback.

10. Malaysia updates Personal Data Protection Act[9]

Malaysia is revising its Personal Data Protection Act to introduce a mandatory data breach notification obligation, requiring companies to notify the Personal Data Protection Commissioner within 72 hours of becoming aware of a significant breach. Additionally, organizations engaged in ‘large-scale’ data processing will be required to appoint a Data Protection Officer (“DPO”), with consultations on defining ‘large-scale’ and the necessary qualifications for DPOs underway.

Another significant change involves the introduction of data portability rights, allowing individuals to request that their data be sent to third parties. Feedback is being sought on the challenges companies may face in fulfilling these requests and the types of data subject to portability.
