International Data Protection Laws
EU, USA and India
Amit Luhach
Katharina Scheja
Data Protection Law – Origins and Development
I. European Union: General Data Protection Regulation
1. GDPR Terminology
2. Material and Territorial Scope
3. Data Processing Principles
4. Lawful Processing
5. Data Processing Contracts
6. Security, Accountability and Compliance
7. Data Subject's Rights and Enforcement
8. International Data Transfers
9. Member States' Specifics
II. United States: Federal and State Laws
10. Federal Privacy Laws
11. California Consumer Privacy Act
12. California Privacy Rights Act
13. State Privacy Laws
III. India: Personal Data Protection Act
14. Territorial Scope and Definitions
15. Personal Data Processing
16. Data Principal's Rights
17. Transparency and Accountability Measures
18. Cross Border Transfers
19. Data Protection Authority of India
20. Penalties, Offences and Adequacy under GDPR
IV. Closing Remarks: Data Protection Concepts and Principles
Abbreviations and acronyms
Cases
Notes
Authors
Copyright © 2021 JustoGO Publishing UG
Eifelstraße 3
65812 Bad Soden
info@justogo.net
The book looks at the status of privacy protection in three of the most thriving IT markets in the world. It provides an overview of the data protection laws of the European Union, the United States and India. Part I describes the EU's General Data Protection Regulation. Part II provides an overview of the US's federal regulation on data protection and reports on major legal developments on the State level. Most prominently it describes the California Consumer Privacy Act, which is spearheading the US States' legal developments. Finally, in Part III, the Indian Personal Data Protection Act is discussed.
Despite our intent to keep this book concise, we have aimed to investigate the different viewpoints and explain the three legal concepts in a simplified but comprehensive way, including the relevant jurisdiction. Each chapter explores the pertinent legal provisions and supports them with decisions and examples. The book is written for legal practitioners as well as students and jurists who are looking for first access to privacy laws. It aims to provide the reader with enhanced awareness and understanding of the data protection laws in these three jurisdictions – an area of law that will certainly see fast future developments internationally in the years to come.
The print edition of this book can be purchased from bookstores. It will receive updates to keep track of new developments in this area and/or respond to the reader's feedback. Please feel free to contact us via info@justogo.net for any comments or questions.
April, 2021
Göttingen: Amit Luhach, LL.M.
Bad Soden: Dr. Katharina Scheja
Data Protection Law – Origins and Development
The Right to Privacy as a fundamental right emerged from the Universal Declaration of Human Rights (UDHR) adopted in 1948. It has been referred to as the right to respect for private and family life in the European Convention on Human Rights (ECHR) adopted in 1950. The ECHR provides that “everyone has the right to respect for his or her private and family life, home and correspondence”, but this right is subject to interference by public authorities where such is in accordance with the law, follows legitimate public interest and/or is necessary for a democratic society.¹ The UDHR and ECHR came into play before the development of computers and the internet. These technological advancements brought enormous benefits to individuals as well as society and created a new world of communication, a space in itself as some hold.² Business processes, as well as communication, have gained ever-increasing speed, efficiency and productivity. Simultaneously, this technical revolution posed new dangers to the right to private and family life as illustrated by Edward Snowden in his book “Permanent Record”.³ The rapid developments in the field of electronic data processing and computers in the 1970s caused extensive data collection, storage and processing by big corporations, individuals, enterprises, academic and other public institutions.⁴ Not surprisingly this required the development of a new privacy concept, now known as 'informational privacy' or 'right to self-determination'.⁵ In Europe, the legal safeguards of the era such as the law of torts, secrecy and confidentiality failed to provide sufficient protection to the personal data of citizens. Over time it became apparent that increased cross-border trade and automated data processing require a new set of rules and standards enabling individual and market participants to exercise better control over their data.
The need to provide a balance between personal freedom and privacy of the individual and commercial data processing as well as international data flows generated the development of special regulations for the protection of personal data.
In 2012, the Charter of Fundamental Rights of the European Union (EU Charter) provided the right to respect for private and family life, home and communications to everyone.⁶ Justice Tugendhat called these core components confidentiality and intrusion prevention and held that “the right to respect for private life embraces more than one concept. The two core components of the right to privacy are to prohibit unwanted access to private information and unwanted access to one’s personal space.”⁷ Article 8 of the EU Charter addresses data protection. It grants everyone a right to the protection of their personal data. Moreover, the data processing must be fair, must be undertaken for specific purposes, and shall be based on consent or some legitimate basis. Also, the individual should have the right to access and rectification of personal data, and there must be a supervisory authority to oversee compliance by the controller and the processor. In essence, Article 8 deals with the data subject rights, obligations of data controllers and supervision by independent authorities. The Court of Justice of the European Union (CJEU) observed that “