In continuation of our previous blog, Introduction to Data Privacy Impact Assessment, the present blog delves further into the legal intricacies of the Data Privacy Impact Assessment (DPIA) under the GDPR and its standing under the Indian legal regime.
Each Member State is mandated under Article 51 of the General Data Protection Regulation (GDPR) to constitute an independent public authority to monitor the application of the GDPR; that authority also ensures that Data Privacy Impact Assessments (DPIAs) are carried out with due regard to the rights and freedoms of individuals.
For instance, in the UK, the Information Commissioner's Office (ICO) is the independent supervisory authority responsible for promoting DPIAs and advising on matters pertaining to them. It is not mandatory to send every DPIA report to the ICO, but it is necessary to submit those DPIA reports which identify a high risk that cannot be mitigated. Where the assessment identifies such a high residual risk, the processing of data cannot begin until the ICO has been consulted.
The GDPR does not impose a penalty merely because a DPIA has not been conducted; rather, the penalty is imposed for the damage which arises as a result of not performing a risk assessment. Therefore, it is always advisable to conduct a DPIA in order to understand and implement compliance, so that GDPR fines can be avoided.
Article 83 of the GDPR provides for administrative fines, and the responsibility for imposing them rests with the supervisory authority of the respective Member State. The GDPR has substantially increased the fines for data protection violations: in severe cases, up to 20 million Euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Certainly, such a high level of potential administrative fines merits taking measures to ensure compliance.
Article 84 of the GDPR obliges the Member States to lay down their own penalties for infringements and to ensure their implementation, in particular for infringements which are not already subject to administrative fines. Penalties under Article 84 of the GDPR have to be effective, proportionate, and dissuasive, and the Member States must notify the Commission of the penalties so laid down.
Case Study: Datainspektionen – Sweden (August 2019):
A school in Sweden was fined 18,000.00 EUR by the Swedish Data Protection Authority (DPA) for the improper use of facial recognition technology to monitor student attendance in a pilot program. The DPA held that the school had processed sensitive biometric data of students in violation of the GDPR and, when asked, could not produce any evidence that a DPIA had been conducted for the program. Since the processing involved sensitive personal data and posed a high risk, performing a DPIA was mandatory, as was prior consultation of the DPA; hence, the fine imposed on the school was justified.
DPIA UNDER INDIAN LEGAL REGIME
India introduced its own Personal Data Protection Bill, 2019 (PDP Bill), which closely resembles the EU's GDPR and provides a broader scope for Sensitive Personal Data than the GDPR does. The necessity of conducting a prior DPIA is also provided for under the PDP Bill. It requires significant Data Fiduciaries to conduct a DPIA before processing personal data if the processing involves:
- New technologies;
- Large-scale profiling or use of sensitive data; or
- Any other activities that carry a significant risk of harm, as may be specified by regulations.
It is pertinent to note here that, under the PDP Bill, all DPIA reports are to be submitted to the Data Protection Authority of India (DPA) for review, which is a significant departure from the GDPR.
ROLE OF LEGAL PROFESSIONALS IN DPIA COMPLIANCE
Legal Professionals (both in-house and outside counsel) play a pivotal role in assisting organizations of every size in complying with the prevailing laws and regulations, and the DPIA is no exception. According to Article 24 of the GDPR, the organization shall implement appropriate technical and organizational measures to protect the legal rights of Data Subjects, such as the Right to Privacy and Freedom.
Such technical and organizational measures carry legal compliance requirements which must be met in consonance with the GDPR, thereby bringing the legal team into the picture. The following are the measures where the assistance of a Legal Professional becomes necessary for fulfilling compliance:
- Certain information must mandatorily be disclosed by the Data Controller, such as the purpose for which the submitted information is used and the sharing of data with third-party users or firms; Legal Professionals possess the knowledge of what must be disclosed. The disclosure needs to be carefully drafted in accordance with the GDPR so as to provide correct and accurate information to the user.
- Certain rights of the user are laid down in the GDPR, such as:
  - Article 15: Right of Access to Data
  - Article 16: Right to Rectification
  - Article 17: Right to Erasure
  - Article 18: Right to Restriction of Processing
  - Article 20: Right to Data Portability
  - Article 21: Right to Object
  Such rights must be well known to the Data Controller in case of any dispute, and thus a Legal Professional can assist by advising on them.
- The Data Controller is required to enter into a contractual relationship with the Processor of the personal data it receives. The contract so drafted needs to demarcate the roles and responsibilities of both parties, including liability arising from the processing of the information of Data Subjects.
- The Data Controller is required to grant authorisations to administer the data, while simultaneously ensuring that it does not lose control of access. Thus, the Legal Professional needs to determine which information shall be provided to the administrator, to avoid creating any contingent legal issues.
- The Data Controller is required to implement certain security measures in accordance with ISO/IEC 29100, Information technology - Security techniques, and the related standards in that series for the protection of data. The Legal Professional can assist the Data Controller in complying with such standards.
- In the event of a data breach, the Legal Professional shall assist with the legal intricacies of disclosing information to the general public and shall initiate the DPIA process, to mitigate the risk of such data breaches recurring.
It is pertinent to note that the legal professional advising the organization cannot complete this task alone; they must be accompanied by IT Solutions Specialists and Analysts who assess the data flows, quantify the risk, and provide the answer to whether a DPIA is necessary. The two teams work hand in hand on the assessment, to find answers to data protection questions and ensure the privacy of users while simultaneously making optimum use of the data.
The GDPR has been drafted with a hybrid of restrictive and general scope of interpretation, so as to bring as many Data Controllers as possible within its ambit and to define the penalty applicable to every offender. India has likewise been inspired by the GDPR and has drafted a bill for the protection of the data of millions of users, the need for which has been illustrated by a series of large data breaches over the past few years.
The DPIA can be conducted through the collective effort of the Legal Professionals and the IT Data Controllers to produce the best outcome with the least legal damage and the lowest penalties. This underlines the important role lawyers have to play in the world of data privacy and the need of the hour to raise awareness about the concerns posed by the internet. Moreover, the legal fraternity also needs to establish proper institutions to deal with such harms, which cause losses of thousands of dollars daily.
– Team AMLEGALS, assisted by Ms. Akanksha Kashyap and Mr. Rohan Bangia (Interns)
For any queries or feedback, please feel free to connect with email@example.com or firstname.lastname@example.org