8 Matching Annotations
  1. Jul 2018
    1. where applicable, any rating in the form of a data trust score that may be assignedto the data fiduciary under section 35;and

      A Data Trust score. Thankfully, it isn't mandatory to have a data trust score, which mean that apps and services can exist without there being a trust score

    2. the period for which the personal data will beretained in terms of section 10 or where such period is not known, the criteria for determining such period;

      This defines the terms for data retention. From a company perspective, they are likely to keep this as broad as possible.

    3. Upon receipt of notification, the Authority shall determine whether such breach should be reported by the data fiduciaryto the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate suchharm.

      This means that users aren't always informed about a breach of data. That's the prerogative of the Data Protection Authority, and not mandatory, in the interest of the user.

    4. “Personal data breach”means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction, loss of access to, of personal data that compromises the confidentiality, integrity or availability of personal data to a data principal;

      Personal data breach here includes "accidental disclosure" as well.

    5. Notwithstanding anything contained in sub-sections (1) and (2), the Act shall not apply toprocessing ofanonymised data.

      The law isn't applicable to anonymised data. However it doesn't deal with pseudonomised data.

    6. in connection with any activity which involves profiling of data principals within the territory of India.

      This clause gives the law jurisdiction over data of Indian residents or visitors, processed beyond the physical boundaries of India

    7. in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or

      Since the Internet is boundary-less, this law will apply to all online services that are being consumed in India: apps downloaded, websites viewed.

    8. Where the data principal withdraws consentfor the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal.

      How does it serve public interest and individual rights to hold people liable for the withdrawal of consent to the processing of their personal data?