Andrew Grove, co-founder and former CEO of Intel Corporation, said in a 2000 interview:

Privacy is one of the biggest problems in this new electronic age. At the heart of the internet culture is a force that wants to find out everything about you. And once it has found out everything about you and two hundred million others, that’s a very valuable asset, and people will be tempted to trade and do commerce with that asset. This wasn’t the information that people were thinking of when they called this the information age.[1]

People living in this age can either choose to be left alone and preserve their own privacy, or be connected across a series of globally interconnected networks. Driven by, inter alia, data breaches[2], the free flow of information across group companies[3] and the review of decisions enabling commercial data transfers[4], this past year witnessed significant developments in data privacy and protection laws across the globe. A lot of focus was put on the rights of consumers in this ever “data”-consuming world, where every technology platform offering a service or product “online” churns out large volumes of personal and sensitive personal data. Parenthetically, the steady growth of children-specific service delivery platforms also led to a reconsideration of the rights and controls afforded to their guardians, and of the roles and obligations of their “data custodians”.

This past year was driven by concerns around data privacy, with people becoming acutely aware of the information they generate and the rights they possess. With work from home becoming the norm over the past couple of years, 20% of organizations experienced a breach due to a remote worker[5]; consequently, companies became proactive in revamping their IT strategies, and cybersecurity best practices became the focus.

The first half of the past year was also embroiled in apprehensions around contact tracing and vaccine passports[6], bringing health privacy to the fore. It became important to strike a balance between containing the spread of the virus and preserving the privacy of the individuals concerned. The UK government had to withdraw the original version of its contact tracing app and moved to a decentralized model[7].

Apple drove home the renewed demand for data privacy by introducing privacy labels on the App Store, giving users a glimpse of an app’s privacy practices before they download it[8]. Closer to home, we now have a draft Data Protection Bill; whether for good or ill remains to be seen.

Let’s look at the year for what it was.

The European Data Protection Board adopted Guidelines on the interplay between Art. 3 and Chapter V GDPR – November 2021

The Guidelines clarify the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V. They aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.

Link: https://edpb.europa.eu/news/news/2021/edpb-adopts-guidelines-interplay-between-art-3-and-chapter-v-gdpr-statement-digital_en

Data Protection and the European Union’s anti-money laundering regulations – July 2021

The European Commission adopted a package of legislative proposals to strengthen the anti-money laundering regime in Europe by preventing the use of financial systems for money laundering and terrorism financing activities. The proposals create a framework for the coordination of national and financial authorities and establish an EU anti-money laundering authority. The regulations stress the data protection compliance obligations of private entities and EU bodies, which must conduct the necessary risk assessment audits and take reasonable steps to prevent such financial crimes while pursuing outsourcing relationships.

Link: https://ec.europa.eu/info/publications/210720-anti-money-laundering-countering-financing-terrorism_en

Amsterdam District Court recognizes a GDPR right to an explanation for algorithmic decision-making – March 2021

The Court required Ola to explain the logic behind a fully automated decision within the meaning of Article 22 of the GDPR. The Court held that Ola must communicate the main assessment criteria and their role in the automated decision to [the drivers], so that they can understand the criteria on the basis of which the decisions were taken and are able to check the correctness and lawfulness of the data processing.

Link: https://gdprhub.eu/index.php?title=Rb._Amsterdam_-_C/13/689705/HA_RK_20-258

European Digital Identity Wallets – June 2021

The European Commission (EC) proposed a framework for the creation of a European Digital Identity Wallet, permitting European citizens to store payment details, passwords and official documents in one secure location. The Wallet will enable Europeans to access government services online without the use of private identification methods, thereby restricting the mirroring of similar data units across services.

Link: https://ec.europa.eu/commission/presscorner/detail/en/IP_21_2663?f=

The Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (JPC), tabled its report in both houses of Parliament – December 2021

The JPC report, which contains a list of policy recommendations based on an analysis of various provisions of the PDP Bill, 2019, also contained a draft bill titled the Data Protection Bill, 2021. The report’s focus was to address the public policy concerns that have arisen of late, and it also took into consideration the judgment of the Hon’ble Supreme Court in Justice K.S. Puttaswamy (Retd) v. Union of India.

Link: http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf

DPA Guidance on Contact Tracing Applications

In view of the prevalence of contact tracing applications (public and private) during the pandemic, several data protection authorities (DPAs) published guidance documents on the safe maintenance of customer records and personal data. The guidance documents rely upon the privacy principles of data minimization, transparency, safe and limited storage, and deletion once the purpose of collection is exhausted, to safeguard user privacy.

Link: https://www.dataprotection.ie/sites/default/files/uploads/2020-09/Processing%20Customer%20Data%20for%20COVID-19%20Contact%20Tracing%20Sep%2020.pdf

European Union’s ePrivacy Regulation

The European Union approved the revised ePrivacy Regulation, which aims to cover all forms of electronic communications services within the Union. The Regulation imposes compliance obligations covering communication content and metadata, restricts the monitoring and processing of user data without prior consent, simplifies cookie rules to allow user-friendly browser settings, and bans unsolicited electronic communications by email, SMS or automated calling machines.

Link: https://digital-strategy.ec.europa.eu/en/policies/eprivacy-regulation

Germany’s Telecommunications and Telemedia Data Protection Act (TTDSG) – December 2021

The TTDSG consolidates data protection rules previously spread across separate telecommunications and telemedia statutes into a single piece of legislation. It aims to protect the confidentiality and privacy of users accessing internet-ready infrastructure such as websites, messaging services or smart home devices. Key highlights include the processing of personal and non-personal data, broadening its application to IoT (Internet of Things) devices, consolidation of data in one location, introduction of rights for heirs of telecommunication users, and regulation of cookies and cookie banners.

Link: https://www.gesetze-im-internet.de/ttdsg

US ban on Chinese telecom subsidiaries over national security concerns – October 2021

The Federal Communications Commission (FCC) revoked the authorization of Chinese telecommunication companies operating in the country. It argued that such companies could be subject to exploitation, influence and control by the Chinese government, exposing them to compliance demands backed by neither sufficient legal procedures nor judicial oversight. The FCC argued that, subject to such control, these companies could pose substantial security and law enforcement risks while processing information generated in the country.

Link: https://docs.fcc.gov/public/attachments/DOC-376902A1.pdf

Colorado Privacy Act – July 2021

Colorado becomes the third state in the USA to implement comprehensive data privacy legislation. The CPA applies to companies that conduct business in Colorado or sell products or services intentionally targeted to residents of Colorado, and that meet either of the following thresholds: (i) control or process the personal data of 100,000 or more consumers during a calendar year; or (ii) derive revenue or receive discounts from the sale of personal data and control or process the data of at least 25,000 consumers.

Link: https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf

China’s Regulation for Industrial and Telecom Data Security – September 2021

The Ministry of Industry and Information Technology (MIIT) recently introduced the Measures for the Administration of Data Security in the Field of Industrial and Information Technology sectors (Trial) (Draft) (the Measures). The Measures were drafted in furtherance of China’s Data Security Law and can be enforced against the industrial and telecommunication sectors. Briefly, the Measures categorize data by risk level into three tiers (ordinary, important and core data) and mandate localization of core data along with other filing compliances. The Measures also provide guidelines on data management, data inspection and related legal responsibilities.

Link: https://www.regulationasia.com/china-miit-issues-plans-for-expansion-of-big-data-industry/

Virginia’s Consumer Data Protection Act – August 2021

The CDPA expands consumer rights to access, correct, delete and obtain a copy of personal data provided to or collected by a company, and to opt out of the processing of personal data for purposes of targeted advertising, sale or profiling. It applies to all persons that conduct business in the Commonwealth and either (i) control or process the personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

Link: https://lis.virginia.gov/cgi-bin/legp604.exe?211+sum+SB1392

Standard Contractual Clauses – June 2021

On 4 June 2021, the Commission issued modernized standard contractual clauses (SCCs) under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

These modernized SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. Since 27 September 2021, it is no longer possible to conclude contracts incorporating these earlier sets of SCCs.

Until 27 December 2022, controllers and processors can continue to rely on those earlier SCCs for contracts that were concluded before 27 September 2021, provided that the processing operations that are the subject matter of the contract remain unchanged.

Link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en


[1] https://www.esquire.com/entertainment/interviews/a1449/learned-andy-grove-0500/; originally published in the May 2000 issue; last accessed on January 15, 2022, at 0915 hrs.

[2] https://www.wired.com/story/worst-hacks-2021/, last accessed on January 15, 2022, at 1055 hrs; https://www.zdnet.com/article/the-biggest-data-breaches-of-2021/, last accessed on January 15, 2022, at 1055 hrs. The major breaches were across several consumer-facing sectors, where the efficient delivery of the service depends on the accuracy of the information provided by the data subject.

[3] https://www.whatsapp.com/legal/updates/privacy-policy/, last accessed on January 24, 2022, at 2137 hrs. The technology giant WhatsApp made data sharing with Facebook mandatory for business accounts. This has drawn the ire of several regulators (privacy, anti-trust) across the globe. The awareness and concerns raised by users forced the platform to give more time before making its new policy mandatory for existing users. Also see: https://blog.whatsapp.com/giving-more-time-for-our-recent-update, last accessed on January 24, 2022, at 2140 hrs.

[4] Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Judgment in Case C-311/18 (Schrems II); https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf, last accessed on January 24, 2022, at 2147 hrs. In the Schrems II judgment, the Court of Justice of the European Union declared the European Commission’s Privacy Shield Decision invalid on account of invasive US surveillance programs, thereby making transfers of personal data on the basis of the Privacy Shield decision illegal. Furthermore, the Court stipulated stricter requirements for the transfer of personal data based on standard contractual clauses (SCCs).

[5] https://blog.malwarebytes.com/reports/2020/08/20-percent-of-organizations-experienced-breach-due-to-remote-worker-labs-report-reveals/, last accessed on January 24, 2022, at 0940 hrs.

[6] https://www.weforum.org/agenda/2021/05/what-is-a-vaccine-passport-and-will-you-need-one-the-next-time-you-travel/, last accessed on January 26, 2022, at 1140 hrs.

[7] https://www.openrightsgroup.org/campaign/protecting-digital-rights-during-covid-19/, last accessed on January 26, 2022, at 1138 hrs.

[8] https://support.apple.com/en-us/HT211970, last accessed on January 26, 2022, at 1129 hrs.
