Skip to content

Tech Law Forum @ NALSAR

A student-run group at NALSAR University of Law

Menu
  • Home
  • Newsletter Archives
  • Blog Series
  • Editors’ Picks
  • Write for us!
  • About Us
Menu

Battling Goliath: An Analysis of the National Privacy Principles (Part II: Principles Five to Nine)

Posted on November 9, 2014 by Kartik Chawla

(Image Source: https://flic.kr/p/igPaVp)

This is the second in a two-part post on the National Privacy Principles. This post deals with Principles Five through Nine. Footnotes are especially important.
Disclaimers: I have taken a bit of artistic license with these two posts, so do allow for that. Feedback, comments, recommendations, are welcome.


Following up on the previous post, I discuss National Privacy Principles Five through Nine of the Justice AP Shah Report, continuing the parallel with the story of David and Goliath.

  1. Principle Five : Access and Correction

Following the general concept of empowering David discussed above, this principle requires that individuals should be able to see what personal information a data controller has about them. An example of this is the Facebook feature that allows you to download an entire archive of all the information that Facebook has about you.

The second part of this principle requires that an individual be able to correct, amend or delete the collected information where it is inaccurate. Thus, this principle allows David to check if the information and notifications given to him, such as the arena of the battle, the time, or the necessity of the battle itself, are actually just so.

Sadly, the Report makes these only a ‘best effort’ requirement, which is a dicey concept at best. Due to the crucial nature of this principle, the Report arguably should have made it mandatory. It is quite unfair to let David go to battle without letting him check if the information he has is correct, and at the same time, it wouldn’t do to have the Agency find have the wrong information about how to get in touch with David.

  1. Principle Six: Disclosure of Information

The sixth principle concerns the Disclosure of Information by the data controller. It discusses when, why, and how the data controller is allowed to share the information it has collected with third parties; i.e., parties that are neither the data controller as was originally notified to the data subject, nor the data subject him(or her)self.

The principles of notice and consent as articulated above are repeated here, and again made mandatory. Therefore, the collected information can only be shared with the consent of the data subject, and only after due notice has been given.

According to the Report, the third parties that do receive such information are also bound to adhere to the relevant and applicable Privacy Principles, including principle 6 itself.

  1. Principle Seven: Security

The seventh principle, Security, is perhaps the one principle that all data controllers would actually be hard pressed to ensure.

This principle requires data controllers to make sure that the information collected by them or in their custody remains secure, against a list of possible occurrences.[1] The level of security prescribed herein is the nearly omnipresent ‘reasonable’ standard, with the Report specifically requiring ‘reasonable security safeguards’, and protection against ‘reasonably foreseeable risks’.

The problem herein is twofold. One, the ‘reasonable’ standard is usually a basic minimums standard prescribed by various agencies, and in most cases it is blatantly insufficient. Thus, the data controllers essentially get away with putting a decades old rusted lock on Goliath’s cage. And whatever doors lie between him and the town he wants to rampage in.

The second problem is that it is admittedly a Herculean task to actually make anything perfectly secure on the internet – perhaps even impossible. But even so, it is quite inarguable that a vigilant and well-prepared IT department can always help prevent the damage in most cases, and mitigate it otherwise. That is, even though Goliath will break through, putting a garrison outside his prison really does help.

  1. Principle Eight: Openness

This principle is quite similar to the first principle of Notice, except that it is quite a bit broader. This principle applies not only to the collection et al of information, but to all the practices of the data collector regarding its compliance with the principles. It requires the Data Controller to make information regarding the steps taken by it to ensure its compliance easily accessible in an intelligible form, using clear and plain language. Furthermore, the obligation created herein is not limited to the data subjects alone, but to ‘all individuals’. A point worth note is that, this is, again, a ‘best effort’ principle.

So the obligations created herein would allow David to check up on a broader set of information than what is referred to above, including the compliance of the governing body in question with the above principles. And, crucially, these obligations can be claimed by ‘all individuals’, and not just David.

  1. Principle Nine: Accountability

The final principle is that of Accountability, or rather, the blame game.  This principle states that the data controller will be held accountable for complying with the measures which actually bring the above principles into force. It also lists some illustrations of what these measures ‘should’ include.[2]

This principle is, in a way, the linchpin of the entirety of the National Privacy principles, giving them teeth, if they had any legal value. That is because it is this principle that would actually mean that failing to comply with the above would actually have some consequences on the data controllers, and would therefore give them some incentive to ensure compliance. That is, it is this principle that would mean that if Agency doesn’t meet the requirements set herein, David’s soul gets to take them to the Court.[3]


[1] “…loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.”

[2] “Such measures should include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.“

[3] Only The Court has jurisdiction over this specific dispute though, but the Court is currently unavailable. Some dispute between two factions of the Presiding Souls about the government’s power to amend the Constitution. A member of the Ruling Dynasty was involved I hear, something about punishing souls of assassins. Tch tch.

2 thoughts on “Battling Goliath: An Analysis of the National Privacy Principles (Part II: Principles Five to Nine)”

  1. Pingback: Battling Goliath: An Analysis of the National Privacy Principles (Part I: Principles One to Four) | Tech Law Forum @ NALSAR
  2. Pingback: Facebook’s Acquisitions: A Before and After Comparison of Privacy | Tech Law Forum @ NALSAR

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe

Recent Posts

  • Lawtomation: ChatGPT and the Legal Industry (Part II)
  • Lawtomation: ChatGPT and the Legal Industry (Part I)
  • “Free Speech is not Free Reach”: A Foray into Shadow-Banning
  • The Digital Personal Data Protection Bill: A Move Towards an Orwellian State?
  • IT AMENDMENT RULES 2022: An Analysis of What’s Changed
  • The Telecommunications Reforms: A Step towards a Surveillance State (Part II)
  • The Telecommunications Reforms: A Step towards a Surveillance State (Part I)
  • Subdermal Chipping – A Plain Sailing Task?
  • A Comparative Analysis of Adtech Regulations in India Vis-a-Vis Adtech Laws in the UK
  • CERT-In Directions on Cybersecurity, 2022: For the Better or Worse?

Categories

  • 101s
  • 3D Printing
  • Aadhar
  • Account Aggregators
  • Antitrust
  • Artificial Intelligence
  • Bitcoins
  • Blockchain
  • Blog Series
  • Bots
  • Broadcasting
  • Censorship
  • Collaboration with r – TLP
  • Convergence
  • Copyright
  • Criminal Law
  • Cryptocurrency
  • Data Protection
  • Digital Piracy
  • E-Commerce
  • Editors' Picks
  • Evidence
  • Feminist Perspectives
  • Finance
  • Freedom of Speech
  • GDPR
  • Insurance
  • Intellectual Property
  • Intermediary Liability
  • Internet Broadcasting
  • Internet Freedoms
  • Internet Governance
  • Internet Jurisdiction
  • Internet of Things
  • Internet Security
  • Internet Shutdowns
  • Labour
  • Licensing
  • Media Law
  • Medical Research
  • Network Neutrality
  • Newsletter
  • Open Access
  • Open Source
  • Others
  • OTT
  • Personal Data Protection Bill
  • Press Notes
  • Privacy
  • Recent News
  • Regulation
  • Right to be Forgotten
  • Right to Privacy
  • Right to Privacy
  • Social Media
  • Surveillance
  • Taxation
  • Technology
  • TLF Ed Board Test 2018-2019
  • TLF Editorial Board Test 2016
  • TLF Editorial Board Test 2019-2020
  • TLF Editorial Board Test 2020-2021
  • TLF Editorial Board Test 2021-2022
  • TLF Explainers
  • TLF Updates
  • Uncategorized
  • Virtual Reality

Tags

AI Amazon Antitrust Artificial Intelligence Chilling Effect Comparative Competition Copyright copyright act Criminal Law Cryptocurrency data data protection Data Retention e-commerce European Union Facebook facial recognition financial information Freedom of Speech Google India Intellectual Property Intermediaries Intermediary Liability internet Internet Regulation Internet Rights IPR Media Law News Newsletter OTT Privacy RBI Regulation Right to Privacy Social Media Surveillance technology The Future of Tech TRAI Twitter Uber WhatsApp

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org
best online casino in india
© 2023 Tech Law Forum @ NALSAR | Powered by Minimalist Blog WordPress Theme