Data Transfer - NEWS POLITE

EU Announces New Data Transfer Pact With US, Faces Fresh Challenges

The European Commission announced a new data transfer pact with the United States on Monday, seeking to end the legal uncertainty plaguing thousands of companies which transfer personal data across the Atlantic.

However, the move was immediately criticised by non-profit group noyb, led by privacy activist Max Schrems, which said it would challenge the agreement.

The Commission and the United States had been struggling to reach a new agreement after Europe’s top court annulled two previous pacts that underpinned the transfer of personal data across the Atlantic for services ranging from cloud infrastructure to payroll and banking.

The EU executive said measures taken by the United States ensured an adequate level of protection for Europeans’ personal data transferred across the Atlantic for commercial use.

It said new binding safeguards, such as that limiting US intelligence services’ access to EU data to what is “necessary and proportionate” and the setting up of a Data Protection Review Court for Europeans, address the concerns raised by Europe’s top court.

EU justice chief Didier Reynders said he was confident of fending off any legal challenge.

“The principles of the data privacy framework are solid and I am convinced that we have made significant progress which meets the requirements of the European Court of Justice case law,” he told a news conference.

“I am very confident of fighting, defending the new data agreement.”

Schrems said the latest revision was inadequate.

“Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work,” he said in a statement.

“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year,” Schrems added.

Lobbying group DigitalEurope, whose members include Airbus, Amazon, Apple, Ericsson, Nokia, Philips and Samsung welcomed the deal.

“Data flows underpin the EU’s annual EUR 1 trillion (nearly Rs. 90,75,250 crore) of service exports to the United States, and this decision will give companies more confidence to conduct business and help our economies to grow,” its Director-General Cecilia Bonefeld-Dahl said.

Earlier this year, EU privacy watchdog the European Data Protection Board said the latest data agreement still fell short and urged the Commission to do more to protect Europeans’ privacy rights.

Europe’s top court scuppered the previous two deals after challenges by Schrems because of concerns about US intelligence agencies accessing European citizens’ private data.

© Thomson Reuters 2023

From the Nothing Phone 2 to the Motorola Razr 40 Ultra, several new smartphones are expected to make their debut in July. We discuss all of the most exciting smartphones coming this month and more on the latest episode of Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated – see our ethics statement for details.

Check out our Latest News and Follow us at Facebook

Original Source

Meta Set to Face Record EU Privacy Fine Related to Data Transfer of Facebook Users

Meta Platforms is set to face a record European Union privacy fine related to data transfer of Facebook‘s EU users to US servers for failing to comply with a warning by a top EU court, two sources familiar with the matter said.

The penalty will be higher than the previous record EUR 746 million (nearly Rs. 6,660 crore) fine for Amazon.com, according to the sources.

Meta declined to comment, while the Irish Data Protection Commission (DPC) and the European Commission did not immediately respond to Reuters’ requests for comment.

EU regulators led by Ireland’s Data Protection Commissioner Helen Dixon have been finalising a ban on the legal tool used by Facebook to transfer European user data because of concerns US intelligence agencies could access the information.

In April, they said the Irish DPC had one month to make an order blocking Facebook’s transatlantic data flows. The ban could be in place by mid-May.

Europe’s highest court ruled in 2020 that an EU-US data transfer agreement was invalid, citing surveillance concerns.

Meta last year warned that an order to ban the mechanism it uses to transfer data from Europe to the United States could force it to suspend Facebook services in Europe.

Meanwhile, Meta Platforms joined the generative AI product race this week, saying it would begin testing artificial intelligence-powered ad tools that can create content like image backgrounds and variations of written text.

A select group of advertisers will be invited to experiment with the tools in a “testing playground” that the company is calling the AI Sandbox, Meta executives said at a press event in New York.

© Thomson Reuters 2023

The Vivo X90 Pro has finally made its debut in India, but is the company’s flagship smartphone for 2023 equipped with enough upgrades over its predecessor? We discuss this and more on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated – see our ethics statement for details.

Check out our Latest News and Follow us at Facebook

Original Source

Draft Digital Personal Data Protection Bill Lets Easy Cross-Border Data Transfer, to Act as Relief for Big Tech

The government on Friday proposed a new data privacy law that allows the transfer and storage of personal data in some countries while raising the penalty for violations.

The draft Digital Personal Data Protection (DPDP) Bill 2022 will be a great relief for Google, Amazon, Facebook and other global firms as it replaces an earlier version that had alarmed big tech companies over its stringent restrictions on cross-border data flows.

The government will “notify such countries or territories outside India to which a data fiduciary may transfer personal data”, according to the draft unveiled on Friday for public feedback.

The new draft will become law once Parliament approves it.

The proposed legislation stipulates consent before collecting personal data and provides for stiff penalties of as much as Rs. 500 crore on persons and companies that fail to prevent data breaches including accidental disclosures, sharing, altering or destroying personal data.

Companies are allowed to store the collected data for only specified periods.

The draft also gives powers to the central government to exempt state agencies from provisions of the bill “in the interests of sovereignty and integrity of India” and to maintain public order.

With more than 750 million internet users and the second-largest home for mobile phones, India is a big and growing market for tech giants but the previous privacy rules had riled them.

The draft bill covers personal data collected online and digitised offline data. It will also apply to the processing of personal data abroad if such data involves profiling Indian users or selling services to them.

“The 2022 DPDP Bill has simplified the proposed data protection regime and done away with some contentious clauses which caused industry pushback in earlier versions. Particularly, data mirroring, data localisation requirements, and overall compliances appear to be limited compared to the previous Bill,” said Rupinder Malik, Partner at law firm JSA.

The legislative intent, he said, appears to be tech and IT business-friendly, focused on facilitating cross-border data flows. “Some aspects that have been watered down could potentially reduce overall protection accorded to individual privacy rights. The positive bit is that the Bill has been drafted in a simpler manner, with less ambiguities.” The new draft legislation comes in place of the Data Protection Bill, which was withdrawn by the government in August this year. The draft is open for public comment till December 17.

The draft bill requires the setting up of a ‘Data Protection Board’ to ensure compliance. The board will also hear user complaints.

It requires firms such as Google and Facebook to be accountable to a ‘consent manager’ to provide an “accessible, transparent and inter-operable platform” to give, manage, review and withdraw consent.

Users shall have the right to correct and erase their personal data.

While the personal data of children cannot be obtained or processed without parental consent, the draft law provides that advertising cannot target children.

Companies of ‘significant’ size — based on factors such as the volume of data they process — would be required to appoint an independent data auditor to evaluate compliance with provisions of the law.

The provision in the previous version that gave the government powers to ask a company to provide anonymised personal data and non-personal data to help target the delivery of services or formulate policies, is not there in the new draft.

The new draft raises penalty amount to up to Rs. 500 crore for violating provisions. The draft personal data protection bill, issued in 2019, had proposed a penalty of Rs. 15 crore or 4 percent of the global turnover of an entity, whichever is higher.

“The purpose of this Bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes,” an explanatory note of the draft bill said.

The draft proposes to set up a Data Protection Board of India, which will carry on functions as per the provisions of the bill.

“If the Board determines at the conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such a financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance,” the draft said.

It has proposed a graded penalty system for Data Fiduciaries and Data Processors in case of any violation under the proposed legislation.

Data Fiduciaries are those entities which will process personal data, either by themselves or with the help of Data Processors.

The draft has proposed a penalty of up to Rs. 250 crore in case the Data Fiduciary or Data Processor fails to protect against personal data breaches in its possession or under its control.

The draft has also proposed a penalty of up to Rs. 200 crore in case the Data Fiduciary or Data Processor fails to inform the Board and data owner about the data breach.

Besides, the bill proposes to impose a penalty of Rs. 10,000 on individuals providing unverifiable or false information while applying for any document, service, proof of identity or address etc and for registering a false or frivolous complaint with a Data Fiduciary or the Board.

The bill has a provision to allow entities to transfer the personal data of a citizen outside the country in cases where the processing of personal data is necessary for enforcing any legal right or claim, the performance of any judicial or quasi-judicial function, investigation or prosecution of any offence or if the data owner is not within the territory of India and has entered into any contract with any person outside the country.

“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data,” according to the draft.

The explanatory note issued by the Ministry of Electronics and IT listed seven principles on which the bill is based.

These include the usage of personal data by organisations being done in a manner that is lawful, transparent, and fair to the individuals concerned and the personal data is used for the purposes for which it was collected.

The draft also has a provision to ensure that only those items of personal data required for attaining a specific purpose must be collected and it must be stored perpetually by default.

“The Digital Personal Data Protection Bill is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand,” the explanatory note said.

Comments on the draft bill can be submitted till December 17.

Affiliate links may be automatically generated – see our ethics statement for details.

Check out our Latest News and Follow us at Facebook

Original Source

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.