white_paper_on_data_protection_in_india_171127_final_v2
CHAPTER 2: ACCOUNTABILITY AND ENFORCEMENT TOOLS
ACCOUNTABILITY
2.1 Introduction
The processing of personal data entails an increase of power (in terms of knowledge and its
consequent insights) of the data controller vis-à-vis the individual. Data protection regulations
are a means to help protect individuals from abuses of power resulting from the processing of
their personal data. The method by which this protection was traditionally sought to be
achieved was using notice and consent, offering the individual the autonomy to decide
whether or not to allow her data to be processed after providing her full knowledge of what
was going to be done with that data. As we have seen, that model has begun to come under
pressure. Owing to the abundance of services, the complexity of data processing requirements
and the multiplicity of purposes to which data can be put, notices have become too complex
to understand. As a result, the concept of privacy self-management is coming under pressure
given the complexity of the trade-offs between the benefits and the harms of modern
technology.
To offset the flaws of the notice and choice model, a key principle that has emerged is that of
accountability as articulated in the EU GDPR. Central to accountability are the concepts of
‘privacy by design’ and ‘privacy by default’ which oblige businesses to consider data privacy
at the initial design stages of a project as well as throughout the life cycle of the relevant data
processing. 669 In this sense, accountability does not redefine data protection, nor does it
replace existing law or regulation, since accountable organisations must comply with existing
applicable law. Instead, accountability shifts the focus of privacy governance to an
organisation’s ability to demonstrate its capacity to achieve specified privacy objectives. 670 A
recent paper has suggested a much more aggressive use of accountability by holding data
controllers responsible for all data under their control so much so that if a data subject suffers
any harm as a result of a security breach or from the manner in which the data is processed,
the data controller will be held liable for these harms. 671
The essential elements of the principle of accountability in the EU are two-fold. First, a data
controller should take appropriate measures to implement data protection principles. Second,
669 Andrew Dunlop, Burges Salmon LLP, ‘GDPR: The Accountability Principle’, Lexology (10 November
2016), available at: https://www.lexology.com/library/detail.aspx?g=5454293d-7fea-4963-afc4-7e4310ed0a1e,
(last accessed 23 November 2017).
670 Centre for Information Policy Leadership, ‘Data Protection Accountability: The Essential Elements A
Document for Discussion’, Hunton & Williams LLP (October 2009), available at:
https://www.hunton.com/files/webupload/CIPL_Galway_Accountability_Paper.pdf, (last accessed 21 November
2017).
671 Rahul Matthan, ‘Beyond Consent: A New Paradigm for Data Protection- Discussion Document 2017-03’,
Takshashila Institution (19 July 2017), available at:
http://takshashila.org.in/wp-content/uploads/2017/07/TDD-Beyond-Consent-Data-Protection-RM-2017-03.pdf,
(last accessed 24 October 2017).