
SCHOOL OF LAW

THE ICFAI UNIVERSITY

Study centre

Dehradun

Project report of

Cyber Law

Topic

GENERAL DATA PROTECTION REGULATION AND AMENDMENTS

SUBMITTED BY

Ayush Kumar Singh

17FLICDDN01034

BBA.LLB (Hons.) 5th Year

SUBMITTED TO

Miss Prachi Mishra

General Data Protection Regulation and Amendments Page 1


INDEX OF ABBREVIATIONS

1. S - SECTION
2. & - AND
3. AIR - ALL INDIA REPORTER
4. vs. - VERSUS
5. Vol. - VOLUME
6. PG - PAGE
7. TOTO - TOTALITY
8. Ors. - OTHERS
9. Cl. - CLAUSE
10. Art. - ARTICLE
11. Govt. - GOVERNMENT
12. i.e. - THAT IS
13. SCC - SUPREME COURT CASES
14. SCR - SUPREME COURT REPORTER
15. Supp. - SUPPLEMENTARY
16. w.r.t. - WITH RESPECT TO



GENERAL DATA PROTECTION REGULATION AND AMENDMENTS

ABSTRACT

The goal of this study is to present an understanding of recent developments in this field in light of existing research, international standards, and GDPR best practices. The GDPR is a regulation that harmonises data protection rules across the EU's 28 member states. The information presented here is primarily about the GDPR. It gives data subjects new rights and applies extraterritorially to any institution that controls or processes the personal data of natural persons in the EU. The European Union is a grouping of nations. The European Union (EU) has prioritised personal data protection for more than a couple of decades, and the recently enacted General Data Protection Regulation (GDPR) lifts the standard even higher. The GDPR applies to almost every firm in the world that collects or processes data on EU residents, including permanent residents, visitors, and expatriates, and it establishes a new set of regulatory standards that necessitates both organisational and technological solutions. As a consequence, compliance is decided by the physical location of the individuals about whom an organisation retains personal data, rather than by the business's registered address. This is a major shift in how businesses must protect EU individuals' personal data, and it may have ramifications for non-EU residents' data as well. As a result, the "General" Data Protection Regulation may be better referred to as the "Global" Data Protection Regulation, and considering the economic penalties for non-compliance, all businesses doing business in Europe (including the United Kingdom post-Brexit), both within the EU and within the European Economic Area, must pay heed and act.

Keywords: Privacy, Data Protection, European Union, General Data Protection Regulation
(GDPR), Personal Data



INTRODUCTION

On May 25, 2018, the EU General Data Protection Regulation (GDPR) took effect in all EU Member States. This essay provides a foundation for understanding the key concepts of the new GDPR, with a focus on data processing and collection. It also helps in determining the implications of the various legitimate bases for statistical and/or scientific research, as well as the appropriate legal grounds for collecting, processing, or further processing personal data for all types of research, the conditions that must be met, and the data subject rights associated with it. Because researchers' work necessitates the acquisition and processing of personal data, the data they collect and analyse must be secure. GDPR recommendations should be considered general information rather than legal advice, and should not be taken as such. Any particular legal difficulties or challenges should be resolved with the help of a specialist. Every researcher will be required to understand the legal basis for collecting, using, storing, sharing, and processing personal data, whether employed by an agency, working independently, or working in a client's research department. The Regulation's primary goal is to provide greater protection and long-term viability of data protection measures in a digitally neutral manner.[1]

The GDPR's aim is to consolidate the various standards among Member States, reducing the legal fragmentation, issues, and ambiguities that the Data Protection Directive created. Furthermore, the Regulation strengthens data subjects' five rights, making it easier for them to regain control of their personal data. Despite considerable modifications and the incorporation of essential new individual rights and procedures, the GDPR continues to apply broadly to public and private sector data controllers and processors for commercial and non-commercial purposes.[2]

WHAT DOES THE GDPR APPLY TO?

The General Data Protection Regulation (GDPR) is a new data protection regulation enacted by the European Union. It replaces the 1995 EU Data Protection Directive, offering a modernised and harmonised norm for all EU member states. It raises the bar for data protection in a few key areas while keeping the essential principles of the original Directive.[3]

[1] P. Voigt, A. Von Dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, Springer, 2017, accessed on 21st October 2021.
[2] Ibid.
[3] European Commission, Communication from the Commission to the European Parliament and the Council, Stronger protection, new opportunities - Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018, Brussels, 2018, accessed on 21st October 2021.



To start with, it is applicable to all organisations, including those based outside of Europe, because it enforces certain protections and provisions on any organisation that controls or processes personal information on EU residents for the purposes of offering products or services ("regardless of whether the data subject is required to pay") or monitoring actions within the EU (Article 3).[4] Noncompliance carries a hefty financial penalty of up to €20 million or 4% of global annual revenue for the previous financial year, whichever is higher.

The fundamental human right to privacy is protected by data protection standards, which control how organisations collect and use personal data. The data protection regulation of the European Union is usually considered one of the most comprehensive and stringent in the world. The GDPR applies to controllers and processors located outside of the EU who collect and process personal data about EU residents, raising the bar for firms in comparable situations around the world.[5]

Controllers should be able to develop and sustain customer/user trust, reputation, and, most importantly, value by complying with the GDPR. Processors should be able to reassure controllers that they are the right partner and that GDPR compliance will allow them to maintain a competitive advantage. Other firms that provide services to both controllers and processors, such as marketing agencies and payroll providers, might profit greatly from providing compliance-enabling solutions to their customers.[6]

FORMER TIMES

The European Union passed a directive on personal data protection in 1995, which all EU members were expected to follow. It established a right for EU citizens to have their personal data protected, as well as particular criteria for companies operating within the Union in terms of personal data protection and processing. Because it was a directive, Member States were able to define the responsibilities in a variety of ways, resulting in discrepancies in data protection regulation across the EU and a plethora of negative downstream effects for multinational firms doing business across borders. The 1995 Directive was replaced in May 2016 by Regulation (EU) 2016/679, also known as the General Data Protection Regulation (GDPR), after four years of research, debate, and negotiation. Because it is a regulation rather than a directive, Member States are no longer free to add nuances to the GDPR's implementation unless the GDPR expressly allows it. In 2016, the Directive's legal underpinning was updated to reflect the current status of data protection, security, and the relevant technological landscape, as well as the addition of new far-reaching standards.

On May 25, 2018, the 1995 Directive will be "effectively repealed," the same day that the new standard enters into effect (Article 94). While the GDPR is complemented by additional legislation governing the acquisition and processing of personal data in criminal proceedings, it is worth noting the unique procedures and standards established by Directive (EU) 2016/680.[7]

[4] New guidance proposed on the extra-territorial scope of the GDPR, Legal Alerts, Eversheds Sutherland, 18 December 2018, accessed on 21st October 2021.
[5] Hunton & Williams, The Proposed EU General Data Protection Regulation, A Guide for in-house lawyers, 2015, accessed on 23rd October 2021.
[6] Ibid.

STATUS AT THE MOMENT

The GDPR is part of the European Commission's goal of creating a Digital Unified Market, which aspires to bring together 28 national digital marketplaces into one.[8] In a variety of ways, the new legislation contributes to this aim, but two stand out. To begin with, it modernises and harmonises the EU's data protection legal framework, thus putting an end to the nuanced implementation approaches that flourished under the previous Directive. Because the EU now has a unified data protection rule that applies to all 28 member states, businesses no longer have to manage distinct data protection plans for each market. According to the European Commission, businesses are expected to save €2.3 billion per year as a result. Second, businesses now compete on an equal playing field when it comes to data security. In effect, the applicability test has shifted from identifying whether a company is headquartered in an EU market to determining whether the data received or processed belongs to a natural person based in an EU market. Data protection principles apply in this scenario regardless of the company's location.[9]

Personal data is defined as any information on a person who is identified or identifiable, either directly or indirectly, most commonly through the use of an identifier.[10] Under this definition, personal data, such as a person's name, social security number, location data, or online identifier, can be made up of a variety of distinct personal identifiers, taking into account the ongoing advancement of technology and how businesses collect information about people. Any information relating to an identified or identifiable natural person ('data subject') is referred to as 'personal data.' The GDPR applies both to automated processing and to manual filing systems that provide access to personal data based on specific criteria. Furthermore, personal information can be merged with chronologically ordered collections of manual data.[11]

[7] European Federation for Print and Digital Communication, INTERGRAF, INTERGRAF Guide to the European data protection regulation for European printers, 2016, accessed on 22nd October 2021.
[8] Juliana De Groot, What is the General Data Protection Regulation? Understanding & Complying with GDPR Requirements in 2019, Data Insider, September 30, 2020, accessed on 23rd October 2021.
[9] Charity Finance Group (CFG), Inspiring Financial Leadership, General data protection regulation: a guide for charities, 2017, accessed on 26th October 2021.
[10] Luke Irwin, The GDPR: What exactly is personal data, IT Governance, 12th November 2020, accessed on 23rd October 2021.

The GDPR may apply to pseudonymised personal data, such as key-coded data, depending on how difficult it is to relate the pseudonym to a specific person. The GDPR refers to sensitive personal data as "special categories of personal data," and the definition of this type of information has been broadened to cover new kinds of data such as biometric data. The GDPR provides enhanced protection for certain categories of sensitive personal data. These are classified as "special categories" of personal data under Article 9 of the GDPR. The special categories are the following:[12]

• Personal data that reveals a person's racial or ethnic origin.
• Political opinions.
• Religious or philosophical beliefs.
• Membership in a labour union.
• Genetic and biometric data processed for the purpose of uniquely identifying a natural person.
• Health-related information.
• Information about a person's sex life or sexual orientation.

This category covers genetic and biometric data that has been processed in order to uniquely identify a natural person. Although it is subject to the same strengthened safeguards, personal data relating to criminal convictions and offences is not included among the special categories. In cases where data is used to make automated decisions that impact individuals, the Regulation introduces further and more comprehensive constraints.[13] Biometric data, such as facial images or fingerprint data, are personal data obtained from a natural person's physical, physiological, or behavioural features for the purpose of enabling or confirming the natural person's unique identification. Profiling, on the other hand, is any type of automated personal data processing that uses personal data to assess a natural person's work performance, economic status, health, personal preferences, interests, reliability, behaviour, location, or movements.[14]

[11] Charity Finance Group (CFG), Inspiring Financial Leadership, General data protection regulation: a guide for charities, 2017, accessed on 26th October 2021.
[12] Special Category Data, Law Proceeding, Data Protection Commission, accessed on 23rd October 2021.
[13] Charity Finance Group (CFG), Inspiring Financial Leadership, General data protection regulation: a guide for charities, 2017, accessed on 24th October 2021.
[14] Ibid.



AN INDIAN POINT OF VIEW

Although the European Union has long recognised a right to personal data protection (under the Treaty on the Functioning of the European Union), India still lacks a comprehensive data protection law. The Information Technology Act, 2000 addresses a number of issues, including cybercrime and the accountability of internet intermediaries such as social media sites, while also containing some privacy protection provisions.[15]

Section 43A,[16] for example, compensates victims for losses incurred as a result of a failure to maintain adequate security measures to protect sensitive personal data. Beyond this, data protection and confidentiality obligations are regulated through a patchwork of industry-specific regulation. In August 2017, the Indian Supreme Court held that under Article 21,[17] the right to privacy is a component of the fundamental right to life.[18]

It viewed informational privacy as a subset of the right to privacy, emphasising that privacy also included the right to be anonymous. This clearly demonstrated that existing legislation's patchwork approach to privacy was insufficient and that a more comprehensive approach to informational privacy was required. The Indian government, the court found, had already established the DPC and effectively consented to the committee's responsibilities.[19] Despite considering numerous legislative frameworks for privacy protection in several countries, the DPC chose to draft a regulation substantially inspired by the GDPR.

• Data principals (persons or entities that provide data that is then used by firms for data processing) and data processing (gathering and analysing personal data) are two closely intertwined intellectual and legal ideas.
• Requirements for notifying individuals and obtaining their consent to their personal data being processed.
• Restrictions on the processing of personal data, such as minimization requirements, which require the data processor and the user to acquire only the data necessary to provide the services agreed upon.
• Enabling positive rights for users, such as data portability (the ability to move data across service providers) and the right to be forgotten.
• Data localization is required: sensitive personal data must be stored on Indian systems, and other personal data cannot be transmitted outside of the country.
• The firm would be governed and supervised by a proposed Data Protection Authority, and infractions might result in punishments such as processing bans and financial fines.

[15] Ministry of Law, Justice and Company Affairs (Legislative Department), The Information Technology Act, 2000, (https://www.meity.gov.in/content/information-technology-act-2000-0), accessed on 24th October 2021.
[16] Ibid.
[17] The Constitution of India [India], 26 January 1950, (https://www.refworld.org/docid/3ae6b5e20.html), accessed on 23rd October 2021.
[18] “Justice KS Puttaswamy and Another Vs. Union of India and Ors,” 10 SCC 1, Supreme Court of India, 2017, (https://www.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf). See paragraph 185 of the judgement by the plurality of judges authored by J. Chandrachud in “Justice KS Puttaswamy And Another Vs. Union of India and Ors,” 10 SCC.
[19] DPC Act - CAG's Duties, Powers and Conditions of Service, (https://cag.gov.in/en), accessed on 25th October 2021.

However, the law differs from the GDPR in various aspects, the most significant of which are the establishment of criminal penalties for breaches of the bill, as well as the proposal to treat a data processor's relationship with its consumer as "fiduciary." Despite this, the provisions of the bill would significantly tighten data protection duties. The bill will force Indian companies, as well as international companies that provide services in India, to change their data collection, storage, and management policies substantially. India would be the first country to adopt a privacy framework, despite the fact that the European Union already has one (the 1995 Data Protection Directive). As a result, India's compliance and data protection costs will rise. Furthermore, no comprehensive economic analysis of the proposed bill has been conducted in order to provide an informed assessment of its overall impact on India.[20]

ROLE OF THE GDPR FRAMEWORK

The GDPR adds a slew of new or "refreshed" rights to data subjects' existing statutory rights (such as access to their data files). These rights are unrestricted (i.e., at no expense to the data subject), and requests must be acted on within 30 days in most situations. Controllers will very likely face significant pressure as a result of the limited time for responding to requests and the loss of the right to impose fees, forcing them to take steps to expand data subjects' access to their systems.[21] There are four legal protections that we can identify: the right to a copy of your data, as well as the right to have it erased. The data subject has the right to request that the controller erase personal data in a range of circumstances, including when the data are no longer necessary for the intended purpose or when consent to processing has been withdrawn. Individuals have the right to object to their personal data being processed for legitimate interests, direct marketing, research, or statistics. If this request is made, it must be honoured unless the organisation can demonstrate compelling grounds to refuse it.[22]

[20] “Justice KS Puttaswamy and Another Vs. Union of India and Ors,” 10 SCC 1, Supreme Court of India, 2017, (https://www.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf). See paragraph 185 of the judgement by the plurality of judges authored by J. Chandrachud in “Justice KS Puttaswamy And Another Vs. Union of India and Ors,” 10 SCC.
[21] IT Governance, EU General Data Protection Regulation, A Compliance Guide, 2016, accessed on 27th October 2021.

The GDPR's data protection provisions are essentially equivalent to those of the Data Protection Act. The most significant modification is the addition of a new accountability requirement: compliance with the principles must be verified. Personal data must be collected for specific, explicit, and legitimate purposes, and not further processed in ways that are incompatible with those purposes. Personal data must also be adequate, relevant, and limited to what is necessary for those purposes, as well as accurate and, where necessary, kept up to date.[23] In comparison to the DPA, the GDPR places a higher emphasis on accountability. The Regulation introduces a new concept of accountability by requiring controllers to actively comply with their statutory obligations.

This is achieved by embedding data protection into the organization's structure and practices, such as keeping a clear written record of all data transfers that a regulator can inspect on demand; mechanisms and procedures for monitoring and verifying compliance; and measures to raise awareness of data protection issues.[24] The transparency principle requires that all information and communications relating to the processing of personal data be easily accessible and understandable, using plain and simple language. This principle entails informing data subjects about the controller's identity and processing purposes, as well as any additional information required to ensure fair and transparent processing in relation to the natural persons involved, and their right to obtain confirmation and communication of personal data about them that is being processed. This regulation will have a considerable impact on how businesses communicate with their customers about the use of their data. Under no circumstances will information obfuscated in densely written privacy policies or terms and conditions be accepted. Under the GDPR, consent is invalid if it is given without transparency about the consequences of the processing.

The controller must be able to demonstrate that the principles have been followed. To ensure that it complies, evidence is required for 39 of the 99 components. The Regulation does not require organizations to register their processing activities with regulatory authorities, but it does require them to keep detailed records of their operations.[25]

[22] Ibid.
[23] Mason Hayes & Curran, Getting Ready for The General Data Protection Regulation, A Guide by Mason Hayes & Curran, Dublin, London, New York & San Francisco, 2018, accessed on 26th October 2021.
[24] Ibid.



CONCLUSION

Organizations that collect information on EU residents should unquestionably ensure that they have the necessary capacity to satisfy the Regulation's numerous requirements. Non-compliance could be extremely costly, if not disastrous, if the EU adheres to its stated intentions. As a result, it is essential to plan ahead of time for GDPR compliance and to enlist the cooperation of key stakeholders within the organization. To comply with the GDPR's new transparency and individual rights standards, for example, new guidelines may be required, which could have a significant impact on large and complicated organizations' financial, information technology, personnel, governance, and communication services.

The GDPR prioritizes the supporting documents that data controllers must keep in order to be
held accountable. In order to comply with all of the topics covered in this article,
organizations must examine their governance practices and how they manage data protection
as a corporate issue. Investigating controller contractual agreements and other data-sharing
agreements with other organizations could be part of this.

Individual segments of the GDPR will have varying effects on different organizations (for example, provisions relating to profiling or children's data), so it will be advantageous to identify which sections of the Regulation will have the greatest impact on specific business models and then devote the necessary attention to those sections during the planning process. The GDPR introduces a new antitrust-style enforcement system. Data protection will be taken more seriously now that sanctions of up to 4% of annual global revenue, or €20 million, are on the table. However, there is a danger of going too far and suffocating creativity. As a result, anyone giving legal advice on the Regulation will be under a lot of pressure to provide adequate advice while avoiding disciplinary action. Privacy guidelines will need a little more thought, care, and courage in the short term. The GDPR has clear implications for businesses: any organization's data strategy for personal and sensitive personal data must be rethought immediately. In order to resolve issues, enhance rules and protections, and prepare for worst-case scenarios, GDPR-specific duties, as well as organisational and technological techniques, must be planned for. Data protection "by design and by default" is a fundamental principle of the GDPR under Article 25. Businesses that do not prepare adequately will face challenges.

[25] Association of Financial Mutuals - AFM, Implementing the General Data Protection Regulation, A practical guide for members of AFM, 2017, accessed on 18th October 2021.



Non-EU companies must quickly catch up. Because their headquarters are located outside of the EU member states, the GDPR has a significant impact on firms that were previously exempt from earlier EU data privacy legislation. The GDPR establishes a new level playing field for all firms that control or process personal data relating to EU citizens, regardless of their location. Organizations that have been subject to data privacy regulation previously have a two-decade head start in building the organisational and technological techniques required to function successfully in Europe. While the GDPR demands that these companies acquire new skills, the foundation has already been set. Businesses that have only lately been affected by the GDPR have a lot of work ahead of them.

Although technological and organisational approaches to the GDPR's demands have focused
on technological solutions, technology alone will not be sufficient to meet them. Cutting-edge
technology should be implemented by any company, but only as part of a larger
organisational response. GDPR compliance is not something that can be accomplished alone
by the IT department.

Compliance will necessitate a coordinated and reasonable response from the entire organization, with the knowledge and experience of various groups, including Company Directors, Legal, Human Resources, Training, and the Information Technology Department, informing strategy, training, and governance practices. Finally, because the sanctions system has the potential to put a company's very survival at risk, visibility of the sanctions system at the board level is crucial.

To recapitulate, the GDPR is rapidly arriving, it almost certainly applies to your company, and the consequences of getting it wrong are serious. There are, however, advantages to getting it right, such as a strong foundation for working with European companies, a deep grasp of consumer behaviour, and strict internal data protection and security protocols that encourage loyalty from customers and collaborators.

BIBLIOGRAPHY

Websites

• https://www.meity.gov.in/content/information-technology-act-2000-0
• https://www.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
• https://www.refworld.org/docid/3ae6b5e20.html
• https://cag.gov.in/en

E-books

• GDPR A Complete Guide - 2019 Edition
• Protecting Personal Information - The Right to Privacy Reconsidered
• A Practical Guide to GDPR for Small Businesses
• Disrupting Data Governance - A Call to Action
