Data Protection across BRICS countries

Scope

1. What national laws (or other types of normative acts) regulate the collection and use of personal data?

Brazil

The collection and processing of personal data is regulated by the Brazilian General Data Protection Law – LGPD (n. 13.709/18). It is also important to note that this law is embedded in a set of rules that address, at least in some respect, issues relating to privacy and the protection of personal data, such as the following:

  • General Telecommunications Law (Federal Law n. 9,472 of 1997)
  • Criminal Identification Law (Federal Law n. 12,037 of 2009)
  • Freedom of Information Act (Federal Law n. 12,527 of 2011)
  • Civil Rights Framework for the Internet (Federal Law n. 12,965 of 2014).

Russia

Most rules are found in specific legislation, particularly the Data Protection Act No. 152 FZ dated 27 July 2006 (DPA) and various regulatory acts adopted to implement the DPA as well as other laws, including the Information, Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006 establishing basic rules as to the information in general and its protection. In addition, the Russian Labour Code contains provisions on the protection of employees’ personal data (Part XIV). Other laws may also contain data protection provisions, which implement the data protection rules in relation to specific areas of state services or industries.


India

A draft Personal Data Protection Bill was released in 2018 and is expected to be tabled in Parliament soon. Until then, the Information Technology (Amendment) Act, 2008, provides limited protection. In addition, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and the Aadhaar and Other Laws (Amendment) Act, 2019 address questions regarding personal data specifically in the context of Aadhaar, India’s unique ID. Sectoral directions and regulations, such as those issued by the Reserve Bank of India, also impact personal data. Further draft policies and laws that address aspects of data protection include the draft National e-Commerce Policy, 2019, and the DNA Technology (Use and Application) Regulation Bill, 2019.

China

These mainly include the following categories:

National-level laws and decisions:

  1. Criminal Law (1997) Amendment V (2005), VII (2009), and IX (2015)

  2. Law of the People’s Republic of China on the Protection of Consumer Rights and Interests (1994) with Amendment in 2013

  3. Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks (2012)

  4. Cybersecurity Law of the People’s Republic of China (2017)

  5. General Rules of the Civil Law of the People’s Republic of China (2017)

  6. E-Commerce Law of the People’s Republic of China (2019)

  7. Measures on Security Assessment of the Cross-border Transfer of Personal Information (Draft for comments, 2019)

  8. Data Security Administrative Measures (Draft for comments, 2019)

South Africa

The Electronic Communications and Transactions Act, 25 of 2002.
The Protection of Personal Information Act 4 of 2013. This Act has been signed into law, but it has not yet come into effect.

2. Is the country a part of any international data protection agreement?

Brazil

Brazil is not part of any international data protection agreement.

Russia

Convention on the protection of individuals in the automated processing of personal data. Concluded in the city of Strasbourg on January 28, 1981 (together with the Amendments to the Convention on the Protection of Individuals with the Automated Processing of Personal Data (CETS No. 108), allowing the accession of the European Communities adopted by the Committee of Ministers in Strasbourg on 15.06.1999). This document entered into force on October 1, 1985. For the Russian Federation, this document entered into force on September 1, 2013.

India

India is not party to any international data protection agreement.

China

No.

South Africa

No.

3. What data is regulated?

Brazil

The LGPD regulates personal data (online and offline).

[Art. 1, Art. 3]

Russia

Personal data is “information, i.e. messages or data regardless of the form of their representation”. The form in which the information is displayed does not matter: it can be information in text, graphic or sound form, perceived by a person or a device. The carrier of such data is also irrelevant: it can be recorded on paper, in another analogue form (for example, on videotape) or exist in electronic form.
The information must have a certain relationship with an individual. Such a relationship may occur where the information:
1) by virtue of its content concerns a certain person;
2) has as its purpose an assessment of a person’s activities or may affect the status of such a person, including by any decisions made regarding him;
3) is of a technical nature (for example, data of devices used by an individual) and is used for technical purposes, but can, if desired, be used by the operator for purposes that have an impact on the rights and obligations of the individual.
Information relates directly or indirectly to a particular or identifiable person, i.e. possesses a certain identifying potential.
If the data makes it possible to single out an individual from a range of persons and to apply a particular interaction model to him, then that person is identifiable, and the corresponding information is his personal data.

Saveliev A.I. Scientific and practical article-by-article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

India

The draft Personal Data Protection Bill applies to the processing of personal data that has been collected, disclosed, shared or otherwise processed within India, as well as to personal data that is processed by the state, an Indian company or citizen, or any person or body of persons incorporated or created under Indian law.
Section 43A of the IT (Amendment) Act concerns sensitive personal data or information in a computer resource owned, controlled or operated by a body corporate. Section 72A of the IT (Amendment) Act concerns personal information about a person which any person, including an intermediary, may have access to while providing services under the terms of a lawful contract.

China

Article 76 of the Cybersecurity Law of the PRC (2017) and Article 38.3 of the Measures (2019) define “personal information” as:

“all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, national identification numbers, personal biometric information, addresses, telephone numbers, and so forth.”

Article 3.1 of the Specification (2017) defines “personal information” as:

“personal information, recorded by electronic or other means, that can be used, alone or combined with other information, to identify a specific natural person or reflect activities of a specific natural person.”

South Africa

Section 4 of ECTA provides that this Act applies in respect of data relating to economic transactions which are defined as transactions of either a commercial or non-commercial nature, and includes the provision of information and e-government services. It also applies to data messages which are defined as data generated, sent, received or stored by electronic means.

4. Are there any exemptions?

Brazil

The law does not apply when data is processed by natural persons for private and non-economic purposes.

The law does not apply when data is processed for the following purposes or interests: journalistic, artistic, academic, public security, national defence, state security, criminal investigation / repression.

[Art. 4]

Russia

The Federal Law on Personal Data does not apply to relations arising from:

1) the processing of personal data by individuals solely for personal and family needs, if this does not violate the rights of the subjects of personal data;

2) the organisation of storage, acquisition, accounting and use of documents containing the personal data of the Archival Fund of the Russian Federation and other archival documents in accordance with the legislation on archives in the Russian Federation;

3) the processing of personal data assigned in the prescribed manner to information constituting state secrets.

The Law on Personal Data does not apply to storage and other types of processing of unsystematised personal data, even if subsequent access by third parties is possible.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

Saveliev A.I. Scientific and practical article-by-article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

India

The draft Personal Data Protection Bill shall not apply to the processing of anonymised data. It also exempts from a number of provisions in the Act:

1) necessary and proportionate processing in the interests of the security of the State, authorised by law and in accordance with the procedure established by law;

2) necessary and proportionate processing in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law, authorised by law;

3) processing for the purpose of legal proceedings, including any judicial function;

4) processing for research, archiving, or statistical purposes, where, among other things, the purpose of processing cannot be achieved if the personal data is anonymised;

5) processing by a natural person for purely personal or domestic purposes …

China

Yes. Article 8.5 of the Specification (2017) – Exemptions From Obtaining Authorized Consent Prior to Sharing, Transfer, and Public Disclosure of Personal Information – explains that:

The personal information controller does not need to obtain authorized consent from the personal information subject prior to sharing, transfer, or public disclosure of personal information in the following circumstances:

1) Those directly related to national security and national defense;

2) Those directly related to public safety, public health, and significant public interests;

3) Those directly related to criminal investigation, prosecution, trial, and judgment enforcement etc.;

4) When safeguarding the major lawful rights and interests such as life and property of personal information subjects and other individuals, and it is difficult to obtain consent from personal information subject;

5) When the personal information subject voluntarily opened the collected personal information to the general public;

South Africa

This Act does not apply to any data which falls outside the definition of electronic transactions and data messages.
Chapter VIII of the Act provides for the protection of personal information which is limited to personal information which has been obtained through electronic transactions. Section 51(2) provides that a data controller may not electronically request, collect, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.

5. To whom do the laws apply?

Brazil

The LGPD will apply to all natural persons or legal entities incorporated or doing business in Brazil that collect personal data about Brazilian nationals. They will have to comply with the new law, as long as:

  • The processing operation is carried out in Brazil;
  • The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil;
  • The personal data was collected in Brazil.

The law will not apply to data processing:

  • Carried out by a natural person exclusively for private and non-economic purposes;
  • Performed for journalistic, artistic or academic purposes;
  • Carried out for purposes of public safety, national security and defense or activities of investigation and prosecution of criminal offenses (which will be regulated by specific legislation);
  • Originating outside Brazilian territory and not the object of communication, shared data use with Brazilian processing agents, or international transfer of data with a country other than the country of origin, as long as the country of origin offers a level of personal data protection adequate to that established by the LGPD.

[Art. 3]

Russia

The legislation on personal data applies to all entities that process personal data. Federal government bodies, as well as government bodies of constituent entities of the Russian Federation can process personal data. Local governments and municipal bodies that are not part of the system of local governments carry out the processing of personal data.

If legal entities process personal data, they are also subject to the law on personal data.

Individuals who process personal data within the framework of the legislation on personal data include citizens who carry out business activities without forming a legal entity, from the moment of state registration as an individual entrepreneur. Individuals engaged in the processing of personal data may also include attorneys, notaries and heads of farms.

Kukharenko, T.A. Commentary to the Federal Law of July 27, 2006 No. 152-ФЗ “On Personal Data” (itemised) “Consultant Plus” Legal Reference System, 2011.

India

The draft Personal Data Protection Bill extends to the whole of India. It applies to the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law. It also applies to data fiduciaries and data processors not present within the territory of India who engage in processing of personal data in connection with any business carried on in India, or any systematic activity of offering goods or services to data subjects within the territory of India, or in connection with any activity which involves the profiling of data subjects within the territory of India.

The IT (Amendment) Act applies to the whole of India as well as to any offence or contravention under the Act committed outside India by any person, irrespective of their nationality, provided the suspected offence involves a computer, computer system or computer network located in India. Section 43A of the IT (Amendment) Act specifically applies to body corporates, i.e. any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. Section 72 of the IT (Amendment) Act applies to any person, including an intermediary, who has secured access to material containing personal information about a person while providing services under the terms of a lawful contract.

China

Article 2 of the Data Security Administrative Measures (2019 Draft) states that the law applies to entities that carry out “activities such as the collection, storage, transmission, processing and use of data” as well as to the protection, regulation and administration of data security within China. The Measures (2019 draft) also state that household and personal affairs are not covered by the law.

South Africa

This law was created in the public interest. The Act seeks to make electronic transactions between consumers, private and public bodies, institutions and citizens (Section 2(1)(g) of ECTA).

It also seeks to promote SMMEs (Small, Medium and Micro-sized Enterprises) within the electronic transactions environment (Section 2(1)(p) of ECTA).

Chapter 2, section 3 of the POPI Act applies to a responsible party domiciled in South Africa and, if not domiciled in South Africa, to one that makes use of automated or non-automated means in South Africa.

6. Do the laws apply to foreign entities that do not have physical presence in the country?

Brazil

The law applies to any natural or legal person, irrespective of their location, whenever:

  1. Processing is done in Brazilian territory;
  2. The processing activity aims at offering goods, services or data processing to individuals located in the country; or
  3. The personal data used in the processing activities have been collected in national territory.

[Art. 3]

Russia

Even if a foreign company conducts its business through the Internet without a physical presence in Russia, data protection requirements may apply to such a company. The main criterion is that activity of such a foreign company is directed to the territory of the Russian Federation.

According to the Ministry of Communications and Mass Media, the use of a domain name associated with the Russian Federation (.ru, .рф, .su, .москва, .moscow, etc.) may indicate that the activity is directed at the territory of Russia, as may the presence of a Russian-language version of the Internet site, created by the owner of such a site or on his behalf by another person, other than by an automated translation function.

Additional criteria are the ability to make payments in Russian roubles, the ability to deliver goods, provide services or use digital content in Russia, as well as other cases of contract execution in the Russian Federation, the use of advertising in Russian, referring to the corresponding Internet site, and other circumstances that clearly indicate the intention of the owner of the website to include the Russian market in their business strategy.

Zherdina S. Localisation of personal data of Russians for foreign companies // EZh-Yurist. 2017. N 45. p. 5.

India

Yes. For details, see above.

China

In general, no. However, in Appendix D “Privacy Policy Template” of the Specification (2017), Section 7 of the Appendix “How your information will be transferred globally” explains that for countries and territories without or with different personal data protection laws, China will provide at the bare minimum equal protection afforded to persons and entities within Chinese territory.

Further, Article 20 of the Measures on Security Assessment of the Cross-border Transfer of Personal Information (draft, 2019) can have an impact on foreign entities that collect data from Chinese subjects even though they do not have a physical presence in China:

“If the business activities of an organization located outside China result in the collection of personal information of domestic users through the Internet and other means, then that organization shall fulfill the responsibilities and obligations of network operators in these Measures through a legal representative or entity within the territory.”

South Africa

Not directly. According to the rules of jurisdiction of the courts, a foreign entity would be held liable only insofar as the effects of the conduct are felt in the Republic.

However, any service provider offering products or services in a foreign jurisdiction must be accredited and authenticated by the Minister.

Definitions

7. How are personal data defined?

Brazil

Personal data are defined as information related to an identified or identifiable natural person.

[Art. 5]

Russia

Personal data – any information relating to a directly or indirectly identified or identifiable individual (the subject of personal data).

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

India

The draft Personal Data Protection Bill defines personal data as ‘data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information’.

The IT (Amendment) Act does not provide a definition.

China

Article 3.1 of the Specification (2017) defines “personal information” as:

All kinds of information, recorded by electronic or other means, that can be used, alone or combined with other information, to identify a specific natural person or reflect activities of a specific natural person.

South Africa

ECTA Definitions

“personal information” means information about an identifiable individual, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;

(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;

(c) any identifying number, symbol, or other particular assigned to the individual;

(d) the address, fingerprints or blood type of the individual;

(e) the personal opinions, views or preferences of the individual, except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual; …

8. Are there special categories of personal data (e.g. sensitive data)?

Brazil

A specific classification is made for sensitive personal data, being information related to specifically defined categories such as race, ethnicity, religion, political orientation or activity, and others. There is also a classification for anonymised data, which is defined as data relating to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of the processing.

[Art. 5]

Russia

Article 10 of the Federal Law “On Personal Data” defines that special categories of personal data include data relating to race, nationality, political opinion, religious or philosophical beliefs, health, and intimate life. Giving special categories of personal data a special status is due to the possibility of the occurrence of particularly negative consequences for the subject upon their disclosure or other unauthorised use. Such consequences can be expressed not only in risks to the life and health of a person but also in discrimination, the impossibility of exercising basic constitutional rights to work, education, freedom of conscience, holding assemblies, etc.

According to Article 11 of the Federal Law “On Personal Data”, biometric personal data includes information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established and which are used by the operator to identify the subject of personal data. The sensitive nature of biometric data, the impossibility of their “replacement” in the event of a compromise due to their inseparable connection with the person, determine the special order of their processing.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

Saveliev A.I. Scientific and practical article-by-article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

India

The draft Personal Data Protection Bill distinguishes ‘sensitive personal data’ (including ‘biometric data’, ‘financial data’, ‘genetic data’, ‘health data’, ‘intersex status’, ‘official identifier’, and ‘transgender status’) from personal data. It further provides the Central Government with the power to notify categories of personal data as ‘critical personal data’ that shall only be processed in a server or data centre located in India.

Section 43A of the IT (Amendment) Act also specifies and defines ‘sensitive personal data and information’; the Reasonable Security Practices and Procedures Rules, 2011, under that section provide further detail.

China

Yes. Article 3.2 of the Specification (2017) defines “personal sensitive information” as:

Personal information that, once leaked, illegally provided, or abused, can threaten personal and property security and/or easily cause personal reputational damage, physical and mental health damage, or discrimination.

South Africa

No.

POPI Part B: Processing of special personal information

Section 26 of the POPI Act provides:

A responsible party may, subject to section 27, not process personal information concerning–

(a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

(b) the criminal behaviour of a data subject to the extent that such information relates to –

(i) the alleged commission by a data subject of any offence; or

(ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

Section 28: Authorisation concerning data subject’s religious or philosophical beliefs

Section 29: Authorisation concerning data subject’s race or ethnic origin

Section 30: Authorisation concerning data subject’s trade union membership

Section 31: Authorisation concerning data subject’s political persuasion

Section 32: Authorisation concerning data subject’s health and sex life

Section 33: Authorisation concerning data subject’s criminal behaviour or biometric information

9. How is the data controller and the data processor/operator defined?

Brazil

A data controller is a natural or legal person governed by public or private law, responsible for taking decisions on the processing of personal data.

A data operator is a natural or legal person governed by public or private law, executing the processing of personal data in the name of the data controller.

[Art. 5]

Russia

An operator is a state body, municipal body, legal or natural person that, independently or jointly with other persons, organises and (or) processes personal data, and determines the purposes of personal data processing, the composition of the personal data to be processed, and the actions (operations) performed with personal data.

This definition is in fact borrowed from the provisions of Directive 95/46/EC of the European Parliament and of the Council of the European Union on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which was repealed upon the adoption of the GDPR.

It differs from the definition contained in the 1981 Convention, which uses the concept of the controller of the file, defined as “an individual or legal entity, state authority, institution or any other body competent in accordance with domestic law to decide what should be the purpose of an automated data file, which categories of personal data should be stored or which operations should be performed with them”.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

Saveliev A.I. Scientific and practical article-by-article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

India

Rather than ‘data controller’, the draft Personal Data Protection Bill uses the term ‘data fiduciary’, which means ‘any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data’. The draft Bill defines ‘data processor’ as ‘any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary’.

The IT (Amendment) Act does not include these definitions.

China

Article 3.4 of the Specification (2017) defines “personal information controller” as:

An organization or individual that has the authority to determine the purposes and/or methods of the processing of personal information.

South Africa

ECTA Definitions

“data controller” means any person who electronically requests, collects, collates, processes or stores personal information from or in respect of a data subject;

“data subject” means any natural person from or in respect of whom personal information has been requested, collected, collated, processed or stored, after the commencement of this Act;

POPI Act Definitions

Information officer of, or in relation to, a:
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1
of the Protection of Access to Information Act.

Operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

10. What are the data protection principles and how are they defined?

Brazil

The LGPD lists the following data processing principles:

Purpose limitation: processing of data for purposes that are legitimate, specific and explicit, and made known to the data subject, without the possibility of later processing that is not consistent with these purposes;

Appropriateness: compatibility of the processing in accordance with the objectives informed to the data subject, in consistence with the context of the processing;

Necessity: limitation of the processing to the necessary minimum to achieve the objectives, covering the specific data in a proportional but not excessive manner in relation to the objectives of the data processing;

Free access: the guarantee for the data subject to easily and freely receive information regarding the manner and duration of the processing, as well as regarding the integrity of their personal data.

Russia

  1. The processing of personal data must be carried out in a lawful and fair manner.
  2. The processing of personal data should be limited to the achievement of specific, predetermined and legitimate goals. It is not allowed to process personal data incompatible with the purposes of collecting personal data.
  3. It is not allowed to merge databases containing personal data that are processed for purposes that are incompatible with each other.
  4. Only personal data that meets the purposes of its processing may be processed.
  5. The content and volume of processed personal data must comply with the stated processing objectives. The processed personal data should not be redundant in relation to the stated purposes of their processing.

India

The draft Personal Data Protection Bill lists the following:

1) fair and reasonable processing, that respects the privacy of the data subject;

2) purpose limitation, meaning that the purposes are clear, specific and lawful, although incidental purposes that the data subject would ‘reasonably expect the data to be used for’ are allowed as well;

3) collection limitation, meaning that only data that is necessary for the purpose of processing should be collected;

4) lawful processing, meaning that processing shall only be done on the grounds specified in the Bill for personal data and sensitive personal data respectively;

5) notice (with the draft Bill specifying fourteen elements of information which the notice needs to contain), to be provided at the time of collection of the personal data or, if the data is not collected from the data subject, as soon as is reasonably practicable, and to be provided in a clear and concise manner that is easily comprehensible and in multiple languages ‘where necessary and practicable’ – exemption of the notice obligation is provided where processing is required for prompt action;

China

Article 4 of the Specification (2017) includes the following “Basic Principles of Personal Information Security”:
Personal information controllers should follow the basic principles below when processing personal information:

1) Commensurability of Powers and Responsibilities Principle: Bear responsibility for damage to the lawful rights and interests of the personal information subject caused by personal information processing.

2) Purpose Specification Principle: Process personal information for legal, justified, necessary, and specific purposes.

3) Consent Principle: Obtain authorized consent from the personal information subject after expressly providing the personal information subject with the information including the purpose, method, scope, and rules of the processing.

4) Minimization Principle: Unless otherwise agreed by the personal information subject, only process the minimum types and quantity of personal information necessary for the purposes for which the authorized consent is obtained from the personal information subject. After the purposes have been achieved, the personal information should be deleted promptly according to the agreement.

South Africa

POPI provides for eight conditions for lawful processing of personal information.

Condition 1: Accountability

Section 8: Responsible party to ensure conditions for lawful processing.

The responsible party must ensure that the conditions set out in this chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.

Condition 2: Processing limitation

Section 9: Lawfulness of processing.

Personal information must be processed (a) lawfully and (b) in a reasonable manner that does not infringe the privacy of the data subject.

Section 10: Minimality

Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

Section 11: Consent, justification and objection

Section 12: Collection directly from data subject

11. Does the law provide any specific definitions with regard to data protection in the digital sphere?

Brazil

Yes, the law defines a database as a structured set of personal data, established in one or several sites, in electronic or physical form.

[Art. 5]

Russia

Automated processing of personal data – processing of personal data using computer technology.

Personal Data Information System – a set of personal data contained in databases and information technologies and technical means ensuring their processing.

The user of an information system of personal data is a person participating in the operation of an information system of personal data or using the results of its operation.

India

The draft Personal Data Protection Bill also defines ‘automated means’. In addition, its preamble highlights that its formulation in general has to be seen in the context of the growth of the digital economy.

Relevant definitions in the IT (Amendment) Act include those for ‘access’, ‘intermediary’ and ‘reasonable security practices and procedures’.

China

The law does not mention “digital sphere” but it is generally understood that network and online activities engaged in “the collection, storage, transmission, processing and use of data” occur in the digital sphere. The Data Security Administrative Measures (2019 Draft) provides details for proper data collection, data processing and use, as well as data security regulation and administration. Chapter V specifically provides definitions for “network operators,” “network data,” “personal information,” “personal information subject” and “important data.”

South Africa

Chapter VIII of ECTA

Section 50(1) provides that these provisions only apply to personal information that has been obtained through electronic transactions.

Chapter 4 of POPI

Section 37

Rights

12. Is the data protection law based on fundamental rights (defined in Constitutional law or International binding documents)?

Brazil

Yes, article 2 of the data protection law refers to fundamental rights, including (but not limited to) privacy, freedom of expression, free initiative and human rights.

Russia

Initially, provisions relating to the protection of the rights of citizens in the field of personal data were reflected in the Universal Declaration of Human Rights adopted by the UN General Assembly on December 10, 1948. Later they were developed and reflected in the 1981 Convention ratified by the Russian Federation in 2013. The legislation of the Russian Federation in the field of personal data generally repeats the main provisions of the above international acts.

In Art. 23 of the Constitution of the Russian Federation, it is established that everyone has the right to privacy, personal and family secrets, protection of his honour and good name, the right to privacy of correspondence, telephone conversations, postal, telegraph and other messages. Restriction of this right is allowed only in exceptional cases provided by law.

Federal Law “On Personal Data”: scientific and practical commentary (article by article) / A.Kh. Gafurova, E.V. Dorotenko, Yu.E. Kontemirov and others; ed. A.A. Priezhzheva. M.: The editors of “Rossiyskaya Gazeta”, 2015. Vol. 11. 176 p.

India

The Preamble to the draft Personal Data Protection Bill specifically states that the right to privacy is a fundamental right and that it is necessary to protect personal data as an essential facet of informational privacy.

The IT (Amendment) Act does not explicitly address this question.

China

Neither the Specification (2017) nor the Measures (draft, 2019) explicitly refers to the Chinese Constitution or to international binding documents. The “Introduction” of the Specification states the necessity for the Specification to also comply with other pre-existing Chinese laws and regulations, including all the rights and responsibilities of citizens outlined in Chapter II of the Constitution.

South Africa

The ECTA has not specified any fundamental rights.

POPI Act is based on the right to privacy enshrined in the Constitution of the Republic of South Africa, 1996.

13. What are the rights of the data subjects according to the law?

Brazil

Data subjects have the right to receive facilitated access to information regarding the treatment of their personal data.

Article 9 of the data protection law states the manner in which this information has to be provided, including information on the purposes of the processing, its duration, the identification of the controllers and their contact information, information regarding data sharing, the responsibilities of the processing agents and the rights of the data subject.

Art. 17: Every natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed, under the terms of this Law;

Art. 18: The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being processed by the controller, at any time and by means of request:

I – confirmation of the existence of the processing;

II – access to the data;

III – correction of incomplete, inaccurate or out-of-date data;

Russia

The right to receive information on the processing of his personal data.

The right to clarify the personal data processed by the operator.

The right to block personal data.

The right to demand the destruction of data.

The right to take measures prescribed by law to protect their rights.

The right to appeal the actions of the operator to the authorised body.

The right that the processing of personal data for the purpose of promoting goods, works or services on the market by making direct contact with a potential consumer using means of communication, as well as for the purposes of political agitation, be carried out only with the prior consent of the subject of personal data.

The prohibition to make decisions on the basis of automated processing of personal data, generating legal consequences in relation to the subject of personal data or otherwise affecting his rights and legitimate interests.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

India

The draft Personal Data Protection Bill lists the following data subject rights:

  1. the right to confirmation whether the data fiduciary is processing or has processed personal data of the data subject and to access a brief summary of that data and of the processing activities undertaken by the data fiduciary in relation to that data;
  2. the right to, where necessary, correct inaccurate or misleading personal data, to complete incomplete personal data, and to update personal data that is out of date – where the data fiduciary does not agree that there is a need, it has to provide its justification to the data subject in writing and indicate alongside the relevant personal data that it is disputed;
  3. the right to data portability, which means that the data subject has the right to receive their personal data under the control of a data fiduciary in a structured, commonly used and machine-readable format, and to have it transferred to another data fiduciary in that format, wherever the processing has been carried out through automated means, except where the processing is necessary for specific functions of the State outlined in the Act, is in compliance with law, or where compliance with this provision would reveal a trade secret of any data fiduciary or would not be technically feasible;
  4. the right to be forgotten, which is defined as the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal under certain conditions and after the Adjudicating Officer has determined that these conditions have been satisfied.

China

Article 5.6 of the Specification (2017) states the data subject has the right to: “access, correct, or delete data; to deactivate the account, to withdraw consent; to obtain a copy of the data; to restrain automated decision-making by the information system; etc.”

Article 7.7 of the Specification states the data subject has the right to: “refuse to receive business advertisements delivered on the basis of their personal information”

In Appendix D “Privacy Policy Template” of the Specification (2017), Section 5 “Your rights” specifies the following user rights:

South Africa

The rights of the data subject in POPI are described in terms of the obligations of the data controller, therefore see below.

Section 5: Rights of the data subject

Chapter 8: Rights of Data subjects regarding Direct marketing by means of unsolicited electronic communications, directories and automated decision making

Section 69 Direct Marketing by means of unsolicited electronic communication

Section 70 Directories

Section 71 Automated Decision making

Obligations and Sanctions

14. What are the obligations of the controllers and processors/ operators?

Brazil

Controllers need specific additional consent of the data subject before sharing their data with other controllers.

[Art. 7, I and par 5]

The controller has the responsibility to prove that consent was given by the user to process their data.

[Art. 8, par 2]

The controller needs to inform the data owner/subject regarding specific changes which are defined in Art 9 (e.g. objectives and means of data processing, identification of controller etc.). The data subject has the right to not accept the changes and withdraw his consent.

[Art. 8, par 6; Art. 9, par 2]

The controller can only process data for legitimate objectives as defined in Art 10 (e.g. promotional and service activities). In this context, processing is limited to those data which are necessary for the specific objective. The controller has to adopt measures to guarantee transparency during the processing of data.

[Art. 10]

Russia

Obligation to ensure the confidentiality of personal data – the prohibition to disclose personal data to third parties without the consent of the subject.

Obtaining the consent of the subject of personal data (when there are no other conditions for their processing) in a form that provides the opportunity to prove the fact of obtaining consent, or in writing in certain cases provided by law.

Publication of the privacy policy or other document defining its policy in relation to the processing of personal data, and information about the implemented requirements for the protection of personal data, as well as providing access to the specified document using the appropriate information and telecommunication network.

Publication of local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, elimination of the consequences of such violations.

Notification of Roskomnadzor prior to the processing of personal data.

India

In addition to the obligations data fiduciaries and data processors/operators have with regard to the implementation of the general data protection principles and the rights of the data subjects under the draft Personal Data Protection Bill (see above), data fiduciaries have a number of obligations under the Bill that specifically relate to the personal and sensitive data of children. These include processing the personal data of children in a way that protects and advances their rights and interests and incorporating mechanisms for age verification and parental consent. Additional obligations apply to those data fiduciaries who process large volumes of personal data of children or who operate websites or provide services targeted at children, so-called guardian data fiduciaries.

Data fiduciaries are also obliged to take a number of privacy and accountability measures, including

  1. privacy by design;
  2. transparency regarding their general practices relating to the processing of personal data as well as regarding important processes in the processing of personal data related specifically to the data subject;
  3. appropriate security safeguards;
  4. procedures and mechanisms to address grievances of data subjects in an efficient and timely manner; and
  5. notification of the Authority of breaches of the personal data processed by the controller where such breach is likely to cause harm to a data subject.

Data fiduciaries need to further ensure the storage on a server or data centre located in India of at least one serving copy of personal data to which the law applies.

China

The main body of the Specification (2017) lays out in detail the obligations for “personal information controllers”: the collection of personal information (in Article 5), retention of personal information (in Article 6), use of personal information (in Article 7), processing, sharing, transfer, and public disclosure of personal information (in Article 8), as well as the handling of personal information during security incident (in Article 9).

Article 6 of the Measures (draft, 2019) states:

“Network operators must perform their obligations to protect data security, establish an accountability and assessment system for data security management, formulate data security plans, implement technical safeguards for data security, conduct data security risk assessments, formulate emergency response plans for cyber security incidents, promptly deal with security incidents and organize data security education and training.”

South Africa

Section 51 of ECTA: Principles for electronically collecting personal information

  1. A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.
  2. A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.
  3. The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.
  4. The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.
  5. The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.
  6. A data controller may not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the data subject.

15. Is notification to a national regulator or registration required before processing data?

Brazil

In specific situations, notification to a national regulator is required. This includes data transfer from public to private actors [Art. 26 par. 2] and modifications of specific procedures for international data transfers [Art. 36].

Russia

The operator, prior to the processing of personal data, is obliged to notify the authorised body for the protection of the rights of personal data subjects of its intention to process personal data, except in special cases.

The operator has the right to carry out the processing of personal data without notifying the authorised body for the protection of the rights of personal data subjects:

  1. processed in accordance with labour laws;
  2. received by the operator in connection with the conclusion of a contract to which the subject of personal data is a party;
  3. relating to members (participants) of a public association or religious organisation and processed by the relevant public association or religious organisation;
  4. made publicly available by the subject of personal data;
  5. including only the surnames, names and patronymics of personal data subjects;
  6. necessary for the purpose of a single pass of the subject of personal data to the territory in which the operator is located, or for other similar purposes;

India

As per the draft Personal Data Protection Bill, those data fiduciaries or classes of data fiduciaries who have been classified by the Data Protection Authority as ‘significant data fiduciaries’ are required to register with the Authority. Classification as a significant data fiduciary will depend on such factors as the volume of data processed, the sensitivity of the personal data processed, the turnover of the data fiduciary, the risk of harm resulting from the processing and the use of new technologies for processing.

Further, although not required before processing the data, the transfer of sensitive personal data outside the territory of India to a person or entity engaged in the provision of health or emergency services where such transfer is strictly necessary for prompt action requires notification to the Authority within the time period that will be prescribed. Where a data fiduciary seeks to transfer personal data outside the territory of India subject to standard contractual clauses or intra-group schemes that have been approved by the Authority, it also needs to certify and periodically report to the Authority that the transfer is made under a contract that adheres to such standard contractual clauses or intra-group schemes and that it will bear liability for any harm caused in the case of non-compliance.

China

Yes, operators are expected to obtain approval for cross-border data transfer from provincial-level office of Cyberspace Administration of China (CAC) according to Measures on Security Assessment of the Cross-border Transfer of Personal Information (see Question #24 for this section).

South Africa

According to ECTA, no.

Yes, one must obtain prior authorisation, according to Chapter 6, section 57 of POPI Act.

Section 55(1) of POPI Act also establishes duties and responsibilities for the Information Regulator.

16. Does the law require privacy impact assessment to process any category of personal data?

Brazil

The law establishes that the national authority may require the controller to prepare a data protection impact assessment, including for sensitive data, relating to its data processing operations, as provided for by the regulations, with due regard for trade and industrial secrets. The report shall contain at least a description of the types of data collected, the methodology used for collection and for guaranteeing the security of the information, and an analysis by the controller of the measures, safeguards and risk mitigation mechanisms adopted.

[Art. 38]

Russia

The operator is obliged to take measures necessary and sufficient to ensure the performance of its duties. Such measures include an assessment of the harm that may be caused to personal data subjects in the event of a violation of the Federal Law “On Personal Data”, and of the ratio of that harm to the measures taken by the operator to ensure the fulfilment of the duties provided for by the Federal Law “On Personal Data”.

The main goal of such an audit is to analyse the effectiveness of organisational and technical measures taken to protect the processed personal data in order to minimize possible harm. The order and frequency of such an audit is determined by the local act of the operator.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

India

As per the draft Personal Data Protection Bill, significant data fiduciaries are required to undertake a data protection impact assessment when they intend to undertake any processing involving new technologies, or large scale profiling, or the use of sensitive personal data such as genetic or biometric data, or any other processing which carries a risk of significant harm to data subjects. In addition, the Data Protection Authority may specify further circumstances or classes of data or processing operations for which a data protection impact assessment by significant data fiduciaries is mandatory. The Data Protection Authority can also specify instances in which significant data fiduciaries need to engage a data auditor under the Act to carry out the data protection impact assessment. Where the Data Protection Authority is of the view that any processing activity undertaken by data fiduciaries other than significant data fiduciaries carries a risk of significant harm to data subjects, it can notify that data protection impact assessments are mandatory for them as well.

China

Yes. Article 10.2 of the Specification (2017) details the process of “Carrying Out Personal Information Security Impact Assessments.” It should be understood however that compliance with the entire Specification is voluntary, not mandatory.

South Africa

Not directly; however, section 40(1)(b)(vi) of POPI provides that the duties, powers and functions of the Regulator include monitoring and enforcing compliance by conducting an assessment in respect of the processing of personal information by a private or public body for the purpose of ascertaining whether or not the information is processed according to the conditions for the lawful processing of personal information.

17. What conditions must be met to ensure that personal data are processed lawfully?

Brazil

The legal bases for data processing are:

  • Receiving consent from the data subject;
  • To fulfil legal or regulatory requirements by the controller;
  • For public administration to execute public policies;
  • For the realisation of studies conducted by research bodies;
  • For the execution of contracts;
  • For the execution of legal processes;
  • To protect the life of data subjects and other individuals;
  • To enable specific health care activities;
  • To attend to legitimate interests of controllers or others; or
  • For credit protection.

[Art. 7]

Russia

The processing of personal data is permitted under the following conditions:

  1. processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;
  2. processing of personal data is necessary to achieve the goals stipulated by an international treaty of the Russian Federation or the law for the implementation and fulfilment of the functions, powers and duties assigned by the legislation of the Russian Federation to the operator;
  3. processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, proceedings in arbitration courts;

3.1) processing of personal data is necessary for the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;

India

The draft Personal Data Protection Bill recognises the following grounds for the processing of personal data:

  1. on the basis of consent;
  2. for functions of the State, including the provision of any service or benefit to the data subject from the State and the issuance of any certification, licence or permit for any action or activity of the data subject by the state;
  3. in compliance with law or any order of any court or tribunal;
  4. when necessary for prompt action in medical emergencies and during epidemics, disasters and breakdowns of public order;
  5. for purposes related to employment, where processing on the basis of consent is inappropriate or would involve a disproportionate effort, including recruitment, termination, provision of any benefit to the employee, verification of attendance of the employee and any other activity relating to the assessment of the employee’s performance;
  6. for reasonable purposes, including the prevention and detection of any unlawful activity, whistle blowing, mergers and acquisitions, network and information security, credit scoring, the recovery of debt and the processing of publicly available personal data.

China

The explicit authorization and consent by the personal information subject is required.

Article 9 of the Measures (draft, 2019) states:

“Where the rules for the collection and use of personal information are included in a privacy policy, such rules shall be relatively focused with clear instructions for ease of understanding. In addition, network operators may collect personal information only if the user is aware of and explicitly consents to such rules.”

Article 5.3 of the Specification (2017) states that:

“Prior to the collection of the personal information, clearly provide the information subject with the following information and obtain the authorized consent from the personal information subject: the respective types of the personal information collected by different operational functions of the products or services; the rules of collecting and using the personal information (e.g., purpose of collection and use; manner and frequency of collection; storage location; storage period; [the controller’s] data security capabilities; information related to sharing, transferring, and public disclosure; etc.).”

South Africa

See answer for question 10 above.

18. What are the conditions for the expression of consent?

Brazil

Consent has to be given in a written or any other form that expresses the agreement of the data subject. The controller is obligated to prove that consent was given. The consent has to refer to specific objectives. Consent can be cancelled at any moment by the data subject.

[Art. 8]

Russia

The subject of personal data decides on the provision of his personal data and agrees to their processing freely, by his own will and in his own interest. Consent to the processing of personal data must be specific, informed and conscious. The subject of personal data or his representative may give consent to the processing of personal data in any form that allows the fact of its receipt to be confirmed, unless otherwise established by federal law. In the case of obtaining consent for the processing of personal data from a representative of the subject of personal data, the authority of the representative to give consent on behalf of the subject of personal data is checked by the operator.

The subject of personal data may withdraw consent to the processing of personal data.

In cases stipulated by federal law, the processing of personal data is carried out only with the consent in writing of the subject of personal data. The written consent on paper is recognised as equivalent to a consent in the form of an electronic document signed in accordance with federal law with an electronic signature.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

India

The draft Personal Data Protection Bill requires consent to be given no later than at the beginning of processing, with consent being valid when it is free, informed, specific, clear and capable of being withdrawn. Where explicit consent for sensitive personal data is concerned, the Bill sets additional, higher standards for consent to be considered informed, clear and specific.

China

Article 3.6 defines “Explicit Consent” as:

“The explicit authorization by the personal information subject of specific personal information processing through a written statement or an affirmative action on the personal information subject’s own initiative.

Note: Affirmative action includes the personal information subject, on his or her initiative, making a statement (in electronic form or on paper), checking a box, or clicking “agree,” “sign up,” “send,” “dial,” etc.”

South Africa

Section 11 of POPI provides for the measures to be taken regarding consent, justification and objection to the collection of personal data.

19. If the law foresees special categories of data, what are the conditions to ensure the lawfulness of processing of such data?

Brazil

There are specific requirements for the treatment of sensitive personal data. This procedure can lawfully occur when the data subject or a legal representative gives consent to the specific objectives of the process. Exceptions are made in a number of cases, among them legal necessities of controllers and of public administration, for the purpose of research and medical treatment, for security reasons, and others.

[Art. 11]

Russia

The processing of special categories of personal data is considered legal if it is carried out for the following reasons. The second reason is the processing of publicly available personal data, if the subject of personal data makes them publicly available. The third reason is the need to process personal data in connection with the implementation of international readmission agreements of the Russian Federation.

The fourth reason is the processing of personal data in accordance with Federal Law No. 8-FZ dated January 25, 2002 “On the All-Russian Population Census”.

The fifth reason is the processing of personal data in accordance with the legislation governing the citizenship of the Russian Federation, insurance legislation, legislation on defence, security, countering terrorism, transport security, countering corruption, criminal investigation executive legislation, as well as legislation on state social assistance, labor and pension legislation.

India

The draft Personal Data Protection Bill recognises the following grounds for the processing of sensitive personal data:

  1. explicit consent;
  2. for certain functions of the State, including the exercise of any function of the State authorised by law for the provision of any service or benefit to the data principal;
  3. in compliance with any law which explicitly mandates such processing or any order of any court or tribunal;
  4. certain categories of sensitive personal data, including passwords, financial data, health data, official identifiers, genetic data and biometric data, may be processed when necessary for prompt action in medical emergencies or during epidemics, disasters and breakdowns of public order.

China

The Specification (2017) calls attention to “sensitive information” (defined in Article 3.2). It details in Article 5.5 the “Explicit Consent for Collection of Personal Sensitive Information” as well as the requirements for “Personal Sensitive Information Transfer and Storage” in Article 6.3.

South Africa

Sections 26 – 33 (Chapter 3, Part B) of POPI provide for the measures to be taken when processing special personal information.

20. What are the security requirements for collecting and processing personal data?

Brazil

Data processing actors have to establish security measures to protect personal data. The national authority can define technical security standards for data processing actors.

[Art. 46]

Data processing actors are obliged to guarantee security for personal data during and after processing them.

[Art. 47]

The controller has to inform the national authority and the data subject in case of security incidents that could cause relevant harm to the data subject.

In this context, the controller has to provide information including the nature of the affected data, the affected data subjects, the data protection measures taken, the risks related to the incident, an explanation in case of delayed communications, and the measures taken to solve the situation.

The national authority will analyse the incident and if necessary take measures to protect the rights of the data subject. This can include (but is not limited to) a public announcement of the incident and measures to reduce harm caused by the incident.

[Art. 48]

Russia

Ensuring the security of personal data is achieved, in particular, by:

  1. identifying threats to the security of personal data during their processing in personal data information systems;
  2. applying the organisational and technical measures needed to ensure the security of personal data processed in personal data information systems, so as to meet the personal data protection requirements whose fulfilment ensures the levels of protection established by the Government of the Russian Federation;
  3. using information security tools that have been approved in the prescribed manner;
  4. assessing the effectiveness of the personal data security measures taken before the personal data information system is commissioned;
  5. keeping a record of the machine-readable media that carry personal data;
  6. detecting instances of unauthorised access to personal data and taking response measures;
  7. restoring personal data modified or destroyed as a result of unauthorised access to them.

India

The draft Personal Data Protection Bill requires the data fiduciary and data processor to implement security safeguards such as the use of de-identification and encryption, steps necessary to protect the integrity of personal data, and steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data, having regard to the nature, scope and purpose of the processing of the personal data, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing.

Where a breach of personal data is likely to cause harm to any data subject, the draft Personal Data Protection Bill requires the data fiduciary to notify the Data Protection Authority of the breach, as well as of 1) the nature of the personal data that has been breached, 2) the number of data subjects affected by the breach, 3) possible consequences of the breach, and 4) measures taken to remedy the breach. The Authority will determine whether or not the breach should be reported to the data subject.

The Reasonable Security Practices and Procedures Rules, 2011, under the IT (Amendment) Act specify a number of security precautions to be taken as well, including the adoption of international standards for information security management or other codes of best practices that have been approved and notified by the Central Government.

China

As a basic principle of personal information security, Article 4 of the Specification (2017) states that information controllers should possess the security capacity appropriate to the potential security risks and implement sufficient management and technical measures to safeguard the confidentiality, integrity and availability of personal information.

In terms of organisational arrangements, Article 10.1 states that responsible departments and personnel should be designated to take measures to protect personal information, including security assessment, training and audits.

Article 10.2 spells out the details regarding “Carrying Out Personal Information Security Impact Assessments.”

Article 10.3 asks information controllers to establish data security capabilities.

Article 10.4 specifies the main aspects of managing and training personnel for information security.

Article 10.5 spells out the requirements for security audits.

South Africa

Condition 7 in sections 19-22 (Chapter 3) of POPI provides for the security safeguards for processing personal information, which include protecting the confidentiality and integrity of personal information.

21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

Brazil

There is no such requirement.

Russia

There is no such requirement. When collecting personal data, including via the Internet, the operator is obliged to ensure that the recording, systematisation, accumulation, storage, refinement (updating, changing) and extraction of the personal data of citizens of the Russian Federation are carried out using databases located in the Russian Federation.

Part 5 of Article 18 of the Federal Law “On Personal Data” enshrines the obligation of the operator to localise particular processing operations on personal data collected from Russian citizens. The provisions of this part came into force on September 1, 2015 and have no analogues in foreign legal systems, so the questions of their interpretation and of their relationship with the provisions on cross-border data transfer are of particular relevance. An important role is also played by the possibility of blocking the online resource of an operator that processes the personal data of citizens of the Russian Federation in violation of the localisation requirements.

Federal Law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On Personal Data”; Saveliev A.I., Scientific and Practical Article-by-Article Commentary to the Federal Law “On Personal Data”, M.: Statute, 2017, 320 p.

India

The draft Personal Data Protection Bill requires every data fiduciary to ensure that at least one serving copy of personal data to which the Act applies is stored on a server or in a data centre located in India. The Central Government may notify certain categories of personal data as exempt from this requirement on the grounds of necessity or strategic interests of the State, but sensitive personal data cannot be exempted. In addition, the draft Personal Data Protection Bill gives the Central Government the power to notify categories of personal data as critical personal data, which may only be processed in a server or data centre located in India.

Sectoral localisation requirements already exist in India, including those imposed by the Reserve Bank of India Notification on Storage of Payments Systems Data of April 2018; the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017; the Companies Act, 2013 and its attendant rules; and the Unified Access Licence for Telecom. Localisation requirements of various kinds have also been included in other draft policies and regulations, such as the draft E-Commerce Policy 2019 and the draft e-Pharmacy Rules 2018.

China

Yes. Article 37 of Cybersecurity Law of the People’s Republic of China (2017) specifies:

“Critical information infrastructure operators that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China.”

South Africa

Chapter 9 of POPI provides for transfers of personal information outside of the Republic. It provides in section 72 that a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless it meets certain requirements set out in the section.

A responsible party may not transfer personal information outside South Africa to a foreign third party unless one of the following applies:

  • the third party is subject to law, binding corporate rules or binding agreements which afford the data subject an adequate level of protection;
  • the data subject consents;
  • the transfer is necessary for the performance of a contract, etc.;
  • the transfer is for the benefit of the data subject.

22. What are the requirements for transferring data outside the national jurisdiction?

Brazil

The transfer of data outside the national jurisdiction is allowed where the receiving country or organisation offers a level of data protection adequate to that provided by Brazilian law. Alternatively, the data controller has to provide guarantees of compliance with the principles, the rights of the data subject and the data protection regime of the law.

International data transfer is also allowed in specific cases, including international legal cooperation, the protection of life, transfers authorised by the national authority and compliance with international cooperation agreements, among others.

[Art. 33]

The level of data protection of the foreign entity is evaluated by the national authority.

[Art. 34]

Russia

According to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data, a Party shall not, for the sole purpose of protecting privacy, prohibit or subject to special authorisation cross-border flows of personal data to the territory of another Party.

Nevertheless, each Party has the right to deviate from this principle:

  1. to the extent that its domestic law includes special rules for certain categories of personal data or automated personal data files because of the nature of the data or these files, unless the rules of the other Party provide for the same protection;
  2. when a transfer is made from its territory to the territory of a state that is not a Party to this Convention, through the territory of the other Party, in order to prevent such a transfer, which would bypass the legislation of the Party mentioned at the beginning of this paragraph.

India

As per the draft Personal Data Protection Bill, personal data other than those categories of sensitive personal data that have been notified as critical personal data may be transferred outside of India where:

  1. the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Data Protection Authority after it has been satisfied that these effectively protect the rights of data subjects under the Act; or
  2. the Central Government, after consultation with the Authority, has prescribed that transfers to a particular country, to a sector within a country or to a particular international organisation are permissible because it believes that the relevant personal data will be subject to an adequate level of protection; or
  3. the Authority approves a particular transfer or set of transfers as permissible due to a situation of necessity.

China

Article 37 of Cybersecurity Law (2017) specifies:

“Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, follow those provisions.”

The draft of a new law regulating cross-border personal data transfer – Measures on Security Assessment of the Cross-border Transfer of Personal Information – specifies that network operators must apply to the provincial-level cybersecurity regulator (the provincial branch of the Cyberspace Administration of China) for a security assessment before transferring personal data across the border.

South Africa

See answer to question 21.

23. Are data transfer agreements foreseen by the law?

Brazil

Yes, the law has a chapter dedicated to international data transfer (Chapter V). Article 33 sets out the cases in which transfer is permitted, which are as follows:

I – to countries or international organizations that provide the appropriate level of protection of personal data provided for by the Brazilian Law.

II – where the controller provides and demonstrates guarantees of compliance with the principles, rights of the data subject and data protection regime established in the Brazilian Law.

III – where the transfer is required for international legal cooperation between government intelligence, investigation and police bodies, in accordance with the international law instruments.

IV – where the transfer is required for life protection or physical integrity of the data subject or any third party.

Russia

Cross-border transfer of personal data on the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in cases provided for by international treaties of the Russian Federation.

At the same time, not only interstate agreements but also intergovernmental agreements and agreements of an interdepartmental nature, both bilateral and multilateral, are regarded as international treaties of the Russian Federation. Such international agreements need not contain the terms “cross-border transfer” or “personal data”; however, the content of specific norms of the agreements, or of the agreements as a whole, should be directed specifically at actions that personal data legislation classifies as cross-border data transfer. The law does not require the preparation of an agreement on the transfer of personal data or its approval by an authorised body. The authorised body for the protection of the rights of personal data subjects approves the list of foreign states that are not parties to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data but ensure adequate protection of the rights of personal data subjects.

Federal Law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On Personal Data”; Federal Law “On Personal Data”: Scientific and Practical Commentary (article by article), Issue 11, ed. A.A. Priezhzheva, Rossiyskaya Gazeta, 2015.

India

Yes, see above.

China

So far, China is not part of any international treaty for personal data/information protection. Its Cybersecurity Law (2017) recognizes the need for cross-border data transfer and asks information controllers to follow relevant laws to conduct security assessment (Article 37).

The Cyberspace Administration of China issued a draft of the Measures on Security Assessment of the Cross-border Transfer of Personal Information in 2019 for public comment, aimed at protecting personal information in cross-border transfers. Article 20 of the draft Measures specifies:

“If the business activities of an organization located outside China result in the collection of personal information of domestic users through the Internet and other means, then that organization shall fulfill the responsibilities and obligations of network operators in these Measures through a legal representative or entity within the territory.”

South Africa

Yes, Section 72: Binding corporate rules/binding agreements with an adequate level of protection.

24. Does the relevant national regulator need to approve the data transfer agreements?

Brazil

Yes, the national regulator needs to evaluate the level of data protection in the foreign country or entity.

[Art. 34]

Russia

The law does not require the preparation of an agreement on the transfer of personal data or its approval by an authorised body. The authorised body for the protection of the rights of personal data subjects approves the list of foreign states that are not parties to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data but ensure adequate protection of the rights of personal data subjects.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”

India

Yes, see above.

China

Yes. Article 37 of Cybersecurity Law (2017) specifies:

“Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, follow those provisions.”

The draft of a new law regulating cross-border personal data transfer – Measures on Security Assessment of the Cross-border Transfer of Personal Information – specifies that network operators must apply to the provincial-level cybersecurity regulator (the provincial branch of the Cyberspace Administration of China) for a security assessment before transferring personal data across the border.

South Africa

Yes, section 57 of POPI provides for circumstances where a responsible party would be required to obtain prior authorisation from the Regulator in terms of section 58.

25. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

Brazil

The data protection law provides a number of sanctions and remedies including warnings, fines, publication of the occurrences, the temporary blocking or deletion of personal data.

[Art. 52]

Russia

Criminal liability is provided for the unlawful refusal of an official to provide a citizen with documents and materials that were collected in accordance with the established procedure and directly affect that citizen’s rights and freedoms (Article 140 of the Criminal Code of the Russian Federation).

Source: Who and what is responsible for violation of the law on personal data. Prepared by the experts of the JSC “Consultant Plus” // “Consultant Plus” Legal Reference System, 2019.

India

The draft Personal Data Protection Bill provides for fines and, where a data subject who has suffered harm as a result of any violation files a complaint, compensation for the data subject. Where a violation is listed as an offence in the Bill, it can also attract a prison term, as well as a fine. In addition, the Data Protection Authority can issue warnings, reprimands, and orders to cease and desist from committing or causing any violation of the Act; require the data fiduciary or data processor to modify its business; temporarily suspend or discontinue the business or activity of the data fiduciary or data processor that is in contravention of the provisions of the Act; vary, suspend or cancel any registration granted by the Authority in the case of a significant data fiduciary; suspend or discontinue any cross-border flow of personal data; and require the data fiduciary or data processor to take any such action in regards to a matter that arose during an inquiry as the Authority may deem fit.

Section 43 of the IT (Amendment) Act provides for compensation to the victim, while section 72A of the Act attracts a prison term and/or a fine.

China

For non-compliance by “storing network data outside the mainland territory, or provide network data to those outside of the mainland territory,” Article 66 of the Cybersecurity Law (2017) states that punishments can include:

  1. fines between 50,000 and 500,000 RMB;
  2. temporary suspension of operations;
  3. suspension of business for corrective measures;
  4. closing down of websites;
  5. revocation of relevant operations permits, or cancellation of business licences;
  6. fines between 10,000 and 100,000 RMB for responsible personnel.

Amendment IX to the Criminal Law of the PRC (2015) also states:

South Africa

Chapter 11 of POPI provides for offences, penalties and administrative fines as contained in sections 100-109.

Actors

26. What actors are responsible for the implementation of the data protection law?

Brazil

The national authority called “Autoridade Nacional de Proteção de Dados” (ANPD) is responsible for the implementation.

[Art. 55]

Russia

Administrative responsibility is established for:

  • violation of the rules for processing personal data;
  • failure to perform duties when interacting with a citizen – the subject of personal data;
  • non-compliance with personal data protection requirements;
  • failure to perform duties when interacting with Roskomnadzor.

Violation of legislation in the field of personal data may entail civil liability in the form of compensation for moral damage, compensation for damages, and recovery of a penalty, if it was provided by the contract.

The employee and the employer are liable for violations of personal data laws.

In this case, the employer may be materially liable to their employees.

An employee can be brought to both disciplinary and material liability if a violation of personal data legislation in the processing of personal data is the employee’s fault.

India

The draft Personal Data Protection Bill provides for the establishment of a Data Protection Authority of India, which will be the main actor responsible for implementation. It also provides for the establishment of an Appellate Tribunal. Appeals to decisions or orders of the Appellate Tribunal are to be made to the Supreme Court of India.

An adjudicating officer appointed by the Central Government will adjudicate matters in which the claim for injury or damage under Section 43A of the IT (Amendment) Act does not exceed Rs. five crores (Rs. 50 million). The jurisdiction in respect of claims for injury or damage exceeding that amount vests with the competent court. Appeals to an order from an adjudicating officer can be made to the Cyber Appellate Tribunal. Appeals to decisions or orders from the Cyber Appellate Tribunal are to be made to the High Court.

China

Actors responsible for the implementation of the data protection provisions are not specified in the law or the Specification (2017).

South Africa

The ECT Act envisions cyber inspectors; however, they are not specifically created for issues relating to data protection.

Section 39 of POPI provides for the establishment of the Information Regulator.

27. What is the administrative structure of actors responsible for the implementation of the data protection law (e.g. independent authority, executive agency, judiciary)?

Brazil

The ANPD is being created by the Presidency of the Republic. It has a transitory nature: at first it will be a branch of the Federal Government, but within two years it may be transformed into an independent Regulatory Agency.

Russia

The Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications (Roskomnadzor) is under the jurisdiction of the Ministry of Digital Development, Communications and Mass Communications of the Russian Federation. Within it, the Office for the Protection of the Rights of Subjects of Personal Data has been formed as a structural unit of Roskomnadzor. The Office comprises the Department for Keeping the Register of Operators Engaged in the Processing of Personal Data, the Department for Control and Supervision of the Processing of Personal Data, and the Department of Legal and Methodological Support. Corresponding departments are formed in the 71 territorial bodies of Roskomnadzor.

Resolution of the Government of the Russian Federation of 16.03.2009 N 228 (Ed. 28.02.2019) “On the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications” (along with the “Regulations on the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications”) Official Website of Roskomnadzor.

India

The Data Protection Authority will be a body corporate, with the chairperson and members appointed by the Central Government on the recommendation of a selection committee. When the Authority calls for information from, or conducts inspections and inquiries into the affairs of, data fiduciaries in accordance with the provisions of the Act, it shall have the same powers in a number of respects as those vested in a civil court under the Code of Civil Procedure, 1908. For the purpose of imposing penalties and awarding compensation, the Authority will have a separate adjudication wing, with the number, qualifications, jurisdiction and manner and terms of appointment of the adjudicating officers to be prescribed by the Central Government; the draft Bill requires this to be done in a manner that ensures the operational segregation, independence and neutrality of the adjudication wing.

The Appellate Tribunal, though it has the powers to regulate its own procedures, shall be deemed to be a civil court in a number of respects and every proceeding before the Appellate Tribunal shall be deemed to be a judicial proceeding.

Under the IT (Amendment) Act, the adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal, and all proceedings before it shall be deemed judicial proceedings. The Cyber Appellate Tribunal, too, though it has the powers to regulate its own procedures, shall be deemed to be a civil court in a number of respects, and every proceeding before it shall be deemed to be a judicial proceeding.

China

Not specified, but operators are expected to obtain approval for cross-border data transfer from Cyberspace Administration of China (CAC) according to Measures on Security Assessment of the Cross-border Transfer of Personal Information (see Question #24 above).

South Africa

Under the ECT Act: the Minister of the Department of Telecommunications and Postal Services.

Section 39 of POPI Act

The Information Regulator is an independent juristic person subject only to the Constitution and to the law. The IR must be impartial and perform its functions and exercise its powers without fear, favour or prejudice.

It must exercise and perform its functions in accordance with POPI and the Promotion of Access to Information Act.

It is accountable to the National Assembly.

28. What are the powers of the actors responsible for the implementation of the data protection law?

Brazil

ANPD has a series of powers, including oversight, elaborating guidelines and regulations, conducting or ordering audits, receiving complaints from data subjects against controllers, among others.

Russia

The control and supervision body carries out its activity aimed at preventing, detecting and stopping violations by personal data operators of the requirements of the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it by means of:

  1. the organisation and conduct of scheduled and unscheduled inspections;
  2. taking measures to suppress and (or) eliminate the consequences of the violations found;
  3. control measures without interaction with operators;
  4. measures for the prevention of violations.

Within these powers, Roskomnadzor:

  • keeps a register of operators engaged in the processing of personal data;
  • considers complaints of personal data subjects about whether the content of personal data and the methods of their processing comply with the purposes of processing, and takes the appropriate decision;
  • cooperates with the authorities authorised to protect the rights of personal data subjects in foreign countries, in particular through the international exchange of information on the protection of the rights of personal data subjects;
  • annually sends a report on its activities to the President of the Russian Federation, the Government of the Russian Federation and the Federal Assembly of the Russian Federation.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Resolution of the Government of the Russian Federation of 16.03.2009 N 228 (Ed. 28.02.2019) “On the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications” (along with the “Regulations on the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications”).

India

The draft Personal Data Protection Bill requires the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the Act, and promote awareness of data protection. It contains a large number of powers and functions to help concretise that mandate, including the power to issue codes of practice, to issue directions to data fiduciaries and data processors, to call for information from data fiduciaries and data processors, to conduct an inquiry, to engage in search and seizure, and to take action pursuant to an inquiry.

When the Authority calls for information from or conducts inspections and inquiries into the affairs of data fiduciaries in accordance with the provisions of the Act, it shall have the same powers in a number of respects as those vested in a civil court under the Code of Civil Procedure, 1908, including the discovery and production of books of account and other documents at such time and place as may be specified; the inspection of any book, document, register or record of any data fiduciary; summoning and enforcing the attendance of any person and examining them under oath; and issuing commission for the examination of witnesses or documents.

The Appellate Tribunal is to hear appeals from orders of the Authority and of the adjudicating officers of the Authority’s adjudication wing, as well as challenges to search and seizure orders by the Authority. It, too, has a number of powers as vested in a civil court under the Code of Civil Procedure, 1908, including those listed above for the Data Protection Authority as well as, among other things, receiving evidence on affidavits and dismissing an application for default or examining it, ex parte.

Under the IT (Amendment) Act, the adjudicating officer shall have the powers of a civil court, which are conferred on the Cyber Appellate Tribunal. The Cyber Appellate Tribunal has the powers of a civil court under the Code of Civil Procedure 1908, in a number of respects while trying a suit; these powers largely, though not completely, overlap with those of the Appellate Tribunal established under the draft Data Protection Bill.

China

Not specified. Overall, the Cybersecurity Law of PRC (2017) broadly regulates the collection, storage, transmission and use of “personal information” by network operators and critical information infrastructure operators. The country’s top cyber policymaking body, Cyberspace Administration of China (CAC), coordinates cybersecurity work including personal data protection laws.

South Africa

The Minister is responsible for overseeing all aspects of the ECT Act. His or her powers and duties are provided for in chapter II of the ECT Act.

Sections 5 to 9 of the ECTA: the Minister must develop and implement a national e-strategy.

Section 40 of the POPI Act

Section 40 of POPI provides for the powers, duties and functions of the Regulator in terms of the Act, which are:

(a) to provide education…
(b) to monitor and enforce compliance…
(c) to consult with interested parties…
(d) to handle complaints…
(e) to conduct research and to report to Parliament…
(f) to administer codes of conduct
(g) to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation
(h) to perform any general functions incidental or conducive to the preceding functions