Data Protection across BRICS countries

Scope

1. What national laws (or other types of normative acts) regulate the collection and use of personal data?

Brazil

The collection and processing of personal data is regulated by the Brazilian General Data Protection Law – LGPD (n. 13.709/18). It is also important to note that this law is embedded in a set of rules that address, at least in some respect, issues relating to privacy and the protection of personal data, such as the following:

  • General Telecommunications Law (Federal Law n. 9,472 of 1997)
  • Criminal Identification Law (Federal Law n. 12,037 of 2009)
  • Freedom of Information Act (Federal Law n. 12,527 of 2011)
  • Civil Rights Framework for the Internet (Federal Law n. 12,965 of 2014).

Russia

Most rules are found in specific legislation, particularly the Data Protection Act No. 152 FZ dated 27 July 2006 (DPA) and various regulatory acts adopted to implement the DPA, as well as other laws, including the Information, Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006, which establishes basic rules on information in general and its protection. In addition, the Russian Labour Code contains provisions on the protection of employees’ personal data (Part XIV). Other laws may also contain data protection provisions, which implement the data protection rules in relation to specific areas of state services or industries.

Source

New amendments to the Federal Law No. 152-FZ were introduced by Federal Law No. 519-FZ of December 30, 2020. Federal Law No. 515-FZ of 30.12.2020 “On Amendments to Certain Legislative Acts of the Russian Federation to Ensure the Confidentiality of Information about Protected Persons and on the Implementation of Operational Search Activities” also introduced new rules regarding the protection of the personal data of “protected persons” (see question 8).

India

A draft Personal Data Protection Bill was released in 2018 and was introduced in the Parliament in December, 2019. While it is being discussed, the Information Technology (Amendment) Act, 2008, provides limited protection. In addition, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and the Aadhaar and Other Laws (Amendment) Act, 2019 address questions regarding personal data specifically in the context of Aadhaar, India’s unique ID. Sectoral directions and regulations, such as those issued by the Reserve Bank of India, also impact personal data. Further draft policies and laws that address aspects of data protection include the draft National e-Commerce Policy, 2019, and the DNA Technology (Use and Application) Regulation Bill, 2019.

China

On Aug. 20, 2021, the Standing Committee of the 13th National People’s Congress approved China’s first comprehensive Personal Information Protection Law (PIPL), which will come into force on Nov. 1, 2021. The right to protection of personal information is also guaranteed by the Civil Code of the People’s Republic of China, and several administrative measures, national standards and industry-specific regulations also define rules applicable to the collection and use of personal data, in both the public and private sectors, such as:

  • People’s Republic of China Criminal Law (1997) Amendment V (2005), VII (2009), and IX (2015)
  • Law of the People’s Republic of China on Resident Identity Cards (2003)
  • Passport Law of the People’s Republic of China (2007)
  • China’s National Health and Family Planning Commission’s Administrative Measures for Population Health Information (2014)
  • Cybersecurity Law of the People’s Republic of China (2017)
  • E-Commerce Law of the People’s Republic of China (2019)
  • Implementing Measures of the People’s Bank of China for the Protection of Financial Consumers’ Rights and Interests (2020)
  • Data Security Law of the People’s Republic of China (2021)

South Africa

The Electronic Communications and Transactions Act, 25 of 2002 (ECTA). The Cybercrimes Act, 19 of 2020. The Protection of Personal Information Act 4 of 2013 (POPIA). POPIA came into effect in June 2021 after a one-year grace period.

2. Is the country a part of any international data protection agreement?

Brazil

Brazil is not part of any international data protection agreement.

Russia

Convention on the protection of individuals in the automated processing of personal data. Concluded in the city of Strasbourg on January 28, 1981 (together with the Amendments to the Convention on the Protection of Individuals with the Automated Processing of Personal Data (CETS No. 108), allowing the accession of the European Communities adopted by the Committee of Ministers in Strasbourg on 15.06.1999). This document entered into force on October 1, 1985. For the Russian Federation, this document entered into force on September 1, 2013.

India

India is not part of any international data protection legislation.

China

Not as of October 10th, 2021. However, it is worth noting that on Sept. 16 2021, China applied to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), which has its own set of rules on cross-border data flows.

South Africa

No.

3. What data is regulated?

Brazil

The LGPD regulates personal data (online and offline). Personal data is defined as “information related to an identified or identifiable natural person” (art. 5).

[Art. 1, Art. 3]

Russia

Personal data is information, i.e. “messages or data regardless of the form of their representation”. The form in which the information is displayed does not matter: it can be information in text, graphic or sound form, perceived by a person or a device. The carrier of such data is also irrelevant: it can be recorded on paper, in another analogue form (for example, on videotape) or exist in electronic form.

The information must have a certain relationship with an individual. Such a relationship may exist where the information:

1) by virtue of its content concerns a certain person;

2) has as its purpose an assessment of a person’s activities, or may affect the status of such a person, including by making any decisions regarding him;

3) is of a technical nature (for example, data of devices used by an individual) and is used for technical purposes, but can, if desired, be used by the operator for purposes that have an impact on the rights and obligations of the individual.

Information relates directly or indirectly to a particular or identifiable person, i.e. it possesses a certain identifying potential. If the data makes it possible to single out an individual from a variety of persons and to apply a particular model of interaction to him, then that person is identifiable, and the corresponding information is his personal data.

Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M .: Statute, 2017. 320 p.

India

The Personal Data Protection Bill, 2019 applies to the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within India, as well as to personal data processed by the State, by companies or by any person or body of persons created under Indian law. It also covers the processing of personal data outside Indian territory if it is connected to any Indian business or systematic activity, or if it involves profiling of data principals within the territory of India.

Section 43A of the IT (Amendment) Act concerns sensitive personal data or information in a computer resource owned, controlled or operated by a body corporate. Section 72A of the IT (Amendment) Act concerns personal information about a person which any person, including an intermediary, may have access to while providing services under the terms of a lawful contract.

China

The PIPL regulates personal information, defined in article 4 as ‘all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling’.

The Data Security Law regulates all data, defined in article 3 as ‘any information recorded in electronic or other form’.

South Africa

Section 4 of ECTA provides that this Act applies in respect of data relating to economic transactions which are defined as transactions of either a commercial or non-commercial nature, and includes the provision of information and e-government services. It also applies to data messages which are defined as data generated, sent, received or stored by electronic means.

The POPIA applies to the processing of personal information (Chapter 2, 3. (1)) “entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof;”

The Act defines personal information as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person” (Chapter 1, Section 1), which includes, for example, information relating to the race, gender and sex of a person; medical and educational history; identifying numbers and addresses; biometric information; correspondence, etc.

The Cyber Crimes Act applies more broadly to crimes committed in cyberspace, which include offences that infringe on anyone’s personal information.

4. Are there any exemptions?

Brazil

The law does not apply when data is treated by natural persons for private and non-economic interests.

The law does not apply when data is treated for the following reasons or interests: journalistic, artistic, academic, public security, national defence, state security, criminal investigation / repression.

The law also doesn’t apply when data originate outside the Brazilian territory and are not the object of communication, shared data use with Brazilian processing agents or are the object of international transfer of data to another country that is not the country of origin, as long as the country of origin offers a level of personal data protection adequate to that established by LGPD.

The law also doesn’t apply to anonymized data.

[Art. 4]

Russia

The Federal Law on Personal Data does not apply to relations arising from:

1) the processing of personal data by individuals solely for personal and family needs, if this does not violate the rights of the subjects of personal data;

2) the organisation of storage, acquisition, accounting and use of documents containing the personal data of the Archival Fund of the Russian Federation and other archival documents in accordance with the legislation on archives in the Russian Federation;

3) the processing of personal data assigned in the prescribed manner to information constituting state secrets.

The Law on Personal Data does not apply to storage and other types of processing of unsystematised personal data, even if subsequent access by third parties is possible.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”;

Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M .: Statute, 2017. 320 p.

India

Exceptions are available for law enforcement and certain other purposes under Sections 35 and 36 of the Bill.

The Bill does not apply to the processing of anonymized data, except when the Central Government (in consultation with the Authority) requires anonymized personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies.

Other exemptions are found in Chapter VIII of the Bill, which states that exemptions can be made where the Central Government is satisfied that it is necessary or expedient in the following cases:

1. In the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order.

2. For preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order.

China

The PIPL is not applicable to ‘natural persons handling personal information for personal or family affairs’ (article 72). Furthermore, as defined by the second paragraph of article 72, ‘where the law contains provisions on personal information handling by people’s governments at all levels and their relevant departments and organizations implementing statistical and archival management activities, those provisions apply’.

South Africa

The ECTA does not apply to any data which falls outside the definition of electronic transactions and data messages.
Chapter VIII of the Act provides for the protection of personal information which is limited to personal information which has been obtained through electronic transactions. Section 51(2) provides that a data controller may not electronically request, collect, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.

Section 6 of the POPIA states that the Act does not apply to the processing of personal information:

“(a) in the course of a purely personal or household activity;

(b) that has been de-identified to the extent that it cannot be re-identified again;

(c) by or on behalf of a public body—

  • which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety; or
  • the purpose of which is the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information;

(d) by the Cabinet and its committees or the Executive Council of a province; or

(e) relating to the judicial functions of a court referred to in section 166 of the Constitution.

The Act also does not apply to the processing of personal information for the purpose of “journalistic, literary or artistic expression” (Section 7). POPIA also states that the Regulator can exempt a responsible party from compliance with the Act when processing personal information, under the terms set out in Chapter 4.

5. To whom do the laws apply?

Brazil

The LGPD is applicable to all natural persons or legal entities incorporated or doing business in Brazil that collect personal data about Brazilian nationals. They will have to comply with the new law, as long as:

  • The processing operation is carried out in Brazil;
  • The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil;
  • The personal data was collected in Brazil.

[Art. 3]

Russia

The legislation on personal data applies to all entities that process personal data. Federal government bodies, as well as government bodies of constituent entities of the Russian Federation can process personal data. Local governments and municipal bodies that are not part of the system of local governments carry out the processing of personal data.

If legal entities process personal data, they are also subject to the law on personal data.

Individuals processing personal data within the framework of the legislation on personal data are citizens who carry out business activities without forming a legal entity, from the moment of their state registration as an individual entrepreneur. Individuals engaged in the processing of personal data may also include attorneys, notaries and heads of farms.

Kukharenko, T.A. Commentary to the Federal Law of July 27, 2006 No. 152-ФЗ “On Personal Data” (itemised) “Consultant Plus” Legal Reference System, 2011.

India

The draft Personal Data Protection Bill extends to the whole of India. It applies to the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law. It also applies to data fiduciaries and data processors not present within the territory of India who engage in processing of personal data in connection with any business carried on in India, or any systematic activity of offering goods or services to data subjects within the territory of India, or in connection with any activity which involves the profiling of data subjects within the territory of India.

The IT (Amendment) Act applies to the whole of India as well as to any offence or contravention under the Act committed outside India by any person, irrespective of their nationality, provided the suspected offence involves a computer, computer system or computer network located in India. Section 43A of the IT (Amendment) Act specifically applies to body corporates, i.e. any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. Section 72 of the IT (Amendment) Act applies to any person, including an intermediary, who has secured access to material containing personal information about a person while providing services under the terms of a lawful contract.

China

Article 3 of the PIPL defines that it applies to the activities of handling the personal information of natural persons within the borders of the People’s Republic of China. If the handling activities of personal information of natural persons within the borders of the PRC are being carried out outside the borders of PRC, the law shall also apply when one of the following circumstances is present:

  1. Where the purpose is to provide products or services to natural persons inside the borders;
  2. Where analyzing or assessing activities of natural persons inside the borders;
  3. Other circumstances provided in laws or administrative regulations.

The Data Security Law is applicable to ‘data handling activities and their security regulation within the mainland territory of the People’s Republic of China’ (Article 2). The Cybersecurity Law is applicable to ‘the construction, operation, maintenance, and use of networks, as well as to cybersecurity supervision and management within the mainland territory of the People’s Republic of China’.

South Africa

The ECTA was created in the public interest. The Act seeks to enable electronic transactions between consumers, private and public bodies, institutions and citizens (Section 2(1)(g) of ECTA). It also seeks to promote SMMEs (Small, Medium and Micro-sized Enterprises) within the electronic transactions environment (Section 2(1)(p) of ECTA).

The POPIA applies to any responsible party domiciled in South Africa and, where the responsible party is not domiciled in South Africa, to any responsible party that makes use of automated or non-automated means in South Africa (Chapter 2, Section 3).

The Cybercrimes Act was also created in the public interest.

6. Do the laws apply to foreign entities that do not have physical presence in the country?

Brazil

The law applies to any natural or legal person, irrespective of their location, whenever:

  1. Processing is done in Brazilian territory;
  2. The processing activity aims at offering goods, services or data processing to individuals located in the country; or
  3. The personal data used in the processing activities have been collected in national territory.

[Art. 3]

Russia

Even if a foreign company conducts its business through the Internet without a physical presence in Russia, data protection requirements may apply to such a company. The main criterion is that activity of such a foreign company is directed to the territory of the Russian Federation.

According to the Ministry of Communications and Mass Media, the use of a domain name associated with the Russian Federation (.ru, .рф, .su, .москва, .moscow, etc.) may indicate that the activity is focused on the territory of Russia; so may the presence of a Russian-language version of the website, created by the owner of the site or on his behalf by another person, other than through an automated translation function.

Additional criteria are the ability to make payments in Russian roubles, the ability to deliver goods, provide services or use digital content in Russia, as well as other cases of contract execution in the Russian Federation, the use of advertising in Russian, referring to the corresponding Internet site, and other circumstances that clearly indicate the intention of the owner of the website to include the Russian market in their business strategy.

Zherdina S. Localisation of personal data of Russians for foreign companies // EZh-Yurist. 2017. N 45. p. 5.

India

Yes. For details, see above.

China

Yes, as defined in article 3 of the PIPL if the handling activities of personal information of natural persons within the borders of the PRC are being carried out outside the borders of PRC, the law shall also apply when one of the following circumstances is present: 

  1. Where the purpose is to provide products or services to natural persons inside the borders.
  2. Where analyzing or assessing activities of natural persons inside the borders;
  3. Other circumstances provided in laws or administrative regulations.

The Data Security Law does not specify its applicability to entities that do not have a physical presence in the PRC; however, it states that ‘when data handling activities outside the mainland territory of the PRC harm the national security, the public interest, or the lawful rights and interests of citizens or organizations of the PRC, legal liability is to be pursued according to the law’ (second paragraph of Article 2).

South Africa

The ECTA does not apply directly. According to the rules of jurisdiction of the courts, a foreign entity would be held liable only insofar as the effects of its conduct are felt in the Republic. However, any service provider offering products or services in a foreign jurisdiction must be accredited and authenticated by the Minister.

The POPIA applies to responsible parties that do not have a physical presence in South Africa, provided that they make use of automated or non-automated means in the Republic (Chapter 2, Section 3 of POPIA).

Definitions

7. How are personal data defined?

Brazil

Personal data are defined as information related to an identified or identifiable natural person.

[Art. 5]

Russia

Personal data – any information related to a directly or indirectly identified or identifiable individual (subject of personal data).

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

India

The draft Personal Data Protection Bill defines personal data as ‘data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information’.

The IT (Amendment) Act does not provide a definition.

China

In drafting its laws, China has used the term “personal information” rather than the word “data”. The definitions under current legislation are as follows:

  • Article 4 of the PIPL defines “personal information” as the ‘various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously’.
  • Article 76 of the Cybersecurity Law provides that: “Personal information” refers to all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, national identification numbers, personal biometric information, addresses, telephone numbers, and so forth.
  • Article 1.034 of the Civil Code of the PRC, also defines “personal information” as: the information recorded electronically or in other ways that can be used, by itself or in combination with other information, to identify a natural person, including the name, date of birth, identification number, biometric information, residential address, telephone number, email address, health information, whereabouts, and the like, of the person.

Note that the Civil Code and the Cybersecurity Law are not laws made specifically to regulate personal data protection.

South Africa

ECTA Definitions

“personal information” means information about an identifiable individual, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;

(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;

(c) any identifying number, symbol, or other particular assigned to the individual;

(d) the address, fingerprints or blood type of the individual;

(e) the personal opinions, views or preferences of the individual, except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual; …

8. Are there special categories of personal data (e.g. sensitive data)?

Brazil

A specific classification is made for sensitive personal data, being information related to racial or ethnic origin, religious belief, public opinion, affiliation to a union or to a religious, philosophical or political organization, data relating to health or sex life, and genetic or biometric data.

There is also a classification for anonymized data, which is defined as data relating to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of the processing.

[Art. 5]

Data of children and adolescents are also given special protection.

[Art. 14]

Russia

Article 10 of the Federal Law “On Personal Data” defines that special categories of personal data include data relating to race, nationality, political opinion, religious or philosophical beliefs, health, and intimate life. Giving special categories of personal data a special status is due to the possibility of the occurrence of particularly negative consequences for the subject upon their disclosure or other unauthorised use. Such consequences can be expressed not only in risks to the life and health of a person but also in discrimination, the impossibility of exercising basic constitutional rights to work, education, freedom of conscience, holding assemblies, etc.

India

The draft Personal Data Protection Bill distinguishes ‘sensitive personal data’ (including ‘biometric data’, ‘financial data’, ‘genetic data’, ‘health data’, ‘intersex status’, ‘official identifier’, and ‘transgender status’) from personal data. It further provides the Central Government with the power to notify categories of personal data as ‘critical personal data’ that shall only be processed in a server or data centre located in India.

Section 43A of the IT (Amendment) Act also specifies and defines ‘sensitive personal data and information’; the Reasonable Security Practices and Procedures Rules, 2011, under that section provide further detail.

China

Yes. Article 28 of the PIPL defines sensitive personal information as ‘personal information that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14’.

South Africa

Regarding the ECTA, no.

The POPIA’s section 26 establishes the category of “special personal information”, which includes:

(a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

(b) the criminal behaviour of a data subject to the extent that such information relates to –

(i) the alleged commission by a data subject of any offence; or

(ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

Sections 27 to 33 deal with authorizations for the processing of the data mentioned in section 26.

Sections 34 and 35 of the Act establish special protections on the processing of children’s personal information.

9. How is the data controller and the data processor/operator defined?

Brazil

A data controller is a natural or legal person governed by public or private law, responsible for making decisions on the processing of personal data.

A data operator is a natural or legal person governed by public or private law, executing the processing of personal data in the name of the data controller.

[Art. 5]

Russia

An operator is a state body, municipal body, legal or natural person which, independently or jointly with other persons, organises and (or) processes personal data, and determines the purposes of personal data processing, the composition of the personal data to be processed, and the actions (operations) performed with personal data.

This definition is in fact borrowed from the provisions of Directive 95/46/EC of the European Parliament and of the Council of the European Union on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which was repealed upon the adoption of the GDPR.

It differs from the definition contained in the 1981 Convention, which uses the concept of the controller of the file, defined as “an individual or legal entity, state authority, institution or any other body competent in accordance with domestic law to decide what should be the purpose of an automated data file, which categories of personal data should be stored or which operations should be performed with them”.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

India

Rather than ‘data controller’, the draft Personal Data Protection Bill uses the term ‘data fiduciary’, which means ‘any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data’. The draft Bill defines ‘data processor’ as ‘any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary’.

The IT (Amendment) Act does not include these definitions.

China

The PIPL does not use the terms controller or processor but the term “Personal Information Handler” to refer to ‘organizations and individuals that, in personal information handling activities, autonomously decide handling purposes and handling methods’ (Article 73.1). For what the GDPR considers ‘data processors’, Article 21 of the PIPL provides for “entrusted parties”, i.e. the case where personal information handlers entrust the handling of personal information to another party via an agreement.

South Africa

ECTA Definitions

“data controller” means any person who electronically requests, collects, collates, processes or stores personal information from or in respect of a data subject;

POPI Act Definitions

Rather than “data controller”, the POPIA uses the term “responsible party”, which means “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information” (Section 1).

“Operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

10. What are the data protection principles and how are they defined?

Brazil

The LGPD lists the following data processing principles:

  • Purpose limitation: processing of data for purposes that are legitimate, specific, explicit and known by the data subject, without the possibility of later processing that does not align with these purposes;
  • Appropriateness: compatibility between the processing activity and the intended purposes informed to the data subject, consistent with the context of the processing;
  • Necessity: limitation of the processing to the minimum necessary to achieve its objectives, covering the specific data in a manner that is proportional and not excessive in relation to the objectives of the data processing;
  • Free access: the guarantee for the data subject of easy and free access to information regarding the form and duration of the processing, as well as to the entirety of their data.

Russia

  1. The processing of personal data must be carried out in a lawful and fair manner.
  2. The processing of personal data should be limited to the achievement of specific, predetermined and legitimate goals. It is not allowed to process personal data incompatible with the purposes of collecting personal data.
  3. It is not allowed to merge databases containing personal data that are processed for purposes that are incompatible with each other.
  4. Only personal data is processed that meets the purposes of processing it.
  5. The content and volume of processed personal data must comply with the stated processing objectives. The processed personal data should not be redundant in relation to the stated purposes of their processing.

India

Chapter II introduces the principles that govern the processing of personal data by any person:

1) fair and reasonable processing, that respects the privacy of the data subject;

2) purpose limitation, meaning that the purposes are clear, specific and lawful, although incidental purposes that the data subject would ‘reasonably expect the data to be used for’ are allowed as well;

3) collection limitation, meaning that only data that is necessary for the purpose of processing should be collected;

4) information that must be included in the notice given by the data fiduciary to the data principal at the time of the collection of the personal data:

(a) the purposes for which the personal data is to be processed;

(b) the nature and categories of personal data being collected;

China

There are several principles in different laws regulating data protection, such as:

  • Article 5 of the PIPL defines that personal information shall be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and shall not be processed by misleading, fraud, coercion, or other means.
  • Article 7 of the PIPL provides specific principles for handling personal information, such as: the principles of openness and transparency shall be observed in the handling of personal information, disclosing the rules for handling personal information and clearly indicating the purpose, method, and scope of handling.
  • Article 58 of the PIPL determines special principles that should be fulfilled by personal information handlers who provide important Internet platform services, who have a large number of users, and whose business models are complex. Those handlers should abide by the principles of openness, fairness, and justice.
  • Article 41 of the DSL provides that: State authorities shall abide by the principles of fairness, impartiality, and convenience for the people and promptly and accurately disclose government data according to provisions, except that which according to law is not to be disclosed.
  • Article 3 of the Cybersecurity Law provides that: The State persists in equally stressing cybersecurity and informatization development, and abides by the principles of active use, scientific development, management in accordance with law, and ensuring security.
  • Article 41 of the Cybersecurity Law also defines: Network operators collecting and using personal information shall abide by the principles of legality, propriety, and necessity (…)

Article 1035 of the Civil Code of the PRC also sets out principles for the processing of personal information: it must be done in compliance with the principles of lawfulness and justification, within a necessary limit, and personal information shall not be excessively processed.

South Africa

POPI provides for eight conditions for lawful processing of personal information.

Condition 1: Accountability

Section 8: Responsible party to ensure conditions for lawful processing.

The responsible party must ensure that the conditions set out in this chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.

Condition 2: Processing limitation

Section 9: Lawfulness of processing.

Personal information must be processed (a) lawfully and (b) in a reasonable manner that does not infringe the privacy of the data subject.

Section 10: Minimality

Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

Section 11: Consent, justification and objection

Section 12: Collection directly from data subject

11. Does the law provide any specific definitions with regard to data protection in the digital sphere?

Brazil

Yes, the law defines a database as a structured set of personal data, established in one or several sites, in electronic or physical form.

[Art. 5]

Russia

Automated processing of personal data – processing of personal data using computer technology.

Personal Data Information System – a set of personal data contained in databases and information technologies and technical means ensuring their processing.

The user of an information system of personal data is a person participating in the operation of an information system of personal data or using the results of its operation.

India

The draft Personal Data Protection Bill also defines ‘automated means’. In addition, its preamble highlights that its formulation in general has to be seen in the context of the growth of the digital economy.

Relevant definitions in the IT (Amendment) Act include those for ‘access’, ‘intermediary’ and ‘reasonable security practices and procedures’.

China

The PIPL does not specifically mention the “digital sphere”, but it is applicable to ‘personal information recorded by electronic or other means’ (Article 4), and defines a set of duties for personal information handlers requiring corresponding technical security measures to protect personal information, “such as encryption, de-identification etc” (Article 51.3). Moreover, both the Cybersecurity Law of the People’s Republic of China (2017) and the Data Security Law of the People’s Republic of China (2021) contain definitions regarding data protection in cyberspace:

  • Article 14 of the Data Security Law provides that: The state is to implement a big data strategy, advancing the establishment of data infrastructure, and encouraging and supporting innovative applications of data in each industry and field. People’s governments at the county level or higher shall include the development of the digital economy in the people’s economic and social development plans for that level, and draft development plans for the digital economy as needed.
  • Article 1 of the Cybersecurity Law provides that the ‘law is formulated to ensure cybersecurity; safeguard cyberspace sovereignty and national security’, among other goals;
  • Article 4 of the Cybersecurity Law defines that ‘the State formulates and continuously improves cybersecurity strategy, clarifies the fundamental requirements and primary goals of ensuring cybersecurity, and puts forward cybersecurity policies, work tasks, and procedures for key sectors’.

South Africa

Chapter VIII, Section 50(1) of the ECTA provides that the provisions stated only apply to personal information that has been obtained through electronic transactions.

Although the POPIA does not specifically mention the “digital sphere”, several articles mention electronic communications, automated data processing and other operations that occur through digital means, meaning that the law applies to this sphere.

The Cyber Crimes Act applies to crimes committed in cyberspace, which include offences that infringe on anyone’s personal information.

Rights

12. Is the data protection law based on fundamental rights (defined in Constitutional law or International binding documents)?

Brazil

Yes, article 2 of the data protection law refers to fundamental rights, including (but not limited to) privacy, freedom of expression, free initiative and human rights.

Data protection is not a right inscribed in the Federal Constitution, but privacy (“intimacy and private life”, art. 5th, X, of the Federal Constitution) is.

There is a Constitutional Amendment project which aims at introducing data protection into the Constitution as a fundamental right.

There was also a recent Supreme Court decision regarding sharing of data with the public demography and statistics body (IBGE) in which the Court declared data protection an autonomous fundamental right.

Russia

Initially, provisions relating to the protection of the rights of citizens in the field of personal data were reflected in the Universal Declaration of Human Rights adopted by the UN General Assembly on December 10, 1948. Later they were developed and reflected in the 1981 Convention ratified by the Russian Federation in 2013. The legislation of the Russian Federation in the field of personal data generally repeats the main provisions of the above international acts.

In Art. 23 of the Constitution of the Russian Federation, it is established that everyone has the right to privacy, personal and family secrets, protection of his honour and good name, the right to privacy of correspondence, telephone conversations, postal, telegraph and other messages. Restriction of this right is allowed only in exceptional cases provided by law.

Federal Law “On Personal Data”: scientific and practical commentary (article by article) / A.Kh. Gafurova, E.V. Dorotenko, Yu.E. Kontemirov and others; ed. A.A. Priezhzheva. M.: The editors of “Rossiyskaya Gazeta”, 2015. Vol. 11. 176 p.

India

The Preamble to the draft Personal Data Protection Bill specifically states that the right to privacy is a fundamental right and that it is necessary to protect personal data as an essential facet of informational privacy.

The IT (Amendment) Act does not explicitly address this question.

China

Yes. The Constitution of the Republic of China, in its Chapter II, provides the fundamental rights of Chinese citizens, which include freedom of speech, the press, assembly, association, procession and demonstration (Article 35); personal freedom (Article 37); personal dignity (Article 38); inviolability of the home (Article 39); and freedom and confidentiality of correspondence (Article 40). The right to privacy has been built upon the interpretation of the right to personal dignity combined with other fundamental rights, and the right to data protection evolved from that interpretation in the context of digital information and mass communication. It is worth noting that the Right to Protection of Personal Information was provided for in Book IV, Chapter VI of the Civil Code of the PRC as a personality right. Article 1034 of the Civil Code also provides that it will be up to the specific law to address the issue.

South Africa

The ECTA has not specified any fundamental rights.

POPI Act is based on the right to privacy enshrined in the Constitution of the Republic of South Africa, 1996.

The Cyber Crimes Act has not specified any fundamental rights.

13. What are the rights of the data subjects according to the law?

Brazil

Data subjects have the right to receive facilitated access to information regarding the processing of their personal data.

Article 9 of the data protection law states the manner this information has to be provided including information on the objectives of the processing, its duration, the identification of controllers and their contact information, information regarding data sharing, the responsibilities of the processing agents and the rights of the data subject.

Art. 17: Every natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed, under the terms of this Law;

Art. 18: The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being processed by the controller, at any time and by means of request:

I – confirmation of the existence of the processing;

II – access to the data;

III – correction of incomplete, inaccurate or out-of-date data;

Russia

The right to receive information on the processing of his personal data.

The right to clarify the personal data processed by the operator.

The right to block personal data.

The right to demand the destruction of data.

The right to take measures prescribed by law to protect their rights.

The right to appeal the actions of the operator to the authorised body.

The right to have personal data processed for the purpose of promoting goods, works or services on the market by direct contact with a potential consumer using means of communication, as well as for the purposes of political agitation, only with the prior consent of the data subject.

The prohibition on making decisions on the basis of automated processing of personal data that generate legal consequences in relation to the data subject or otherwise affect his rights and legitimate interests.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

The right to request a halt to the dissemination of personal data allowed by the data subject to be disseminated (see question 8).

India

The draft Personal Data Protection Bill lists the following data subject rights:

  1. the right to confirmation whether the data fiduciary is processing or has processed personal data of the data subject and to access a brief summary of that data and of the processing activities undertaken by the data fiduciary in relation to that data;
  2. the right to, where necessary, correct inaccurate or misleading personal data, to complete incomplete personal data, and to update personal data that is out of date – where the data fiduciary does not agree that there is a need, it has to provide its justification to the data subject in writing and indicate alongside the relevant personal data that it is disputed;
  3. the right to data portability, which means that the data subject has the right to receive their personal data under the control of a data fiduciary in a structured, commonly used and machine-readable format, and to have it transferred to another data fiduciary in that format, wherever the processing has been carried out through automated means, except where the processing is necessary for specific functions of the State outlined in the Act, is in compliance with law, or where compliance with this provision would reveal a trade secret of any data fiduciary or would not be technically feasible;
  4. the right to be forgotten, which is defined as the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal under certain conditions and after the Adjudicating Officer has determined that these conditions have been satisfied.

China

The PIPL defines the rights of individuals in personal information processing activities in Chapter IV, Articles 44 to 50. Individuals are entitled to: make their own decisions regarding the use of their personal information; restrict or refuse such use; consult, copy, correct and supplement their personal information; request its deletion; and request that the personal information handler explain its data handling rules. In the event of the death of the individual, their relatives can exercise the rights provided in the PIPL to consult, copy, correct, delete, etc., the personal information of the deceased, except where the deceased arranged otherwise before their death. Lastly, if the personal information handler refuses an individual’s request to exercise their rights, the individual may file a lawsuit with a People’s Court.

South Africa

Section 5 of POPIA: Rights of data subjects:

“A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right—

  1. to be notified that—
    1. personal information about him, her or it is being collected as provided for in terms of section 18; or
    2. his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
  2. to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
  3. to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
  4. to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
  5. to object to the processing of his, her or its personal information—
    1. at any time for purposes of direct marketing in terms of section 11(3)(b); or
    2. in terms of section 69(3)(c);

Obligations and Sanctions

14. What are the obligations of the controllers and processors/ operators?

Brazil

Controllers need to rely on one of the legal bases for the processing of personal data (Article 7) and sensitive personal data (Article 11).

Controllers need specific additional consent of the data subject before sharing their data with other controllers.

[Art. 7, I and par 5]

The controller has the responsibility to prove that consent was given by the user to process their data.

[Art. 8, par 2]

The controller needs to inform the data subject regarding specific changes which are defined in Art 9 (e.g. objectives and means of data processing, identification of controller etc.). The data subject has the right to not accept the changes and withdraw his consent.

[Art. 8, par 6; Art. 9, par 2]

The controller can only process data for legitimate objectives as defined in Art 10. In this context, processing is limited to those data which are necessary for the specific objective. The controller has to adopt measures to guarantee transparency during the processing of data.

[Art. 10]

Russia

Obligation to ensure the confidentiality of personal data – the prohibition to disclose personal data to third parties without the consent of the subject.

Obtaining the consent of the subject of personal data (when there are no other conditions for their processing) in a form that makes it possible to prove the fact of obtaining consent, or in written form in certain cases provided by law.

Publication of the privacy policy or other document defining its policy in relation to the processing of personal data, and information about the implemented requirements for the protection of personal data, as well as providing access to the specified document using the appropriate information and telecommunication network.

Publication of local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, elimination of the consequences of such violations.

Notification of Roskomnadzor prior to the processing of personal data.

India

In addition to the obligations data fiduciaries and data processors/operators have with regard to the implementation of the general data protection principles and the rights of the data subjects under the draft Personal Data Protection Bill (see above), data fiduciaries have a number of obligations under the Bill that specifically relate to the personal and sensitive data of children. These include processing the personal data of children in a way that protects and advances their rights and interests and incorporating mechanisms for age verification and parental consent. Additional obligations apply to those data fiduciaries who process large volumes of personal data of children or who operate websites or provide services targeted at children, so-called guardian data fiduciaries.

Data fiduciaries are also obliged to take a number of privacy and accountability measures, including

  1. privacy by design;
  2. transparency regarding their general practices relating to the processing of personal data as well as regarding important processes in the processing of personal data related specifically to the data subject;
  3. appropriate security safeguards;
  4. procedures and mechanisms to address grievances of data subjects in an efficient and timely manner; and
  5. notification of the Authority of breaches of the personal data processed by the controller where such breach is likely to cause harm to a data subject.

Data fiduciaries need to further ensure the storage on a server or data centre located in India of at least one serving copy of personal data to which the law applies.

China

The PIPL defines, on its Chapter II, all the Personal Information Handling Rules, which include:

  • Only handling personal information when personal information handlers conform to one of the circumstances presented in Article 13 (“lawful bases” for handling personal information), such as when consent is given; to conclude or fulfil a contract; to conduct HR management; to fulfil statutory duties, responsibilities or obligations; to respond to sudden public health incidents, or to protect natural persons’ lives and health or the security of their property, under emergency conditions; to implement news reporting or carry out public opinion supervision or related activities; or when the personal information being handled has already been lawfully disclosed, within a reasonable scope.

South Africa

Principles for electronically collecting personal information (Section 51 of ECTA)

  1. A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.
  2. A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.
  3. The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.
  4. The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.
  5. The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.
  6. A data controller may not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the data subject.

15. Is notification to a national regulator or registration required before processing data?

Brazil

In specific situations, notification to a national regulator is required. This includes data transfer from public to private actors [Art. 26 par. 2] and modifications of specific procedures for international data transfers [Art. 36].

Russia

The operator, prior to the processing of personal data, is obliged to notify the authorised body for the protection of the rights of personal data subjects of its intention to process personal data, except in special cases.

The operator may process personal data without notifying the authorised body for the protection of the rights of personal data subjects where the personal data are:

  1. processed in accordance with labor laws;
  2. received by the operator in connection with the conclusion of the contract to which the subject of personal data is a party,
  3. relating to members (participants) of a public association or religious organisation and processed by the relevant public association or religious organisation,
  4. made by the subject of personal data publicly available;
  5. including only surnames, names and patronymic of personal data subjects;
  6. necessary for the purpose of a single pass of the subject of personal data to the territory in which the operator is located, or for other similar purposes;

India

As per the draft Personal Data Protection Bill, those data fiduciaries or classes of data fiduciaries who have been classified by the Data Protection Authority as ‘significant data fiduciaries’ are required to register with the Authority. Classification as a significant data fiduciary will depend on such factors as the volume of data processed, the sensitivity of the personal data processed, the turnover of the data fiduciary, the risk of harm resulting from the processing and the use of new technologies for processing.

Further, although not required before processing the data, the transfer of sensitive personal data outside the territory of India to a person or entity engaged in the provision of health or emergency services where such transfer is strictly necessary for prompt action requires notification to the Authority within the time period that will be prescribed. Where a data fiduciary seeks to transfer personal data outside the territory of India subject to standard contractual clauses or intra-group schemes that have been approved by the Authority, it also needs to certify and periodically report to the Authority that the transfer is made under a contract that adheres to such standard contractual clauses or intra-group schemes and that it will bear liability for any harm caused in the case of non-compliance.

China

Such notification is required by the PIPL when the processing involves providing personal information outside the borders of the People’s Republic of China (Articles 38 through 43), and must be made to the Cyberspace Administration of China (CAC), which will then assess the necessity.

South Africa

According to ECTA, no.

According to Chapter 6, section 57 of the POPI Act, yes, one must obtain prior authorisation. According to this section, there are four categories of processing that require prior authorisation from the Information Regulator: the processing of any unique identifiers of data subjects; information on criminal behaviour or other unlawful conduct; information for the purpose of credit reporting; and the transfer of “special information” (see question 8) or the personal information of children.

16. Does the law require privacy impact assessment to process any category of personal data?

Brazil

The law establishes that the national authority may require the controller to prepare a data protection impact assessment, including for sensitive data, relating to its data processing operations, as provided for by the regulations, with due regard for trade and industrial secrets. The report shall contain at least a description of the types of data collected, the methodology used for collection and for guaranteeing the security of the information, and an analysis by the controller of the measures, safeguards and risk mitigation mechanisms adopted.

[Art. 38]

Russia

The operator is obliged to take measures necessary and sufficient to ensure the performance of their duties. Such measures include an assessment of the harm that may be caused to personal data subjects in the event of a violation of the Federal Law “On Personal Data”, the ratio of the said harm and the measures taken by the operator to ensure the fulfilment of duties provided for by the Federal Law “On Personal Data”.

The main goal of such an audit is to analyse the effectiveness of organisational and technical measures taken to protect the processed personal data in order to minimize possible harm. The order and frequency of such an audit is determined by the local act of the operator.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

India

As per the draft Personal Data Protection Bill, significant data fiduciaries are required to undertake a data protection impact assessment when they intend to undertake any processing involving new technologies, or large scale profiling, or the use of sensitive personal data such as genetic or biometric data, or any other processing which carries a risk of significant harm to data subjects. In addition, the Data Protection Authority may specify further circumstances or classes of data or processing operations for which a data protection impact assessment by significant data fiduciaries is mandatory. The Data Protection Authority can also specify instances in which significant data fiduciaries need to engage a data auditor under the Act to carry out the data protection impact assessment. Where the Data Protection Authority is of the view that any processing activity undertaken by data fiduciaries other than significant data fiduciaries carries a risk of significant harm to data subjects, it can notify that data protection impact assessments are mandatory for them as well.

China

Article 55 of the PIPL stipulates that a privacy impact assessment must be made to process sensitive personal information, as well as when one of the following circumstances is present:

  • Using personal information to conduct automated decision-making;
  • Entrusting personal information handling, providing personal information to other personal information handlers, or disclosing personal information;
  • Providing personal information abroad;
  • Other personal information handling activities with a major influence on individuals.

South Africa

Not directly; however, section 40(1)(b)(vi) of POPI provides that the duties, powers and functions of the Regulator include monitoring and enforcing compliance by conducting an assessment in respect of the processing of personal information by a private or public body for the purpose of ascertaining whether or not the information is processed according to the conditions for the lawful processing of personal information.

17. What conditions must be met to ensure that personal data are processed lawfully?

Brazil

The legal bases for data processing are:

  • Consent from the data subject;
  • To fulfill legal or regulatory requirements;
  • For public administration to execute public policies;
  • For the realisation of studies conducted by research entities;
  • For the preparation or execution of contracts;
  • For the exercise of rights in judicial, administrative or arbitration procedures;
  • To protect the life of data subjects and other individuals;
  • To enable specific health care activities;
  • To attend legitimate interests of controllers or others; or
  • For credit protection.

[Art. 7]

Russia

The processing of personal data is permitted under the following conditions:

  1. processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;
  2. processing of personal data is necessary to achieve the goals stipulated by an international treaty of the Russian Federation or the law for the implementation and fulfilment of the functions, powers and duties assigned by the legislation of the Russian Federation to the operator;
  3. processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, proceedings in arbitration courts;

3.1) processing of personal data is necessary for the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;

India

The draft Personal Data Protection Bill recognises the following grounds for the processing of personal data:

  1. on the basis of consent;
  2. for functions of the State, including the provision of any service or benefit to the data subject from the State and the issuance of any certification, licence or permit for any action or activity of the data subject by the state;
  3. in compliance with law or any order of any court or tribunal;
  4. when necessary for prompt action in medical emergencies and during epidemics, disasters and breakdowns of public order;
  5. for purposes related to employment, where processing on the basis of consent is inappropriate or would involve a disproportionate effort, including recruitment, termination, provision of any benefit to the employee, verification of attendance of the employee and any other activity relating to the assessment of the employee’s performance;
  6. for reasonable purposes, including the prevention and detection of any unlawful activity, whistle blowing, mergers and acquisitions, network and information security, credit scoring, the recovery of debt and the processing of publicly available personal data.

China

On top of following the principles established by Article 5, as mentioned in question #10, and observing the duties explained in question #14, to ensure that personal information is handled lawfully, the PIPL requires that:

  • The handling conforms to any of the lawful bases defined by Article 13;
  • A notification be presented to individuals, giving transparency regarding the personal information handling activities, as defined by Article 17;
  • Personal information must only be processed and retained for the shortest amount of time (Article 19);
  • When processing personal information for automated decision-making, follow the rules established by Article 24 – guarantee transparency, fairness, justice and provision of explanations regarding automated decision-making, as well as provide individuals the right to oppose to automated decision-making if such decisions have major influence on the rights and interests of the individual.

South Africa

Besides the Conditions for lawful processing (see question 10) stated in POPIA, Section 11 of the Act also establishes that the processing of personal information may only take place if:

“(a) the data subject or a competent person where the data subject is a child consents to the processing;

(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;

(c) processing complies with an obligation imposed by law on the responsible party;

(d) processing protects a legitimate interest of the data subject;

(e) processing is necessary for the proper performance of a public law duty by a public body; or

(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”

18. What are the conditions for the expression of consent?

Brazil

Consent has to be given in a written or any other form that expresses the agreement of the data subject. The controller is obligated to prove that consent was given. The consent has to refer to specific purposes. Consent can be withdrawn at any moment by the data subject. Consent has to be freely given, informed and demonstrated.

[Art. 5, art. 8]

Russia

The subject of personal data decides on the provision of his personal data and agrees to their processing freely, by his own will and in his interest. Consent to the processing of personal data must be specific, informed and conscious. Unless otherwise established by federal law, the subject of personal data or his representative may give consent to the processing of personal data in any form that allows the fact that it was obtained to be confirmed. Where consent to the processing of personal data is obtained from a representative of the subject of personal data, the operator checks the authority of the representative to give consent on behalf of the subject.

The subject of personal data may withdraw consent to the processing of personal data.

In cases stipulated by federal law, the processing of personal data is carried out only with the consent in writing of the subject of personal data. The written consent on paper is recognised as equivalent to a consent in the form of an electronic document signed in accordance with federal law with an electronic signature.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”.

India

The draft Personal Data Protection Bill requires consent to be given no later than at the beginning of processing, with consent being valid when it is free, informed, specific, clear and capable of being withdrawn. Where explicit consent for sensitive personal data is concerned, the Bill sets additional, higher standards for the consent to be considered informed, clear and specific.

China

Regarding the expression of consent, the PIPL sets forth the following conditions:

  • Article 14, paragraph 1: Consent shall be given by individuals under the precondition of full knowledge, and in a voluntary and explicit statement. Where laws or administrative regulations provide that separate consent or written consent shall be obtained to handle personal information, those provisions are to be followed.
  • Article 14, paragraph 2: Where a change occurs in the purpose of personal information handling, the handling method, or the categories of handled personal information, the individual’s consent shall be obtained again.
  • Article 15, paragraph 1: When personal information is handled based on individual consent, individuals have the right to rescind their consent. Personal information handlers shall provide a convenient way to withdraw consent.
  • Article 15, paragraph 2: If an individual rescinds consent, it does not affect the effectiveness of personal information handling activities undertaken on the basis of individual consent before consent was rescinded.
  • Article 16: Personal information handlers may not refuse to provide products or services on the basis that an individual does not consent to the handling of their personal information or rescinds their consent, except where handling personal information is necessary for the provision of products or services.

South Africa

The POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information” (Chapter 1).

Section 11 establishes that the processing of personal information can only take place if the data subject has given their consent. The responsible party must “bear the burden of proof” of the data subject’s consent. This consent may be withdrawn at any time.

19. If the law foresees special categories of data, what are the conditions to ensure the lawfulness of processing of such data?

Brazil

Processing of sensitive personal data can be lawfully conducted via consent or the following legal bases:

  • compliance with a statutory or regulatory obligation by the controller;
  • shared processing of data required for the enforcement, by the public administration, of public policies set forth in laws or regulations;
  • conducting studies by research bodies, guaranteeing, whenever possible, anonymization of sensitive personal data;
  • regular exercise of rights, including in agreements and in lawsuits, administrative or arbitration proceedings, the latter pursuant to the provisions of Law 9.307, of September 23, 1996 (Arbitration Law);
  • protection of life or physical safety of the data subject or of third parties;

Russia

The processing of special categories of personal data is considered legal if it is carried out for one of the following reasons. The second reason is the processing of publicly available personal data, if the subject of personal data makes them publicly available. The third reason is the need to process personal data in connection with the implementation of international readmission agreements of the Russian Federation.

The fourth reason is the processing of personal data in accordance with Federal Law No. 8-FZ dated January 25, 2002 “On the All-Russian Population Census”.

The fifth reason is the processing of personal data in accordance with the legislation governing the citizenship of the Russian Federation, insurance legislation, legislation on defence, security, countering terrorism, transport security, countering corruption, criminal investigation executive legislation, as well as legislation on state social assistance, labor and pension legislation.

India

The draft Personal Data Protection Bill recognises the following grounds for the processing of sensitive personal data:

  1. explicit consent;
  2. for certain functions of the State, including the exercise of any function of the State authorised by law for the provision of any service or benefit to the data principal;
  3. in compliance with any law which explicitly mandates such processing or any order of any court or tribunal;
  4. certain categories of sensitive personal data, including passwords, financial data, health data, official identifiers, genetic data and biometric data, may be processed when necessary for prompt action in medical emergencies or during epidemics, disasters and breakdowns of public order.

China

On top of following the principles established by Article 5, as mentioned in question #10, and observing the duties explained in question #14, to ensure that sensitive personal information is handled lawfully, the PIPL requires that:

  • Article 29: To handle sensitive personal information, the individual’s separate consent shall be obtained. Where laws or administrative regulations provide that written consent shall be obtained for handling sensitive personal information, those provisions are to be followed.
  • Article 30: Personal information handlers handling sensitive personal information, in addition to the items set out in Article 17, Paragraph 1, of this Law, shall also notify individuals of the necessity and influence on the individual’s rights and interests of handling the sensitive personal information, except where this Law provides that it is permitted not to notify the individuals.
  • Article 31: Where personal information handlers handle the personal information of minors under the age of 14, they shall obtain the consent of the parent or other guardian of the minor. Where personal information handlers handle the personal information of minors under the age of 14, they shall formulate specialized personal information handling rules.
  • Article 32: Where laws or administrative regulations provide that relevant administrative licenses shall be obtained or other restrictions apply to the handling of sensitive personal information, those provisions are to be followed.

South Africa

Chapter 3 – Part B of the POPIA provides for the measures to be taken when processing special personal information. The processing of this category of information is prohibited, except when:

  1. processing is carried out with the consent of a data subject referred to in section 26;
  2. processing is necessary for the establishment, exercise or defence of a right or obligation in law;
  3. processing is necessary to comply with an obligation of international public law;
  4. processing is for historical, statistical or research purposes to the extent that—
    1. the purpose serves a public interest and the processing is necessary for the purpose concerned; or
    2. it appears to be impossible or would involve a disproportionate effort to ask for consent,

and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;

20. What are the security requirements for collecting and processing personal data?

Brazil

Data processing agents have to establish security measures to protect personal data. The national authority can define technical security standards for data processing agents.

[Art. 46]

Data processing agents are obliged to guarantee security for personal data during and after processing them.

[Art. 47]

The controller has to inform the national authority and the data subject in case of security incidents that could cause relevant harm to the data subject.

In this context, the controller has to provide information including the nature of the affected data, the affected data subjects, the data protection measures taken, the risks related to the incident, an explanation in case of delayed communications, and the measures taken to solve the situation.

The national authority will analyse the incident and if necessary take measures to protect the rights of the data subject. This can include (but is not limited to) a public announcement of the incident and measures to reduce harm caused by the incident.

[Art. 48]

Russia

Ensuring the security of personal data is achieved, in particular, by:

  1. identification of threats to the security of personal data when they are processed in personal data information systems;
  2. the use of organisational and technical measures to ensure the security of personal data when processing them in personal data information systems necessary to meet the requirements for the protection of personal data, the performance of which ensures the levels of personal data protection established by the Government of the Russian Federation;
  3. the use of the information security measures passed in the prescribed manner;
  4. an assessment of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
  5. registration of the machine carriers of personal data;
  6. detection of facts of unauthorised access to personal data and taking measures;
  7. recovery of personal data modified or destroyed due to unauthorised access to it;

India

The draft Personal Data Protection Bill requires the data fiduciary and data processor to implement security safeguards such as the use of de-identification and encryption, steps necessary to protect the integrity of personal data, and steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data, having regard to the nature, scope and purpose of the processing of the personal data, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing.

Where a breach of personal data is likely to cause harm to any data subject, the draft Personal Data Protection Bill requires the data fiduciary to notify the Data Protection Authority of the breach, as well as of 1) the nature of the personal data that has been breached, 2) the number of data subjects affected by the breach, 3) possible consequences of the breach, and 4) measures taken to remedy the breach. The Authority will determine whether or not the breach should be reported to the data subject.

The Reasonable Security Practices and Procedures Rules, 2011, under the IT (Amendment) Act specify a number of security precautions to be taken as well, including the adoption of international standards for information security management or other codes of best practices that have been approved and notified by the Central Government.

China

The PIPL mentions that personal information handlers shall adopt necessary measures to safeguard the security of the personal information they handle (Article 9), without going into details as to what these measures might be. It also adds that personal information handlers must adopt the corresponding technical security measures such as encryption, de-identification, etc. (Article 51.3).

The Data Security Law defines several rules regarding the security for collecting and processing data, be it personal data or not. Such rules include a State definition of a categorized and graded protection system for data, implementation of categorized and graded protection according to the data’s degree of importance in economic and social development, as well as the degree of danger to national security, public interests, or the lawful rights and interests of individuals or organizations brought about if it is altered, destroyed, leaked, or illegally obtained or used (Article 21, paragraph 1). A stricter management system will be implemented for data related to national security, the lifelines of the national economy, important aspects of people’s livelihoods, major public interests, etc., as such types of data constitute core national data (Article 21, paragraph 2). 

The Data Security Law then carries on defining several other data security protection obligations throughout Articles 27 to 36.

South Africa

Condition 7 in sections 19-22 (Chapter 3) of POPI provides for the security safeguards for processing personal information which includes protecting the confidentiality and integrity of personal information.

In order to ensure the protection of the data subject’s personal information, the responsible party must:

  1. “identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
  2. establish and maintain appropriate safeguards against the risks identified;
  3. regularly verify that the safeguards are effectively implemented; and
  4. ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.”

21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

Brazil

There is no such requirement.

Russia

There is no such requirement. When collecting personal data, including through the Internet information and telecommunications network, the operator is obliged to ensure the recording, systematisation, accumulation, storage, refinement (update, change) and extraction of personal data of citizens of the Russian Federation using databases located in the Russian Federation.

Part 5 of Article 18 of the Federal Law “On Personal Data” enshrines the obligation of the operator to ensure the localisation of individual processes for the processing of personal data collected from Russian citizens. The provisions of this part came into force on September 1, 2015 and have no analogues in foreign legal orders, in connection with which the issues of their interpretation and correlation with the provisions on cross-border data transfer are of particular relevance. The important role in this is also played by the possibility of blocking the operator’s online resource, which processes personal data of citizens of the Russian Federation in violation of localisation requirements.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Saveliev A.I. Scientific and practical article by article commentary to the Federal Law “On Personal Data”. M.: Statute, 2017. 320 p.

India

The draft Personal Data Protection Bill requires every data fiduciary to ensure that at least one serving copy of personal data to which the Act applies is stored on a service or in a data centre located in India. The Central Government may notify certain categories of personal data as exempt from this requirement on the grounds of necessity or strategic interests of the State, but sensitive personal data cannot be exempted. In addition, the draft Personal Data Protection Bill gives the Central Government the power to notify categories of personal data as critical personal data, which shall only be processed in a server or data centre located in India.

Sectoral localisation requirements already exist in India, including as required by the Reserve Bank of India Notification on Storage of Payments Systems Data of April 2018; the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017; the Companies Act, 2013, and the attendant rules and the Unified Access Licence for Telecom. Localisation requirements of various kinds have also been included in other draft policies and regulations, such as the draft E-Commerce Policy 2019 and the draft e-Pharmacy Rules 2018.

  • Sensitive personal data may be transferred outside India, but shall continue to be stored in India.
    • It may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer.
  • Critical personal data shall only be processed in India.

China

As a rule, all personal information must be kept within the borders of the People’s Republic of China, unless otherwise provided and permitted by the Cyberspace Administration of China (CAC). Special attention must be paid to Article 40 of the PIPL: critical information infrastructure operators and personal information handlers handling personal information reaching quantities provided by the State cybersecurity and informatization department shall store personal information collected and produced within the borders of the People’s Republic of China domestically, unless otherwise provided and permitted by the State cybersecurity and informatization department.

South Africa

There is no such requirement. The Act states that a responsible party in South Africa may not transfer personal information about a data subject to a third party who is in a foreign country unless they follow certain requirements (see question 22 below).

22. What are the requirements for transferring data outside the national jurisdiction?

Brazil

Transfer of data outside national jurisdiction is allowed when:

  • the receiving country or organisation provides a data protection level on par with that provided by LGPD;
  • when the controller provides proof of adequate precautions in the form of: specific contract clauses; standard contractual clauses; global corporate norms; or certificates, codes of conduct and similar tools;
  • when transfer is necessary to comply with international law instruments related to international cooperation among intelligence agencies, investigation and prosecution;
  • when transfer is necessary to protect life or physical integrity of the data subject or a third party;
  • when transfer is authorized by the data protection authority;
  • when transfer results in an international cooperation agreement;
  • when transfer is necessary to implement a public policy, following the rules of art. 23;
  • when the data subject provides previous, informed and specific consent;
  • under the legal bases of article 7, II, V and VI of LGPD.

Russia

According to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data, a party should not prohibit or condition cross-border personal data flows to the territory of the other Party with a special permit, for the sole purpose of protecting privacy.

Nevertheless, each Party has the right to deviate from this principle,

  1. to the extent that its domestic law includes special rules for certain categories of personal data or automated personal data files because of the nature of the data or these files, unless the rules of the other Party provide for the same protection;
  2. when a transfer is made from its territory to the territory of a state that is not a Party to this Convention, through the territory of the other Party, in order to prevent such a transfer, which would bypass the legislation of the Party mentioned at the beginning of this paragraph.

India

As per the draft Personal Data Protection Bill, personal data other than those categories of sensitive personal data that have been notified as critical personal data may be transferred outside of India where:

  1. the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Data Protection Authority after it has been satisfied that these effectively protect the rights of data subjects under the Act; or
  2. the Central Government, after consultation with the Authority, has prescribed that transfers to a particular country, or to a sector within a country or to a particular international organisation is permissible as it believes that the relevant personal data shall be subject to an adequate level of protection.
  3. the Authority approves a particular transfer or set of transfers as permissible due to a situation of necessity.

China

Article 38 of the PIPL defines that personal information may be provided outside the PRC’s territory if, aside from ensuring the receiving party meets the standard of personal information protection provided by the PIPL, one of the following circumstances is present:

  1. Passing a security assessment organized by the State cybersecurity and informatization department according to Article 40 of this Law;
  2. Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;
  3. Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides;
  4. Other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department.

Article 39 sets an obligation of transparency, in which personal information handlers must notify individuals about the foreign receiving side’s name or personal name, contact method, handling purpose, handling methods, and personal information categories, as well as ways or procedures for individuals to exercise the rights provided in this Law with the foreign receiving side, and other such matters, and obtain individuals’ separate consent.

South Africa

Chapter 9 of POPI provides for transfers of personal information outside of the Republic. It provides in section 72 that a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless it meets certain requirements set out in the section.

A responsible party may not transfer personal info outside South Africa to a foreign third party unless the third party is subject to law, corporate rules or binding agreements which afford the data subject protection:

  • Data subject consents;
  • Transfer is necessary for performance of a contract etc;
  • Transfer is for the benefit of the data subject.

23. Are data transfer agreements foreseen by the law?

Brazil

Yes, the law has a chapter dedicated to international data transfer (Chapter V), where article 33 cites standard contractual clauses and other non-standard clauses in data transfer agreements as bases for the international transfer.

Russia

Cross-border transfer of personal data on the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in cases provided for by international treaties of the Russian Federation.

At the same time, not only intergovernmental agreements, but also intergovernmental agreements and agreements of an interdepartmental nature, both bilateral and multilateral, are considered as international treaties of the Russian Federation. The above international agreements may not contain the terms “cross-border transmission”, “personal data”, however the content of specific norms of such agreements or agreements as a whole should be directed specifically to actions that are classified by personal data legislation as cross-border data transmission. The law does not require the preparation of an agreement on the transfer of personal data and their approval by an authorised body. The authorised body for the protection of the rights of personal data subjects approves the list of foreign states that are not parties to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data and ensure adequate protection of the rights of personal data subjects.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”; Federal Law “On Personal Data”: Scientific and practical commentary (article by article). Issue 11. Ed. A.A. Priezhzheva. “The Editors of the Rossiyskaya Gazeta”, 2015.

India

Yes, see above.

China

Yes. Article 38 mentions a standard contract formulated by the State cyberspace and informatization department, setting forth the data transfer agreement to be used in case of cross-border provision of personal information. Article 20 defines that personal information handlers jointly making decisions about personal information handling must agree on the rights and obligations of each.

South Africa

Yes. Section 72 of POPIA establishes that one of the conditions for an international personal information transfer is that the third party (recipient of the personal information) “is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection”

24. Does the relevant national regulator need to approve the data transfer agreements?

Brazil

Yes, the national regulator needs to evaluate the level of data protection in the foreign country or entity.

[Art. 34]

Russia

The law does not require the preparation of an agreement on the transfer of personal data and their approval by an authorised body. The authorised body for the protection of the rights of personal data subjects approves the list of foreign states that are not parties to the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data and ensure adequate protection of the rights of personal data subjects.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”

India

Yes, see above.

China

Yes, all cross-border personal information flows must be assessed, reviewed and approved by the Cyberspace Administration of China (CAC), unless one of the circumstances established by Article 38 and mentioned in question 22 is present.

South Africa

According to Section 57, the Information Regulator must approve the transfer of special personal information, or the personal information of children, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information (see question 23). Section 72 mentions that an adequate level of protection in an agreement means that it must contain provisions similar to POPIA and uphold principles that are similar to the “conditions for lawful processing” established by the Act. However, the Act does not mention the necessity of the Regulator’s approval of such an agreement.

25. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

Brazil

The data protection law provides a number of sanctions and remedies including warnings, fines, publication of the occurrences, and the temporary blocking or deletion of personal data. Fines can reach up to 50 million reais per infraction.

[Art. 52]

Russia

Criminal liability is provided for the unlawful refusal of an official to present to a citizen documents and materials that were collected in accordance with the established procedure and that directly affect that citizen’s rights and freedoms (Article 140 of the Criminal Code of the Russian Federation).

Source: Who and what is responsible for violation of the law on personal data. Prepared by the experts of the JSC “Consultant Plus” // “Consultant Plus” Legal Reference System, 2019.

India

Chapter X of the Personal Data Protection Bill introduces a series of sanctions for contravening the provisions of the Act, which can lead to a fine of between five and fifteen crore rupees or a percentage of the company’s total worldwide turnover of the preceding financial year. These fines are roughly equivalent to between half a million and two million US dollars.

The Bill also introduces a daily fine of five thousand rupees for each day that a data fiduciary fails to comply with a request made by a data principal under the provisions of the law.

This fine accrues daily for as long as the default continues. All sanctions for data fiduciaries that fail to comply with the law are in this range.

It also includes lower fines for individuals, which may extend to a maximum of one crore rupees in the case of significant data fiduciaries, and a maximum of twenty-five lakh rupees in other cases (between roughly 7,000 and 135,000 US dollars).

The Bill also provides for imprisonment when any person intentionally re-identifies personal data which has been de-identified by a data fiduciary or a data processor. Such a person shall be punishable with imprisonment for a term not exceeding three years, or with a fine which may extend to two lakh rupees (about 2,600 US dollars), or both.

It is important to note that no compensation awarded, or penalty imposed, under this Act shall prevent the award of compensation or imposition of any other penalty or punishment under this Act or any other law for the time being in force.

China

Legal liability for violating the PIPL is defined in Articles 66 to 71.

Article 66 provides that, where personal information handlers fail to comply with the PIPL, the departments fulfilling personal information protection duties are to ‘order correction, confiscate unlawful income, and order the provisional suspension or termination of service provision of the application programs unlawfully handling personal information; where correction is refused, a fine of not more than 1 million Yuan is to be additionally imposed; the directly responsible person in charge and other directly responsible personnel are to be fined between 10,000 and 100,000 Yuan’.

South Africa

Chapter 11 of POPI provides for offences, penalties and administrative fines as contained in sections 100-109.

Penalties include fines and imprisonment of up to 10 years, according to the offence committed. The infringer shall also receive an infringement notice from the Regulator, containing the particulars of the alleged offence and the amount of the administrative fine they should pay.

Actors

26. What actors are responsible for the implementation of the data protection law?

Brazil

The national authority called “Autoridade Nacional de Proteção de Dados” (ANPD) is responsible for the implementation.

[Art. 55]

Russia

Administrative responsibility is established for:

  • violation of the rules for processing personal data;
  • failure to perform duties when interacting with a citizen – the subject of personal data;
  • non-compliance with personal data protection requirements;
  • failure to perform duties when interacting with Roskomnadzor.

Violation of legislation in the field of personal data may entail civil liability in the form of compensation for moral damage, compensation for damages, and recovery of a penalty, if it was provided by the contract.

Both the employee and the employer are liable for violations of personal data laws.

In this case, the employer may be materially liable to its employees.

An employee may be subject to both disciplinary and material liability if the processing of personal data in violation of personal data legislation occurred through his or her fault.

India

The draft Personal Data Protection Bill provides for the establishment of a Data Protection Authority of India, which will be the main actor responsible for implementation. It also provides for the establishment of an Appellate Tribunal. Appeals to decisions or orders of the Appellate Tribunal are to be made to the Supreme Court of India.

An adjudicating officer appointed by the Central Government will adjudicate matters in which the claim for injury or damage under Section 43A of the IT (Amendment) Act does not exceed Rs. five crores (Rs. 50 million). The jurisdiction in respect of claims for injury or damage exceeding that amount vests with the competent court. Appeals to an order from an adjudicating officer can be made to the Cyber Appellate Tribunal. Appeals to decisions or orders from the Cyber Appellate Tribunal are to be made to the High Court.

China

Chapter VI of the PIPL (Articles 60-65) sets out the departments fulfilling personal information protection duties and responsibilities.

According to Article 60, the State cybersecurity and informatization department is the main authority responsible for implementing the PIPL in China. Furthermore, at the State level, the relevant State Council departments are responsible within their respective scopes of duties. At the local level, the relevant departments of people’s governments at county level and above also have personal information protection duties.

South Africa

The ECT Act provides for cyber inspectors; however, they are not specifically created for matters relating to data protection.

The Information Regulator is responsible for implementation of the Act (Chapter 5 – Part A)

27. What is the administrative structure of actors responsible for the implementation of the data protection law (e.g. independent authority, executive agency, judiciary)?

Brazil

ANPD is part of the administrative structure of the Presidency of the Republic. It has a transitory nature: at first it will be a branch of Federal Government, but within two years it may be transformed into an independent Regulatory Agency.

Russia

The Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications (Roskomnadzor) is under the jurisdiction of the Ministry of Digital Development, Communications and Mass Communications of the Russian Federation. Within it, the Office for the Protection of the Rights of Subjects of Personal Data has been formed as a structural unit of Roskomnadzor. It comprises the Department for keeping the register of operators engaged in the processing of personal data, the Department for control and supervision of the processing of personal data, and the Department for legal and methodological support. Corresponding departments are formed in the 71 territorial bodies of Roskomnadzor.

Resolution of the Government of the Russian Federation of 16.03.2009 N 228 (ed. 28.02.2019) “On the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications” (along with the “Regulations on the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications”). Official website of Roskomnadzor.

India

The Data Protection Authority will be a body corporate, with the chairperson and members appointed by the Central Government on the recommendation of a selection committee. When the Authority calls for information from, or conducts inspections and inquiries into the affairs of, data fiduciaries in accordance with the provisions of the Act, it shall have the same powers in a number of respects as those vested in a civil court under the Code of Civil Procedure, 1908. For the purpose of imposing penalties and awarding compensation, the Authority will have a separate adjudication wing, with the number, qualification, jurisdiction and manner and terms of appointment of the adjudicating officers to be prescribed by the Central Government; the draft Bill requires this to be done in a manner that ensures the operational segregation, independence and neutrality of the adjudication wing.

The Appellate Tribunal, though it has the powers to regulate its own procedures, shall be deemed to be a civil court in a number of respects and every proceeding before the Appellate Tribunal shall be deemed to be a judicial proceeding.

Under the IT (Amendment) Act, the adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal, and all proceedings before it shall be deemed judicial proceedings. The Cyber Appellate Tribunal, though it has the powers to regulate its own procedures, too, shall be deemed to be a civil court in a number of respects, and every proceeding before it shall be deemed to be a judicial proceeding.

China

The Cybersecurity and Informatization department is a policy formulation and implementation body set up under the Central Committee of the Chinese Communist Party. The authority is composed of a Director, Deputy Directors, a Chief of the General Office, and other related members.

At the state level, there are Relevant State Council Departments. According to article 60 of the PIPL, they are responsible for personal information protection, supervision, and management work within their respective scope of duties and responsibilities, according to the provisions of the PIPL, relevant laws and administrative regulations.

At the local level, the relevant departments of people’s governments at county level and above are responsible for personal information protection, supervision and management duties and responsibilities, as determined according to relevant State provisions.

South Africa

Under the ECT Act, the Minister of the Department of Telecommunications and Postal Services.

Section 39 of POPIA

The Information Regulator is an independent juristic person subject only to the Constitution and to the law. The Regulator must be impartial and perform its functions and exercise its powers without fear, favour or prejudice.

It must exercise and perform its functions in accordance with POPI and the Promotion of Access to Information Act.

It is accountable to the National Assembly.

28. What are the powers of the actors responsible for the implementation of the data protection law?

Brazil

ANPD has a series of powers, including oversight, elaborating guidelines and regulations, conducting or ordering audits, receiving complaints from data subjects against controllers, collaborating with consumer protection and other national agencies, collaborating with international agencies among others.

Russia

The activity of the control and supervision body is aimed at preventing, detecting and stopping violations by personal data operators of the requirements of the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it, through:

  1. the organisation and conduct of scheduled and unscheduled inspections;
  2. taking measures to suppress and (or) eliminate the consequences of the violations found;
  3. control measures without interaction with operators;
  4. measures for the prevention of violations.

Within these powers, Roskomnadzor:

  • keeps a register of operators engaged in the processing of personal data;
  • considers appeals from personal data subjects as to whether the content of their personal data and the methods of its processing comply with the purposes of processing, and takes the appropriate decision;
  • cooperates with the authorities authorised to protect the rights of personal data subjects in foreign countries, in particular the international exchange of information on the protection of the rights of personal data subjects;
  • annually sends a report on its activities to the President of the Russian Federation, the Government of the Russian Federation and the Federal Assembly of the Russian Federation.

Federal law of 27.07.2006 N 152-FZ (as amended on 31.12.2017) “On personal data”. Resolution of the Government of the Russian Federation of 16.03.2009 N 228 (Ed. 28.02.2019) “On the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications” (along with the “Regulations on the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications”).

Roskomnadzor may also be responsible for receiving, through a special information system it manages, data subjects’ express consent to the processing of personal data that the data subject has permitted to be disseminated (see question 19).

India

The draft Personal Data Protection Bill requires the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the Act, and promote awareness of data protection. It contains a large number of powers and functions to help concretise that mandate, including the power to issue codes of practice, to issue directions to data fiduciaries and data processors, to call for information from data fiduciaries and data processors, to conduct an inquiry, to engage in search and seizure, and to take action pursuant to an inquiry.

When the Authority calls for information from or conducts inspections and inquiries into the affairs of data fiduciaries in accordance with the provisions of the Act, it shall have the same powers in a number of respects as those vested in a civil court under the Code of Civil Procedure, 1908, including the discovery and production of books of account and other documents at such time and place as may be specified; the inspection of any book, document, register or record of any data fiduciary; summoning and enforcing the attendance of any person and examining them under oath; and issuing commission for the examination of witnesses or documents.

The Appellate Tribunal is to hear appeals from orders of the Authority and of the adjudicating officers of the Authority’s adjudication wing, as well as challenges to search and seizure orders by the Authority. It, too, has a number of powers as vested in a civil court under the Code of Civil Procedure, 1908, including those listed above for the Data Protection Authority as well as, among other things, receiving evidence on affidavits and dismissing an application for default or examining it, ex parte.

Under the IT (Amendment) Act, the adjudicating officer shall have the powers of a civil court, which are conferred on the Cyber Appellate Tribunal. The Cyber Appellate Tribunal has the powers of a civil court under the Code of Civil Procedure 1908, in a number of respects while trying a suit; these powers largely, though not completely, overlap with those of the Appellate Tribunal established under the draft Data Protection Bill.

China

The powers of the actors responsible for the implementation of the data protection law are provided in Articles 61 to 63 of the PIPL.

  • Article 61: Departments fulfilling personal information protection duties and responsibilities may conduct personal information protection propaganda and education, guide and supervise personal information handlers’ conduct of personal information protection work; accept and handle personal information protection-related complaints and reports; organize evaluation of the personal information protection situation such as procedures used, and publish the evaluation results; investigate and deal with unlawful personal information handling activities; fulfill other duties and responsibilities provided in laws or administrative regulations.
  • Article 62: The State cybersecurity and informatization department coordinates overall the following personal information protection work by the relevant departments: (1) Formulate concrete personal information protection rules and standards; (2) formulate specialized personal information protection rules and standards for small-scale personal information handlers and new technologies and new applications for handling sensitive personal information, facial recognition, artificial intelligence, etc.; (3) Support the research, development, and broad adoption of secure and convenient electronic identity authentication technology, and promote the construction of public online identity authentication services; (4) Advance the construction of service systems to socialize personal information protection, and support relevant organizations to launch personal information protection evaluation and certification services; (5) Perfect personal information protection complaint and reporting work mechanisms.

South Africa

The Minister is responsible for overseeing all aspects of the ECT Act. His or her powers and duties are provided for in chapter II of the ECT Act.

Sections 5 to 9 of the ECT Act: the Minister must develop and implement a national e-strategy.

Section 40 of POPIA

Section 40 of POPIA provides that the powers, duties and functions of the Regulator in terms of the Act are:

(a) to provide education…
(b) to monitor and enforce compliance…
(c) to consult with interested parties…
(d) to handle complaints…
(e) to conduct research and to report to Parliament…
(f) to administer codes of conduct
(g) to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation
(h) to perform any general functions incidental or conducive to the preceding functions

AI regulation

29. Is there a national AI strategy in the country?

Brazil

Yes. In 2021, Brazil published a National AI Strategy (EBIA), based on stakeholder input gathered through an open consultation process.

India

Yes: #AIforAll (2018). The strategy is in the form of a discussion paper, prepared by NITI Aayog (India’s governmental public policy think tank).

China

Yes. In 2017, the State Council issued the New Generation of Artificial Intelligence Development Plan. Also in 2017, the Ministry of Industry and Information Technology released the Three-Year Action Plan for Promoting Development of a New Generation Artificial Intelligence Industry (2018-2020), an action plan set to implement the Development Plan.

In August 2021, the Cyberspace Administration of China issued the Draft Internet Information Service Algorithmic Recommendation Management Provisions, aimed at standardizing Internet information service algorithmic recommendation activities, safeguarding national security and the social and public interest, protecting the lawful rights and interests of citizens, legal persons, and other organizations, stimulating the healthy development of Internet information services, and promoting the Socialist core values.

Article 2 of the Draft states that the provisions apply to the use of algorithmic recommendation technology, such as the use of generative or synthetic–type, personalized recommendation–type, ranking and selection–type, search filter–type, dispatching and decision-making–type, and other such algorithmic technologies to provide information content to users.

Furthermore, in September 2021, nine agencies (the Cyberspace Administration of China, the Central Propaganda Department, the Ministry of Education, the Ministry of Science and Technology, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Culture and Tourism, the State Administration for Market Regulation and the National Radio and Television Administration) published the Guiding Opinions on Strengthening Overall Governance of Internet Information Service Algorithms.

South Africa

No. The Presidential Commission on the 4th Industrial Revolution recommended (2020) the creation of an AI Institute, which would oversee R&D.

30. Does the Data Protection Law regulate the use of automated data processing?

Brazil

Yes. Article 20 of the LGPD establishes that data subjects are entitled to request a review of decisions made solely on the basis of automated processing of personal data.

Russia

Yes. Article 16 of the Federal Law N152-FZ (“On personal data”) states that decisions that “give rise to legal consequences” cannot be taken only on the basis of the automated data processing of data subjects.

India

Not specifically. The country’s draft Personal Data Protection Bill specifies that “’data’ includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means” (Chapter I, Art. 3, (11)). Therefore, automated data processing should fall under the general scope of the law and follow its principles.

China

Questions 14, 16, 17 briefly introduce this topic, relating it to personal information handlers’ duties and obligations. Moreover, Article 24 of the PIPL states the rights of individuals in situations when automated decision making is used.

South Africa

Yes. Section 71 of the POPIA states that “a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person”.

31. Is there any specific requirement in the data protection framework with regard to automated processing of data, such as transparency, fairness and non-discrimination obligations?

Brazil

Yes. Besides what is stated in Article 20 of the LGPD, the Law has a broad definition of both “processing operation” and “personal data”. “Therefore, processing operations that use automated means (ADM included) fall under the protective scope of the law.”

See FPF analysis.

Russia

Yes. Article 16 also guarantees that operators must uphold transparency regarding the automated data processing, and explain to personal data subjects the procedure and the possible legal consequences of an automated decision.

India

No. Although there are no specific requirements with regard to ADM, the draft Personal Data Protection Bill has a broad definition of both “processing operation” and “personal data”. “Therefore, processing operations that use automated means (ADM included) fall under the protective scope of the law.”

See FPF Analysis.

China

Yes. The same Article 24 of PIPL guarantees the principles of transparency, fairness, and justice of the handling; non-discrimination related to trading conditions; and states that individuals have the right not to have their characteristics targeted and to refuse decisions taken through automated means.

South Africa

No. Although there are no specific requirements for it, POPIA defines processing as “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information (…)” (Chapter 1 – Definitions); therefore, the general conditions for the lawful processing of personal information must be followed. These include: ‘‘Accountability’’; ‘‘Processing limitation’’; ‘‘Purpose specification’’; ‘‘Further processing limitation’’; ‘‘Information quality’’; ‘‘Openness’’; ‘‘Security safeguards’’; ‘‘Data subject participation’’ (Chapter 3).

32. Is there any regulation on specific automated processing such as profiling or facial recognition?

Brazil

No. However, Article 12, §2 of the LGPD defines “profiling” and declares that the data used for such means are considered personal data, therefore, profiling is subject to the rules and principles stated in the law.

Russia

No. Although facial recognition is not specifically acknowledged, the definition of biometric personal data as “Information concerning a person’s physiological and biological characteristics from which he/she may be identified (biometric personal data) and which is used by an operator to establish the identity of a personal data subject” in Article 11 of the Federal Law N152-FZ should encompass facial recognition data processing. The Article states that this kind of data can be processed without the consent of the personal data subject only in specific cases provided for by law (such as enforcement of judicial acts, matters concerning internal security, investigative activities, etc.).

India

Yes, profiling. Article 16(5) prohibits guardian data fiduciaries from profiling children. Article 15(2) states that the Data Protection Authority shall provide “additional safeguards or restrictions for the purposes of repeated, continuous or systematic collection of sensitive personal data for profiling of such personal data.” Biometric data, including facial images and iris scans, cannot be processed by data fiduciaries except in cases permitted by law (Article 92). Article 27 states that data fiduciaries must undertake a “data protection impact assessment” before undertaking “any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data”. Since this article covers biometric data and the use of new technologies, facial recognition would likely be regulated by it.

China

For automated decision making, see Questions 14, 16, 17, 30 and 31. 

For some types of profiling, a data protection impact assessment might be mandatory (see Question 16).

Regarding facial recognition, Article 26 of the PIPL states that “the installation of image collection or personal identity recognition equipment in public venues shall occur as required to safeguard public security and observe relevant State regulations, and clear indicating signs shall be installed”. Chapter VI, Article 62 of the PIPL states that the cyberspace administration will be responsible for formulating regulations on “(…) new technologies and new applications for handling sensitive personal information, facial recognition, artificial intelligence, etc.”

South Africa

Yes, profiling. Section 5(g) states that data subjects have the right “not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person”. Section 71 of POPIA further elaborates the rights of data subjects in relation to automated profiling. Since the definition of “personal information” includes biometric information, facial recognition data processing must also respect the conditions for lawful processing. Sections 26 and 27 regulate the processing of special personal information (biometric information included).