Header image alt text


Building a Responsible Cyber Society…Since 1998

Data Protection Industry is closely related to the Information Security industry on the one hand and the Legal Compliance industry on the other hand.

This industry includes of Data Controllers and Data Processors as envisaged in Data Protection laws such as GDPR but is not limited to this segment alone. Data Protection is required not only for protecting the Privacy of Citizens under the Privacy Protection Objective, but also because Data is an essential raw material of business. Hence We protect data both for the reason of preventing Privacy Breach as well as Cyber Crimes and for protecting business interests.

Different Laws are made for prevention of Cyber Crimes and for the Protection of Privacy Rights of individuals and therefore “Compliance” applies to both segments of activity. Cyber Crime prevention laws have been in existence for some time and have not been in conflict with the business requirements. Hence compliance did not have any conflict either for a Company or for the Compliance managers.

Privacy Protection Laws on the other hand ignore the needs of the business not only for Business Data Protection but also the interests of the Business Development itself except within  narrow boundaries. In many cases the law inhibits business development and justifies it in the larger interest of protecting rights of Privacy. Cyber Security is also a secondary objective for most of the Data Protection Laws.

Cyber Crime prevention laws do not ignore Privacy Rights but address both protection of business data as well as personal data to the extent that there is a measurable “Loss” suffered by a Citizen.

Data Protection Laws cannot completely over rule the Cyber Security requirements and hence “Legitimate Interest of the Business”, “Law Enforcement Requirements” , “Legal Defense requirements”, “Vital Interests of other individuals” and ” Public Interest” are provided as exceptions in the law.

However, recognizing the availability of “Exceptions” and applying it in a given scenario where multiple interpretations exist is a difficult proposition for operating Data Protection Professionals. The Business would like to err on the safer side and that “Safe” option is often a business hurdle.

Conflicts will therefore arise when a Data Protection Professional (DPP) tries to balance the Privacy Protection requirements of a data subject along with the legitimate interests of the Data Processing industry. The conflict management will require utmost skill for the DPPs which is a skill to manage not only the technical aspects, but also the legal issues  and the managerial concerns involved.

Under GDPR it is envisaged that the DPO is answerable to the Supervisory Authority while working under the salary/financial consideration of the Data Controller/Data Processor. This sort of relationship where there is an inherent conflict is new to the IT professionals. It is a kind of relationship which Chartered Accountants and Company Secretaries tries to manage but not always with success.

It with a recognition of this difficulty, and not letting the DPPs sandwiched between their responsibilities to their bosses vs responsibilities that  Naavi has promoted the idea that there is a need for an Indian Association of Data Protection Professionals (IADPP) and along with like-minded individuals is finalizing the formation of a suitable organization.

Explore this idea and contribute by becoming a member of this community today.



The recent fight between ICANN with the German judiciary on what is the “legitimate interest” in ICANN collecting and making available to public the domain name registration details is an indication of the war that is going on between EU and US for economic supremacy on the global platform. EU wants to snatch away the advantage that US enjoys as a global IT player.  In this war, EU is trying to use GDPR as an instrument to make US business bow before the EU authorities. In this fight, the EU Administrators and Courts will stand with the interpretation of GDPR which favours EU. This bias is visible in the case of ICANN issue.

We must understand that ICANN already has a contract under which the registrars have obtained the license and running the commercial activity. Now GDPR is being interpreted as a superimposing law that invalidates the earlier contract. If GDPR has to be brought into domain name contracts, then the existing contracts will have to be revised or ICANN should cancel the registrar licenses of all those who fail to adhere to the contractual terms.

Already Domain Name registrations are often done under unverified e-mail addresses and are used for committing many crimes including phishing and fake news distribution. There is an urgent need to build a trust worthy internet and prevent the misuse of the liberties that enable easy registration of domain named under fake e-mail addresses or e-mails registered with service providers who are dark web constituents untouchable by the international law. Now GDPR is giving legitimacy to such dark web activities and reducing the law enforcement powers of global authorities.

If a EU Citizen books a domain name and hosts a website which is delivering content to people outside EU, then it is an activity outside the EU law making jurisdiction. There is no reason that the world should accept an anonymous registration of a website from a EU registrar. 

The objective of GDPR is protecting the Privacy Right of an EU Citizen. It cannot be an instrument of launching a Cyber War on non EU Citizens through the websites registered by EU registrars. If EU wants to have a system of domain name registrations allowing secrecy of the registrant, they are welcome to create a closed Internet system in which no information goes out of EU borders.  It can be a dark web within the current dark web which non EU countries should be able to block off.

The provision of registrant details and its preservation by registrars is an essential aspect of Cyber Security and EU authorities have displayed a blind faith in Privacy and ignored the adverse effect of the legislation if it is interpreted as it is sought to be interpreted now.

Currently the disputing registrar in EU is taking a stand that they will not collect the admin contact and technical contact details and no registrant details are to be made available under WhoIs search because such details are not required for delivering the service.

Domain Name Registration is a Commercial Activity

Registering a domain name is not a fundamental right of a person in which the Privacy right is embedded. It is a commercial decision that a person takes so that the content of the website can be used for some benefit either directly as in an E Commerce Website or indirectly through advertisement generation or brand building.

Hence when an individual books a domain name there is no fundamental right of privacy under which the domain name registrant should be allowed to hide himself and use the services. If this argument is extended, no Government should collect details of promoters and directors of a company because the personal details of the promoters and directors gets recorded and made available to a number of reasons to a number of authorities.

Hence the decision of the German Court was incorrect and there is no reason why GDPR should impinge on activities such as IP address displays on E Mails and WhoIs data in case of domain names.

In fact providing the contact details and ownership particulars of a website is a necessary disclosure under law in India. Hiding the IP address of the sender of an e-mail by email service providers such as Google is an open assistance to criminal activities. Present remedies such as contacting a relationship manager by Police through a notice is causing delay in investigations and impeding Cyber Crime prevention.

The demand of GDPR on the ICANN activities is a symptom of a larger malaise where criminals who want to hide are taking over the current transparent systems of administration and in the long run will seriously damage the law enforcement. As a result Cyber Crimes will increase, Cyber Terrorists will use EU as their base to launch attacks on the world.

Hence we should oppose the move of the German Court and demand from ICANN that all domain name registrations from EU registrars should be immediately transferred to other registrars for which a new “Domain Name Transfer Auction” can be arranged by ICANN to redistribute the domain names presently under the control of EU registrars to other registrars.

The EU registrars may exit from the business and develop an internal EU only internet system where they can introduce anonymous domain name registrations similar to the numbered Swiss Bank system. Just as the Swiss authorities benefited from the global black money, now EU can benefit from the darkweb activities which can effectively run as EU-Internet.

If we donot take a firm stand on this, gradually EU registrars may take over the business from the registrars from the rest of the world since there is a majority community who would like to hide and throw stones at others. If these masked stone pelters keep working along with the genuine domain name registrants, then there will be no value for honest web operators.

Remedy in India

While there is an economic fight going on between US and EU which is using GDPR as a weapon, India is being caught in the cross fire since a good part of Indian IT business provides services to US companies who in turn provide services to EU. Indian companies also have a part of their business with EU directly. Under both categories, GDPR is trying to impose itself as if it is the law applicable in India.

There is also the impending Indian Data Protection Act (IDPA) and the pressure of the Aadhaar related demands on Privacy protection which is clouding the judgement of many experts.

Media as usual does not understand the real issues and is only interested in TRP based reporting.

If therefore IDPA becomes a replica of GDPR like what UK has shamelessly done in drafting UK DPA, there will be many in the media patting Justice Srikrishna and his team to say “Wow, India is as great as EU in drafting Privacy law” .

But the law makers should put the interest of the country ahead of the temporary headlines in news papers that may praise them while drafting the Indian DPA.

Some time back there was discussion in India that websites have to be registered with the Government. Now to move into the GDPR suggested regime of “Anonymously registered domain names” is a step which would be a significant departure from the earlier thinking.

The Ministry of Home Affairs, in the Central Government is responsible for maintenance of Law and Order in the country along with the State Governments. It is clear that Cyber Crimes is a matter of increasing concern to the MHO not only because there is an increasing digital push to the commercial activities but also because the mis-application of certain laws such as privacy laws.

I urge the MHO to be aggressive and take up with the Justice Srikrishna Committee that under no circumstance, Cyber Security should be compromised in drafting the Privacy Law. The Supreme Court should also take a stand in the interest of the security of the county rather than a misplaced importance on anonymous Cyber transactions for protecting Privacy.

I am sure there are enough experts in India who are so committed to Privacy that they would not mind “Masked cyber stone pelters” being protected  in the garb of human rights while those who get hit are not considered to having any human rights. They would all hail GDPR and push Indian authorities to adopt a “Cyber Criminal Friendly Indian Data Protection Act”.

But I fondly hope that Justice Srikrishna would resist such pressure and suggest a law that is fair on honest people and donot err on the unsafe side.


Territorial Scope of GDPR and UK DPA 2018

Posted by Vijayashankar Na on May 29, 2018
Posted in Cyber Law  | Tagged With: , , | No Comments yet, please leave one

There is a mis-perception prevailing in some sections of IT industry in India that  “GDPR is applicable to India” without recognizing that its applicability is subject to certain conditions. This needs to be dispensed with at the earliest.

One of the frequent questions asked is

if we encounter an EU Citizen in India and its business, am I liable for GDPR?

If so should I appoint a representative in EU?

The answers to these questions are to be given only with reference to the context and not absolutely.

For example, GDPR is applicable to EU Citizens in the context of their activities in EU. In the case of EU Citizens in the context of their activities in India, GDPR is not applicable.

If a company in India is monitoring the behaviour of an EU Citizen in respect of his/her activity in EU, or offering any goods and services to the EU Citizens in EU, then GDPR may be applicable. But if the processing involves an “Occassional Interaction” with the EU Citizen, then  GDPR is not applicable.

Therefore, If an EU citizen walks into a mall in Bangalore and gives his credit card for buying a product, it is not a case that falls under GDPR. If an Indian maintains a website and a EU person visits it, then also it should not ordinarily fall under GDPR. Only when a service is specifically targeted to an EU person, GDPR may become relevant.

The above inference can be drawn from the following articles:

Article 2(2): This Regulation does not apply to the processing of personal data…  in the course of an activity which falls outside the scope of Union law;

Article 3(1) :  This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Article 3(2);

This Regulation applies to the processing of personal data of

data subjects who are in the Union

by a controller or processor not established in the Union,

where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

In the case of data processors in India who process data sent to them by another entity established in the EU, that entity would be the Data Controller and is liable for compliance of GDPR. The Indian entity is only liable to it’s contractual bindings with the data supplier.

GDPR is badly drafted in this respect as it uses the ambiguous words “Data Subjects in the Union” without specifying if it is restricted to EU Citizens or every body else who at the time of collection of data are within the boundaries of EU.

However, those who are not “Residents” of EU cannot be considered as coming under GDPR since their encounter with the data collector will be only “Occasional”. Since the power of EU and the mandate is to make laws for Eu Citizens, it is unclear how it can extend to other citizens. Similarly when a EU Citizen is travelling in another country under a VISA and is bound by the laws of that country, it is unclear how GDPR can extend to his activities outside the EU>

UK DPA 2018

UK DPA 2018 extends the GDPR blindly, and therefore also extends the unclear aspects of GDPR. But when defining the direct incidence of DPA 2018, UK DPA is a little bit more clear.

Article 207 of UK DPA 2018 states as follows:

207 Territorial application of this Act

(1) This Act applies only to processing of personal data described in subsections (2) and (3).

(2) It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or
not the processing takes place in the United Kingdom.

(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—

(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—

(i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects’ behaviour in the United Kingdom.

(4) Subsections (1) to (3) have effect subject to any provision in or made under section 120 providing for the Commissioner to carry out functions in relation to other processing of personal data.

(5) Section 3(14)(c) does not apply to the reference to the processing of personal data in subsection (2).

(6) The reference in subsection (3) to Chapter 2 of Part 2 (the GDPR) does not include that Chapter as applied by Chapter 3 of Part 2 (the applied GDPR).

(7) In this section, references to a person who has an establishment in the United Kingdom include the following—

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of the United Kingdom or a part of the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of the United Kingdom or a part of the United Kingdom, and

(d) a person not within paragraph (a), (b) or (c) who maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom, and references to a person who has an establishment in another country or territory have a corresponding meaning.

In the above article, para 3(a) states as follows:

(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,

This provision is ambiguous since it does not specify clearly that it refers to the Controller or Processor who is established in EU and gets his data processed elsewhere. DPA 2018 is not a law which is directly applicable to a company established in another country under a different law and this has to be recognized while reading this article.

Para (7) is however welcome as it explains which are the organizations which are considered as “Established in EU”.

Section 3(b) also clarifies that “In the UK” is to be interpreted as “At the time of processing”.

It is unfortunate that both GDPR and the UK DPA are drafted inadequately and puts needless doubts in the mind of technical persons not well versed in the legal aspects. It is not clear if this is deliberate.

I presume that Indian DPA will provide the necessary clarification when it is drafted and establish the sovereignty of the Indian Government to make laws for its companies and not allow EU and UK to think that India is still their colony.


GDPR has changed the landscape of Cyber Laws by redefining the priorities of Cyber Laws. So far the concern of the society was mostly on “Preventing Damage to a Citizen” through Cyber Crime laws. This was achieved by defining certain actions as “Contraventions” and/or “Offences” and imposing a “Civil Liability to pay compensation” or treat it as a “Criminal Offence” in which the perpetrator of the crime will “Pay penalty to the Government and face imprisonment”.

“Unauthorized Access” to data was therefore considered as a Cyber Crime and if the person who caused a wrongful loss through an act which contravened the law was asked to pay compensation for which the victim had to prove the extent of damage suffered. If the unauthorized access was intentional and had a “Malicious intent”, it was considered as a “Crime punishable with imprisonment and fine”. Criminal action was a state action and intended to be a deterrent. Civil action was meant to recover the loss suffered by the victim.

When unauthorized access was accompanied by “Data Theft”, “Data Deletion”, “Data Modification”, “Impersonation”, “Cheating”, “Profit making” etc, the crime was considered a higher order crime and the punishment could be harsher. But the civil damages always were based on the actual loss suffered by the victim which he was supposed to prove during the trial.

The Cyber Crime laws focused on providing deterrent punishments that were commensurate with the gravity of the crime and easy grievance redressal procedures through fast court systems, simplified procedures etc.

India provided such measures through ITA 2000 in which “Adjudication” was provided as a fast Court system to compensate the victims of cyber crimes. ITA 2000 was a representative of the first generation of Cyber Crime laws where the target was to provide protection to a victim of Cyber Crime.

Out of necessity, the first generation Cyber Crime laws did address the responsibilities of an “Intermediary” and need for the intermediary to take suitable “Due Diligence” steps to make it harder for criminals to benefit and if they do, provide suitable evidence to the law enforcement to bring the culprits to book. Section 85 and Section 79 in ITA 2000 were meant for this purpose.

In the second generation of Cyber Crime laws represented by ITA 2008 (Amended version of ITA 2000) apart from defining more Cyber Crimes, were fundamentally different from ITA 2000 since there was a greater emphasis on the role of “Information/Cyber Security”. For example, ITA 2008 introduced data protection clauses such as Sections 43A and 72A providing civil and criminal penalties if “Personal/Sensitive personal data” is not protected adequately by a data processor, which term included the Data Controller or Data Consumer or a Data Collecting agent. There were also Data Retention provisions under Section 67C, Regulatory powers to different authorities under Sections 69, 69A ,69B and 70B which represented the requirements of national security and law enforcement requirements.

ITA 2008 was stringent enough in terms of “Non Compliance” but the penalties were not in the form of huge financial penalties that the regulator would collect but in the form of huge imprisonment terms that the act provided for.

GDPR and UK DPA 2018 represent the third generation of Cyber Laws where more than the crime itself, prevention is considered as a greater responsibility and intermediaries will be subject to penalties that could be crippling.

GDPR raises a concern about the power of a “Supervisory Authority” to pursue penalties arising out of non compliance to the extent of 4% of Global turnover of an undertaking which has no relation to the actual damage that the data subjects might have suffered due to the non compliance.

ITA 2008 on the other hand has upto 7 years punishments in the case of Sections 69 and 69A, 3 years under Section 69B and 1 year under 70B. The penalties were in the range of upto Rs 1 lakh or left unstated.

Though the criminal punishments under ITA 2008 are huge, the Courts would evaluate the crime and arrive at the actual punishments both in terms of the imprisonment and the fine. Indian Courts provide enough opportunity for the accused to seek justice based on the actual facts of a case.

However, GDPR has now placed a power to impose a billion dollar fine on an executive and even in cases in which the non compliance can be technical and may not result in significant damage to the citizens whose privacy right is what the act tries to protect.

It appears as if the “Non Compliance” of a regulatory provision is a greater offence than an actual Cyber Crime in which some body is cheated of a million dollar.

This is a wrong prioritization in the justice system where the “Failure to implement Crime prevention” is considered a bigger crime than what the “Criminal” has committed.

An example is to impose an imprisonment of life term to a Security guard who forgot to lock the gates of the godown from which the thief stole some valuables while the thief himself is punishable for an imprisonment of two or three years.

EU authorities may justify their action by stating that the penalty provision in EU is just an enabling provision and would not be imposed in a manner that is unfair.

But there was no need to place such a stringent provision without any checks and balance?. It would have been better to leave the larger amount of penalty to the Courts instead of the executive. GDPR has failed in this regard to have a fair legislation.

We may recall that ITA 2008 has placed a Rs 5 crore cap on the power of the Adjudicator and left the higher penalties to the discretion of the Courts. But EU did not provide for such checks and balances before indicating a threatening level of penalties.

It appears that the Regulators have started considering the penalty provisions as an opportunity for “Profiteering” rather than as a deterrent.

This could well be the tendency of the new generation of Privacy Protection Laws which are actually one part of Cyber Crime laws applicable only to the mis-use of one type of data called “Personal data”. Every data theft is also a cyber crime and there is already a legal penalty for the same. The administrative fines are just one of the penalties that may be imposed on an intermediary in respect of a Cyber Crime and should not ideally be more damaging than the punishments meant for the cyber crimes.

Let’s forget the European Laws since EU is unmindful of the damage they are doing to their own business fabric through such crazy penalties. India is now considering its own Data Protection Law which Justice Srikrishna is in charge of drafting.

We need to watch and see whether Justice Srikrishna Committee would be falling into the trap set by GDPR and the UK DPA 2018 and make data protection legislation over power the Cyber crime laws or keep it as a subordinate law to the Cyber Crime law as it should normally be.

Many suggestions have been made to the Committee in this regard and we need to watch the developments so that India can show to the world of how to frame data protection laws which are fair to all stake holders.

India should also remember that GDPR is a terrorist friendly and Criminal friendly regulation and India cannot afford to toe its line. Hence Right of Erasure must be avoided and Right to restriction and correction should be moderated with appropriate data retention protections. These are required in the interest of national security which GDPR has ignored but we cannot.



Tame the monster of GDPR

Posted by Vijayashankar Na on May 26, 2018
Posted in Cyber Law  | Tagged With: , , | No Comments yet, please leave one

GDPR has come into effect since yesterday along with the UK Data Protection Act 2018. Together these legislation are completely changing the IT business landscape in India.

Already an Austrian Data Privacy Activist Max Schrems has launched three complaints worth a total of Euro 3.9 billion against Facebook, WhatsApp and Instagram through regulators in Austria, Belgium and Germany.

More such insane legal action will follow.

These actions elsewhere in the globe will also have ripple effects in India which is the back end processing center for a large part of personal data processing. To a corporate entity, they can be devastating. Defending such cases particularly in foreign countries could be expensive and it would increase the cost of doing business.

Indian Companies need to be therefore extremely concerned with the damage that motivated activists can do to their business both to boost their ego as well as an instrument of blackmail.

While it is the legitimate right of any individual or an activist to seek legal recourse for any grievance real or imaginary, Courts and Regulatory authorities need to remember that law is there for the benefit of people in general and that “People” include “Legitimate Business”.

But we have to admit that when a primafacie case is made out, the Courts have no option to launch a trial and that itself is a burden on the business.

The first line of defense for Companies is to present it’s case properly to the regulatory authorities so that unfair litigation is killed in the bud.

Knowledge is the tool for such defence and every company and the CEOs and Directors should themselves be reasonably aware of the provisions of data protection laws so that they can ensure that their legal teams find out appropriate solutions to problems that may arise.

I therefore urge the top management team in business to go through an awareness program for themselves before taking action on the basis of recommendations from different consultants and being swayed by the media which will sensationalize most of the issues.

In this direction, Naavi has launched a new online training program on GDPR through Apnacourse.com. I hope it would be of use to companies in first acquiring some basic understanding of GDPR as a regulation and then take steps in compliance.

This online program may not be an end in itself but can be the beginning of a journey in understanding the intricacies of data protection laws essential to protect the existential interest of business.



UK Data Protection Act 2018 comes into force…

Posted by Vijayashankar Na on May 24, 2018
Posted in Cyber Law  | Tagged With: , | No Comments yet, please leave one

Racing against time with the implementation of GDPR, UK authorities have completed the formalities in introducing the new version of Data Protection legislation effective from 25th May 2018 co-terminus with the applicability of EU GDPR. This will continue even after BREXIT.

UK-DPA 2018 should be considered as an extension of GDPR and entities to whom UK DPA 2018 is applicable may have to read both the DPA 2018 and GDPR side by side.

The office of ICO provides further information about the Act.  (Refer here).

A copy of the Data Protection Act is available here.

The DPA 2018 copy as released on 23rd may 2018 contains 215 articles divided into 7 parts and 20 Schedules.

While Data Protection Legislation advise Companies to make their consents “Simple” and expressed in easily intelligible language, UK’s DPA is as complicated as any legislation can be and alien to the principle of simplicity. It will take some time for the industry to fully digest the provisions and be confident of compliance.

As we have often highlighted, laws that are simple are more likely to be complied with and a complex law will have a lower level of voluntary compliance requiring rigid penalties and enforcement.

India is in the process of completing its Data Protection Act and I wish that Indian legislators donot make the law as huge and as complicated as the UK DPA and opt for a more simpler legislation which can be equally effective.

Law makers need to remember that laws are made not to show how knowledgeable the law maker is, but to ensure that the citizen understands it for compliance.

However we shall continue to try demystifying the UK DPA 2018 over a time.

The PDF version of the Act as made available is a 353 page document that requires a detailed study.

Some of the salient features for immediate consumption is given below:


Under Article 207, this act is applicable to

a) processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom

b) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—

(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—

(i) the offering of goods or services to data subjects in the United
Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects’ behaviour in the United

The Act is about “Processing of Personal Data” and Personal data is defined as ” any information relating to an identified or identifiable living individual”. The Act does not say whether it is the Personal data of a UK citizen or a citizen of other countries.

Jurisdiction of Courts

The Jurisdiction conferred on a Court under UK_DPA 2018 is excercisable in England and Wales, Northern Ireland and Scotland.

This effectively recognizes the limitations of the law making body which derives its powers from the sovereign Government that it represents. The EU GDPR ignored this limitation and arrogated itself the responsibility for protecting global citizens as if it is a global legislative body.

However as a humble servant of the EU which the majority of UK voters voted to exit, the legislators have vowed to legitimize GDPR within this legislation. Considering the details to which this legislation went, there was no need for making it a subordinate legislation to the GDPR but it appears that the UK legislators were under some thing like a “Stockholm Syndrome” and could not break themselves from expressing their past loyalties to EU by importing GDPR into its own legislation. UK seems to have lost its mental independence to stand up as an independent sovereign country and feels obliged to follow its EU masters.

Part 2 of the Act is devoted to supplement GDPR

Chapter 2 of this part applies to the types of processing of personal data to which GDPR applies by virtue of Article 2 of GDPR. Further the Act confirms that Chapter 2 has to be read with the GDPR.

Chapter 3 of Part 2 has some provisions which is defined as “Applied GDPR”.

Article 21 states

This Chapter applies to the automated or structured processing of personal
data in the course of—

(a) an activity which is outside the scope of European Union law, or
(b) an activity which falls within the scope of Article 2(2)(b) of the GDPR (Coming under Treaties of EU),

The term “Outside the scope of European law” is a loose statement that is amenable to mis interpretation.

The Applicability of UK DPA 2018 cannot extend beyond the jurisdiction of Courts as defined under Article 180 and all other narrations represent legislative imperfections.


Penalties as specified in EU GDPR Article 83 are applicable under UK DPA 2018 also.

More Codes to follow

The ICO has to develop certain code of practice such as data sharing code, Direct Marketing Code, age appropriate designing code, Data Protection and Journalism Code etc., These codes need to be approved by the British Parliament and hence the industry needs to await for the codes which will be important from compliance point of view.


UK DPA 2018 mandates the designation of a DPO by all organizations other than a Court or a Judicial authority. (Article 69)

Principles and Rights

UK DPA 2018 re-states the Principles of Privacy and Data Subject’s Rights as in GDPR.

Cross Border Transfer of Data

Cross border transfer of data is subject to requirements similar to EU which includes “Adequacy Decision” (Article 74) or Safeguards (article 75). Adequacy is as decided by the EU and Safeguard includes a legal instrument that binds the recipient of the data for protection of personal data. Additionally special circumstances such as where the vital interests of the data subject, legitimate interests of the data subject (not the data controller… Ed: Could be a drafting error), public security, law enforcement and legal requirements.

Responsibilities of Controller and Processor

The Act re-states the responsibilities of the Controller and Processor as in GDPR.


UK DPA 2018 defines the following offences related to personal data

a) Unlawful obtaining of  personal data, selling personal data

b) Re-identification or de-identified personal data

c) Alteration to prevent disclosure

The person who commits the offence is liable for summary conviction to a fine. Prosecution may be instituted only by the Commissioner or with the consent of the Director of Public prosecutions.

The directors of a company maybe liable for offences committed by a body corporate if there is negligence on their part.

These are some preliminary observations and more discussions may follow in due course.