TFSBS - Created to Service Your Privacy Requirements
Privacy laws and regulations are continuously expanding across the world and have made their presence felt in recent times with fines levied for misuse and abuse with regards to Personal Data or Personally Identifiable Information (including Sensitive Personally Identifiable Information). Privacy laws require organizations to have a proactive approach towards privacy and the protection of personal data. As a result, organizations are enhancing and strengthening the way they handle and govern personal data across its lifecycle i.e. collection, use, transfer, retention, destruction for personal data that belongs to customers, employees, vendors and other stakeholders.
Why is data privacy important?
In many jurisdictions, privacy is considered a fundamental human right, and data protection laws exist to guard that right. Data privacy is also important because in order for individuals to be willing to engage online, they have to trust that their personal data will be handled with care. Organizations use data protection practices to demonstrate to their customers and users that they can be trusted with their personal data.
Personal data can be misused in a number of ways if it is not kept private or if people don’t have the ability to control how their information is used:
- Criminals can use personal data to defraud or harass users.
- Entities may sell personal data to advertisers or other outside parties without user consent, which can result in users receiving unwanted marketing or advertising.
- When a person’s activities are tracked and monitored, this may restrict their ability to express themselves freely, especially under repressive governments.
For individuals, any of these outcomes can be harmful. For a business, these outcomes can irreparably harm their reputation, as well as resulting in fines, sanctions, and other legal consequences.
In addition to the real-world implications of privacy infringements, many people and countries hold that privacy has intrinsic value: that privacy is a human right fundamental to a free society, like the right to free speech.
DPO as a Service
We understand that many organizations are looking for an outsourced DPO (Data Protection Officer) as a Service solution since they would like to comply
TFSBS takes a pragmatic approach in helping organizations understand the applicable privacy regulations and laws and their requirements for protecting personal information or data and, accordingly, identify technology partners. We are Authorized Partners with the global organizations that are the leading players in the Privacy Automation Solution
Data Privacy as a Service for Small and Medium Enterprises
Identify applicable local and global laws
Prepare an organisational Privacy framework
Conduct Privacy assessments as per requirements of local and global laws
Provide recommendations to address specific requirements
Provide recommendations for updating the framework as per new laws and amendments
Conduct Data Protection Impact Assessments
Privacy Training & Awareness
Conduct trainings for DPO
Conduct trainings for Privacy team
Conduct trainings for leadership
Conduct trainings for certifications
Prepare privacy awareness materials for the organisation
Conduct Data Protection Impact Assessments
Privacy Automation Solutions (tools and technologies)
Identify the technology partners for privacy and data protection in your organisation
Assist in the implementation and roll out of the selected tools and technologies
Train the teams to operate and utilize the functionalities of the tools and technologies
Provide any other assistance as required
DPO as a service
Outsource your DPO
Set up your DPO Office
Managed DPO Services
CyberBullying India
Training – customised trainings and workshops to schools, colleges, NGOs and organisations to create awareness of
Awareness – prepare and implement awareness materials such as presentations, posters, flyers, brochures, roadshows, etc. to disseminate awareness on Cyber Safety, Cyber Hygiene and Cyber Security.
Advisory services w.r.t CyberBullying
Investigations w.r.t CyberBullying
What is Privacy?
Privacy is a fundamental right, essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built.
Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives, which allows us to negotiate who we are and how we want to interact with the world around us. Privacy helps us establish boundaries to limit who has access to our bodies, places and things, as well as our communications and information.
Privacy can be defined in multiple ways. However, let us first understand how the Right to Privacy was identified. Year on year, the definition of Privacy has continued to evolve and has reached a level where today it encompasses the tangible, physical body as well as thoughts and emotions.
That the individual shall have full protection in person and in property is a principle as old as the common law; but it has undergone many necessary changes from time to time to reflect the actual requirements of society. Political, social and economic changes require the enactment of new rights as per the changing norms. Thus, in very early times, the law gave a remedy only for physical interference with life and property, for trespasses vi et armis (Latin for “with force and arms”).
At that time, the “Right to Life” served only to protect human beings from various physical harms; liberty meant freedom from actual restraint; and the right to property secured to the individual his or her lands and cattle.
However, much later, there came a recognition of man’s spiritual nature, of his feelings and his intellect. Gradually, the scope of these legal rights broadened. Now, the right to life has come to mean the right to enjoy life and the right to be let alone. The right to liberty secures the exercise of extensive civil privileges. The term “property” includes every form of possession, intangible as well as tangible.
As the time progressed, the newer laws were required to address the various other needs. The intense intellectual and emotional life, and the heightening of sensations which came with the progress of civilization at a rapid pace made it clear to humans that only a part of the pain, pleasure and profit of life lay in physical things.
Thoughts, sensations and emotions demanded legal recognition and needed the framework of law to secure and provide protection through various legislatures.
Hence, in the United States, an article in the Harvard Law Review issue of December 15, 1890, written by attorney Samuel D. Warren and future US Supreme Court Judge Louis Brandeis and entitled “The Right to Privacy”, is often cited as the first explicit finding of a US right to privacy. They wrote and explained that privacy is the “right to be let alone” and focussed on protecting individuals. This approach was a response to recent technological developments of the time, such as photography, and to sensationalist journalism against individuals.
Individual privacy is a modern concept that was first ushered in by Western culture and carried on to the rest of the world, leading to the enactment of privacy laws that entitle individuals not to be subjected to unsanctioned invasions by governments and corporations alike. Privacy for an individual or group is the ability to withhold information particular to them from access by wider society, and thereby express themselves selectively.
What is Personal Information?
Also known as personally identifiable information (PII) or personal data, personal information belongs to a natural, living person. If information relating to an individual acting as an employee, partner, company director or sole trader is individually identifiable, it may also constitute personal information. According to IAPP, it includes a broad range of information that may relate to, describe, be associated with, or could reasonably be linked with a particular consumer’s identity, preferences, location or activities, directly or indirectly.
Personal information could be as simple as a name and phone number, or as sensitive as criminal convictions and offences data. Sensitive PII spans different walks of life, such as health, finance, education, business and internet activities, including but not limited to email address, date of birth, religion and caste, home and office address; official documents like social security number, driving license number, passport number, PAN, Aadhaar number; financial attributes like bank account number, credit or debit card number; personal characteristics like photographic image, handwriting, biometric data, etc.
Power of Personal Information
A plethora of options unlocks with a user’s consent to cookie preferences, allowing a brand to collect, process and share the personal data. Personal information answers vital questions on which contemporary businesses thrive. It is being scooped up, sold, traded, and disclosed by marketers, advertisers, analysts, and investors for a host of purposes, ranging from the products we need, buy or want to the recency and frequency of our engagement with a brand, and from our functional and emotional connection with the brand to the channels and devices where we engage, and that’s not the end of the rope.
According to the Interactive Advertising Bureau, American corporations alone were expected to shell out $19 billion this year acquiring and assessing personal data, a trade that remains mostly opaque to consumers. The privacy risks associated with vast streams of data rooted in personal experience, identity, and specific context that fuel the digital economy are still not being compensated fairly.
Understanding the risks associated with companies reaping billions of dollars at the expense of users’ data, policymakers and researchers worldwide have proposed granular market designs to balance the current uneven data mechanism. Some ideas have been enacted into nation-level data protection regulations such as GDPR, CCPA, PDPB, etc.
International Privacy Standards
The Universal Declaration of Human Rights by the United Nations is a milestone that provides every human being with the right to privacy. However, the interpretation of these rights varies globally and is not always harmonious. It was proclaimed by the United Nations General Assembly in Paris on 10th December 1948.
- All 21 member economies of Asia-Pacific Economic Cooperation (APEC) since 2004 have agreed upon a treaty that underpins nine Privacy Principles governing information privacy and cross-border data transfer.
- The Council of Europe adopted the Convention for the Protection of Individuals with Regards to Automatic Processing of Personal Data in 1981 and morphed its internet version in 1998 with the publication of “Draft Guidelines for the protection of individuals with regard to the collection and processing of personal data on the information highway, which may be incorporated in or annexed by Code of Conduct.”
- In the European Union, the Data Protection Directive of 1995 has been superseded since 2018 by the General Data Protection Regulation, which is influenced by the European Convention on Human Rights.
- The USA has enacted data privacy legislation that meets the specifics of a particular industry or section of the population. For example, the Children’s Online Privacy Protection Act (COPPA) entrusts parents to govern their kids’ information privacy; the Electronic Communications Privacy Act (ECPA) extends government restrictions on wire, oral and electronic communications; the Gramm-Leach-Bliley Act mandates financial institutions to explain their information-sharing practices to their consumers, etc. The USA has no federal law on Privacy. However, various states have recently been coming up with their own versions of privacy laws, e.g. the California Consumer Privacy Act and CPRA 2020, the Washington Privacy Act, etc.
- In 2013, the United Nations General Assembly adopted resolution 68/167 on the right to privacy in the digital age for the United Nations (UN).
Evolution of Privacy in India
Momentum in the Indian privacy space picked up pace with the Information Technology Act, 2000, which gave a legal framework for electronic governance by giving recognition to electronic records and digital signatures. However, in the absence of provisions for protection and of procedures to follow to ensure the security of sensitive personal information, it couldn’t do much.
In 2006, the Information Technology bill was placed in parliament but was not passed.
In 2008, the same Bill led to the Information Technology Act. Major amendments were made in 2008, with the introduction of Section 43A, which mandates a data processing body to compensate the affected person in case the corporate body deals with sensitive personal information and fails in maintaining reasonable security standards to protect such data, which thereby causes damage to the person; Section 72A provides for the punishment for a term not exceeding three years for disclosure of information in breach of lawful contract.
In June 2011, India issued final regulations implementing parts of IT (Amendment) Act, 2008, requiring organisations to obtain written consent from the data subjects before undertaking data processing activities. However, to date, the enforcement and application of the law remain uncertain.
In 2016, Karmanya Singh Sareen and Shreya Sethi filed a petition in Delhi High Court arguing WhatsApp’s change in privacy policy to share data with Facebook violated user privacy. On 23rd September 2016, a Divisional bench rejected the petition but directed WhatsApp to delete the data, until 25th September 2016, of users who opt to delete–as well as who retain–the application.
In 2017, TRAI came out with a consultation paper on “Privacy, Security and Ownership of Data in the Telecom Sector” to protect the data rights of individuals.
What are Fair Information Practices?
Many of the existing data protection laws are based on foundational privacy principles and practices, such as those laid out in the Fair Information Practices. The Fair Information Practices are a set of guidelines for data collection and usage. These guidelines were first proposed by an advisory committee to the U.S. Department of Health, Education, and Welfare in 1973. They were later adopted by the international Organization for Economic Cooperation and Development (OECD) in its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The Fair Information Practices are:
- Collection limitation: There should be limits to how much personal data can be collected
- Data quality: Personal data, when collected, should be accurate and related to the purpose it is being used for
- Purpose specification: The use for personal data should be specified
- Use limitation: Data should not be used for purposes other than what was specified
- Security safeguards: Data should be kept secure
- Openness: Personal data collection and usage should not be kept secret from individuals
- Individual participation: Individuals have a number of rights, including the right to know who has their personal data, to have their data communicated to them, to know why a request for their data is denied, and to have their personal data corrected or erased
- Accountability: Anyone who collects data should be held accountable for implementing these principles
What are some of the challenges users face when protecting their online privacy?
Online tracking: User behavior is regularly tracked online. Cookies often record a user’s activities, and while most countries require websites to alert users of cookie usage, users may not be aware of the degree to which cookies are recording their activities.
Losing control of data: With so many online services in common use, individuals may not be aware of how their data is being shared beyond the websites with which they interact online, and they may not have a say over what happens to their data.
Lack of transparency: To use web applications, users often have to provide personal data like their name, email, phone number, or location; meanwhile, the privacy policies associated with those applications may be dense and difficult to understand.
Social media: It is easier than ever to find someone online using social media platforms, and social media posts may reveal more personal information than users realize. In addition, social media platforms often collect more data than users are aware of.
Cyber crime: Many attackers try to steal user data in order to commit fraud, compromise secure systems, or sell it on underground markets to parties who will use the data for malicious purposes. Some attackers use phishing attacks to try to trick users into revealing personal information; others attempt to compromise companies’ internal systems that contain personal data.
What are some of the challenges businesses face when protecting user privacy?
Communication: Organizations sometimes struggle to communicate clearly to their users what personal data they are collecting and how they use it.
Cyber crime: Attackers target both individual users and organizations that collect and store data about those users. In addition, as more aspects of a business become Internet-connected, the attack surface increases.
Data breaches: A data breach can lead to a massive violation of user privacy if personal details are leaked, and attackers continue to refine the techniques they use to cause these breaches.
Insider threats: Internal employees or contractors might inappropriately access data if it is not adequately protected.
What are some of the most important technologies for data privacy?
- Encryption is a way to conceal information by scrambling it so that it appears to be random data. Only parties with the encryption key can unscramble the information.
- Access control ensures that only authorized parties access systems and data. Access control can be combined with data loss prevention (DLP) to stop sensitive data from leaving the network.
- Two-factor authentication is one of the most important technologies for regular users, as it makes it far harder for attackers to gain unauthorized access to personal accounts.
These are just some of the technologies available today that can protect user privacy and keep data more secure. However, technology alone is not sufficient to protect data privacy.