Foundations of Data Privacy and Comparative Regulations Flashcards


A comprehensive set of 100 vocabulary flashcards covering global data privacy regulations (GDPR, DPDPA, APPI, UAE PDPL), core principles, stakeholder roles, data rights, and enforcement mechanisms based on lecture notes.

Last updated 1:24 PM on 5/28/26
100 Terms

1

Data Privacy

The essential tenet governing the rights, regulations, and practices for the collection, use, storage, and sharing of personal information.

2

Four Pillars of Personal Data

The four integrated criteria under GDPR: Any information, Relating to, Identified or Identifiable, and Natural Person.

3

Content Element

A condition for information relating to an individual where the data is directly about the person, such as medical records.

4

Purpose Element

A condition for information relating to an individual where data is used to influence or analyze a person, such as targeted advertising.

5

Result Element

A condition for information relating to an individual where the use of data impacts an individual's rights or interests, even if it appears impersonal.

6

Right to Privacy (1890)

An article by Warren and Brandeis arguing for the 'right to be left alone.'

7

Article 12 of the Universal Declaration of Human Rights

The 1948 global standard recognizing privacy as a fundamental right.

8

1980 OECD Guidelines

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, issued in response to the growth of computerised data processing; their eight principles (collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability) underlie most later privacy laws.

9

1983 German Census Judgment

A landmark German Federal Constitutional Court ruling on informational self-determination.

10

EU Directive 95/46/EC

The 1995 organized framework establishing the foundation for modern data transfer and processing until the GDPR.

11

Justice K.S. Puttaswamy (Retd.) vs. Union of India

The landmark 2017 Supreme Court judgment that declared the Right to Privacy a fundamental right under Article 21 of the Indian Constitution.

12

Srikrishna Committee

The expert committee chaired by Justice B.N. Srikrishna, constituted in 2017 shortly before the Puttaswamy judgment, whose draft data protection bill began the legislative process that ended with the DPDPA being enacted in 2023.

13

Natural Person

A living human being, as opposed to legal entities, to whom personal data protections apply.

14

Data Protection

The technical responsibility of a company focusing on mechanisms, tools, and procedures to enforce privacy policies.

15

Data Security

Broad measures designed to protect data from external and internal threats, emphasizing confidentiality, integrity, and availability.

16

Right to Nominate

A unique DPDPA feature allowing a Data Principal to name another person to exercise privacy rights on their behalf in case of death or incapacity.

17

Digital Personal Data

The specific scope of the DPDPA, which excludes non-digital data stored in physical formats.

18

Personal Information Handling Business Operator (PIHBO)

Any entity under Japan's APPI, including individuals and non-profits, using a personal information database for business.

19

Extraterritorial Application (APPI)

The APPI applies to foreign entities handling Japanese individuals' information in connection with supplying goods or services.

20

Free Zones (UAE)

Areas like DIFC or ADGM that have their own independent data protection regulations and are exempt from the UAE PDPL.

21

Establishment Principle

A jurisdictional threshold where laws apply to organizations based in a specific region, regardless of where data processing occurs.

22

Targeting Principle

A jurisdictional threshold where laws apply to non-resident entities if they offer goods/services or monitor residents in a specific region.

23

Statutory Reference for SMI

Under DPDPA Notified Rules, Social Media Intermediaries are defined by a reference to the IT Rules, 2021.

24

Material Scope Exclusion (GDPR)

Exclusions under Article 2(2) for household activity, law enforcement, national security, and common foreign security policy.

25

Publicly Available Data (DPDPA)

Personal data explicitly excluded from scope if made public by the Data Principal or under legal obligation.

26

Real and Effective Activity

The flexible interpretation of 'Establishment' under GDPR that focuses on stable arrangements rather than legal incorporation.

27

Special Care-Required Personal Information

Japan's version of sensitive data, including race, creed, medical history, or criminal record.

28

Section 17(2)(b) of the DPDPA

Provides a wide exemption for data processing undertaken for research, archiving, or statistical purposes.

29

Lawfulness, Fairness, and Transparency

The base layer principle requiring a valid legal reason, no surprises for the user, and clear communication.

30

Purpose Limitation

The rule that data must be collected for specific reasons and not used for incompatible 'scope creep' later.

31

Data Minimization

The requirement to collect only data that is strictly adequate and relevant for a specific task.

32

Accuracy Principle

The proactive duty of an organization to take reasonable steps to ensure data is not incorrect or misleading.

33

Storage Limitation

The requirement to delete or anonymize personal data once it is no longer needed after a set retention period.

34

Integrity and Confidentiality

The security principle mandating technical measures like encryption to protect data from leaks, loss, or damage.

35

Accountability Principle

The overarching principle (GDPR Article 5(2)) that the controller is responsible for, and must be able to demonstrate, compliance with the other principles, through evidence such as records of processing, policies, logs and training.

36

Rule 10 (DPDPA)

Mandates verifiable parental consent through held information, parent-provided ID, or government-issued tokens.

37

Children's Tracking Exemption (India)

Permits tracking without parental consent strictly for real-time location safety or avoiding detrimental advertisements.

38

Data Controller (or Data Fiduciary)

The entity that decides the 'Why' and 'How' of personal data processing and carries ultimate responsibility.

39

Data Processor

A separate entity handling data on behalf of a Controller with limited autonomy and strict documented instructions.

40

Joint Controllers

Two or more organizations that together decide the purposes and means of processing and share accountability.

41

Consent Manager (DPDPA)

A registered entity acting as an agent for the Data Principal to manage, review, and withdraw consents across services.

42

Data Subject (or Data Principal)

The natural person whose data is being processed.

43

Contractual Necessity

A legal basis for processing data required to deliver a product or service the person signed up for.

44

Vital Interests

A legal basis for processing in emergency 'life-or-death' situations to save a person's life.

45

Legitimate Interests

A balancing act where a company's valid business reason (e.g., fraud prevention) does not override individual privacy rights.

46

Two-Layer Retention Framework

Under the DPDPA Rules, specified large platforms (such as e-commerce, social media and online gaming services above notified user thresholds) must erase a Data Principal's personal data once three years have passed since the person last interacted with them for the specified purpose, and must keep associated logs for at least a further year so that compliance can be demonstrated.

47

Retained Personal Data Rights (Japan)

Rights allowing individuals to request disclosure, correction, or cessation of use/third-party transfer.

48

Voluntary Purpose (DPDPA)

A 'legitimate use' ground under Section 7(a) of the DPDPA rather than assumed consent: where a person voluntarily provides personal data for a specified purpose (for example, a phone number to receive a digital receipt) and has not objected to its use, the Fiduciary may process it for that purpose without separate consent.

49

Strict Consent Requirements

Criteria requiring consent to be freely given, specific, informed, unambiguous, and easy to withdraw.

50

Explicit Consent

The higher consent standard required for special-category (sensitive) data, for example under GDPR Article 9(2)(a): an express statement rather than consent inferred from conduct, and one of a limited set of exceptions to the general prohibition on processing such data.

51

Pseudonymization

Replacing direct identifiers with artificial ones so data cannot be attributed to a person without additional information, which must be kept separately under technical and organisational measures (GDPR Article 4(5)). Pseudonymised data is still personal data, unlike anonymised data.

52

PPC (Personal Information Protection Commission)

The Japanese regulator to whom significant data breaches must be reported.

53

UAE Breach Reporting Timeline

The Controller must notify the UAE Data Office 'immediately' upon a data breach.

54

DPDPA Comprehensive Breach Report

A detailed report that must be submitted to the Data Protection Board within 72 hours of initial discovery.

55

90 Days

The maximum period allowed for an organization to respond to a Data Principal's grievance under DPDPA Rules.

56

Right to be Informed

Requirement for organizations to provide clear details on the 'Who, What, Why, and How Long' of processing.

57

Right of Access (GDPR)

The right to ask for a copy of actual personal data and an explanation of its use.

58

Right of Access (DPDPA)

The right to receive a summary of data processed and a list of entities with whom data was shared.

59

Right to Restriction of Processing

A 'pause button' where processing stops but data remains stored, used during accuracy disputes.

60

Right to Erasure

Also known as the 'Right to be Forgotten,' it allows individuals to require deletion of their personal data in defined circumstances (for example, when it is no longer needed or consent is withdrawn), subject to exceptions such as legal retention duties.

61

Right to Data Portability

The technical requirement to provide data in a structured, machine-readable format like CSV or JSON.

62

Right to Object

The right to halt specific processing types, most commonly applied to direct marketing.

63

Privacy by Design

Integrating privacy protections into product development from the very first line of code.

64

Privacy by Default

A system setting where the most privacy-friendly options are automatically active without user intervention.

65

Data Breach

Any security incident leading to unauthorized destruction, loss, alteration, or access to personal data.

66

Data Protection Officer (DPO)

A specialized officer responsible for overseeing data protection strategy and ensuring legal compliance.

67

DPO Independence

The guarantee that a DPO must not receive instructions from management on how to perform their duties.

68

Significant Data Fiduciary

Entities in India for whom appointing a DPO based in India is mandatory.

69

Adequacy Decision

A 'Green List' of countries officially recognized by the European Commission as having equivalent data protections.

70

Standard Contractual Clauses (SCCs)

Commission-approved contract templates whose core clauses may not be altered, used to bind data importers outside the EEA to GDPR-level standards.

71

Binding Corporate Rules (BCRs)

A single set of internal privacy rules for global company branches to follow for international transfers.

72

Transfer Impact Assessment (TIA)

A proactive assessment evaluating the laws of a destination country, made famous by the Schrems II case.

73

Legitimate Interest Assessment (LIA)

A tool used to prove a company's business need outweighs the individual's privacy risk.

74

Blacklist (DPDPA Transfers)

A restricted list of countries to which the Indian government may prohibit data transfers.

75

Supervisory Authority

Independent 'referees' like the ICO (UK) or CNIL (France) that investigate complaints and issue fines.

76

GDPR Tier 1 Penalty

Fines up to €10 million or 2% of global annual turnover, whichever is higher, for administrative failures (GDPR Article 83(4)).

77

GDPR Tier 2 Penalty

Fines up to €20 million or 4% of global annual turnover, whichever is higher, for core principle violations (GDPR Article 83(5)).

78

DPDPA Security Breach Fine

Fixed cap of up to ₹250 crore for failing to take reasonable security measures.

79

DPDPA Children's Data Fine

Fixed cap of up to ₹200 crore for violating minor-specific obligations.

80

Blocking Power (Section 37)

The Indian Government's power to block public access to a platform if a Fiduciary is a repeat offender.

81

Cambridge Analytica Saga

A case where negligence in overseeing third-party developers led to unauthorized harvesting of millions of users' data.

82

Schrems I (2015)

Legal judgment that invalidated the 'Safe Harbor' framework for EU to U.S. data transfers.

83

Schrems II (2020)

Legal judgment that invalidated 'Privacy Shield' and mandated TIAs for international transfers.

84

Access Control

The technical measure ensuring only authorized staff with a 'need-to-know' can access specific datasets.

85

Supplementary Measures

Technical, contractual or organisational measures added on top of a transfer tool such as SCCs (for example, end-to-end encryption with keys held only in the exporting jurisdiction) when a TIA finds that the destination country's laws undermine the tool's protections.

86

DPIA (Data Protection Impact Assessment)

A mandatory risk assessment, carried out before processing begins (GDPR Article 35), for projects involving high-risk processing such as large-scale monitoring or use of sensitive data.

87

Opt-out Scheme (Japan)

A registered scheme allowing third-party data provision unless the individual opts out.

88

72 Hours

The reporting window for notifying authorities of a data breach: under GDPR, without undue delay and where feasible within 72 hours of becoming aware; under the DPDPA Rules, a detailed report to the Board within 72 hours of the initial intimation.

89

Identified or Identifiable

Pillar of personal data where a person is distinguishable or can be identified by combining disparate identifiers.
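Cards 51 (Pseudonymization) and 89 (Identified or Identifiable) describe two points that are easier to see in code: a keyed pseudonym cannot be linked back without the separately held key, whereas a plain hash of a low-entropy identifier such as an e-mail address is reversed by a dictionary of guesses; and a pseudonymised record can still single a person out through a combination of quasi-identifiers, which is why it remains personal data. The following is an added example written for this page, not code from the lecture notes; the records, e-mail addresses and key are constructed, and the k-anonymity count is the usual "smallest equivalence class over the quasi-identifier columns".

```python
"""Keyed pseudonymisation vs. unkeyed hashing, and why pseudonymised
records can still identify someone (added example, constructed data)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: invented people, not real data.
RECORDS = [
    {"email": "alice@example.org", "postcode": "SW1A", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"email": "bob@example.org",   "postcode": "SW1A", "birth_year": 1984, "sex": "M", "diagnosis": "none"},
    {"email": "carol@example.org", "postcode": "EC2A", "birth_year": 1990, "sex": "F", "diagnosis": "diabetes"},
    {"email": "dave@example.org",  "postcode": "EC2A", "birth_year": 1990, "sex": "F", "diagnosis": "none"},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")

# Hypothetical secret. In practice it lives in a key store, never next to the
# pseudonymised dataset (the "additional information" of GDPR Art. 4(5)).
PSEUDONYM_KEY = b"example-only-key-rotate-me"

# Constructed guess list an attacker might try (a real one would be far larger).
CANDIDATES = [f"{name}@example.org" for name in ("alice", "bob", "carol", "dave", "erin")]


def _normalise(identifier):
    # Case/whitespace normalisation so the same person maps to one pseudonym.
    return identifier.strip().lower().encode()


def pseudonym(identifier, key=PSEUDONYM_KEY):
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def naive_hash(identifier):
    """Unkeyed SHA-256: the common but weak 'anonymisation' shortcut."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise(records):
    """Return copies of the records with the e-mail replaced by a keyed pseudonym."""
    out = []
    for r in records:
        r2 = dict(r)
        r2["subject_id"] = pseudonym(r2.pop("email"))
        out.append(r2)
    return out


def reverse_by_dictionary(token, candidates, hash_fn):
    """Dictionary attack: push each candidate through hash_fn and compare.
    Returns the recovered identifier, or None if no candidate matches."""
    for c in candidates:
        if hmac.compare_digest(hash_fn(c), token):
            return c
    return None


def _classes(records, quasi_identifiers):
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one quasi-identifier combination."""
    return min(_classes(records, quasi_identifiers).values())


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination is unique (k == 1)."""
    classes = _classes(records, quasi_identifiers)
    return [r for r in records if classes[tuple(r[q] for q in quasi_identifiers)] == 1]


if __name__ == "__main__":
    data = pseudonymise(RECORDS)
    # The unkeyed hash is reversed by the guess list; the keyed one is not.
    print(reverse_by_dictionary(naive_hash("alice@example.org"), CANDIDATES, naive_hash))
    print(reverse_by_dictionary(data[0]["subject_id"], CANDIDATES, naive_hash))
    # Even without the key, postcode+birth_year+sex single out two people.
    print(k_anonymity(data), [r["diagnosis"] for r in singled_out(data)])
    # Generalising (dropping sex) raises k to 2.
    print(k_anonymity(data, ("postcode", "birth_year")))
```

The point for a practitioner: the pseudonym step protects against re-identification only while the key stays out of the dataset's trust boundary, and it does nothing about the quasi-identifier columns; the k-anonymity check is what tells you whether the remaining columns still identify someone and whether generalisation or suppression is needed before the data can be treated as anything other than personal data.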

90

Automated Decision-Making

Processes where algorithms make significant decisions (like loan denials) without human oversight.

91

Human Intervention

The right of a user to request a review of an algorithmic decision by a real person.

92

Confidentiality, Integrity, and Availability

The three core pillars emphasized by Data Security measures.

93

Consent (UAE Basis)

While primary, it is not mandatory if processing is for contracts, legal obligations, or public interest.

94

Physical Data Exclusion

The DPDPA explicitly excludes non-digital data that is stored in physical formats and not digitized.

95

Informational Self-Determination

A concept originating from the German 'census judgment' of 1983.

96

Deceased Individuals' Data

Excluded by GDPR but covered by the 'Right to Nominate' under the Indian DPDPA.

97

Itemized Description

A requirement for DPDPA Privacy Notices to list specific data and processing purposes.

98

Access Tokens

A technical metaphor for the legal grounds required before a system can execute data processing logic.

99

User API

A technical metaphor for the set of rights endpoints an organization must expose to let individuals control their data.

100

Digital Office

The designated nature of the Data Protection Board of India for handling complaints and breach remediation.