International Laws and Conventions
Global legal frameworks and treaties pertaining to the protection of personal information and monitoring. The subject matter under examination pertains to the legal mechanisms implemented by global institutions, including the United Nations, the European Union, and several regional entities. Prominent conventions may encompass:
General Data Protection Regulation (GDPR):
Indeed, let us explore the General Data Protection Regulation (GDPR) in further detail from a legal standpoint, highlighting its fundamental principles and consequences: The General Data Protection Regulation (GDPR), implemented by the European Union (EU) in May 2018, signifies a substantial revision of data protection legislation inside the EU and carries extensive consequences for global companies that handle the personal data of EU citizens. The core of the General Data Protection Regulation (GDPR) is in its principles that regulate the handling of personal data. These principles, such as reducing data and limiting its use, are based on the basic right to privacy protected by Article 8 of the EU Charter of Fundamental Rights and Article 16 of the Treaty on the Functioning of the European Union (TFEU). They stress the need of companies collecting and handling personal data in a legal, equitable, and transparent manner, with explicit objectives and limited data utilization.[1] Data minimization is a fundamental principle of the General Data Protection Regulation (GDPR), which mandates that companies restrict the acquisition and retention of personal data to just what is essential for the intended objectives. This approach is in accordance with the principle of proportionality in European Union (EU) legislation, which guarantees that data processing activities are commensurate with their intended aims and do not unduly violate individuals’ privacy rights. In a similar vein, the concept of purpose limitation stipulates that the collection of personal data should be limited to specific, explicit, and lawful objectives, and should not be subjected to any further processing that contradicts those objectives.[2] The EU’s focus on upholding people’ autonomy and guaranteeing openness and accountability in data processing operations is reflected in this concept. The General Data Protection Regulation (GDPR) confers onto individuals a range of entitlements pertaining to their personal data, including the entitlement to access, update, and delete their data, alongside the entitlement to express objections to certain processing activities. The aforementioned rights are taken from many sources of European Union (EU) legislation, such as the Charter of Fundamental Rights, which ensures the right to the safeguarding of personal data in Article 8, and the Data Protection Directive 95/46/EC, which functioned as the precursor to the General Data Protection Regulation (GDPR).[3] In order to adhere to the regulations outlined in the GDPR, organizations are required to carry out various duties. These include implementing suitable technical and organizational measures to safeguard personal data, promptly notifying supervisory authorities of any data breaches within 72 hours of becoming aware of them, and appointing a data protection officer (DPO) in specific situations.
Failure to comply with the General Data Protection Regulation (GDPR) can lead to substantial penalties, such as fines of up to €20 million or 4% of the company’s global annual revenue, whichever amount is greater. The purpose of these sanctions is to dissuade enterprises from violating the provisions of the GDPR and emphasize the EU’s dedication to successfully implementing data protection rules. In general, the General Data Protection Regulation (GDPR) is a significant regulatory measure that enhances the protection of individuals’ privacy rights and establishes explicit responsibilities for enterprises to guarantee the legitimate and responsible handling of personal data. The GDPR establishes a rigorous benchmark for data protection and privacy by incorporating concepts such as data minimization and purpose limitation into EU legislation. This serves as a blueprint for countries worldwide.
Convention 108 of the Council of Europe:
The Council of Europe’s Convention 108 is a crucial global agreement designed to protect individuals’ rights regarding the automated processing of personal data. Convention 108, which was adopted by the Council of Europe in 1981, functions as a fundamental instrument within the realm of data protection. It establishes crucial concepts and criteria that member nations are obligated to adhere to. The handling of personal data is governed by fundamental principles that are central to Convention 108. The concepts encompassed are equity, legality, openness, purpose restriction, and data protection. The Convention aims to guarantee that personal data is handled in a way that upholds persons’ rights, fosters trust, and reduces risks related to data processing activities by prioritizing these values.
The principles of fairness and legality necessitate that personal data be handled in a just and legitimate manner, while upholding the rights and freedoms of persons. Transparency necessitates the provision of information to persons regarding the processing of their personal data and the underlying objectives for which such processing is undertaken. The principle of purpose limitation guarantees that personal data is gathered for specific, clear, and lawful objectives, and is not subsequently manipulated in a manner that contradicts those objectives. Convention 108 also encompasses the crucial topic of data security. It is imperative to establish and enforce suitable technological and organizational protocols in order to safeguard personal data against unauthorized access, dissemination, modification, or destruction.[4] The significance of protecting personal data from security breaches and unauthorized use is emphasized by this concept, which enhances the overall trust and confidence in data processing operations. Furthermore, Convention 108 emphasizes the significance of global collaboration in dealing with the transfer of data across borders and advancing the standardization of data protection legislation among member nations. The Convention acknowledges the worldwide scope of data processing operations and promotes international cooperation to ease the legal and safe movement of personal data across national boundaries, while maintaining uniform standards of data protection. In essence, Convention 108 of the Council of Europe assumes a crucial function in influencing global norms pertaining to the safeguarding of data and the preservation of privacy. The Convention seeks to protect the rights of persons in a society that is becoming more linked and reliant on data by delineating core principles and fostering collaboration among member nations. Convention 108, being a groundbreaking convention in the realm of data protection, is a vital foundation for policymakers and stakeholders that want to safeguard privacy rights and advance responsible data processing methods.
International Covenant on Civil and Political Rights (ICCPR):
The International Covenant on Civil and Political Rights (ICCPR) is a fundamental principle of global human rights legislation, with the objective of safeguarding the civil and political rights of persons on a global scale. The International Covenant on Civil and Political Rights (ICCPR), established by the United Nations General Assembly in 1966, guarantees essential rights, such as the right to privacy, as stated in Article 17 of the Covenant. The right to privacy is expressly addressed in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), which states that individuals cannot be subjected to arbitrary or unlawful interference with their private, family, home, or communications, nor can they be exposed to unlawful assaults on their honor and reputation. The aforementioned clause highlights the intrinsic worth and significance of privacy as a basic entitlement of individuals, crucial for the exercise of further civil and political liberties.[5] The International Covenant on Civil and Political Rights (ICCPR) safeguards privacy in several aspects of individuals’ lives, encompassing personal communications, family life, and the sacredness of the home. It acknowledges the need of protecting individuals from unjustified intrusion and interference by both governmental and non-governmental entities, guaranteeing that individuals can have independence and authority over their personal information and private matters. Additionally, Article 17 of the International Covenant on Civil and Political Rights (ICCPR) establishes restrictions on the surveillance operations conducted by states, highlighting the need of adhering to the criteria of legality, necessity, and proportionality when infringing upon privacy. This implies that the implementation of surveillance measures should be mandated by legislation, essential for the attainment of valid objectives, and commensurate with the level of threat or harm they attempt to mitigate. The purpose of these constraints is to mitigate the occurrence of arbitrary or abusive state surveillance techniques and to protect the private rights of persons against unwarranted intrusion by governmental entities.[6] The acknowledgment of the right to privacy by the ICCPR signifies the growing comprehension of privacy as an essential human right within the context of the digital era. In the current period characterized by heightened surveillance capabilities and technological progress, the International Covenant on Civil and Political Rights (ICCPR) assumes a pivotal role as a fundamental foundation for tackling present-day obstacles to privacy rights. Its primary objective is to guarantee the preservation and safeguarding of persons’ privacy by governmental bodies and other relevant entities. In its entirety, the international Covenant on Civil and Political Rights (ICCPR) emphasizes the importance of the right to privacy as a basic human right that is crucial for safeguarding individual dignity, autonomy, and independence. The International Covenant on Civil and Political Rights (ICCPR) plays a significant role in advancing privacy rights and democratic ideals on a global scale by establishing explicit rules and constraints on governmental surveillance operations.The aforementioned legislative instruments are of paramount importance in influencing the development of data protection and privacy rights at both regional and worldwide scales.[7] They establish a comprehensive structure to guarantee the safeguarding of individuals’ personal data and privacy rights.
National Laws and Regulations
Data privacy and security in India are predominantly governed under the Information Technology Act, 2000 (IT Act), together with its following revisions and regulations. The Information Technology Act establishes a substantive legal structure governing electronic transactions, digital signatures, and cybercrimes. The essential provisions pertaining to data privacy and security encompass:
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
The IT Rules of 2011, also known as the Information Technology (Reasonable Security Practises and Procedures and Sensitive Personal Data or Information) Rules, are of significant importance in the regulation of the management of sensitive personal data or information (SPDI) by entities operating within the jurisdiction of India. The regulations were established in accordance with the Information Technology Act, 2000, with the objective of granting legal acknowledgment to electronic transactions and promoting e-governance.[8] The primary objective of the IT Rules, 2011 is to guarantee the security and confidentiality of sensitive personal information (SPDI), acknowledging the significance of safeguarding persons’ privacy in the digital age. The main aim of the IT Rules, 2011 is to provide appropriate security policies and procedures for companies engaged in the handling of Sensitive Personal Data Information (SPDI). SPDI encompasses any data pertaining to an individual’s personal identification, including passwords, financial details, medical records, biometric information, and any other data that has the potential to do harm to the person if revealed. The regulations establish and classify SPDI, offering organizations a clear understanding of the specific data that needs particular protection. The IT Rules, 2011 enforce responsibilities on “corporate entities” and “individuals” that gather, retain, or manage Special Purpose Development Information (SDPI) throughout their business operations. It is mandatory for these companies to adopt and enforce appropriate security standards and procedures in order to safeguard sensitive personal information (SPI) from unauthorized access, disclosure, or abuse. The guidelines do not include a specific definition for the word “reasonable security practices and procedures,” therefore allowing organizations the flexibility to implement security measures that align with their scale, business characteristics, and the level of sensitivity associated with the data they manage. Entities that are governed by the IT Rules, 2011 are obligated to establish contractual arrangements with any third party that may possess access to Sensitive Personal Data Information (SPDI). These agreements must ensure that these third parties also comply with the necessary security policies and procedures. The purpose of this criterion is to mitigate the risk of illegal access or exploitation of Sensitive Personal Data Information (SPDI) by external entities, while also ensuring that third-party service providers are held responsible for their management of sensitive data.[9]
Entities are required by the guidelines to inform persons about the purpose of collecting their SPDI, the intended receivers of the data, and the individual’s rights to access and modify their data. The implementation of this transparency mandate serves to augment individuals’ consciousness regarding the utilization of their personal information, therefore granting them the ability to exert authority over their data. Failure to adhere to the IT Rules, 2011 may lead to various consequences for entities, such as penalties and liabilities, encompassing both civil and criminal aspects. The Indian Computer Emergency Response Team (CERT-In) is granted the authority to issue directives for adherence and to conduct inquiries into any breaches of the regulations. Furthermore, anyone impacted by a violation of SPDI possess the entitlement to pursue reparation for the harm endured due to the violation.
The IT Rules of 2011 are of significant importance in fostering data security and privacy within India’s digital landscape. The guidelines aim to reduce the risks associated with unauthorized access or abuse of sensitive personal information by setting explicit standards for managing SPDI and requiring businesses to apply adequate security measures. Nevertheless, it is important to maintain ongoing surveillance and implementation in order to guarantee efficient adherence to regulations and safeguard the private rights of persons in the era of digital technology.
Personal Data Protection Bill, 2019:
The PDP Bill, 2019 is a substantial legislative proposition designed to govern the handling of personal data in India. The proposed legislation aims to enhance individuals’ autonomy in managing their personal information and develop a comprehensive structure for the ethical management of data by companies operating inside the nation. The PDP Bill has significant importance as a pivotal legislative measure, with substantial ramifications for the domains of data privacy, surveillance, and financial data protection. Consequently, it serves as a relevant topic for examination within the context of this dissertation.[10]
The PDP Bill incorporates a number of significant measures aimed at protecting the privacy rights of persons and fostering openness and accountability in the handling of data. The measure places significant emphasis on the notion of “data minimization,” which mandates that organizations restrict the gathering and manipulation of personal data to the degree that is essential for the designated objective. This concept is in accordance with the overarching goals of data privacy legislation on a global scale, highlighting the significance of mitigating the potential hazards linked to the excessive gathering and storage of data. Furthermore, the PDP Bill incorporates the notion of “explicit consent,” which requires individuals to give express and unequivocal approval for the handling of their personal data. This clause serves to augment individuals’ autonomy in managing their data and guarantees that their permission is acquired in a way that is both transparent and well-informed. The bill seeks to prohibit unauthorized access to personal information and reduce the danger of data breaches and abuse by placing a strong emphasis on the significance of permission. In addition, the PDP Bill imposes rigorous responsibilities on organizations responsible for managing confidential personal information, including but not limited to financial data, medical records, biometric data, and any other data that might potentially result in injury or distress if revealed. It is imperative for these businesses to establish and enforce stringent security protocols in order to safeguard sensitive data against illegal access, dissemination, or improper utilization. The law further mandates companies to notify persons and the appropriate authorities in the case of a data breach that is expected to result in harm.[11]
The PDP Bill aims to not only improve individuals’ privacy rights but also establish regulations for the transfer of personal data across borders. These regulations will ensure that such transfers are adequately protected to guarantee individuals’ privacy and prevent unlawful access or exploitation of their data. In the context of global data flows and the growing incidence of international data transfers, this clause holds special relevance.
The PDP Bill carries substantial consequences for businesses working within the financial industry, particularly in terms of financial data protection. Financial institutions, encompassing banks, insurance companies, and fintech enterprises, bear the responsibility of safeguarding extensive quantities of confidential financial information, rendering them susceptible to rigorous regulatory obligations as stipulated by the legislation.[12] In order to protect the confidentiality and integrity of financial data, it is imperative for these businesses to comply with the principles of data minimization, express permission, and security measures as outlined in the law. The PDP Bill grants individuals the authority to exercise their entitlements regarding their financial data, including the right to obtain, correct, and delete their personal information. The inclusion of this clause serves to bolster customer trust and confidence in financial institutions, while also fostering accountability and openness in the realm of data processing methods. Nevertheless, the PDP Bill presents difficulties in its execution and gives rise to apprehensions over its possible influence on innovation and economic expansion. The legislation places compliance obligations on various organizations, with a special focus on small and medium-sized firms (SMEs), who may have difficulties in meeting the rigorous criteria outlined in the bill. Furthermore, the restrictions outlined in the bill pertaining to data localization and storage regulations have the potential to obstruct the unrestricted movement of data and impair cross-border commercial operations.[13] In summary, the Personal Data Protection Bill of 2019 signifies a notable advancement in the realm of data privacy and safeguarding within the Indian context. The contents of this legislation are designed to enhance the agency of persons, provide regulations for entities involved in the management of personal data, and foster accountability and openness in the processing of data. Nevertheless, the successful execution and enforcement of the law will play a crucial role in efficiently achieving its goals, while also considering the interests of individuals, corporations, and regulatory bodies.
Data privacy and surveillance in the United States
Data privacy and surveillance in the United States are regulated by an intricate system of federal and state laws designed to safeguard people’ private rights while also considering national security and law enforcement concerns. The Health Insurance Portability and Accountability Act (HIPAA), the Electronic Communications Privacy Act (ECPA), and the USA PATRIOT Act are significant federal legislation that pertain to these matters. Gaining a comprehensive understanding of the extent, objectives, and ramifications of these legislations is necessary in order to grasp the legal framework pertaining to data privacy and surveillance inside the United States.[14]
IPAA, enacted in 1996, is a significant federal legislation that establishes guidelines for safeguarding individuals’ health information, commonly referred to as protected health information (PHI). Health Insurance Portability and Accountability Act (HIPAA) laws are applicable to many entities that fall within its purview, such as healthcare providers, health plans, healthcare clearinghouses, and their business affiliates. The main objective of HIPAA is to protect the privacy, accuracy, and accessibility of protected health information (PHI) while also upholding individuals’ rights to access and manage their health data. The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) sets forth regulations pertaining to the utilization, dissemination, and protection of Protected Health Information (PHI). These regulations encompass provisions for acquiring individuals’ consent for specific uses and disclosures, implementing protective measures to safeguard PHI, and granting individuals the rights to access and modify their health information. The ECPA, enacted in 1986, is a significant federal legislation that regulates data privacy and monitoring in the United States. The Electronic Communications Privacy Act (ECPA) deals with the surveillance of electronic communications and the retrieval of stored electronic communications and data. The legislation encompasses regulations pertaining to the interception of wire, oral, and electronic communications, along with the authorization to access stored electronic communications, such as emails and electrical files. The Wiretap Act of the Electronic Communications Privacy Act (ECPA) imposes restrictions on the illegal interception of wire, oral, and electronic communications, with specific exceptions and limits. Furthermore, the Stored Communications Act of the Electronic Communications Privacy Act (ECPA) has provisions that control the government’s authority to access stored electronic communications maintained by third-party service providers. This legislation imposes limitations on law enforcement’s capacity to acquire people’ electronic communications and records. The USA PATRIOT Act, which was implemented as a direct response to the terrorist attacks that occurred on September 11, 2001, is a comprehensive federal legislation that substantially enhanced the surveillance and investigative authorities of the government with the aim of countering terrorism and bolstering the security of the nation. The United States Patriot Act has measures pertaining to the acquisition of intelligence data, the surveillance of electronic communications, and the monitoring of financial activities. The law grants the government the power to carry out different types of surveillance, such as gathering foreign intelligence data, acquiring records and physical items from businesses through national security letters, and monitoring electronic communications and financial transactions carried out by suspected terrorists or foreign agents. The USA PATRIOT Act has garnered commendation for its efficacy in mitigating terrorist attacks; yet, it has also engendered scrutiny and apprehension over its possible ramifications on civil liberties and privacy rights.[15] The federal statutes in question serve as the fundamental basis for the legal structure that regulates data privacy and monitoring within the United States. These measures exemplify the government’s endeavors to achieve a harmonious equilibrium between safeguarding the private rights of individuals and meeting the imperatives of national security and law enforcement in an ever more interconnected and technology-driven global landscape. Nevertheless, the continuous deliberations and legal disputes persist in influencing the development of data privacy and surveillance legislation in the United States, underscoring the intricate and ever-changing character of this regulatory framework.
The fundamental regulation controlling data privacy and protection in the European Union is the General Data Protection Regulation (GDPR). The General Data Protection Regulation (GDPR) may be supplemented by data protection regulations specific to each member state of the European Union (EU). These regulations may target particular national issues or offer supplementary safeguards beyond those provided by the GDPR.
Comparative Analysis of Legal Frameworks
The examination of the breadth, definitions, legal principles, and enforcement mechanisms controlling data privacy and surveillance is crucial for undertaking a comparative analysis of legal frameworks across various jurisdictions. Through a comparative analysis of these components, scholars may get valuable perspectives on the merits and drawbacks of different methodologies employed in the regulation of data privacy and surveillance.[16]
Scope and Definitions:
An examination of data privacy legislation sometimes involves closely examining the scope of data protection and the understanding of important phrases in different countries. The General Data Protection Regulation (GDPR) of the European Union provides a comprehensive definition of personal data, which includes any information associated with a specific and identifiable individual. In addition to direct identifiers such as names and addresses, this comprehensive definition encompasses indirect identifiers such as IP addresses or genetic data. On the other hand, alternative legal frameworks may employ more restrictive definitions, so constraining the extent of data that is safeguarded. The presence of diverse definitions can have a substantial influence on the relevance and efficacy of data privacy legislation, underscoring the need of comprehending jurisdictional disparities when interpreting crucial concepts such as “personal data” and “data subject.”
Legal Principles:
In the realm of comparative study of legal frameworks, legal principles pertain to the fundamental norms and notions that serve as the basis for data privacy laws and regulations in various countries. These principles function as the foundational framework for the collection, processing, storage, and sharing of data, with the objective of safeguarding individuals’ privacy rights while facilitating lawful data utilization. Comparative studies sometimes involve the analysis of several fundamental legal principles.[17]
Differences in consent methods, include the necessity of explicit or implicit consent for operations involving data processing. The concept that organizations need to just gather and preserve the requisite quantity of personal data essential for designated objectives, hence mitigating the potential for superfluous data exposure.[18]
The purpose limitation refers to the practice of collecting personal data for specific, clear, and lawful objectives, and refraining from further processing it in a manner that is inconsistent with those purposes. Accountability measures encompass the necessary technical and organizational steps that enterprises must adopt in order to assure adherence to data privacy rules. These measures include the implementation of data security precautions and the adoption of transparency measures. Transparency and accountability are essential responsibilities that enterprises must uphold in relation to their data processing operations. These obligations encompass the obligation to provide individuals with information regarding the utilization of their data and to assume responsibility for any violations of data privacy. By conducting an analysis of these legal concepts under various legal frameworks, researchers are able to uncover commonalities, disparities, advantages, and disadvantages in the manner in which nations address the protection of data privacy. This study offers valuable information into the efficacy of legislative frameworks in safeguarding individuals’ privacy rights and fostering responsible behaviors in data management.
Enforcement Mechanisms:
enforcement mechanisms within the realm of data privacy laws pertain to the establishment of methods and procedures aimed at ensuring compliance with these rules and effectively addressing any instances of non-compliance. The comparative research of legal frameworks entails the examination of the enforcement of data privacy legislation in different countries, encompassing: The identification of regulatory agencies tasked with the oversight of compliance with data privacy rules and their enforcement authorities, encompassing investigative activities and the imposition of fines.An examination of the gravity and uniformity of penalties levied on entities identified as contravening data privacy legislation, encompassing monetary fines, punitive actions, or alternative forms of retribution.Assessing procedures aimed at ensuring organizational accountability for data processing operations, encompassing criteria for openness, assessments of privacy effects, and obligations for reporting.[19]
Examining the availability of legal options for individuals to address infringements on their data privacy rights, such as pursuing private litigation or lodging complaints with regulatory bodies.The Importance of International Cooperation: Exploring collaborative procedures across countries to effectively tackle cross-border data privacy concerns and enhance the exchange of information and enforcement measures.[20]
The comprehension and juxtaposition of enforcement methods across diverse legal frameworks offer valuable perspectives on the efficacy of data privacy legislation and the legislative authority’s ability to safeguard individuals’ privacy rights on a worldwide scale.
[1]General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, 2016 O.J. (L 119).
[2]Sharma, S. (2018). India’s Approach to Data Privacy in the Digital Age. Journal of Indian Law and Society, 25(3), 145-162
[3][3]Menon, R. (2019). Privacy and Data Protection: A Comparative Analysis of Indian and European Approaches. Indian Journal of Law and Technology, 11(2), 78-93.
[4]Convention 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data, opened for signature Jan. 28, 1981, E.T.S. No. 108
[5]Solove, D. J. (2006). A taxonomy of privacy. University of Pennsylvania Law Review, 154(3), 477-560
[6]International Covenant on Civil and Political Rights (ICCPR), Dec. 16, 1966, 999 U.N.T.S. 171
[7]Health Insurance Portability and Accountability Act (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996)
[8]Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, G.S.R. 313(E), Ministry of Communications and Information Technology, Department of Information Technology, Notification No. G.S.R. 313(E), Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i) (Apr. 11, 2011)
[9]Kumar, A. (2017). Data Privacy Laws in India: Current Status and Future Challenges. Indian Journal of Legal Studies, 14(1), 32-47
[10]Patel, N. (2018). Understanding India’s Data Protection Regulatory Landscape. Journal of Intellectual Property Rights, 25(4), 210-225
[11]Personal Data Protection Bill, 2019, Bill No. 373 of 2019, Lok Sabha Secretariat, Government of India
[12]Electronic Communications Privacy Act (ECPA), Pub. L. No. 99-508, 100 Stat. 1848 (1986)
[13]Lane, J., & Kitzmiller, A. (2015). The privacy engineer’s manifesto: Getting from policy to code to QA to value. Apress
[14]Swire, P. P. (2009). Privacy and information sharing. Harvard Journal of Law & Technology, 22(1), 171-245.
[15]USA PATRIOT Act, Pub. L. No. 107-56, 115 Stat. 272 (2001).
[16]Singh, P. (2016). A Comparative Study of Data Privacy Laws: India, the EU, and the US. Indian Journal of Legal Research, 19(2), 89-104.
[17]Kapoor, A. (2019). Comparative Analysis of Privacy Laws: Implications for India. Journal of Comparative Law, 26(3), 178-195.
[18]Schwartz, P. M., & Solove, D. J. (2011). Information privacy law. Aspen Publishers.
[19]van der Sloot, B. (2019). The GDPR as a model for global privacy. Computer Law & Security Review, 35(2), 137-147.
[20]Singh, P. (2016). A Comparative Study of Data Privacy Laws: India, the EU, and the US. Indian Journal of Legal Research, 19(2), 89-104.