Advisory for APS School Students

Modern international trade heavily relies on data transfers for the exchange of digital goods and services. User data travels across multiple jurisdictions and legal regimes, each with different rules for processing it. Since international treaties and standards for data protection are inadequate, states, in an effort to protect their citizens' data, have begun extending their domestic privacy laws beyond their borders. However, this opens a Pandora's box of legal and administrative complexities for both, the data protection authorities and data processors. The former must balance the harmonization of domestic data protection laws with their extraterritorial enforcement, without overreaching into the sovereignty of other states. The latter must comply with the data privacy laws in all states where it collects, stores, and processes data. While the international legal community continues to grapple with these challenges, India can draw valuable lessons to refine the Digital Personal Data Protection Act, 2023 (DPDP) in a way that effectively addresses these complexities.

Why Extraterritorial Application? 

Since data moves freely across borders and entities collecting such data from users in multiple states can misuse it or use it to gain an unfair competitive advantage in local markets, data privacy laws carry a clause on their extraterritorial application. Thus, this principle is utilized by states to frame laws that can ensure comprehensive data protection for their citizens, irrespective of the data’s location.  The foremost example of this is the European Union’s (EU) General Data Protection Regulation (GDPR), 2016,  which applies to any entity that processes the personal data of its citizens, regardless of its location. Recently, India has enacted the DPDP Act of 2023, which includes a clause on extraterritorial application.

The Extraterritorial Approach: GDPR and DPDP Act

The GDPR is considered the toughest data privacy law in the world and sets a global standard in data protection. According to Article 3, its provisions apply not only to data processors within the EU but also to those established outside its territory, if they offer goods and services to and conduct behavioural monitoring of data subjects within the EU. The enforcement of this regulation relies on heavy penalties for non-compliance in the form of fines up to €20 million or 4% of the company’s global turnover, whichever is higher, in case of severe violations. As a result, corporations based in the USA, like Meta and Clearview AI, have been fined over  €1.5 billion and €5.5 million respectively, under the GDPR. 

Like the GDPR, the DPDP Act extends its jurisdiction to foreign companies dealing with personal data of data principles within Indian territory under section 3(b). It has a similar extraterritorial reach and prescribes a penalty of up to Rs 250 crores in case of breaches. However, the Act or DPDP Rules, 2025, which are currently under deliberation, do not elaborate on an enforcement mechanism through which foreign companies can be held accountable. 

Lessons for India’s DPDP on Managing Extraterritorial Application 

1. Clarity in Definitions: GDPR clearly defines ‘personal data’, covering direct information such as name and identification number,  indirect identifiers like location data, and, online identifiers that can be used to identify the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person. It also prohibits revealing special categories of personal data like religious beliefs and biometric data to protect the fundamental rights and freedoms of the subjects. On the other hand, the DPDP Act/ Rules define ‘personal data’ vaguely, leaving a broad scope for Big Tech and ad-tech firms to bypass obligations. 
2. International Cooperation: Compliance is complex for companies due to varying data protection laws in different countries. The success of regulatory measures in such a scenario depends on international cooperation for governing cross-border data flows and enforcement. For DPDP to be effective, India will have to foster cooperation frameworks with other nations. 
3. Adequate Safeguards for Data Transfers: The GDPR regulates data transfers outside the EU via pre-approved legal mechanisms such as standard contractual clauses or binding corporate rules to ensure that the same level of protection applies to EU citizens’ data even when it is processed outside the EU. The DPDP should adopt similar safeguards to ensure that Indian citizens’ data is protected when processed abroad.
4. Revised Penalty Structure: The GDPR mandates a penalty structure that must be effective, proportionate, and dissuasive. The supervisory authority in each member state has the power to impose administrative fines as per these principles, up to an upper limit set by the GDPR. On the other hand, the DPDP’s penalty structure is simplistic and will disproportionately impact smaller businesses. It must take into regard factors such as nature, gravity, and duration of the infringement, its consequences, compliance measures taken, etc.
5. Governance Structure: The GDPR envisages a multi-tiered governance structure comprising of   

• National-level Data Protection Authorities (DPAs) for enforcing national data protection laws and the GDPR, 
• European Data Protection Supervisor (EDPS) for monitoring the processing of personal data by EU institutions and bodies,  
• European Commission (EC) for developing GDPR legislation
• European Data Protection Board (EDPB) for enabling coordination between the EC, EDPS, and DPAs

In contrast, the Data Protection Board (DPB) under DPDP will be a single, centralized body overseeing compliance and enforcement. Since its members are to be appointed by the Central Government, it raises questions about the Board’s autonomy and ability to apply regulations consistently. Further, its investigative and enforcement capabilities are not well defined.

Conclusion 

The protection of the human right to privacy ( under the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights) in today’s increasingly interconnected digital economy warrants international standard-setting on cross-border data protection. In the meantime, States relying on the extraterritorial application of domestic laws is unavoidable. While India’s DPDP takes measures towards this, they must be refined to ensure clarity regarding implementation mechanisms. They should push for alignment with data protection laws of other States, and account for the complexity of enforcement in cases involving extraterritorial jurisdiction. As India sets out to position itself as a global digital leader, a well-crafted extraterritorial framework under the DPDP Act will be essential to promote international trust in India’s data governance regime.

Sources

• https://gdpr-info.eu/art-83-gdpr/ 
• https://gdpr-info.eu/recitals/no-150/ 
• https://gdpr-info.eu/recitals/no-51/ 
• https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf 
• https://www.eqs.com/compliance-blog/biggest-gdpr-fines/#:~:text=ease%20the%20burden.-,At%20a%20glance,In%20summary 
• https://gdpr-info.eu/art-3-gdpr/ 
• https://www.legal500.com/developments/thought-leadership/gdpr-v-indias-dpdpa-key-differences-and-compliance-implications/#:~:text=Both%20laws%20cover%20'personal%20data,of%20personal%20data%20as%20sensitive. 

‍

In the pulsating heart of the digitized era, our world is rapidly morphing into a tightly knit network of interconnections. Concurrently, the vast expanse of the cyber realm continues to broaden at an unparalleled pace. As we, denizens of the Information Revolution, pioneer this challenging new frontier, a novel notion is steadily gaining traction as an essential instrument for tackling the multifaceted predicaments and hazards emanating from our escalating dependency on digital technology. This novel notion is cyber diplomacy.

Recently, a riveting discourse unraveling the continually evolving topography of cyber diplomacy unfolded on the podcast 'Patching the System.' Two distinguished personalities graced the conversation - Benedikt Wechsler, Switzerland's Ambassador for Digitization, and Kaja Ciglic, Senior Director of Digital Diplomacy at Microsoft. This thought-provoking dialogue provides a mesmerizing peek into the intricate maze of this freshly minted diplomatic domain - a landscape still in the process of carving out its rules against an ever-escalating high stakes backdrop.

Call for Robust International Norms 

During their enlightening exchange, Wechsler and Ciglic shed light on the dire need of robust international norms and regulations in dynamic cyberspace. The drew comparison with well established norms governing maritime and airspace activities, suggesting a similar framework to maneuver the intricacies of the digital realm. The necessity of this mammoth task is accentuated by swift technological development and the unique nature of the internet where participation is diverse. 

Their discourse also underscores the critical argument that cyberspace cannot be commoditized. It has evolved into critical infrastructure that demands collective supervision. Wechsler also advocated for collaboration and the importance of a united front composed of big tech giants and the government working in tandem for creation of a resilient and secured digital landscape. 

Dual Edged Sword

Their conversation courageously plunged into the more sinister depths of the digital world and dissected the rising tide of cyberspace militarisation. Illustrative case point, recent cyber operations in Ukraine starkly underscore how malevolent elements have exploited digital tools to disastrous effect. Ciglic astutely pointed out the inherent dual nature of this scenario - while malignant entities will persistently manipulate technologies like AI, these identical tools can simultaneously serve as critical allies in reinforcing cyber defenses.

In finality, the dialogue unspools a potent call to arms. Both Wechsler and Ciglic fervently endorse the inception of a permanent body under the United Nations' purview specifically designed to tackle cyber-related quandaries. They also amplified the significance of an inclusive engagement process involving diverse stakeholders cutting across sectors - private entities, academia, civil society.

In India, this strategy is very practical. India has been making proactive investments in cybersecurity and digital resilience due to its rapidly developing digital ecosystem and strong IT industry. The government of the country, business executives, and academic institutions understand how strategically important it is to protect vital digital infrastructure and data. For example, India has seen a number of high-profile assaults on its vital infrastructure, like the Mumbai power outage in 2020, which emphasizes the necessity for extensive cybersecurity protections. The security components of the digital ecosystem have been given top priority by the Indian government's "Digital India" project, which aims to promote digital inclusion. This program has improved cybersecurity while simultaneously making great progress toward closing the nation's digital gap, especially in rural areas.

India's growing influence on global affairs and its prowess in the digital realm highlight how important it is to incorporate Indian viewpoints into the larger plan. By doing this, it guarantees a thorough and all-encompassing strategy that negotiates the intricacies of the Indian and global digital ecosystems. This strategy enhances cybersecurity at the national level and establishes India as a key global partner in the endeavor to make the internet a safer and more secure place for everyone. The whole community may benefit greatly from India's experiences and activities in combating cyber dangers and enhancing resilience in an increasingly interconnected world.

Conclusion 

As we meticulously chart our trajectory across the cyber wilderness, the wisdom disseminated by Wechsler and Ciglic emerges as a priceless navigational aid. They inspire us to remember that while the gauntlet we face may be daunting, the opportunities unfurling before us are equally, if not more, monumental in their potential. By embracing a multi-faceted, synergistic approach, we set the stage for a shared journey towards a safer, resilient digital habitat.

The timeless words of Albert Einstein echo these sentiments: 'Technology advances could have made human life carefree and happy if the development of the organizing power of men [and women] had been able to keep pace with its technical advances.' As we grapple with the perplexities and burstiness of the digital age, let these words guide our collective endeavor as we strive to balance our organizing prowess with our rapid technological advancements.

‍

Executive Summary:

A photo claiming that Mr. Rowan Atkinson, the famous actor who played the role of Mr. Bean, lying sick on bed is circulating on social media. However, this claim is false. The image is a digitally altered picture of Mr.Barry Balderstone from Bollington, England, who died in October 2019 from advanced Parkinson’s disease. Reverse image searches and media news reports confirm that the original photo is of Barry, not Rowan Atkinson. Furthermore, there are no reports of Atkinson being ill; he was recently seen attending the 2024 British Grand Prix. Thus, the viral claim is baseless and misleading.

Claims:

A viral photo of Rowan Atkinson aka Mr. Bean, lying on a bed in sick condition.

‍

Fact Check:

When we received the posts, we first did some keyword search based on the claim made, but no such posts were found to support the claim made.Though, we found an interview video where it was seen Mr. Bean attending F1 Race on July 7, 2024. 

Then we reverse searched the viral image and found a news report that looked similar to the viral photo of Mr. Bean, the T-Shirt seems to be similar in both the images.

‍

The man in this photo is Barry Balderstone who was a civil engineer from Bollington, England, died in October 2019 due to advanced Parkinson’s disease. Barry received many illnesses according to the news report and his application for extensive healthcare reimbursement was rejected by the East Cheshire Clinical Commissioning Group.

Taking a cue from this, we then analyzed the image in an AI Image detection tool named, TrueMedia. The detection tool found the image to be AI manipulated. The original image is manipulated by replacing the face with Rowan Atkinson aka Mr. Bean.

‍

Hence, it is clear that the viral claimed image of Rowan Atkinson bedridden is fake and misleading. Netizens should verify before sharing anything on the internet.

Conclusion:

Therefore, it can be summarized that the photo claiming Rowan Atkinson in a sick state is fake and has been manipulated with another man’s image. The original photo features Barry Balderstone, the man who was diagnosed with stage 4 Parkinson’s disease and subsequently died in 2019. In fact, Rowan Atkinson seemed perfectly healthy recently at the 2024 British Grand Prix. It is important for people to check on the authenticity before sharing so as to avoid the spreading of misinformation.

• Claim: A Viral photo of Rowan Atkinson aka Mr. Bean, lying on a bed in a sick condition.
• Claimed on: X, Facebook
• Fact Check: Fake & Misleading