#FactCheck - Viral Videos of Mutated Animals Debunked as AI-Generated

Introduction

The European Union has fined the meta $ 1.3 billion for infringing the EU privacy laws by transferring the personal data of Facebook users to the United States. The EU fined Meta’s business in Ireland. As per the European Union, transferring Personal data to the US is a breach of the General data protection Regulation or European Union law on data protection and privacy.

GDPR Compliance

The terms of GDPR promise to gather users’ personal information legally and under strict conditions. And those who collect and manage personal data must protect users’ personal data from exploitation. The GDPR restricts an organisation’s capacity to transfer personal data outside the EU if the transfer is solely based on that body’s evaluation of the sufficiency of the personal data’s protection. Transfers should only be made where European authorities have determined that a third country, a territory within that third country, or an international organisation provides acceptable protection for data protection.

Violation by Meta

The punishment, announced by Ireland’s Data Protection Commission, might be one of the most significant in the five years since the European Union passed the landmark General Data Protection Regulation. According to regulators, Facebook failed to comply with a 2020 judgment by the European Union’s top court that Facebook data transferred over the Atlantic was not sufficiently safeguarded from American espionage agencies. However, whether Meta will ever need to encrypt Facebook users’ data in Europe is still being determined. Meta announced it would appeal the ruling, launching a potentially legal procedure.

Simultaneously, European Union and American officials are negotiating a new data-sharing pact that would provide legal protections for Meta and scores of other companies to continue moving information between the US and Europe. This pact could overturn much of the European Union’s Monday ruling.

Article 46(1) GDPR Has been violated by the meta, And as per the Irish privacy.  

What is required by the GDPR before transferring personal information across national boundaries?

Personal data transfers to countries outside the European Economic Area are generally permitted if these nations are regarded to provide a sufficient degree of data protection. According to Article 45 of the GDPR, the European Commission evaluates the degree of personal data protection in third countries.

The European Union judgment demonstrates how government rules are upending the borderless way data has traditionally migrated. Companies are increasingly being pressed to store data within the country where it is acquired rather than allowing it to transfer freely to data centres around the world as a result of data-protection requirements, national security laws, and other regulations.

The US internet giant had previously warned that if forced to stop using SCCs (standard contractual clauses) without a proper alternative data transfer agreement in place, it would be compelled to shut down services such as Facebook and Instagram in Europe.

What will happen next for Facebook in Europe?

The ruling includes a six-month transition period before it must halt data flows, meaning the service will continue to operate in the meantime. (More specifically, Meta has been given a five-month transition period to freeze any future transfer of personal data to the United States and a six-month deadline to terminate the unlawful processing and/or storage of European user data it has previously transferred without a legitimate legal basis. Meta has also stated that it will appeal and appears to seek a stay of execution while it pursues its legal arguments in court.

Conclusion

The GDPR places restrictions on transferring personal data outside the European Union to third-party nations or international bodies to ensure that the GDPR’s level of protection for individuals is not jeopardised. But the meta violated the European Union’s privacy laws by the user’s personal information to the US. Under the compliance of GDPR, transferring and sending personal information to users intentionally is an offence. and presently, the personal data of Facebook users has been breached by the Meta, as they shared the information with the US.

Introduction

Assisted Reproductive Technology (“ART”) refers to a diverse set of medical procedures designed to aid individuals or couples in achieving pregnancy when conventional methods are unsuccessful. This umbrella term encompasses various fertility treatments, including in vitro fertilization (IVF), intrauterine insemination (IUI), and gamete and embryo manipulation. ART procedures involve the manipulation of both male and female reproductive components to facilitate conception.

The dynamic landscape of data flows within the healthcare sector, notably in the realm of ART, demands a nuanced understanding of the complex interplay between privacy regulations and medical practices. In this context, the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011, play a pivotal role, designating health information as "sensitive personal data or information" and underscoring the importance of safeguarding individuals' privacy. This sensitivity is particularly pronounced in the ART sector, where an array of personal data, ranging from medical records to genetic information, is collected and processed. The recent Assisted Reproductive Technology (Regulation) Act, 2021, in conjunction with the Digital Personal Data Protection Act, 2023, establishes a framework for the regulation of ART clinics and banks, presenting a layered approach to data protection.

A note on data generated by ART

Data flows in any sector are scarcely uniform and often not easily classified under straight-jacket categories. Consequently, mapping and identifying data and its types become pivotal. It is believed that most data flows in the healthcare sector are highly sensitive and personal in nature, which may severely compromise the privacy and safety of an individual if breached. The Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 (“SPDI Rules”) categorizes any information pertaining to physical, physiological, mental conditions or medical records and history as “sensitive personal data or information”; this definition is broad enough to encompass any data collected by any ART facility or equipment. These include any information collected during the screening of patients, pertaining to ovulation and menstrual cycles, follicle and sperm count, ultrasound results, blood work etc. It also includes pre-implantation genetic testing on embryos to detect any genetic abnormality. 

But data flows extend beyond mere medical procedures and technology. Health data also involves any medical procedures undertaken, the amount of medicine and drugs administered during any procedure, its resultant side effects, recovery etc. Any processing of the above-mentioned information, in turn, may generate more personal data points relating to an individual’s political affiliations, race, ethnicity, genetic data such as biometrics and DNA etc.; It is seen that different ethnicities and races react differently to the same/similar medication and have different propensities to genetic diseases. Further, it is to be noted that data is not only collected by professionals but also by intelligent equipment like AI which may be employed by any facility to render their service. Additionally, dissemination of information under exceptional circumstances (e.g. medical emergency) also affects how data may be classified. Considerations are further nuanced when the fundamental right to identity of a child conceived and born via ART may be in conflict with the fundamental right to privacy of a donor to remain anonymous. 

Intersection of Privacy laws and ART laws: 

In India, ART technology is regulated by the Assisted Reproductive Technology (Regulation) Act, 2021 (“ART Act”). With this, the Union aims to regulate and supervise assisted reproductive technology clinics and ART banks, prevent misuse and ensure safe and ethical practice of assisted reproductive technology services. When read with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and other ancillary guidelines, the two legislations provide some framework regulations for the digital privacy of health-based apps.

The ART Act establishes a National Assisted Reproductive Technology and Surrogacy Registry (“National Registry”) which acts as a central database for all clinics and banks and their nature of services. The Act also establishes a National Assisted Reproductive Technology and Surrogacy Board (“National Board”)  under the Surrogacy Act to monitor the implementation of the act and advise the central government on policy matters. It also supervises the functioning of the National Registry, liaises with State Boards and curates a code of conduct for professionals working in ART clinics and banks. Under the DPDP Act, these bodies (i.e. National Board, State Board, ART clinics and banks) are most likely classified as data fiduciaries (primarily clinics and banks), data processors (these may include National Board and State boards) or an amalgamation of both (these include any appropriate authority established under the ART Act for investigation of complaints, suspend or cancellation of registration of clinics etc.) depending on the nature of work undertaken by them. If so classified, then the duties and liabilities of data fiduciaries and processors would necessarily apply to these bodies. As a result, all bodies would necessarily have to adopt Privacy Enhancing Technologies (PETs) and other organizational measures to ensure compliance with privacy laws in place. This may be considered one of the most critical considerations of any ART facility since any data collected by them would be sensitive personal data pertaining to health, regulated by the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 (“SPDI Rules 2011”). These rules provide for how sensitive personal data or information are to be collected, handled and processed by anyone.

The ART Act independently also provides for the duties of ART clinics and banks in the country. ART clinics and banks are required to inform the commissioning couple/woman of all procedures undertaken and all costs, risks, advantages, and side effects of their selected procedure. It mandatorily ensures that all information collected by such clinics and banks to not informed to anyone except the database established by the National Registry or in cases of medical emergency or on order of court. Data collected by clinics and banks (these include details on donor oocytes, sperm or embryos used or unused) are required to be detailed and must be submitted to the National Registry online. ART banks are also required to collect personal information of donors including name, Aadhar number, address and any other details. By mandating online submission, the ART Act is harmonized with the DPDP Act, which regulates all digital personal data and emphasises free, informed consent.

Conclusion

With the increase in active opt-ins for ART, data privacy becomes a vital consideration for all healthcare facilities and professionals. Safeguard measures are not only required on a corporate level but also on a governmental level. It is to be noted that in the 262 Session of the Rajya Sabha, the Ministry of Electronics and Information Technology reported 165 data breach incidents involving citizen data from January 2018 to October 2023 from the Central Identities Data Repository despite publicly denying. This discovery puts into question the safety and integrity of data that may be submitted to the National Registry database, especially given the type of data (both personal and sensitive information) it aims to collate. At present the ART Act is well supported by the DPDP Act. However, further judicial and legislative deliberations are required to effectively regulate and balance the interests of all stakeholders.

References

• The Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011
• Caring for Intimate Data in Fertility Technologies https://dl.acm.org/doi/pdf/10.1145/3411764.3445132 
• Digital Personal Data Protection Act, 2023
• https://www.wolterskluwer.com/en/expert-insights/pharmacogenomics-and-race-can-heritage-affect-drug-disposition  

Introduction

In the multifaceted world of international trade and finance, cross-border transactions constitute the heart of economic relationships that span the globe. The threads that intertwine forming the fabric of global commerce are ceaselessly dynamic and exhibit an intricate pattern of complexity especially when it comes to the regulated movement of capital. It's a domain where economies connect, where businesses engage in sublime commerce, and where technology and regulation intersect at critical juncture. These guidelines will play a critical role in the regulation of capital, fortification of financial integrity, and transparency of regulatory and cross-border payments. The key highlights of this regulation include strict pre-authorization for non-bank entities, mandating specific accounts for import and export PA-CBs and a transaction ceiling of 25,00,000 Rupees.

The Vigilance of RBI 

The Reserve Bank of India (RBI), ever vigilant in its shepherding role over the nation's financial stability and integrity, has taken decisive strides to dispel the haze that once clouded this critical sector. With the issuance of a revelatory circular dated October 31, 2023, the RBI has unveiled a groundbreaking framework that redefines the terrain for these pivotal financial entities, aptly christened as Payment Aggregators – Cross Border (PA-CB). In deploying this comprehensive array of regulations, the RBI demonstrates a robust commitment to harmonizing and synchronizing the oversight of payments within the country's financial fabric, extending its meticulous regulatory weave from domestic Payment Aggregators (PAs) to the PA-CBs, a sector previously undistinguished in formal oversight.

The prescriptive measures announced by the RBI are nothing short of a regulatory beacon that cuts through the fog of uncertainty, illuminating a clear path forward for entities dedicated to facilitating cross-border payment transactions pertaining to the import and export of permissible goods and services in India through online modes. Inclusiveness is a hallmark of the RBI’s directive, encompassing a diverse cadre of financial actors, ranging from Authorized Dealer (AD) banks and conventional Payment Aggregators (PAs), to the emergent breed of PA-CBs actively engaged in processing these critical international payment transactions.

Key Aspects of Regulation

One of the most striking aspects of this new regulatory regime is the RBI's insistence on pre-authorization. All non-bank entities providing PA-CB services are impelled to apply to the apex bank for authorisation by April 30, 2024. This is far from a perfunctory gesture; it represents a profound departure from the bygone era when these entities functioned under a patchwork of provisional guidelines and ad-hoc circulars. Indeed, with this resolute move, the RBI signals its intention to embrace these entities within its direct regulatory gambit, an acknowledgement of the shifting tides and progressive intricacies characteristic of cross-border payments.

The tapestry of new rules is complex, setting forth an array of prerequisites for entities aspiring for authorization. For instance, non-bank PA-CBs are obliged to register with the Financial Intelligence Unit-India (FIU-IND) as a preliminary step before commencing the application process. Moreover, the financial benchmarks set are notably rigorous. Non-banks must boast a minimum net worth of ₹15 crores at the time of the application—a figure that escalates to a robust ₹25 crores by the fiscal deadline of March 31, 2026.

Way Forward

As if these requirements weren't indicative enough of the RBI’s penchant for detail and precision, the guidelines become yet more granular when addressing specific types of PA-CBs. Import-only PA-CBs are mandatorily obliged to maintain an Import Collection Account (ICA) with an AD Category-I scheduled commercial bank, while export-only PA-CBs are instructed to maintain an Export Collection Account (ECA), which can be maintained in Indian Rupees (INR) or any permissible foreign currency. The nuance here is palpable; payments for import transactions must be received in a meticulously managed escrow account of the PA, prior to being funneled into the ICA for smooth settlement with overseas merchants.

Conversely, export-only PA-CBs' proceeds from international sales must be swiftly credited to the relevant currency ECA. This meticulous accounting ensures that the flow of funds is both transparent and traceable, adhering to the utmost standards of financial probity.

Yet, perhaps the most emphatic of the RBI's pronouncements is the establishment of a transaction ceiling. PA-CBs have their per-transaction limit capped at ₹25,00,000 for each unit of goods or services exchanged. This calculated move is transparent in its objective to mitigate risk—a crucial aspect when one considers the potential implications of these transactions on the country’s fiscal health and the integrity of its financial systems.

It is no exaggeration to declare that with these guidelines, the RBI is effectuating a seismic shift in the regulation of cross-border payment transactions. There's a fundamental transformation taking place—a metamorphosis—from a loosely defined existence of PA-CBs to one of distinct clarity, under the direct and unswerving supervisory gaze of the regulator. The compliance burden, indeed, has become heavier, yet the return is a compass that points decisively towards secure harbours.

As we embark upon the fresh horizons that these rules bring into view, it is imperative to acknowledge that the RBI's regulatory innovations represent far more than a mere codification of dos and don'ts. They embody a visionary stride towards safeguarding and fortifying the architecture of international payments, a critical component of India's burgeoning presence on the world economic stage.

Conclusion 

The journey ahead, as we navigate these newly charted waters with the RBI's guidelines as our steadfast North Star, will no doubt be replete with challenges, adaptations and learning curves for the array of operational entities. But it is with confidence we can say, the path is set; the map is clear. The complex labyrinth of cross-border financial transactions is now demystified, and the RBI's clarion call beckons us towards a future marked by regulation, security, and above all else, reliability in the cosmopolitan tapestry of global trade. RBI’s guidelines provide a comprehensive framework for standardizing cross-border financial transactions in India. This decision is a monumental step towards maintaining cyber peace in cyberspace. 

References:

• https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12561&Mode=0
• https://www2.deloitte.com/in/en/pages/tax/articles/tax-alert-Regulation-of-payment-aggregator-cross-border-pa-cb.html
• https://www.jsalaw.com/newsletters-and-updates/rbis-new-guidelines-to-govern-payment-aggregators-in-cross-border-transactions/ 

‍