Overview of Data Protection & Privacy Laws in India

INTRODUCTION

Digitization, advances in technology, and the rise of e-commerce platforms have been the norm in recent years, especially in light of the COVID pandemic. On each online platform, users visit, register, and make purchases, and in doing so they hand over personal information and data as customers. However, because India doesn’t have any explicit data protection laws, the collection, use, and disclosure of this data are essentially unregulated.

A Committee of Experts has been established by the Indian government to investigate various data protection-related concerns and make recommendations for a data protection law.

This article focuses on

  • Goals and objectives
  • What is data in data protection?
  • The Legislative Approach to Data Security and Privacy
  • Data Privacy and Personal Data Protection Bill, 2019
  • FAQs (frequently asked questions)

GOAL AND OBJECTIVE

The purpose is to establish a framework for organizational and technical measures in data processing, laying down standards for social media intermediaries, cross-border transfer, and accountability; to provide for the protection of individuals’ privacy with regard to their personal data; to specify the flow and use of personal data; to build a relationship of trust between people and entities processing the data; and to protect the fundamental rights of individuals whose personal data are processed.

WHAT IS “DATA” IN DATA PROTECTION?

Data refers to all information and materials created and acquired during the performance of the services, including survey plans, charts, recordings (audio and/or visual), pictures, curriculum, graphic representations, computer programs, printouts, notes, and completed or uncompleted documents that can be used to forecast the future of the entity or the individual.

Data can be of two types:

Personal Data

In simpler terms, personal data is any information that refers to features, traits, or other qualities that could be used to uniquely identify a person.

Non-Personal Data

Non-personal data consists of compiled information that cannot be used to identify a specific person. For instance, a person’s position would be considered personal data, as opposed to information generated from hundreds of different locations, such as traffic flow statistical data.

THE LEGISLATIVE APPROACH TO DATA SECURITY AND PRIVACY

Currently, there is no proper legislation protecting data or privacy in India. However, the Information Technology Act of 2000 and the Indian Contract Act of 1872 are the relevant laws in India that deal with data protection. In the near future, India is likely to implement a codified law on data protection.

The Information Technology Act, 2000 (“IT Act”) addresses concerns related to civil and criminal penalties for misuse and breach of contract involving personal data. The two relevant sections of the IT Act are broadly explained as follows:

Section 43A: Damages for data protection failures

If a private company fails to implement and maintain reasonable security policies and procedures while handling sensitive personal data or information on a computer resource that it owns, controls, or operates, and as a result causes wrongful loss or wrongful gain to any person, such company shall be liable to pay damages by way of compensation to the person so affected.

Section 72A: Penalties for disclosing information in violation of a valid contract

Any person, including an intermediary, who has obtained access to any material containing personal information about another person while performing services under the terms of a valid contract is prohibited from using that information, except as otherwise provided in the IT Act or any other law currently in effect.

The Indian Contract Act, which is mainly founded on common law principles, gives the parties to a contract the option to include clauses that are appropriate for protecting data, such as confidentiality clauses and other privacy protections.

However, due to their limited scope, these laws are recognised as being insufficient. As a result, the Personal Data Protection Bill, a comprehensive proposed law, was presented in 2018 to alter the legal framework. It aims to provide the appropriate legal framework and build the appropriate data infrastructure so that India may fully benefit from the power of data.

DATA PRIVACY AND PERSONAL DATA PROTECTION BILL, 2019

The Sri Krishna Group was established by the court as a special committee to draft a bill on personal data. On July 27, 2018, a report was delivered by the committee led by BN Krishna, a retired Supreme Court justice. The government drafted the Personal Data Protection Bill 2019 (“PDP”), which was then promptly referred to the Joint Parliamentary Committee (JPC). It has not yet been put into effect, since the committee found the framework to be unsuitable for the rapidly changing technological environment.

Clause 35 of the PDP grants the government protection and allows it to access any user’s information as well as track information about the citizens of the nation. The government has complete authority to monitor people and their data. The terms “data processor” and “data fiduciary” are proposed in the PDP Bill. The bill protects people by penalizing entities who collect user data without their consent. With regard to business operations in India and the offering of products or services to individuals, the Bill will apply not only to persons in India but also to persons outside India.

Landmark Judgment

Although data can be used for benefit, the arbitrary and unauthorized use of data, particularly personal data, has raised questions about an individual’s privacy and autonomy. The right to privacy is recognised as a basic right in the Indian Constitution. This constitutional right has a significant impact on Indian law, which affects policy and judicial activity and serves as a check on legislative and executive action.

In the landmark decision in Justice K.S. Puttaswamy & Another v. Union of India, (2017) 10 SCC 1, the right to privacy was recognised by the Supreme Court of India as a fundamental right under Article 21 of the Constitution, as a component of the rights to “life” and “personal liberty”. The court ruled that everyone should be able to control how their identity is used for commercial purposes and that this right gives people the exclusive right to commercially exploit their identity and personal information, to control the information that is available about them on the internet, and to disseminate certain personal information for specific purposes only. For the first time, the Supreme Court explicitly recognised a person’s right to access their own personal information.

CONCLUSION

The issues discussed are essential for the security of both the Indian nation and the average Indian citizen. Considering the facts, it may be inferred that even though the Indian IT Act and the additional legislation, rules, and regulations have advanced significantly since the beginning, they still lag in providing adequate data protection and protection against cyber threats.

There are many challenges and situations to take into account when creating data protection and privacy laws in India. For example, there is the paradoxical problem of preserving the anonymity of personal data while attempting to identify the real offender of an online crime, since identity theft and spoofing allow anyone sitting anywhere in the world to commit crimes.

While there is a strong case to be made for the PDP Bill and a need for new data protection legislation in India, it could also be argued that the Indian government has moved from minimum to excessive regulation of cyber and data security over time. The PDP Bill gives the Indian government overreaching powers, such as the ability to define what counts as critical personal data. Many foreign entities believe the changes that would result from this legislation are too difficult to comply with. Consequently, even though the joint parliamentary committee’s suggested version of the PDP Bill may be adopted by the Indian government, some crucial issues must still be resolved.

FAQs (FREQUENTLY ASKED QUESTIONS)

1. What legal framework exists in India for data protection?

The Information Technology Act, 2000 and the rules issued thereunder, particularly the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, provide the current basis for data protection laws in India.

2. What does the definition of “personal information” in the IT Rules mean?

Personal information is any information pertaining to a natural person that, directly or indirectly, when combined with additional information already accessible or likely to be available to a body corporate, is capable of identifying that person.

3. What types of private information or sensitive personal data are prohibited by the IT Rules?

In accordance with the IT Rules, the following categories of personal information may be considered sensitive: passwords; financial information; health parameters (including physical, physiological, and mental health conditions, as well as medical records or histories); sexual orientation; and biometric data.

4. What qualifies as a body corporate for the purposes of the IT Act?

Any corporation, including a firm, a single proprietorship, or other group of people involved in business or professional activity, is referred to as a body corporate.

5. Is permission needed in order to gather sensitive personal information or data?

Yes, before collecting sensitive personal data or information, a body corporate or any person acting on its behalf must secure the provider’s written consent, indicating its intended use, via letter, fax, or email.
