
DATA PROTECTION LAWS

Mar. 15, 2020   •   Madhav Gawri

Introduction

The Constitution of India provides citizens with basic Human Rights (Fundamental Rights) which are inalienable and inherent. Some rights are expressly mentioned in such documents while others are interpreted by the courts. Among all the rights provided to us, the Right to Privacy (as evolved through judicial interpretation) is an essential right, considering the evolution of technology taking place. Data protection is a species of privacy and an international phenomenon these days. The idea is to establish data protection, from a rights perspective, as a human right. If an individual has a right to privacy, then it impliedly includes the right to protection of data. In India, this right is identified under the fundamental right to life and personal liberty.[1]

The right to privacy also finds its reference in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the Convention on the Rights of the Child, and the European Convention on Human Rights.[2]

Development of Privacy in India

The Constitution of India does not specifically guarantee a "right to privacy". However, through various judgments, Indian courts have interpreted the other rights in the Constitution as giving rise to a right to privacy primarily through Article 21, the right to life and liberty.

In the case of Justice K.S. Puttaswamy (Retd.) & Another v. Union of India[3], while discussing the issue of privacy in light of the Unique Identity Scheme (Aadhaar), the question before the Apex Court was whether such a right is guaranteed under the Constitution and, if it is, what the source of this right is, given that there is no express provision for privacy in Indian law. The Attorney General of India argued that privacy is not a fundamental right guaranteed to Indian citizens. The nine-judge bench of the Supreme Court unanimously recognized that the Constitution guaranteed the right to privacy as an intrinsic part of the right to life and personal liberty under Article 21.

The Court overruled M.P. Sharma[4], and Kharak Singh[5] in so far as the latter did not expressly recognize the right to privacy.

Concept of Data Protection

“Data protection is commonly defined as the law designed to protect your personal information which is collected, processed and stored by automated means or intended to be part of a filing system.”[6]

Data protection acts as an instrument that citizens or consumers can use to exercise the Right to Privacy and to protect themselves and their information against any abuse. It can also be defined as the set of privacy laws, policies, and procedures that aim to minimise intrusion into one's privacy caused by the collection, storage, and dissemination of personal data.

Personal information in this aspect can be any kind of information (which may include a single piece of information or a set of information) that can personally identify an individual.

Examples include somebody’s name, address, national identification number, date of birth or a facial image, vehicle registration plate numbers, credit card numbers, fingerprints, a computer's I.P. address, CCTV video footage, or health records. Some personal information can also be categorised as more sensitive than the rest, and is therefore subject to stricter rules; this includes racial or ethnic origin, political views, religion, health, and sex life. Such information cannot be collected or used at all without one’s specific consent.

Need for Data Protection Law in India

India is the second most populous country in the world. For tackling the internal and external security challenges, it is essential that the state keeps a strict vigilance and surveillance over people. To do so, it is vital to keep a check on the data and its security. Another major threat faced by people is the leaking of personal information like the details of bank accounts and mobile numbers, which may pose a threat to privacy.

As India becomes more data mature over the years, an enforceable model will be necessary.

Data Protection in other countries

The European Union has brought about a General Data Protection Regulation that will apply to the organizations located within the E.U. as well as outside if they process personal data.

Argentina has a Personal Data Protection Act 2000, which applies to any person or entity in the country that deals with personal data. It provides that data can only be collected with consent, and the subjects have the right to access, correct and delete data. Currently, they are working upon a new bill with stringent measures according to the changing need of time.

Australia’s Privacy Act 1988 is the key privacy law that governs both the public and private sectors.

Canada has 28 federal, provincial, or territorial statutes governing data protection and privacy in the country.

China's new data privacy law, Information Technology – Personal Information Security Specification, contains more stringent requirements than the GDPR. The law (referred to as 'The Standard') contains provisions related to transparency, personal right over data, and consent.

The U.S. has no single data privacy legislation. It relies on a "combination of legislation, regulation and self-regulation" rather than government intervention alone. There are approximately 20 industry- or sector-specific federal laws, and more than 100 privacy laws at the state level (in fact, there are 25 privacy-related laws in California alone).

The most prominent national laws include the Privacy Act 1974, the Privacy Protection Act 1980, the Gramm-Leach-Bliley Act 1999, the Health Insurance Portability and Accountability Act 1996, and the Fair Credit Reporting Act 2018. According to the report of the United Nations Conference on Trade and Development, "107 countries (of which 66 were developing or transition economies) have put in place legislation to secure the protection of data and privacy. In this area, Asia and Africa show a similar level of adoption, with less than 40 percent of countries having a law in place."[7] UNCTAD has also published Data protection regulations and international data flows[8], which discusses data protection law at a global level.

Hence, various countries have framed legislation on data protection laws.

Data Protection Laws in India

The right to privacy has been given paramount importance after the Supreme Court's decision, but still, there exists no such specific legislation for Privacy and Data Protection.

The Information Technology Act, 2000[9] contains specific provisions intended to protect electronic data (including non-electronic records or information that have been, are currently or are intended to be processed electronically). Section 43A of the I.T. Act explicitly provides that whenever a body corporate possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s) so affected.[10]

It distinguishes between ‘personal information’ and ‘sensitive personal information’. The Delhi High Court in the case of Union Public Service Commission v. R.K. Jain[11] has tried to distinguish between private information and personal information by stating that personal information is a broader concept which covers all private information like family, marriage, motherhood, an employee is primarily a matter of employer-employee known as personal information that is governed by service rule.

The Act also states that any corporation seeking sensitive personal data must draft a privacy policy, to be published on the website of the body corporate, which must include the purpose for which the details are being collected along with their use. Reasonable confidentiality of data must be maintained, and the information should be retained only for as long as it is needed.

The 2011 Rules also provide for a Grievance Officer, who shall be responsible for addressing the grievances of information providers and resolving them within one month.

Section 72A of the Information Technology Act provides for punishment for disclosure of information in breach of lawful contract: imprisonment for a term not exceeding three years, or a fine which may be Rs. 5 lakh, or both.

The Indian Penal Code, 1860, does not specifically deal with data protection laws or breach of data privacy, but the liability can be inferred from the related crime. For example, section 403 imposes a criminal penalty for dishonest misappropriation or conversion of "movable property".

The Indian Copyright Act, 1957, prescribes mandatory punishment for piracy of copyrighted matter commensurate with the gravity of the offence. Section 63B of the Indian Copyright Act provides that any person who knowingly makes use on a computer of an infringing copy of a computer program shall be punishable with imprisonment for a minimum period of six months and a maximum of three years.

India moved one step forward when the Draft Data Protection Bill, 2018 was tabled by the Justice Srikrishna Committee. The bill provides for the setting up of a Data Protection Authority by the Central Government, which will comprise six full-time members appointed for a five-year term. Section 60 of the bill details the powers and functions of the Authority, like taking action in response to a breach of data etc.

Highlights of the Bill:

  • The bill distinguishes between personal data and sensitive personal data
  • The bill regulates the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. Processing of data is allowed only if the individual gives consent, or in a medical emergency, or by the state for providing benefits. The data principal is not restricted to Indian citizens, and they have several rights with respect to their data, such as seeking a correction or seeking access to their data, which is stored with the fiduciary.
  • The data fiduciary, such as a private or public entity, has certain obligations towards the individual while processing the data, such as notifying the data principal of the nature and purposes of data processing.
  • The bill allows exemptions for certain kinds of data processing, such as processing in the interest of national security, for legal proceedings, or for journalistic purposes; prevention, detection, investigation and prosecution of contraventions of law; research, archiving or statistical purposes; personal or domestic purposes; journalistic purposes; manual processing by small.
  • The bill requires that a serving copy of personal data be stored within the territory of India. Specific critical personal data must be stored solely within the country.
  • A national-level Data Protection Authority (DPA) is set up under the bill to supervise and regulate data fiduciaries.
  • The data fiduciary needs to inform the DPA of a data breach if it is likely to harm the individual. There may be a conflict of interest while assessing whether an offence is to be reported, as the fiduciary is regulated and evaluated by the DPA on several parameters, including instances of data breaches.
  • The bill provides for some essential individual rights like the right of access to data, right to rectification of errors, right to deletion, right to object to processing, right to data portability, right to object to marketing, right to complain to the relevant data protection authority, etc.

Challenges:

Though the draft bill addresses various issues of the personal data ecosystem in India and clearly articulates the rights of individuals, it falls short on key landmines that form the nucleus of the data protection framework. The bill does not provide guidelines for processing data in a ‘fair’ and ‘reasonable’ manner. Such an absence will result in different standards of application of this rule. Another drawback the bill faces is that the DPA has to be informed of any breach. Should the fiduciary be given the discretionary power to decide which breach is reportable? Also, the bill provides certain exemptions to processing of data for national security, legal proceedings, etc. But there exist no safeguards for the protection of this data.

The processing of data for functions of the state does not require consent. The Justice Srikrishna Committee Report had argued that the validity of consent given by the individual while availing State welfare benefits is questionable, given the imbalance of power between the citizen and the state.[12]

The bill provides for the filing of a complaint only if the violation of any provision has caused harm or may cause damage, but it does not offer any provision for infringement of rights.

The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad in December 2019. The bill seeks to provide for the protection of personal data of individuals and establishes a Data Protection Authority for the same. It seeks to set up a data protection authority to protect the interests of individuals.

Conclusion

The lack of legislation governing data protection has been a matter of concern. Even though the data protection laws have not been specified in a statute, the Indian government has started working on bringing in stricter means to prevent misuse of people's personal data. If the data protection bill is brought into force, it will prevent the misuse of data and ensure the privacy of Indian citizens.

_________________________________________________________________________________________

[1] Article 21, Constitution of India

[2] Article 12 of the Universal Declaration of Human Rights:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Article 17 of the International Covenant on Civil and Political Rights states: No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to criminal attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Article 16 of the Convention on the Rights of the Child: No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to criminal attacks on his or her honour and reputation. The child has the right to the protection of the law against such interference or attacks.

Article 8 of the European Convention on Human Rights: Everyone has the right to respect for his private and family life, his home, and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well being of the country, for the prevention of disorder or crime, for the protection of health or morals, or the protection of the rights and freedoms of others.

[3] KS Puttaswamy vs Union of India 2017 10 SCC OnlineSC762

[4] M. P. Sharma And Others vs Satish Chandra, 1954 AIR 300, 1954 SCR 1077

[5] Kharak Singh vs The State Of U. P. & Others, 963 AIR 1295, 1964 SCR (1) 332

[6] Privacy International[GB], https://www.privacyinternational.org/node/44

[7] https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx

[8] https://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf

[9] https://www.prsindia.org/billtrack/the-information-technology-rules-2011-1908

[10] https://www.roedl.com/insights/india-eu-gdpr-data-privacy-law

[11] W.P.(C) 1243/2011 & C.M. NO.2618/2011

[12] https://www.prsindia.org/billtrack/draft-personal-data-protection-bill-2018

[Author: Ms. Deeksha Chugh]

