In 2017, the Supreme Court of India pronounced a landmark judgmentdeclaringthe right to privacy as a fundamental right under the framework of the right to life (Article 21) as per ourConstitution. However, a standalone and comprehensive privacy law does not exist in India. Currently, the Information Technology Act 2000 read with supplementary Rules,actsas the legal cornerstone to ensure the protection of personal information.
Lawmakers and regulators progressively recognize the importance of data for economic and technological growth. Hence, 2021 witnessed key developments in the data privacy and personal data protection space across various sectors.
In terms of legislation, the Joint Parliamentary Committee's report on the proposed data protection law has given the Data Protection Bill of 2021 a new tone and tenure.The Reserve Bank of India developed restrictions forpayment aggregatorsandlending applications, while the Bureau of Indian Guidelinesformulateddata privacy standards as an assurance framework for enterprises. The central government also pushed out due-diligence rules for internet intermediaries to regulate.
What was 2021 about from a privacy and personal data protection vantage point?
These developments result from the meteoric adoption of technology, powered by enormous data sharing networks created by private and public entities. These networks depend on the personal data of individuals. In the absence of adequate privacy safeguards, there is a risk that personal data may be subjected to unauthorized access.
Data Protection Bill 2021
The JPC's report paved the way for India's data privacy and protection legal regime. The bill is yet to be tabled in the Parliament. However, a key point of discussion is that the bill in its current form proposes deviations from its earlier two predecessors (2018and2019drafts).
A noteworthy change is in the form of exemptions extended to government agencies with respect to data processing. This exemption may be examined in the light of the recent Supreme Courtjudgmentin the Pegasus spyware case, which involves allegations against the central government for conducting surveillance on Indian citizens. The Hon'ble Court constituted a committee to assess the violation of the right to privacy and make recommendations on the current surveillance laws to boost data protection practices. Hence, a prudent approach would be to consider bringing government agencies under the umbrella of DPB to ensure individual privacy and enhance cybersecurity.
Under the latest draft, the DPB seeks to regulate the collection, storage, transfer and use of personal data. In addition, it extends the provision to foreign-based entities in case Indians are subjected to their data processing activities.
The bill's main tenets include: Individual consent, data breach notification, transparency (prior notice and privacy policy describing data processing practices), purpose-based processing, technical security, and rights of individuals who part away with personal data such as name and email ID, or sensitive personal data such as a social security number. Individuals would have more control over the processing of their data with these rights, as they would be able to remove, correct and access their data easily.
In August 2021, jurisprudence in privacy rights management was formulated. The Madras High Courtdismissed a petitioner's right to be forgotten, seeking to have his criminal and court records expunged following his acquittalfrom the case. The court issued the dismissal because the fulfillment of a task in public interest trumped the individual's right to privacy. The court further stated that these rights would be more effectively implemented after India passed a data privacy law.
Several requirements set forth by the JPC's report and revised DPB are worth ruminating over. Take, for instance, the data localization norms applicable to sensitive personal data and critical personal data (yet to be defined by the central government). The flow of data from India to a country abroad would be restricted.
These norms are perhaps a manifestation of India's economic, national security and data protection concerns. Data of Indians is to be stored primarily in India and may be transferred if the individual provides consent, a contract duly approved by the DPA is in place, or the receiving entity can demonstrate compliance with applicable data protection laws. The receiving entity could also implement adequate technical (e.g., encryption and access control) and administrative (e.g., privacy policy and breach management process)safeguards for validating such data transfers.
The glaring concerns with localization norms are the costs and technical capabilities required to segregate data and create a single point of failure,as data would have to be stored only in a server-based in India, as opposed to the conventional practice of utilizing distributed servers across various jurisdictions.
The bill relies heavily on consent as a parameter for processing data, mandating organizations to enable individuals to put in placea consent manager platform to gain, withdraw, review, and manage consent in an accessible, transparent, and interoperable manner. Though the idea seems novel, it falls in uncharted waters.
As we await the passage of this bill in the Parliament, we can deduce that it requires organizations to revamp their operational practices in relation to data-related processes and embed privacy within their business procedures.
Banking and finance
Building on the privacy principle ofdata minimization, wherein only those data elements are to be collected and stored that are aligned for processing; the RBI released "Guidelines on Regulation of Payment Aggregators and Payment Gateways." These guidelines seek to restrict payment aggregators who facilitate payments between users and merchants using electronic/online payment modes from storing cards and associated data (e.g., card number and CVV).
RBI also recognized the growing dearth of data security and privacy in the digital lending sector.Since there has been an exponential penetration of digital lending applications, RBI formulated a working group to assess the maturity of privacy practices implemented and recommended that data should only be stored in Indian servers.
The scope of the assessment would include transparency of data processing activities, whether a privacy notice or policy is in place, consent mechanism, and rights management to help users amend or delete their data. The working group would also study the breach of purpose limitation requirements, as often customers' data is used to harass them.
Bureau of Indian Standards on data privacy
IS 17428is the latest standard issued by BIS to govern data privacy assurance practices of organizations. This standard will provide a framework to establish, implement, maintain and update data privacy management practices. The standard has two parts to it. The first provides for technical and administrative requirements to protect the privacy of personal and sensitive data right when designing a product or service that would involve the collection of an individual's data. The second part enumerates certain guidelines to augment the implementation of the requirements in the first part of the standard.
While the first part is mandatory to ensure compliance with the standard, the second part is merely a suggestion. Since India does not have a comprehensive data privacy law, it would be noteworthy to read this standard in conjunction with the compliancerequirementsunder the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, to develop secure data privacy practices as per standards such asIS0 27001.
The grey area here is the lack of guidance on whether implementing the latest standard would be sufficient to comply with SPDI Rules. Therefore, organizations would be obligated to implement IS 17428 and treat it as a reference point to comply with SPDI Rules and the upcoming data protection law.
Communications
Inattempting to balance privacy rights on the weighing scale of national security and public order, the Ministry of Electronics and Information Technology codifiedInformation Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These rules provide due diligence requirements, and the idea is to identify the first originator of any information transmitted over social media and messaging platforms. However, this requirement does not extend to the contents of electronic messages. Currently, this traceability requirement is being reviewed by the Delhi High Court to adjudicate its constitutionality vis-à-vis the right to privacy. Although the government has clarifiedthat it has no intentions of violating the right to privacy, it remains to be seen if the extent of mandated disclosures would impinge on the actual contents of the messages being communicated, as the basis for tracking is State sovereignty and security.
Technology and finance writer Byrne Hobart famously remarked that"the whole point of communicating is to violate your own privacy in a controlled way."Perhaps these words have inspired WhatsApp, currently underlegal scrutinyfor the terms of an amended privacy policy. According to the policy, users can "opt-in" to share data with Facebook to continue using WhatsApp services. The Competition Commission of India launched an investigation into the potential impact of WhatsApp's new rules on the Indian market. The main concern is that the opt-in violates the essential characteristics of legitimate consent (transparent, withdrawable and free of consequences such as denial of services).
The road ahead
Regulators, legislators, the judiciary and industry can expect 2022 to be a busy year. It's been more than three years since the EU General Data Protection Regulation went into effect, and India is on the verge of following the EU's lead and streamlining its data protection regulations, even though there are reports on a possible re-draft of the bill. The interplay of sector-specific regulations and a general law on data protection would possibly trigger deliberations and actions on a wide array of privacy concerns. Moreover, with the rapid adoption of cutting-edge technologies such as blockchain and AI, it would be a worthy endeavor to track and study how the current bunch of regulations would be applied to frameworks based on decentralization and anonymization. Meanwhile, organizations should consider conducting periodic audits and assessments of their privacy procedures to better visualize the types of data they collect, its flow within the company, storage timelines and locations, and initiate remediation steps to close any gaps they observe.
Photo by Srikanth D on Unsplash
FAQs
What is India data privacy Act 2021? ›
The Bill allows the Indian government to exempt the processing of personal data of data principals outside India by data processors (or a class of data processors) incorporated in India who process such data pursuant to a contract with a person outside India.
What is the data privacy regime in India? ›Data protection safeguards sensitive data against loss, manipulation, and misuse. The Hon'ble Supreme Court of India established the right to privacy as a fundamental right under Article 21 of the Constitution of India as part of the right to life and personal liberty in the case of Justice K.S. Puttaswamy v.
How right to privacy was evolved in India? ›Right to privacy was derived from "protection of life and personal liberty" enshrined under article 21 of the Indian constitution and the discussion on case laws is essential for better understanding of this utmost significant right in the present scenario.
Which article is evolution of right to privacy in India? ›Right To Privacy And Constitution of India
On August 24th, 2017, Supreme Court has given its verdict on Right to privacy inJustice K S Puttaswamy V Union of India, declaring it as a fundamental right of a citizen. This judgment has finally put an end to the long historical legal battle from the past 40-50 years.
Importance of Data Privacy Laws in India:
With the rise of technology and social media, companies are collecting more data than ever. This has created a situation where we give away our personal information to advertisers, marketing firms and other organizations without realizing it.
There is no exclusive data protection law in India. The privacy and data protection is mandated under Section 43A of Information Technology Act, 2000. It is read along with Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
What are the four parts of privacy in India? ›Indian privacy law is evolving in response to four types of privacy claims: against the press, against state surveillance, for decisional autonomy and in relation to personal information.
Which law in India focuses on data privacy and information technology? ›Data protection in India is covered by the Information Technology Act 21 of 2000 (also known as the IT Act) and related IT Rules.
Is India covered by GDPR? ›India has followed the EU's GDPR in allowing global digital companies to conduct business under certain conditions. In 2017, the Supreme Court of India ruled that privacy is a constitutional right of Indian citizens.
What is the conclusion on right to privacy in India? ›No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Article 8- European Convention on Human Rights- “1. Everyone has the right to respect for his private and family life, his home and his correspondence.
What is the evolution and development of the Right to Information Act in India? ›
National Campaign for People's RTI – Formed in 1996; formulated initial draft of RTI law for the Government. Tamil Nadu became first Indian state to pass RTI law in 1997. Freedom of Information (FOI) Act, 2002 passed. Thereafter, Bill for the RTI Act, 2005 was passed and became fully operational on October 12, 2005.
Do companies have right to privacy in India? ›The privilege against self-incrimination and right of privacy of the citizens find deep roots in jurisprudence. Section 206 of the Companies Act, 2013 (the "Act") gives the Registrar of Companies (the "ROC") the power to call for information, inspect books and conduct inquiries in respect of any company.
Is right to privacy an absolute right in India? ›The Right to Privacy is not absolute
In the Supreme Court judgement (“Ritesh Sinha Judgement”), a three-judge bench of the Supreme Court of India observed that the fundamental right to privacy is not absolute and is limited by certain factors instead.
In Griswold, the Supreme Court found a right to privacy, derived from penumbras of other explicitly stated constitutional protections. The Court used the personal protections expressly stated in the First, Third, Fourth, Fifth, and Ninth Amendments to find that there is an implied right to privacy in the Constitution.
Is right to privacy not a fundamental right in India? ›Analysis. A nine-judge bench ruled that the Right to Privacy is a fundamental right for Indian citizens. Thus, no legislation passed by the government can unduly violate it.
What is the importance of data security in India? ›Data Security in DBMS
A database management system ensures data protection and privacy by ensuring that only authorized users have access to the database and by performing permission checks whenever sensitive data is accessed. In recent times, securing data has become increasingly important.
Data privacy is important because it is a protection of your data to prevent the lack of access control to your personal information that can put you at risk for a variety of cybersecurity threats.
What is sensitive personal data in India? ›What are the categories of sensitive personal data? According to the SPDI Rules, sensitive personal information or data refers to passwords, financial information, physical, physiological, or mental health conditions, sexual orientation, medical records and history, and biometric information.
What are the 3 key aspects of privacy? ›According to Ruth Gavison, there are three elements in privacy: secrecy, anonymity and solitude. It is a state which can be lost, whether through the choice of the person in that state or through the action of another person.
What are the 5 pillars of privacy? ›- Appointment of a Data Protection Officer (DPO) ...
- Conducting of privacy impact assessment (PIA) ...
- Formulation of a privacy management program (PMP) ...
- Execution of data privacy and protection measures. ...
- Preparation of data breach management protocols.
How is India data protection bill different from GDPR? ›
While the GDPR and the Bill both recognise consent of individuals as one of the legal bases for processing personal data, the latter has introduced the novel concept of 'consent managers'. Consent managers are data fiduciaries who may, on behalf of the data principals, collect and manage consent provided by them.
Which cases are related to right to privacy in India? ›In the landmark case of R. Rajagopal vs. State of Tamil Nadu (1994 (6) SCC 632, the court opined, “The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which a new cause of action for damages resulting from unlawful invasion of privacy was recognised.
What is the difference between right to information and right to privacy in India? ›The right to privacy was considered to be inherent in the right to life as stated in Article 21 of the Constitution of India. On the other hand, the right to information acquires the constitutional right of freedom of expression guaranteed to all citizens under Article 19(1)(a) of the Constitution.
What is the impact of right to information in India? ›Due to the enactment of RTI there has been a positive atmosphere of accountability and transparency between the Government officials and the citizens. And this positive change has led to a better working of governmental organs and achieve the role of an ideal form of government.
What is Right to Information Act in India and why it is important step towards human rights? ›This act was enacted in order to consolidate the fundamental right in the Indian constitution 'freedom of speech'. Since RTI is implicit in the Right to Freedom of Speech and Expression under Article 19 of the Indian Constitution, it is an implied fundamental right.
When did the Government in India implement the right of information? ›The Right to Information Act will come into force w.e.f. 12th October, 2005. The Act extends to the whole of India except Jammu & Kashmir. It provides a very definite day for its commencement i.e. 120 days from enactment. It shall apply to Public Authorities.
Do we have a right to privacy under the Constitution? ›The Third Amendment protects the zone of privacy in the home. The Fourth Amendment protects the right of privacy against unreasonable searches and seizures by the government. The Fifth Amendment provides for the right against self-incrimination, which justifies protection of private information.
What is surveillance and right to privacy in India? ›The Right To Privacy Under Surveillance Allowances In India
The IT Act authorizes the Government under Section 69 to conduct surveillance of internet data, on various broad grounds relating to the nation's interests.
For example, individuals may assert a privacy right to be “let alone” when the press reports on their private life or follows them around in an intrusive manner on public and private property.
When did data privacy become an issue? ›It wasn't until the middle of the 20th century that 'data privacy' began to come into focus. As data collection tools became more sophisticated, companies began to experiment with personal data collection in various forms, including mailing lists and collecting customer banking information.
How has the right to privacy been violated? ›
unreasonable intrusion upon the seclusion of another, appropriation of the other's name or likeness, unreasonable publicity given to the other's private life, and. publicity which unreasonably places the other in a false light before the public.
What are the 4 types of invasion of privacy? ›Those four types are 1) intrusion on a person's seclusion or solitude; 2) public disclosure of embarrassing private facts about a person; 3) publicity that places a person in a false light in the public eye; and 4) appropriation, for the defendant's advantage, of the person's name or likeness. 1.
Is right to privacy a freedom? ›Legally, the right of privacy is a basic law which includes: The right of persons to be free from unwarranted publicity. Unwarranted appropriation of one's personality. Publicizing one's private affairs without a legitimate public concern.
How far is right to exploitation relevant in India? ›The Right against Exploitation is enshrined in Articles 23 and 24 of the Indian Constitution. These are important Fundamental Rights that guarantee every citizen protection from any kind of forced labour.
How many Fundamental Rights are there in India? ›The Constitution offers all citizens, individually and collectively, some basic freedoms. These are guaranteed in the Constitution in the form of six broad categories of Fundamental Rights, which are justifiable.
Does Indiana have data privacy laws? ›The Indiana Data Privacy Law requires controllers to: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to disclosed purposes for which such data is processed. Adopt and implement reasonable administrative, technical, and physical data security practices.
Is India under GDPR? ›SIMILARITIES AND DIFFERENCES BETWEEN IT ACT AND GDPR. The IT Act and GDPR both have an object to control and regulate the transferring of data for e-commerce. On the other hand, the GDPR is more concerned to safeguard the EU citizens and their rights, however the same is missing in the Indian IT Act.
Which state has best data privacy laws? ›California. California led the charge in being the first state to enact comprehensive data privacy legislation via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). CCPA, signed into law on June 8, 2018, and which went into effect on Jan.
What 5 states have data privacy laws? ›Five states—California, Colorado, Connecticut, Utah and Virginia—have enacted comprehensive consumer data privacy laws. The laws have several provisions in common, such as the right to access and delete personal information and to opt-out of the sale of personal information, among others.
What level is invasion of privacy in Indiana? ›What are the Penalties for Invasion of Privacy in Indiana? Invasion of privacy is a Class A misdemeanor, but can be charged as a Level 6 felony if a person has a prior unrelated conviction for invasion of privacy. Invasion of privacy charges are serious and can put you at risk of jail time.
Who regulates data protection in India? ›
Data Protection Framework | Ministry of Electronics and Information Technology, Government of India.
How does GDPR apply to Indian companies? ›Even companies outside the EU that handle the personal data of individuals within the EU must abide by the regulation. Hence, Indian firms that process the personal data of individuals within the EU must follow the GDPR.
Is there any data classification system in India? ›Personal Data Protection Standard of India (PDPSI) is the standard being developed by Cyber Law College of Naavi to assist the compliance of Personal Data Protection regulations in India.
Does India have right to privacy? ›Right to Privacy – Article 21
According to this article, every person – citizens and non-citizens have the right to live and the right to have personal liberty. The state can't deprive any person of these two rights except under procedure as prescribed by the Indian Penal Code.
The GDPR applies to companies outside the EU because it is extra-territorial in scope. Specifically, the law is designed not so much to regulate businesses as it is to protect the data subjects' rights.