With data being borderless and accessible, sovereign states often face the challenge of governing and regulating data. Across civilisations and generations, we have witnessed how evolution is inextricably linked to the exchange of information and ideas - that is exactly why the free flow of data is crucial and hence, regulation is inevitable.
The challenge of regulation primarily relates to the possibility of jurisdictional conflict of data protection laws around the world and the need for balance between overlapping fundamental rights.
While we see that the European Union, California, and South Africa have enacted the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Protection of Personal Information Act (POPI Act) respectively, balancing the competing interests of stakeholders in the Democratic Republic of India seems to be taking longer than expected.
Also Read:
In the context of understanding data, it becomes important to think through the impact that each type of data creates. Such impact has led to the need for segregation into personal data, sensitive personal data, critical data, and non-personal data.
The Personal Data Protection Bill, 2019 ("PDP Bill"), follows a long line of privacy jurisprudence in India that has been influenced by global developments as well as the country's own constitutional jurisprudence. Though the constitution does not explicitly mention the right to privacy, Indian courts have held that the right to privacy exists under the right to life guaranteed under Article 211. Since the recognition of right to privacy as a constitutionally protected fundamental right, the Data Protection Bill, 2019 has been formulated to fulfill the twin objectives of protecting personal data while unlocking the data economy.
In the context of the framework for data protection adopted internationally, Lee A. Bygrave has set out the basic tenets that they entail:
- Single statute legislation to ensure clarity and coherence
- Independent enforcement body to oversee the implementation of legislation
- Broad framework of laws to enable smooth adoption of modifications in line with the changing needs of technology and innovation
- Advisory body for regulator to aid effective understanding and implementation of laws by the enforcement body
The key objectives for the data protection regime in India are set out below:
I. Need for single statute legislation and addressing ambiguities in the current framework
Regulatory ambiguity and inaction have been the primary reasons why instances of data breach have been grossly undervalued. Lack of awareness on the importance and impact of personal data may be called into question only after such primary reasons are addressed.
In the absence of a single statute legislation for protection of data in India, suitable remedies and preventive mechanisms have been provisioned under several sector-specific regulations and other legislations including the Information Technology Act, 2000 ("Act") and relevant rules formulated under the act, Payment and Settlement Systems Act, 2007, Indian Telegraph Act, 1885 and SEBI Data Sharing Policy, 2019 and RBI Guidelines on Cyber Security Framework for Banks and Information Security, 2016. Such a fragmented set of rules and vague redressal procedures necessitate the enactment of the PDP Bill.
The changing trends in technology expose us to loopholes in the established set of laws and one such issue is in relation to section 43A of the Act.
Firstly, the definition of 'body corporate' as defined thereunder is broad and includes a company, firm, sole premiership or other associations of individuals. However, the collection of personal or sensitive personal data by an 'individual' has not been contemplated under the purview of such definition.
Secondly, the responsibility for the protection of data is imposed only on body corporates engaged in 'commercial or professional activities' and it appears to be arbitrary discrimination to exclude NGOs, not-for-profit organisations, or government entities as such.
Thirdly, a body corporate has an option to choose among three varying degrees of compliance i.e. (a) contractual compliance by setting out reasonable security practices and procedures in the form of an agreement; or (b) comply with any law providing for protection of sensitive personal data or information; or (c) comply with such reasonable security practices and procedures prescribed by the central government in consultation with professional bodies or associations that they may deem fit. Such options create absolute chaos in implementation and a body corporate can easily navigate and 'shop' for the most lenient security practice or procedure.
In addition to the above, there are several instances of dysfunctional and non-functional grievance redressal mechanism which urgently need to be revived and relooked. Several problems with implementation often plague the enforcement mechanism due to periodic delays in appointments to the adjudicatory mechanisms created under the act.
Also Read:WhatsApp vs govt: Can traceability and encryption co-exist?
II. India's commitment under international law
Article 51 of the Constitution of India, which forms part of the Directive Principles of State Policy, requires the state to endeavour to "foster respect for international law and treaty obligations in the dealings of organised people with one another".
Privacy is a fundamental human right specifically recognised under Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights ("ICCPR"). The Protection of Human Rights Act, 1993 has referred to the ICCPR as a human rights instrument and the latter makes it mandatory for states to take steps for realisation of such right and ensure protection against interference by private parties.
III. Demonstrating preparedness to meet internationally accepted standards of data protection
In this day and age of information, it becomes inevitable for India to develop a robust and timeless regulation that has the ability to demonstrate compliance warranting the transfer of data from foreign jurisdictions. Such regulation is a precursor to receiving seamless data transfer, especially from the EU and UK regions which are emerging as global leaders in privacy regulation and data protection.
Therefore, it becomes important for India to set out a lucid set of rules for ensuring legitimate cross-border transfer of data and afford the same level of data protection to those residing in India and other countries. The need has been further backed by a significant development in global data protection law wherein the Court of Justice of the EU invalidated the EU-US privacy shield and read down the inviolability of the standard contractual clauses.
The privacy shield is an adequacy decision issued by the European Commission regulating data transfers between the US and any member state of the EU or the European Economic Area data transfer framework. Such a landmark decision has been passed due to the operation of surveillance laws in the US and it has thus been found that the privacy shield does not provide adequate protection of data protection rights of an individual that is similar to the General Data Protection Regulation.
IV. Data localisation and boosting domestic digital economy
Digital sovereignty is the right of a state to govern its network to serve its national interests, the most important of which are security, privacy, and commerce. The need to provide local residence to data in India stems from the fact that India is a nation state and therefore would treat the data generated by its citizens as a national asset. Such national asset may be required to be stored and guarded within national boundaries subject to the security and strategic interests of India.
Also Read:PUBG Mobile Indian Twin in trouble for sharing data withChinese servers
V. Preventing privacy harms and exclusion
There exists visible inequality in bargaining power between individuals and entities that process personal data, and it becomes important to mitigate the harms flowing from such disbalance. Such harm may take various forms, including subjective and objective harm as contemplated by M. Ryan Calo or architectural harm, often contended by Daniel J. Solove.
Interestingly, Solove has also dealt with the problem of aggregation which arises from the fusion of small bits of seemingly innocuous data. In face of such harms, it is crucial to facilitate a framework that vests the rights of a data principal in an individual who shares personal data and therefore, becomes the focal actor in the digital economy.
The data protection framework is required to embody a relationship created on fundamental expectation of trust between the data principal and data fiduciary. Such forms of privacy harms and principles of decisional autonomy have been re-instated in the Puttaswamy I judgement.
VI. Curing problems associated with information asymmetry and need for facilitating data ownership
The findings from Cambridge Analytica indicated that data subjects had little or no knowledge that their activity on Facebook would be shared with third parties for targeted advertisements around the US elections. 12 Data gathering practices are usually opaque and take complex privacy forms that users have little control over.
Inadequate information on data flows due to artificial intelligence tools often worsen the relationship between data principal and fiduciary. The state is especially able to exercise substantial coercive power and remains largely unregulated for the collection and processing of personal data and thus, majorly contributing to the formation of information silos.
Thus, the objective of a data protection framework is to make the data principal as the owner of their own personal data and make provisions including the right to access, correction, deletion, and updating of respective data.
VII. Imparting differential protection to each class of data
As discussed above, the need for segregation of data sets into personal data, sensitive personal data, critical personal data, and non-personal data is assuming importance in today's age of data economy. Processing of each data set is likely to have a peculiar impact, for instance, health data set of an individual vs. personal details including the name and age of an individual. Therefore, according enhanced level of protection in terms of restrictions on cross-border transfers in case of critical personal data becomes necessary.
VIII. Extra-territorial application of data protection laws
Free flow of data across borders for the purpose of innovation and exchange requires that effective remedy is readily available to deal with any instance of breach.
IX. Mandate prior consent and adherence to principles of data protection
This flows from the need to establish rights of data ownership in today's era of clip wrap agreements and standard form contracts. In this context, it becomes important to ensure a constructive content mechanism is in place and suitable principles of data protection are followed.
X. Remedy and prevent problems of free data flows and data sharing practices
Deficiencies in the regulation of data flow in India are merely a consequence of a simplistic assumption that data flows are an unadulterated good. Such regulation becomes important to ensure an orderly digital market which shall lead to a win-win situation for citizens, nations, and multinational corporations.
To conclude, while each of the objectives set out above form the building blocks for the enactment of the PDP Bill, the need for protecting privacy as a matter of fundamental right and demonstrating preparedness to meet widely accepted standards of data protection in the international community tops the list.
It is indeed crucial to respect the need for a reasonable timeline for the introduction and enforcement of such regulation as we eagerly look forward to the monsoon session of Parliament. Until then, the government and industry bodies can cooperate and focus on capacity and infrastructure building, data literacy, and understanding technological innovations better.
(The author is a technology law and policy fellow with Daksha fellowship, Sai University, Chennai, and a law graduate from Government Law College, Mumbai.)
FAQs
What is the purpose of Data Protection law in India? ›
Reasonable safeguards are to be undertaken to ensure that there is no unauthorised collection or processing of personal data. This is intended to prevent personal data breach; and. The person who decides the purpose and means of processing of personal data should be accountable for such processing.
Why are data protection laws important in India? ›Need for data protection laws
It gives people access to their data, establishes accountability standards for businesses that process it, and includes redressals for improper or harmful processing. Data protection laws also provide remedies for false profiles and fraud that can also be made using stolen information.
What is the purpose of the Data Protection Act? The Act seeks to empower individuals to take control of their personal data and to support organisations with their lawful processing of personal data.
What is the data protection rule in India? ›The Right to Privacy is a fundamental Right covered within the ambit of Right to life and personal liberty under Article 21 which can be curtailed via procedure established by Law which is just, fair and reasonable as laid down in Maneka Gandhi v UOI[6].
How is India data protection bill different from GDPR? ›While the GDPR and the Bill both recognise consent of individuals as one of the legal bases for processing personal data, the latter has introduced the novel concept of 'consent managers'. Consent managers are data fiduciaries who may, on behalf of the data principals, collect and manage consent provided by them.
Who regulates data protection in India? ›Data Protection Framework | Ministry of Electronics and Information Technology, Government of India.
What are three benefits of the Data Protection Act? ›- Easier business process automation. ...
- Increased trust and credibility. ...
- A better understanding of the data being collected. ...
- Improved data management. ...
- Protected and enhanced enterprise and brand reputation. ...
- An even privacy playing field. ...
- Takeaway.
- used fairly, lawfully and transparently.
- used for specified, explicit purposes.
- used in a way that is adequate, relevant and limited to only what is necessary.
- accurate and, where necessary, kept up to date.
- kept for no longer than is necessary.
You may be subject to: private claims for compensation for damages suffered - these can be instigated by individuals or consumer protection bodies on behalf of individuals. reputational damage. loss of consumer trust.
Is data protection law passed in India? ›In 2017, the Supreme Court of India recognized the Right to Privacy as a fundamental right under the Constitution and laid down certain privacy principles relevant to informational privacy (i.e., data privacy).
What are the penalties for data protection in India? ›
In the proposed Digital Protection Data Bill (DPDB) 2022, data fiduciaries are subject to fines of up to Rs 500 crore for non-compliance.
Does GDPR apply to Indian citizens? ›India's undertaking on data protection. As mentioned above GDPR is only applicable to EU-related people and the companies and organizations that target people resident in the EU. We saw what is GDPR and its applicability and its functions.
What is the US equivalent of the GDPR? ›What is the US equivalent of GDPR? The CCPA (California Consumer Privacy Act) is the US equivalent of GDPR. This comprehensive data privacy act gives Californian residents greater transparency and control over how businesses collect and use their personal information.
What are sensitive data protection rules in India? ›Data categorisation under SPDI Rules
The SPDI Rules define Personal Information as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”
Data protection law sets out what should be done to make sure everyone's data is used properly and fairly. You probably have personal data about your customers and clients such as names, addresses, contact details. You might even have sensitive information such as medical data.
What are the two principles of the Data Protection Act? ›Integrity and confidentiality (security) Accountability.
What is the name of the main data protection law? ›The GDPR also mandates that personal data is maintained safely; in part, the regulation says personal data must be protected against "unauthorized or unlawful processing, and against accidental loss, destruction or damage."
What is not covered by the Data Protection Act? ›the right to be informed; all the other individual rights, except rights related to automated individual decision-making including profiling; the communication of personal data breaches to individuals; and. all the principles, but only so far as they relate to the right to be informed and the other individual rights.
What are the 7 golden rules of data protection? ›Necessary, proportionate, relevant, adequate, accurate, timely and secure: Ensure that information you share is necessary for the purpose for which you Page 2 are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely (see ...
Who needs to follow data protection act? ›At the heart of it are eight common sense rules known as the 'data protection principles' that all organisations collecting and using personal information are legally required to comply with. The law provides stronger protection for more sensitive information such as: Ethnic background. Political opinions.
How long does data protection last? ›
The answer depends on the type of data. For applicant data, we recommend six months. For payroll information, three years. For employee records, six years.
Can I sue for data protection breach? ›Under data protection law, you are entitled to take your case to court to: enforce your rights under data protection law if you believe they have been breached. claim compensation for any damage caused by any organisation if they have broken data protection law, including any distress you may have suffered, or.
Are there data protection laws in the US? ›The federal government passed the U.S. Privacy Act of 1974 to enhance individual privacy protection. This act established rules and regulations regarding U.S. government agencies' collection, use, and disclosure of personal information.
Is data privacy a human right in India? ›In various judgments the Supreme court has recognized the right to privacy as a fundamental right emanating from Article 21 of the Constitution of India.
How much compensation for data breach in India? ›Section 45 of the IT Act is a residuary clause that states that whoever contravenes any rules made under the IT Act, for the breach of which no penalty has been separately provided, shall be liable to pay compensation or penalty of up to 25,000 rupees.
Can a company refuse to delete my data in India? ›Anything else has to be removed and their is no justification not to once a request is submitted. You are legally obliged to destroy all identifiable data other than the specific exemptions.
Is data breach a criminal Offence in India? ›Even though there is no data protection law in place to demand action by the state on violations that involve the fundamental right to privacy, the Information Technology Act of 2008 has provisions to hold liable parties accountable.
Why data protection is important for a country? ›Data protection safeguards information from loss through backup and recovery. Data security refers specifically to measures taken to protect the integrity of the data itself against manipulation and malware. It provides defense from internal and external threats. Data privacy refers to controlling access to the data.
Why individual data privacy is important in India? ›Importance of Data Privacy Laws in India:
With the rise of technology and social media, companies are collecting more data than ever. This has created a situation where we give away our personal information to advertisers, marketing firms and other organizations without realizing it.
In August 2022, the Government withdrew India's draft data protection law, the Personal Data Protection Bill, 2019 ('the Bill') in light of the industry and political pushback. Instead, the Government intends to introduce a comprehensive legal framework to regulate privacy within the digital ecosystem.
Which country has the strongest data protection laws? ›
The country with the strictest data privacy laws related to the internet is Iceland. Many people have referred to Iceland as Switzerland for data. It has incredibly strict privacy laws, and these laws were passed in 2000.
Which country has the best data protection laws? ›Switzerland has guaranteed its citizens the right to privacy under its constitution and enacted regulations. The Swiss Federal Data Protection Act (DPA) prohibits personal data processing without the individual's consent the data relates to.
Which country has the best data protection? ›Which country is considered to be the leader in privacy and data protection? Scandinavian countries are generally regarded as having some of the best data and privacy protection laws in the world. This includes Sweden, Norway, Denmark, and Finland.
Is data privacy a fundamental right in India? ›Under the CrPC, the police need to obtain a warrant to enter your house or arrest you. The same principle should apply if they're dealing with data, because data privacy is also a fundamental right under Article 21.
What is right to privacy and data protection in India? ›The Constitution of India: The Constitution of India does not explicitly mention the right to privacy or data protection. However, the Supreme Court of India has recognized the right to privacy as a fundamental right under Article 21[1] of the Constitution, which guarantees the right to life and personal liberty.