Name: V. Mangala
Institution: Siddharth College of Law, Mumbai University
Year: 3rd year of 3year LL. B course
Name: Eshan Atul Borikar
Institution: Siddharth College of Law, Mumbai University
Year: 3rd year of 3year LL. B course
The article highlights the loopholes in the current legal framework for data protection and data privacy. This article, through various instances, draws attention towards frequent data breaches and impact on millions of users and further emphasizes the need to legislate a robust data protection law within the nation. The article critically tests the roles of stakeholders to protect the commercial, personal and sensitive data. With the aid of judicial precedents, Article puts weightage on the importance of privacy and the judiciary’s role in safeguarding the rights. It proposes a way forward to deal with data privacy and data protection. Gary Kovacs says that “Privacy is not an option, and it shouldn’t be the price we accept for just getting on the internet.”
Keywords: Data protection, Cyber-attacks, Stakeholders, Data breaches, Privacy
How many of us read the fine print given in the terms and conditions? Do we bother about the permissions granted or privacy details, or do we blindly download apps, thinking it’s safe since many others are doing so?
People do not bother about the permissions, thinking that they are getting a service for free. They do not realize that there is no such thing as a free lunch. The unfortunate fact is that the law is unable to keep up with the pace of technology. The Acts, Rules, and Regulations take a lot of time to be legislated and enacted. Further, it is impossible to foresee all the different issues and needs that might arise in the future, thereby creating a need to repeatedly amend such laws. Such amendments are also not easy. Amending a law is a time-consuming process that involves a lot of complexities. Hence, there is a need for creating such laws and regulatory bodies to constantly monitor activities that involve technology, especially if it concerns the safety and privacy of humans’ daily activities.
India is a party to two international instruments containing privacy protections. These are the Universal Declaration on Human Rights and the International Covenant on Civil and Political Rights. In the present scenario, India is not a party to the convention on the protection of personal data which is equivalent to the General data protection regulation formulated European Union. The general data protection regulation is among the stringent regulations for data protection and privacy. Such regulations are required to protect the fundamental rights of the citizens and to reduce the data breach,
From the national perspective, the Information technology Act, 2000 and the Indian Telegraph Act, 1885 regulate digital and telephonic surveillance. The strongest legal protection provided to India’s personal information is under section 43A and section 72A of the Information Technology Act and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. The provisions of the Information Technology Act, 2000 and rules require a body corporate who ‘receives, possesses, stores, deals, or handles’ any ‘sensitive personal data to implement and maintain ‘reasonable security practices,’ failing which they are held liable to compensate those affected. Only the body corporates fall under the purview of the said act, and exclusion of others does not serve the purpose of data protection in the long run. The Information and technology act has not clearly defined the term ‘data breach,’ nor has it defined the term ‘consent.’ This makes the application of law more complex. The present acts and rules are not sufficient for the far-reaching impact of data violations.
CONCERNS ABOUT DATA SAFETY
We need to assess the risks involved while dealing with sensitive data closely.The data consists of structured and unstructured data. Structured data involves the traditional forms of data, mainly in the form of text whereas unstructured data is the information that either does not have a pre-defined data model or is not organized in a pre-defined manner and includes photos, videos, and social media interactions.
PERSONAL DATA AT RISK
The upsurge of technology is raising several issues for society and mankind. One of the common issues is data storage and its handling. The e-commerce players and other technological companies are generating large amounts of data dailydaily to undertake data analytics to improve the consumer experience. Technological advancements like google home, apple smartwatches, and Alexa of amazon are collecting users’ data on a large level to improve the experience. In Portland, Oregon, a woman discovered that her Echo had taken it upon itself to send recordings of private conversations to one of her husband’s employees. The improvement of the consumer experience is also increasing the risk of data mishandling and invading personal privacy. The Information technology is used for all kinds of surveillance tasks. It can be used to augment and extend traditional surveillance systems to identify specific individuals in the crowd by using face recognition technique or to monitor specific places for unwanted behavior. This exposes the privacy of individuals and violates their fundamental rights.
Technological inventions are acting as an aid to manage the data, but at the same time, they can adversely affect the privacy of an individual to a greater extent. The classic example of one of such technological developments is cloud computing, which provides the technological players with a virtual space to store their data. With the help of its virtual address, the companies can easily access data stored with cloud computing, but such data stored through cloud computing is also prone to cyber-attacks.
CYBER ATTACK A TOOL FOR DATA BREACHES
A primary threat to society is hackers. They use various strategies to breach data and then demand a sum of money to restore the data, but still, the danger of abuse of data remains intact. Recently in 2020, there was a massive data breach on an education platform Unacademy portal wherein 22 million users were affected, and the sensitive data of users were sold on the darknet. In October of 2020, the data breach of big basket exposed around 20 million users. Global entities like Twitter and Facebook are also suffering from constant data breaches. The data, whether personal or commercial, its breach increases the adverse impact on the people and organizations collecting and generating sensitive data.
ROLE OF STAKEHOLDERS
The industry’s role in data protection is crucial; no doubt that data protection is a burning issue in various countries across the globe. The tech entrepreneurs worldwide are striving hard to protect the data but due to the huge quantum of data being generated every minute of every day. However, until date, none of the tech entrepreneurs have developed a robust solution for data protection. In recent years, tech companies have become huge in terms of operations. Now it has,,become difficult for such companies to track, monitor, and prevent data breaches. Data collected by tech companies is susceptible in nature due to the simple fact that such data can gauge the habits, likes, dislikes of users. The situation further aggravates when the grey and black hat hackers use such data to exploit the users and fulfill their ulterior goals. The United States Congress recently grilled the top executives of Amazon, Facebook, Google, and Apple in an Antitrust hearing for anti-competitive practices and the data breaches in recent time. The domestic companies having a global presence like Tata Consultancy, Reliance Jio, Infosys, and Wipro should also proactively Contribute to the protection of personal and commercial data. All the Stakeholders and domain experts should work in harmony to find a robust solution to reduce the data breach and protect privacy in the long run.
The judiciary should play a more proactive role in regulating the data and service providers. The Supreme court of India pronounced a Landmark Judgement, In the case of Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India the judgment states that,
“…Life and personal liberty are inalienable rights. These are rights that are inseparable from a dignified human existence. The dignity of the individual, equality between human beings, and the quest for liberty are the foundational pillars of the Indian constitution.”
“It is privacy which is a powerful guarantee if the state were to introduce compulsory drug trials of non-consenting men or women. The sanctity of marriage, the liberty of procreation, the choice of family life, and the dignity of being are matters which concern every individual irrespective of social strata or economic wellbeing. The pursuit of happiness is founded upon autonomy and dignity.
Both are essential attributes of privacy which makes no distinction between the birthmarks of individuals.”
“Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate from the State andalso from non-State actors. We commend to the Union Government to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the State. The legitimate aims of the State would include, for instance, protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These are matters of policy to be considered by the Union Government while designing a carefully structured regime for protecting the data.” The judgment pronounced by the court was an unprecedented one and considered the right to privacy as a fundamental right. Still, it didn’t enlist any guidelines for data protection, and privacy remained compromised. The grey area remained unaddressed, and there is a dire need for legislation to protect the data from breaches.
A WAY FORWARD
This article proposes that the central government should chalk out a fund called Data Protection User Education Fund,Data Protection User Education Fund, commonly called DPUEF. The users and various organizations are still unaware of the perils of the data breach. This fund will help in educating the users regarding privacy and data protection. Various NGOs, social workers, and tech entrepreneurs should take proactive steps to make users aware of their rights and the probable danger of data breaches. They can create awareness with the help of street plays, competitions, seminars, and any other ethical way preferred by the organizer. The central government should provide certain financial aid to such organizations from DEUPF. To motivate them and improve user awareness. The Special Fund for data protection will increase consumer awareness and increase consumer awareness, increase consumer awareness, raise consumer awareness, and even encourage the users to report the data breaches.
The Current system of redress is not efficacious, and it is time-consuming. The ,sedentary behavior of authorities towards data protection and privacy compared to other offences increases citizen’s and organizations’ agony. As the CAG aptly puts it: “The inaction of the Ministry of Information and Technology defeated the very purpose for which CyAT was formed and also resulted into an expenditure amounting to `Rs. 27.64 crore for the period 2011-12 to 2015-16 on its establishment.” The government should strive to introduce a concrete law for data protection, and it will not only ensure the safety of the users but will also ensure safety from abuse of data and ensure the right to privacy. The protection of commercial and personal data is a need of an hour.
Whereas information technology is typically seen as the cause of privacy problems, there are several ways in which information technology can help to solve these problems. There are rules, guidelines, or best practices that can be used for designing privacy-preserving systems. It is of utmost importance that we figure out a way to balance humans’ technology and privacy. Letting go of technology is not a viable option, and it would take us centuries back. Being blinded by the advancing technology and not caring about privacy in order to hold on tight to the perks of technology is something that absolutely cannot be considered as this would become the catalyst of human destruction down the line. Hence, the most prudent method to follow would be to strictly consider data protection and privacy while taking each step to ensure the safety in existing technology and allow permission to each new technological innovation. Bruce Schenier rightly says it rightly says it rightly says it, “Data is the pollution of the information age, and protecting privacy is the environmental challenge.”