India is one of the world’s largest democracies, but there is no ‘singular piece of legislation in India currently to address the significant issue of privacy. We are in an information age. With the growth and development of technology, more information is now readily available. The information explosion has manifold advantages but also some disadvantages. The access to information, which an individual may not want to give, needs privacy protection. The right to privacy is claimed qua the State and non-State actors. Recognition and enforcement of the same may require legislative intervention by the State. The idea of the new data protection regulation is to have umbrella legislation that is the personal data protection bill in the making; hopefully, the sectoral regulators and emphasis on personal data of individuals would fit into this giant umbrella, and we would have a very robust ecosystem on privacy.
Keywords: Privacy, Personal Data, Data Principal, Control Framework
Data Protection comprises data protection laws, policies, and procedures to minimize the intrusion of personal data into one’s privacy by gathering, storing, and distributing it. Data protection refers to the use of policies and strategies to reduce intrusion into an individual’s privacy caused by collecting and using their personal data. Data can be broadly classified into two types: personal and non-personal data. Personal data pertains to characteristics, traits, or attributes of identity, which can identify an individual. Non-personal data includes aggregated data through which individuals cannot be identified. For example, while an individual’s location would constitute personal data, but information derived from multiple drivers’ locations, often used to analyze traffic flow, is non-personal data.
In recent times, technology has far surpassed legislation, and laws play a catch-up game worldwide. We have seen that laws are being drafted or changed to correspond with the new digital ecosystem globally. In India, we have some legal provisions. Still, we do not have any specific umbrella legislation. In India, data privacy laws were long-held ambiguity. Although, The Supreme Court ruled in 2017 that the Indian constitution provided every citizen with a fundamental right to privacy. The new legislation is still in the making—The Personal Data Protection Bill 2019, currently scrutinized by experts and stakeholders by a Joint Parliamentary Committee.
The importance of data and data flow was the focus of one of the silver linings of the year. In line with this, the Government of India took essential measures in the 2020 regulation of technology policies and data such as non-personal data, health data, financial data, e-commerce, and other consumer services. However, Behind the curtains of the upcoming, legislation we also have the Information Technology Act. Section 43 A and Section 72 A are essential sections under this Act, and Section 43 A discusses sensitive personal data. In contrast, Section 72 A discusses personal data. In accordance with Section 43, there are a set of rules, which can be shortly called sensible personal data rules, which give you an abundance of requirements for sensitive data to follow. In addition, industry regulatory authorities naturally dictate their regulating bodies: for instance, the Reserve Bank of India, which speaks to NBF banks, sees the eye of IRDAI dictating the insurance players and the presence of the Indian Penal Code, the Indian Contract Act, and so on.
NEED FOR REGULATION
Data protection and privacy are crucial for an emerging data-driven economy such as India. The country is steadily progressing from a data-poor economy to a data-rich economy. But this legal arena has long been in the government’s backhand for legislative purposes, mainly the underemphasis on India’s data privacy laws and the importance of his data not known to a layperson. This lack of awareness and gravity has made users vulnerable to large companies that exploit these weaknesses and therefore misuse the data. The collection and analysis of personal data by individuals have many advantages. The private and public sectors both collect and use personal data on an unequalled scale for various purposes. Although data can be used for a benefit, the unregulated and arbitrary use of data, in particular personal information, raises concerns about the confidentiality and self-reliance of a person. In the Puttaswamy judgement, the Supreme Court recognized that privacy is a fundamental right that was the subject of the historic judgment.
In this light, the formulation of a data protection law is an hour for India to take advantage of the digital economy and mitigate the consequences. Therefore, a need for specific legislation in the field should cover all aspects of data protection – the what, how, and by whom – is essential. What are the safeguarded data? Is personal data protection merely sufficient? What about business data and data? To ensure that data protection is regulated effectively, what all authorities need India to establish? These are just some of the many concerns raised by data protection. But for the data protection regulation in India, a few fundamental principles can be kept in mind :
- Technology agnosticism – The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.
- Holistic application – The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for specific legitimate state aims.
- Informed consent – Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the criteria above.
- Data minimization – Data that is processed should be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.
- Controller accountability – The data controller shall be held accountable for any data processing, whether by itself or entities with whom it may have shared the data for processing.
- Structured enforcement – Enforcement of the data protection framework must be a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralized enforcement mechanisms.
- Deterrent penalties – Penalties on unlawful processing must be adequate to ensure deterrence.
Over the course of the Indian government has understood the gravity of the changing scenario in the data protection arena and acted upon it by establishing a Committee of Experts to develop India’s data protection framework. The Committee submitted a draft personal data protection bill and an accompanying report, entitled “A Free and Fair Digital Economy: Privacy Protection, Empowering Indians,” following a public consultation on a white paper. Ultimately, in December 2019, the Personal Data Protection Bill came before Parliament.
THE DATA PROTECTION BILL, 2019 – WHAT IT ADVANCES
The Personal Data Protection Bill, 2019, was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to protect the personal data of individuals and establishes a Data Protection Authority for the same and is currently being examined by the Joint Parliamentary Committee. It will be deliberated in the budget session before it becomes law. The PDP Bill focuses mainly on the people of India and their privacy. It aims to give Indians more control over their personal information and build a culture of respect for the privacy of individuals. It also seeks to balance the importance of security and innovative technology of personal data to ensure that people benefit ethically and fairly from their data.
The Bill governs the processing of personal data by:
- companies incorporated in India, and
- foreign companies dealing with the personal data of individuals in India.
Personal data pertains to characteristics, traits, or attributes of identity, which can identify an individual. The Bill categorizes specific personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government in consultation with the Authority and the concerned sectoral regulator. The Bill provides the data principal with certain rights concerning their data that includes seeking confirmation on whether their data has been processed, seeking correction, completion, or erasure of their data, seeking transfer of data to other fiduciaries, and restricting continuing disclosure of their data, if it is no longer necessary or if consent is withdrawn. Any processing of personal data can be done only based on permission given by the data principal. The Bill lays down the various nuances surrounding data and aims to establish strict regulation on data protection.
There must be an everlasting shield on citizens’ privacy, and it must be regarded as the primary end objective of data protection laws. Such a clear sense of direction can rectify the competing interests of the State’s welfare and surveillance agendas, the private sector’s enormous appetite for personal data, the need for community data to facilitate bottom-up innovation, and the ability of individuals to exercise their right to privacy.
The PDP bill seems to have a clear focus on empowering citizens by giving them considerably more control over their data. The Bill would undoubtedly change the way Indians deal with and perceive their data and that of others. Once the Bill becomes a law, it would also help improve data management practices and data-related awareness in society. For example, businesses would also have to deal with personal data more seriously. They would have to relook at all their data processing activities. The Bill classifies personal data into three categories, making it possible for data fiduciaries to be more responsible for processing them. Establishing a regulatory sandbox will greatly help start-ups driven by technology at an early stage because it will exempt them from complex procedures and compliance with the bill provisions. Once enacted and made into a law, it has an overall effect on Indian enterprises and MNCs as they must ensure that their data processing complies with the provisions of the legislation. It would pave the way for a more robust data security and privacy control framework and guidelines in India, similar to those established globally.
Abhishek Vishwanath [ BA.LLB (Hons.)]
School of Law, CHRIST (Deemed to be University) Bangalore