DATA PRIVACY LAWS IN INDIA

ABOUT THE AUTHOR


This article has been written by Sandra Paul, a Law student

at Christ University, Bangaluru.


INTRODUCTION

Data is the new currency of the 21st century. Technological advancements have not only turned the world into an interconnected global village but has also considerably diminished the once flourishing concept of privacy. The advent of smartphones, social media platforms and e-commerce has transformed the local platforms of trade and inter-country or rather intercontinental commerce to global import-export space. Website cookies and word searches enable data fiduciaries to collect our thoughts and transform it into our marketing preferences . Personalised advertisements, search suggestions, food-travel-technology commercials that exactly matches our interests, the contact location, media files etc accesses that we provide while downloading apps from the play store are seemingly harmless examples of technology intruding our privacy to personalize their services.

India which opened its market to the globe in 1991 still stands with the tag of “developing country” and continues to further open itself to global players to make further investments. This is essentially a reason which slackened developments in privacy and data privacy legislation.

EVOLUTION

The Supreme court had previously in the case of Kharak Singh vs UOI held that right to privacy was not a constitutional Right. This exact Judgement was reversed in the case of Justice Puttuswamy and Ors vs UOI where the SC held that The right to privacy was enshrined in Article 21 of the Constitution and that Right to informational privacy was a subset to this. It further said that “Information about a person and right to access that information also needs to be given protection”. “every person should have the right to control the commercial use of his/her identity and that the right of individuals to exclusively commercially exploit their identity and personal information, to control the information available about them on the internet and to disseminate certain personal information for limited purposes alone”.

The same judgement also emphasizes that fundamental rights are enforceable only against the state and instrumentalities of the state and Supreme court in the same judgement recognized the that enforcing the right to privacy against private parties may require further legislative intervention.

The personal data protection Bill,2019 was important in two aspects, First that it was the first cross-sectoral legislation that can be equally applied to all fields in law. This meant that the previous provisions in the information technology Act, 2000 through Section 43A would get repealed. Also, this impliedly upheld the common law principles of equity and law of Breach of Confidence. The Aadhar (targeted delivery of financial and other Subsidies Act)2016, was key legislation, which while upholding the right to privacy also allowed the government to access personal information for specific purposes. The lack of rules to segregate critical personal data from non-critical and non-personal data along with no other compliance measures led to the formation of the Sri Krishna Committee which after also studying EU’s GDPR came up with a draft on which the current PDP Bill lies.

PERSONAL DATA PROTECTION BILL

The new PDPA Bill consists of 14 chapters. It brings out important provisions such as the duties of the data fiduciaries who decide how the data at hand should be processed. It can be the state or a company. A well-known example would be the Cambridge Analytica scandal. In this case, Facebook would be the Data Fiduciary that is the entity which decides as to how and how much of data to be processed and Cambridge Analytica would be the data processor which though important is not explicitly mentioned in the Act. It lays down restrictions on processing personal data and lays down the consent requirements while processing the accessible personal data. Moreover, it also specifies the data types which require consent before processing.

It even classifies data into personal and sensitive personal data and highlights how this categorization takes place. It also talks about the situations in which personal data can be procured without consent. Another highlight would be the rights granted to the data principals such as the right to confirmation and access, the right of erasure etc. The important part comes when the provisions talk of the restrictions for transferring personal data outside the country particularly in a situation where the Indian government is promoting MNC’s to invest in India.

Another highlight feature is the setup of the data protection authority who is to safeguard and implement the data protection regime in India. Penalties and exemptions have been allotted a chapter. The act also provides for an effective redressal mechanism by authorizing an appellate tribunal specifically for this purpose.

PITFALLS

Experts point out three important deficiencies in the method which would be followed to implement the bill. Firstly, the bill increasingly relays on strengthening the consent based mechanisms for data protections which the experts believe would not benefit in the long run. The increased disclosure requirements to users about the usage of their data would lead it to becoming less effective and further counter productive leading individuals to take less responsibility while sharing their data.


Secondly, the preventive framework proposed in the bill could significantly raise the compliance cost for private businesses who are small-medium industries. Also the Bill could compel the businesses to share non-personal data which could have deleterious effects.

The third major issue with the bill is the proposed setup of the Data Protection Authority (DPA). This body will be tasked with regulating the provisions of the bill to frame regulations on issues such as mechanisms for taking consent, limitations on the use of data, and cross-border transfer of data etc. Considering India’s low regulatory capacity this could either lead to under regulation or over regulation.

REFERENCE:

Websites:

1) Carnegie India https://carnegieindia.org/2020/03/09/will-india-s-proposed-data-protection-law-protect-privacy-and-promote-growth-pub-81217#:~:text=In%20December%202019%2C%20the%20government,for%20data%20protection%20in%20India.&text=Union%20of%20India%20held%20that,a%20fundamental%20right%20to%20privacy.

2) https://www.prsindia.org/billtrack/personal-data-protection-bill-2019

Cases:

1) Kharak Singh Vs Union of India 1963 AIR 1295

2) Justice K.S Puttuswamy Vs UOI WRIT PETITION (CIVIL) NO 494 OF 2012

3) State of NCT Delhi vs Unique Identification Authority India (2018)

1/21