“For the first time, he perceived that if you want to keep a secret, you must also hide it from yourself.” – George Orwell, 1984
With nearly 450 million Internet users and a growth rate of 7-8%, India is well on the path to becoming a digital economy, which has a large market for global players. Source: DigitalIndia.gov.in
The Statutory Landscape in India
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.
Data Protection in India comes within the purview of the Information Technology Act, 2000 and the Law of Contracts as well as the Constitution of India.
Provisions of Information Technology Act, 2000
Section 43: This Section provides for a penalty for unauthorized use of a computer, computer software or computer network. Unauthorized downloading, extraction and copying of data are also covered under the same penalty. There is also a penalty for unauthorized introduction of computer viruses or contaminants and for assisting unauthorized access. The maximum amount of penalty is one Crore.
Section 65: This Section provides that “Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.”
Section 66: Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack. This section imposes the penalty of imprisonment of three years or fine up to two lakh rupees or both on the hacker.
Section 70: This Section under sub-section 70(g) stipulates that “any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.”
Section 72: This Section provides that “any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”
Law of Contract
Data may be protected under the Law of Contracts by drawing up agreements such as non-circumvention and non-disclosure agreements, user licence agreements and referral partner agreements. Agreements such as these contain confidentiality and privacy clauses as well as arbitration clauses.
Historical & Legal Context
The Personal Data Protection Bill, 2006
This Bill was introduced in the Rajya Sabha on December 8, 2006. Its purpose is to protect the personal data and information of an individual collected for a particular purpose by one organization, to prevent its use by other organizations for commercial or other purposes, and to entitle the individual to claim compensation or damages for disclosure of personal data or information without his consent. It also covers matters connected with or incidental to the Act.
The Personal Data Protection Bill, 2019
After numerous discussions and deliberations, the committee headed by Justice B. N. Srikrishna proposed a draft bill. On December 11, 2019, the Minister of Electronics and Information Technology tabled the Personal Data Protection Bill in the Lok Sabha. Much to the shock of the general public, it omitted all safeguards mentioned in the draft bill. It lacked the essentials of valid legislation: the objective or intent, proportionality and reasonability.
Cons
The tabled Bill overlooks the severe concerns of state surveillance. The Bill states no objective, so it is unclear what it seeks to achieve. It is vague. Further, it fails to lay down the circumstances for the invocation of the power, the exact persons to execute the power or the procedure to be followed. The most significant change from the proposed draft bill is the extensive grounds on which the Central Government can exempt governmental agencies from the requirements of the Bill. The draft bill proposed the appointment of independent representative stakeholders as the Data Protection Authority of India. However, in the new Bill, the authority consists of government nominees. Therefore, it gives complete autonomy to the government. It blatantly disregards the principles of proportionality and reasonability. Also, the new Bill dilutes the data localisation mandates. The draft bill required mirroring of all personal data in India. However, the new Bill introduces such standards for critical and sensitive personal data.
Pros
On the flip side, a few changes were welcomed by the general public. The draft bill gave powers to the Central government to formulate suitable policies for the new digital economy, including measures for the growth, security, integrity and prevention of misuse of non-personal data. The draft bill failed to define what it meant by non-personal data. However, the new Bill defines non-personal data. Further, it empowers the Central government to direct any data fiduciary or processor to provide all anonymised personal data or non-personal data. Another useful inclusion is the right to erasure. It enhances the data principal's rights by allowing a request for the erasure of data that is no longer of use for processing. Such a right was missing from the draft bill. The new Bill also introduces the concept of consent managers, which was not present in the draft bill. A consent manager is a data fiduciary which enables a data principal to gain, withdraw, review and manage their consent through an accessible, transparent and interoperable platform.
The new Bill comes as a disappointment, especially after the unequivocal judgment by the nine-judge Bench of the Supreme Court of India on the right to privacy. The judgment contains specific language that the Bill is a measure to realise the fundamental right. Nevertheless, the new Bill serves a political economy which at first appearance is attractive in its promise of taking us away from the cloudy maxims of constitutionalism and delivering us a digital utopia. However, to achieve the same, we have to not only focus on the finer text of the new Bill but also reframe significant parts of its intents and objectives.
The Right to Privacy in India
Privacy as a Fundamental Right
In the landmark judgment in K.S. Puttaswamy and Anr vs Union of India, the Apex court held that privacy is a fundamental guarantee to its citizens. Further, it urged the Government of India to take steadfast decisions in light of the new decision and legislate an efficient data protection bill to tackle the problems of data privacy.
Indian Approach to Data Protection & Privacy (Seven Principles)
01. Technology agnosticism
The law must be technology agnostic. It must be flexible to take into account changing technologies and stand.
02. Holistic application
The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.
03. Informed consent
Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful.
04. Data minimization
Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes.
05. Controller accountability
The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data.
06. Structured enforcement
Enforcement must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralized enforcement mechanisms.
07. Deterrent penalties
Penalties on wrongful processing must be adequate to ensure deterrence.
Parts of the Draft White Paper Released by the Govt. of India
Scope and Exemptions
Grounds of Processing, Obligation on Entities and Individual Rights
Regulation and Enforcement
The Need for Data Privacy Laws and Regulations in India
Making a phone call, wearing a fitness tracker or owning a social media account, all include the transmission and dissemination of millions of bytes of personal data to private and public entities. The usage of such acquired data is beyond the imagination of an ordinary unsuspecting user. Data handlers exploit such personal data of individuals and monetise them. However, the dangers to data privacy are not just undue enrichment of the third parties.
Facebook-Cambridge Analytica data scandal
The 2018 Facebook-Cambridge Analytica data scandal reveals the challenges within. Cambridge Analytica collected and harvested the personal information of millions of American Facebook users without consent and sold the data for political campaigning. There are speculations that the scandal had an overwhelming role to play in the 2016 presidential campaigns. Further, the Indian brainchild, the Aadhaar scheme, which aims to standardise data collection and simplify the dispersal of Government benefits, is a repository of the world’s most massive biometric data. The scope of using or exploiting the data is manifold. Moreover, on the flip side of excessive data regulation is
The bounds and seams of such a territory remain yet uncharted. Fortunately, the world's governments realised in time the grave ethical violation of data infringement and its profound ramifications on world dynamics. Therefore, data protection and data have become the need of the hour.