29/06/2023
LAWS GOVERNING DATA PROTECTION AND DATA PRIVACY IN INDIA
ABSTRACT
Data refers to all information and materials created and acquired during the provision of the services, including survey plans, charts, recordings (audio and/or visual), pictures, curricula, graphic representations, computer programmes, and printouts, notes, and completed or uncompleted documents that can be used to forecast the future of the entity or the individual.
Data protection refers to the practices and measures taken to safeguard the privacy, confidentiality, integrity, and availability of data. It involves the protection of personal information and sensitive data from unauthorized access, use, disclosure, alteration, or destruction.
In the digital age, data protection has become increasingly important due to the widespread collection, storage, and sharing of data. Individuals, organizations, and governments must take steps to ensure that data is handled in a responsible and secure manner.
The proper handling of data by a website or platform is known as data privacy. Internet users have faith in the middlemen, knowing that the data a website collects is secure and private. The relationship between the internet user and the intermediary needs to be trustworthy; otherwise, the person's online identity and privacy will be exploited. Trust is a crucial component of any successful relationship.
There is no set restriction on the amount of data that a website or organisation may gather in the current digital age that has been declared by the Indian law. Here are some categories of data privacy.
DATA PRIVACY
ADVANTAGES
Stop the government from monitoring the citizens.
Make sure those who steal, and misuse data are held accountable.
establishes boundaries.
guaranteeing the management of personal data.
Ensure that people can express themselves freely.
In India, there is no legislative framework approved on Data Privacy.
Right to privacy: A fundamental right
The Advocate General of India responded on behalf of the union in the case Justice K.S. Puttaswamy v. UoI (2017) 10 SCC and claimed that the right to privacy is not a basic right and is not included in the constitution. The Indian Constitution's Article 21 protects the right to privacy as a basic right, according to the Supreme Court's majority ruling. In this case, Justice K.S. Puttaswamy, a retired High Court judge, contested the legality of the Aadhar Act and the use of biometrics and other personal data collected from individuals.
There are 2 sections relating to data disclosure and failure to protect data, in the Information Technology Act, 2000.
Section 43A. Compensation for failure to protect data.
When a body corporate negligently fails to implement and maintain reasonable security practises and procedures and causes a person to suffer wrongful loss or wrongful gain as a result, that body corporate shall be liable to pay damages by way of compensation to the person so affected. This liability shall arise from the body corporate's possession, dealing, or handling of sensitive personal data or information in a computer resource that it owns, controls, or operates.
Section 72A. Punishment for disclosure of information in breach of lawful contract.
Except as otherwise provided in this Act or any other law currently in effect, any person, including an intermediary, who while providing services under the terms of a legitimate contract obtained access to any material containing personal information about another person, discloses that material without that person's consent or in violation of a legitimate contract with the intention to cause or knowing that he is likely to cause wrongful loss or wrongful gain is prohibited.
Data Privacy and Personal Data Protection Bill, 2019
The Sri Krishna Committee was established by the court as a special committee to develop a bill on personal data. On July 27, 2018, a report was delivered by the committee led by BN Krishna, a retired Supreme Court justice. The government drafted the Personal Data Protection, 2019 bill, which was then promptly referred to the Joint Parliamentary Committee (JPC) and has not yet been put into effect since the committee found the framework to be imprecise and unsuitable for the rapidly changing technological environment. To adopt the made bill, 5 extensions have been requested since 2019. Clause 35 of the PDP, 2019, grants the government protection and allows it to access any user's information as well as track information about the nation's citizens. [1]
The government had complete authority to monitor individuals and their online activity (if necessary). The issue should be governed by legislation because it is now a national security risk. 'Data fiduciary' and 'data processor' are notions put out in the PDP Bill. According to the GDPR, a "data fiduciary" and a "data processor" are equal to the terms "controller" and "processor." The bill protects people by fining companies who collect user data without their consent. In regards to business performed in India, the offering of products or services to individuals in India, or the profiling of individuals, the PDP Bill will not only apply to persons in India but also to persons outside India.
Status of the PDP Bill,2019
The Joint Parliamentary Committee started working on the report on purpose in 2019. The committee was discussing a number of clauses and provisions, most notably Clause 35 of the bill, which exempts the government from responsibility for maintaining public order and the national interest. After two arduous years, on November 22, 2021, the committee authorised sending the bill to the parliament for consideration during the following session. The committee made a slight amendment to the exemption language, and although while the state has the authority to exempt itself from the applicability, it should only be utilised in extreme cases.
Additionally, the committee had suggested that all social media companies open up offices in India and establish a media regulating authority to control the flow of content. There are prevailing claims that it lacks sufficient protections for an individual's right to privacy. Additionally, the committee had stated that there was no clause addressing data collecting by device makers.
DATA PROTECTION
The Information Technology Act, 2000 (IT Act) and Indian Contract Act, 1872 are currently the data protection legislation in India because there isn’t any special legislation for this matter yet.
NEED FOR DATA PROTECTION LAWS
The data protection laws specify what must be done to guarantee that personal data is handled morally and appropriately. The collection, use, transfer, and disclosure of personal data, as well as its security, are all governed by data protection legislation. People are given access to their data, accountability requirements are established for companies that process it, and remedies are provided for improper or harmful processing.
In addition to offering remedies for fraudulent activity and false profiles that can be created using stolen data, data protection laws do the same. Data protection laws are important because when information gets into the wrong hands, it can endanger people's safety in a number of ways, including their economic security, physical safety, and personal integrity.
The Information Technology Act of 2000
The Information Technology Act of 2000 was passed on October 17, 2000. The primary Indian law addressing e-commerce and cybercrime issues is this one. The Act was passed in an effort to combat cybercrime, support online transactions, and advance e-governance. Law's main objectives are to diminish or completely eradicate cybercrimes while facilitating legitimate, trustworthy digital, computerised, and online operations.
In order to bring legal consistency among various countries, the United Nations Commission On International Trade Law (UNCITRAL) adopted the UNCITRAL Model Law on Electronic Commerce (E-commerce) in 1996. This prompted the Government of India to enact legislation for India based on the UNCITRAL guidelines, which was later revised and approved by the Ministry of Electronics and Information Technology and became known as the Information Technology Act. India changed its cyberlaws, becoming the eleventh country to do so.
Section 69 of the Information Technology Act, 2000
It states that the government may request the disclosure of any information in the public interest if doing so would put India's national security, sovereignty, and integrity at risk, as well as its defence, security, friendly relations, or public order when there are legal or fraudulent violations.
Section 69A of the Information Technology Act, 2000
For similar reasons and grounds (as set forth above), the central government may order that any government agency or intermediary restrict public access to any information created, communicated, received, stored, or hosted on any computer resource under Section 69A. The term "intermediaries" would also include search engines, online marketplaces, cybercafés, auction and payment sites, telecom service providers, network service providers, Internet service providers, and web hosting companies. Such demands to restrict access, nevertheless, would need to be accompanied by written arguments.
Section 69B of the Information Technology Act, 2000
The national government may authenticate any government institution to monitor and gather traffic data or information generated, transmitted, or received over any computer resource by publication of a notice in the Official Gazette. This is done for the purposes of enhancing data security and identifying, analysing, and preventing invasion or computer contamination in the country. The ability to track and collect traffic statistics or information is granted by Section 69B.
DEVELOPMENT OF DATA PROTECTION LEGISLATIONS
In the case of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), the Supreme Court of India declared the right to privacy and data protection to be a fundamental right. Additionally, the current legal framework for privacy is outlined in the Information Technology Rules, 2011 (IT Rules, 2011), which regulates the "collecting, receiving, possessing, storing, dealing, handling, retaining, using, transferring, disclosing sensitive personal data or information, security However, this clause is viewed as being insufficient since, among other things, it does not address the exploitation of data gathered from children, data breaches by companies outside of India, or the narrow definition of sensitive data.
PERSONAL DATA PROTECTION BILL, 2018
The Personal Data Protection Bill, 2018, was the initial draught of the legislation produced by the Justice Srikrishna Committee, which was charged by the Ministry of Electronics and Information Technology (MeitY) with writing data protection legislation for India. This plan was implemented by the government and presented to Lok Sabha, but it was referred back for revision for the following reasons:
The new clause about data localization may have caused the most public uproar. Data fiduciaries are required by law to store "at least one serving copy" of customer information on a server or at a data centre located in India. Making it easier for law enforcement to obtain this information is the sole justification for such a rule.
This brings to the second problem with the bill: if authorised and in compliance with legal procedure, it allows the processing of personal data for state security purposes. Additionally, it permitted the processing of personal data for the purposes of criminal investigation, detection, and prosecution. The state's access to all personal data poses a major threat to the right to privacy since India's laws preventing state surveillance are insufficient.
Not to mention, the draught law created a regulatory framework that was not sufficiently independent: the regulatory system was strongly influenced by the central government and was open to commercial capture. The proposed legislation gave the central government the authority to choose the members of the data protection body, as suggested by an independent panel. The appointment may continue for five years, which was a relatively short time for a new organisation to get up to speed and gain the independence it requires to work effectively as a regulator.
Personal Data Protection Bill, 2019
The Personal Data Protection Bill, 2019, which was introduced after that, was later withdrawn amid promises of a replacement policy that would respect India's complex legal framework and take into account the other 81 changes recommended by the Joint Parliament Committee.
Data Protection Bill, 2021
A single piece of legislation, the Data Protection Bill, 2021, was proposed by the committee and would apply to both personal and non-personal datasets. The advice in the report to move towards complete localization of data was contested. The scrapped measure had also proposed a data protection authority. It had also recommended explicitly stating the flow and usage of personal data as well as defending the rights of individuals for whom the personal data are processed. This is done as it develops the framework for the cross-border transfer, accountability of entities processing data, and potential remedies for unauthorized and harmful processing.
Digital Personal Data Protection Bill 2022 (DPDP Bill, 2022)
The Digital Personal Data Protection Bill (DPDP Bill, 2022) now governs all digital handling of private data. This would include any personally identifiable data collected offline or online and handled in a digital manner. This measure will have an impact on the legal protections provided to clients of Indian start-ups conducting business abroad, which will reduce their competitiveness. The bill, which exempts data fiduciaries in India who process personal data belonging to Indian nationals from applying to most of its safeguards, further supports this opinion. In the upcoming session of the parliament in 2023, this draught is anticipated to be submitted for approval.[2]
IMPORTANT CASE LAWS
Suhas Katti v. The state of Tamil Nadu
In the case of Suhas Katti v. The state of Tamil Nadu (2004) involved a complaint made by the victim under Sections 67 of the IT Act and 469 and 509 of the Indian Penal Code, 1860. The accused posted obscene comments about the victim in several groups in an effort to humiliate the woman. He revealed her telephone number and started a bogus account in her name in an effort to damage her image. The court determined that the accused was guilty in accordance with the aforementioned Sections. Because it inspired people all around the country to come forward and report instances of online abuse, this case is significant.[3]
Amar Singh v. Union of India
In Amar Singh v. Union of India (2011), the petitioner contended that his telecom service provider had secretly recorded his calls. He claimed that the purported monitoring went against his fundamental right to privacy guaranteed by Article 21 of the Indian Constitution. The service provider said that it was following orders from the relevant authorities (the NCT government). This case is noteworthy in light of Sections 69, 69A, and 69B of the IT Act, 2000. A telecom service provider engages in public-facing activity, the Court observed. It is necessary for it to act responsibly and rationally. In addition, the court ruled that when government orders "to tap phones" contain significant flaws, the service provider must verify their validity. The court additionally ordered the establishment of specific guidelines and regulations by the national government in order to prevent unauthorised call interception.[4]
CONCLUSION
When done with transparency and for the correct reasons, data protection is effective. For the intended use, the data acquired should be precise. A minimal amount of data should be required, and the website owner should be held accountable. A requirement for precision exists. Due to occurrences of privacy breaches and the advancement of technology, internet users have become more aware about internet privacy. Check your accounts' privacy settings frequently. You might be disclosing more details to strangers than just your name and age.
In terms of privacy and data protection, the year 2021 was a turning point for the country. In response to the urgent necessity for thorough data protection regulations, numerous legislative and executive actions were required. Undoubtedly, India has a long way to go before figuring out what will work best for a country like ours, especially given how poorly understood data privacy is here. To grant these rules and regulations legislative authority, India has made and is still making a number of attempts. It is important to educate people about their rights to privacy and the legal framework governing it, as well as to implement the necessary regulations for its administration.
