Posted inCyber Law

An Analysis On Data Protection In India

An Analysis On Data Protection In India

Abstract

The development and advancements in science and technology had compelled the legislature of the countries all over the world to bring new laws into existence. Data Protection laws is one among such laws, which emerged very recently to combat the cyber attacks against a person’s right to privacy. Right to privacy includes right to protect his/her data too. Now a days, data privacy and its protection is a concern of every individual due to the misuse of technological developments. Data Protection is a mechanism which talks about how to protect a person’s data from unauthorized access and malicious insiders. Indian constitution being a constitution which gives priority to rights than duties had already emphasized the importance of right to data privacy and its protection impliedly through Art. 21,19. Even though the Indian Penal Code, Information Technology Act and Right to Information Act talks about it, still India doesn’t possess a separate legislation for the data privacy and its protection. The purpose of this research paper is to study the existing legal status of Data Protection laws in India and also to check the current status of the proposed Personal Data Protection Bill and the challenges faced by the bill in our society etc. For this purpose I had used many statutes including Indian Constitution , Indian Penal Code , IT Act , RTI Act as primary sources of data and read many articles and books etc as my secondary sources of data.

Introduction

The concept of Data Protection is not a new concept for Indians. It is a part of our Upanishads which talks about meditation, which need to be done in a silent environment away from public interference and the concept of curtains defined in the classic literature works like Ramayana are the best example for that. In this 21st century, when the whole world is undergoing through a “Digital Revolution”, Government of India also envisaged the idea of digital world through its “Digital India” initiative very recently. But the question is, whether a country like India which doesn’t possess a specific statute for Data Protection will be able to succeed in this initiative? Here comes the importance of Data Protection. Every country which has a vision of complete digitalization and digital economy must have a strict, transparent and accountable data protection laws as its own. Through this research paper, I had tried to conduct an elaborated study on the concept of data protection, its importance in India, various statutes talking about it, its effect on society and also the Indian proposed bill on Personal Data Protection.

Research Objectives

  • To do a detailed study on the concept of Data Protection and its relation with Data Privacy in India.
  • To locate the current position of Data Protection under various statutes of India including Indian Constitution.
  • To know about the evolution, features and concerns of Personal Data Protection Bill and Srikrishna Committee recommendations.

Research Methodology

The methodology I used for this research paper is purely doctrinal in nature. I used Indian Constitution, Indian Penal Code and Information Technology Act as my primary sources and some renowned articles, blogs and some websites related to Data Privacy and Data Protection as my secondary source of data.

Research Question

  1.  Whether any Indian statutes talks about Data Protection? If yes, up to what extend?
  • What are the reasons for the delay in passing of the Personal Data Protection Bill and what are the related concerns?
  • What will be the effects of Data Protection on Society?

Concept Of Data Protection

‘Data Protection’ talks about a set of privacy laws, policies and procedures that intend to minimize interference into one’s privacy caused by the compilation, storage and distribution of personal data. Here the word Personal data means any information or data which speak about a person and he/she can be recognized from that information or data. Normally such data or information will be collected by the Government itself or by any private corporate body or by agency. In other words, data protection is a mechanism talking about the protection of data from any unauthorized access. The methods and extent of data protection varies from a person to business and business to government accordingly.

Need Of Data Protection In India

  1.  In this data economic world, the corporate bodies and big companies started to consider Data as an asset and also finds value in its storage, collection and distribution. In order to fulfill this vision, they started to protect their Big data.
  • Right to Privacy which (includes personal data)being a fundamental right in India, the government of India has an obligation to formulate and implement a legislation for Personal data protection.
  • In order to combat the rising cyber attacks like identity theft, data stealing and all, we need a specific legislation with strict sanctions and a redressive mechanism.

Data Protection Is A Right?

Data protection is a right because this it is interrelated to Right to Privacy (which includes privacy of data) a fundamental right in India. And no data privacy is possible without data protection. So data protection is also a right.

Statutes Relating To Data Protection

Indian Constitution:

The evolution of the constitutional right to privacy began in the 1950s, particularly in response to police surveillance of the accused and nighttime searches of homes. In M.P. Sharma v. Satish Chandra, the Supreme Court ruled that while search and seizure are within a police officer’s duties, conducting them at midnight violates Article 19(1)(f) of the Constitution. The Court clarified that a mere search does not infringe on property rights, and any seizure is temporary, making it a reasonable restriction on the right to privacy.

Subsequently, in Kharak Singh v. Union of India, the Court recognized that the right to liberty falls under Article 21. In R. Rajagopal v. State of Tamil Nadu, a Tamil weekly magazine’s editor, printer, and publisher sought to prevent the state from interfering with the authorized publication of the autobiography of Auto Shankar, a death-row prisoner. In a later case, Justice Jeevan Reddy explicitly affirmed that the right to privacy is inherently included within Articles 21 and 19 of the Indian Constitution.

Indian Penal Code, 1860

The Indian Penal Code (IPC) was established during British rule in India, with its first draft formulated in the 1860s under the leadership of Lord Macaulay. However, the IPC does not fully address the requirements of data protection in India, as Indian criminal law does not explicitly deal with violations of data privacy. Under the IPC, legal accountability for such breaches is linked to related offenses.

For instance, Section 403 prescribes penalties for the dishonest misappropriation or conversion of “movable property” for personal use. This raises questions about whose rights are being protected when such liability arises. Similarly, Sections 405 and 409 outline punishments for misappropriating another person’s property under the principle of breach of trust. Although Section 378 defines theft, there is no specific provision addressing the theft of data or information.

In such cases, there are two ways to approach legal rights. Fundamentally, crimes are committed against the state, making law enforcement and public order a crucial concern. Therefore, linking ‘data protection’ with the IPC in the context of legal rights is relevant. In this framework, the state can also be considered responsible for safeguarding an individual’s data.

Information Technology (Amendment) Act, 2008

Indian Parliament had made many efforts to bring the concept of data privacy under IT Act, 2000. This Act has been amended many times to meet the new challenges posed by the development of cyber world. Among them, the latest is 2008 Amendment Act. According to the Data Protection & Information Technology (Amendment) Act 2008, the words ‘data protection’ and the ‘Information Technology” has its own connotation with each other. The objectives of the Act precisely talks about the protection of the cyber related rights. This Act includes provisions to prevent the illegal use of computers, computer systems and data stored within. There are a number of other provisions related to ‘data protection’. The newly inserted section 43A and Section 72A of the Act also talks about the protection of data. The main drawback of this legislation is that the present provisions talking about the data security and confidentiality are insufficient to cover the newly emerged cyber-crimes.

Right To Information Act, 2005

In India, the implementation of the right to information allows citizens to access information held by public authorities, fostering transparency and accountability. Section 2(j) of the RTI Act defines the ‘right to information.’ However, a significant concern arises regarding the security of data held by public authorities, particularly digital data under clause (iv) of Section 2(j), and whether it is properly maintained. As a result, data protection under this Act is considered an essential aspect of individual rights.

In Bennett Coleman v. Union of India, the Court affirmed that freedom of the press includes the right of individuals to speak, publish, and express their opinions. Furthermore, it ruled that freedom of speech and expression encompasses the right of citizens to read and stay informed. Similarly, in Indian Express Newspaper (Bombay) v. Union of India, the Court emphasized that freedom of speech and expression is based on the principle that all individuals should have the ability to form and communicate their beliefs freely. Additionally, it highlighted the public’s right to know.

Later, in PUCL v. Union of India, the Court elevated the right to information to the status of a fundamental human right, essential for ensuring transparent and accountable governance. The Supreme Court further stated that the right to information is inherently embedded in Article 19 of the Constitution. This establishes a direct connection between these two concepts as rights-based principles.

Personal Data Protection Bill Of India (Pdb Bill )

Evolution Of PDB Bill

In India, the Supreme Court declared the right to privacy a fundamental right on August 24, 2017, in the landmark judgment of Justice K.S. Puttaswamy & Anr. v. Union of India & Ors. (“Right to Privacy Case”). Following this ruling, the need for legislation to safeguard individuals’ personal data and privacy became a significant concern.

As a response, in August 2017, the Central Government appointed a data protection committee led by retired Supreme Court judge, Justice Srikrishna. On July 27, 2018, the committee published a comprehensive white paper emphasizing the necessity of a data protection law in the country. Subsequently, in July 2018, the committee released the final draft of the Personal Data Protection Bill, 2018.

Later, with some modifications, the Personal Data Protection Bill, 2019 (“PDP Bill”) was introduced in the Lok Sabha. On December 12, 2019, the bill was referred to a Joint Parliamentary Committee (“JPC”) for further deliberation and review. After nearly two years of examination, the committee submitted its report with various recommendations and amendments.

Key Recommendation Of The Joint Parliamentary Committee (JPC)

A short summary of the same is given below

Change Of Name And Scope Of The Data Protection Bill:

The JPC recommended renaming the Personal Data Protection Bill (PDP Bill) to the Data Protection Bill to include non-personal data under its purview. However, stakeholders expressed concerns that merging personal and non-personal data within the same legislation could weaken the core objective of the original bill, which was specifically designed to protect personal data.

Selection Of The Data Protection Authority (DPA)

The original PDP Bill provided limited stakeholder involvement in the selection of the Data Protection Authority (DPA). The JPC proposed that the selection committee should include experts from technical, legal, and academic fields, alongside bureaucrats. However, this change could potentially place the DPA under indirect control of the Central Government, as all members of the selection committee would be appointed by the government.

Exemptions To Government

While The PDP Bill Granted Exemptions To The Government In The Interest Of National Security, The JPC Recommended Imposing Conditions On These Exemptions. It Suggested That The Government Should Only Be Allowed To Exempt Itself From The Law’s Provisions Through A Fair, Just, Reasonable, And Proportionate Process.

Data Breaches

The PDP Bill Required Companies To Report Personal Data Breaches Only When They Caused Harm To The Affected Individuals. The JPC Expanded This Requirement, Mandating The Recording Of All Types Of Data Breaches, Whether Related To Personal Or Non-Personal Data. Additionally, The Report Set A 72-Hour Deadline For Reporting Breaches.

Social Media Regulation

The original bill required stricter assessments of social media intermediaries. The JPC report, aiming to address the risks of fake news and fraudulent accounts, proposed mandatory verification of all social media users. It also criticized the Information Technology Act, 2000, stating that it had failed to regulate social media effectively. Furthermore, the report suggested treating social media intermediaries as “publishers” in specific cases, particularly when dealing with content from unverified accounts.

Children’s Data

The PDP Bill included provisions for protecting children’s data and introduced the concept of a guardian data fiduciary—a fiduciary that operates online services targeting children or handles large volumes of children’s data. However, the JPC recommended removing the concept of a guardian data fiduciary, arguing that it could dilute the primary objective of protecting children’s data.

Data Localization

The PDP Bill already included data localization provisions, but the JPC report further strengthened them. It strongly recommended that all data generated in India be stored within the country for national security reasons. Additionally, the report suggested that copies of all sensitive and personal data stored abroad should be transferred to India, ensuring that data from entities operating in India remains localized within the country.

Features Of The Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 (“PDPB”) was introduced on December 11, 2019, with the primary objective of safeguarding individuals’ personal data and ensuring their privacy. The bill also aims to establish the Data Protection Authority of India to oversee matters related to data protection. It is set to replace Section 43A of the Information Technology Act, 2000, which deals with compensation for corporate entities in cases of failure to protect personal data. Additionally, the bill outlines guidelines for the collection, processing, usage, disclosure, storage, and transfer of personal data.

Applicability

The PDPB will have application to the processing of personal data collected and stored by the government, any Indian company, by any citizen of India or by any body incorporated in India and comes within the territory of India. This Act will have application on any foreign companies dealing with personal data of Indian Citizens.

Obligations To Data Fiduciary

The collection, processing and storage of Personal Data can be done only for a lawful purpose. When it comes to processing of data, the controller or processor who acts as the data fiduciary have the following obligations to fulfil:

  • The bill proposes the establishment of the Data Protection Authority of India to safeguard individuals’ interests and prevent the misuse of personal data. Decisions made by the authority can be appealed before an Appellate Tribunal, and further appeals can be made directly to the Supreme Court.
  • The purpose must be clear and lawful.
  • Collection of Personal Data shall be limited to data that is required for to fulfill the purpose
  • Prior to collection and processing, a notice should be send to data subject.
  • Prior to processing, the controller have to get the consent of the data subject.
  • Rights to Data Subject – The bill grants individuals several rights concerning their personal data, including; the right to receive confirmation from the data controller about the processing of their data; the right to rectify inaccurate or incomplete data and update it whenever necessary, the right to data portability, the right to withdraw consent at any stage of data processing.
  • Data Protection Authority – The bill proposes the establishment of the Data Protection Authority of India to safeguard individuals’ interests and prevent the misuse of personal data. Decisions made by the authority can be appealed before an Appellate Tribunal, and further appeals can be made directly to the Supreme Court.
  • Restrictions on Transfer of data outside India – Sensitive personal data may only be transferred outside India for processing if the data subject gives explicit consent. However, such data must also be stored within India.

  • Exemptions – The central government has the authority to exempt any government agency from the application of this law if deemed necessary for Protecting the sovereignty and integrity of the country, Ensuring national security, Maintaining friendly relations with foreign nations.

Concerns Related To Personal Data Protection Bill, 2019

  • This bill acts as a double-edged sword. While it safeguards the personal data of Indian citizens by granting specific rights to data subjects, it also empowers the central government to exempt its agencies under certain conditions.
  • Additionally, the bill allows the central government to process citizens’ data, including sensitive personal data, at any time without requiring their consent.

Effect Of Data Protection Law On Society

In today’s interconnected world, society is linked by an invisible thread of information through online platforms such as Facebook, Skype, WhatsApp, and Twitter. People not only rely on these platforms for accessing information but also for storing and sharing their data with others globally. Hence, it is crucial to safeguard this shared and stored data from misuse by individuals or agencies through robust legislation.

In the digital era, where data is considered both a part of privacy and a valuable asset, the government has a responsibility to ensure its protection. The open availability of vast amounts of data increases the risk of cybercrimes such as identity theft, data misappropriation, hacking, and other malicious activities. Data protection also involves securing information from unauthorized access.

Social media, a form of internet-based communication, includes various types such as blogs, microblogs, wikis, websites, and widgets. In recent years, social networking platforms like Facebook, Twitter, and WhatsApp have gained immense popularity across all age groups. While their primary purpose is to foster digital connections, many users are unaware that the data they share online is vulnerable to breaches, potentially leading to crimes and security threats.

Conclusion

With numerous organizations relying on computers to store and process individuals’ information, there is always a looming risk that this data could be misrepresented, accessed by unauthorized entities, and subsequently misused. Following demonetization, the government has taken several steps to promote digital payments and move towards a cashless economy. This shift highlights the urgent need for a robust legal framework to ensure the privacy and protection of data belonging to individuals and organizations in India.

Unlike the UK, Australia, and other European nations, India lacks a stringent Data Protection law. Although the Supreme Court has expanded the scope of privacy and data protection, recognizing it as a fundamental right of every Indian citizen, the existing laws remain insufficient to guarantee full protection of this right. Therefore, a comprehensive Data Protection Law is essential to provide greater clarity and effective enforcement of data privacy rights.

Suggestions

  1. A constitutional amendment can be introduced to recognize data protection as a fundamental right, along with the development of a National Policy on Data Protection Law to ensure that individuals have control over the collection and transmission of their personal information.

  2. Similar to the National Information Commission, a National Data Privacy and Protection Commission can be established to safeguard data privacy and provide an effective grievance redressal mechanism.

  3. In today’s digital age, where data is a valuable asset, it must be properly regulated. Therefore, additional laws and regulations should be introduced to ensure adequate data protection.

  4. The Personal Data Protection Bill, 2019, should be revised to prioritize user rights and emphasize the importance of user privacy.

  5. While strengthening the right to information, the government must also take necessary measures to protect the privacy of citizens.

References

  1. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4005750
  • https://www.researchgate.net/publication/380721493_Data_Privacy_and_Protection_in_the_Digital_Age_Emerging_Trends_and_Technologies
  • https://ijirl.com/wp-content/uploads/2022/03/AN-ANALYSIS-ON-DATA-PROTECTION-IN-INDIA.pdf
  • https://www.researchgate.net/publication/50273874_Privacy_and_Data_Protection_in_Cyberspace_in_Indian_Environment

Author: Eeshaan Omkar is a law student at KIIT School of Law, Kalinga Institute of Industrial Technology (KIIT), Bhubaneswar, Odisha

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *