October 17, 2018

Rate This Article
1 Star2 Stars3 Stars4 Stars5 Stars (2 Votes, Average Rating: 5.00 out of 5)

The Evolving Data Protection Regime In India

- Anuradha, Senior Associate [ Advaita Legal ]
- Abhinava Jayaswal, Associate [ Advaita Legal ]

We live in the 21st century where almost everything around us can be summarized into some form of data secured on computers; this poses a threat we must address...

'Privacy’ is a term that originates from the word ‘Private’ which is the opposite to ‘Public’. In simple words, privacy is an attribute relating to an individual/person, which is not meant for public consumption or the state of being free from public attention. The idea of privacy being fundamental to our existence has also been accepted and acknowledged by the apex court of this country in a historic judgment declaring privacy as a fundamental right guaranteed under Article 21 of the Constitution of India.

The court declared that privacy constitutes an intrinsic part of the right to life and personal liberty. It also recognized that privacy is a multidimensional construct, encapsulating within it various rights such as informational privacy, bodily-integrity, and self-determination. The court also noted both the positive and negative obligations arising out of the fundamental right to privacy and the dangers faced from private actors. The court clarified that the right to privacy is not absolute and that the state can place reasonable restrictions on it in the interest of fulfilling objectives such as protecting national security, preventing and investigating crime, encouraging innovation, and preventing the dissipation of social welfare benefits.

Living in the 21st century where almost everything around us can be summarized into some form of data secured in the computers. We have already seen the impact in the recent fiasco caused by Facebook where the data of 87 million users that also includes 5 lakh Indian users, was shared with Cambridge Analytica. This reminded the world of the alarming consequences that may arise due to inefficient and inappropriate privacy laws and data protection measures in the global scheme of things where the world has literally become one because of the Internet.

The much-awaited Data Protection Bill 2018 makes ‘individual consent’ the keystone of data sharing. For consent to be valid, it should be free, informed, specific, clear and capable of being withdrawn. For SPDI, consent will have to be explicit. The Bill is largely based on the principles of the GDPR

With data privacy concerns on the rise, we saw some stringent regulatory requirements like EU GDPR coming into force. These regulations are not just about data privacy but it also redefines the way different businesses around the world and specifically in EU engage with people and the way they practice data protection and its management.

India, on the contrary, is yet to get a specific piece of legislation on the issue of data privacy and protection laws. A number of domain-specific laws have been introduced to protect users’ data. The Information Technology Act, 2000, along with its Rules on Sensitive Personal Data Information (SPDI), is one of the most significant steps towards protecting data privacy. However, the SPDI rules are only applicable to corporate entities, not to any arm of the government. The protection of data privacy under these rules is further restricted to such personal information which consists of information relating to password, financial information such as Bank account or credit card or debit card or other payment instrument details, physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information etc.

Recognizing the dire necessity to have a complete data privacy framework to provide for overall governance and protection of privacy of data, in August 2017, the government constituted a 10-member committee of experts headed by former Supreme Court Judge, Justice B.N. Srikrishna to study various issues relating to data protection and make specific suggestions on the principles to be considered for data protection as well as propose a draft Data Protection bill.

The objective was to ensure growth of the digital economy while keeping personal data of citizens secure and protected. The Committee by way of preliminary suggestions released a White Paper on November 27, 2017 and stated that a framework to protect data in the country should be based on seven principles: (i) law should be flexible to take into account changing technologies, (ii) law must apply to both government and private sector entities, (iii) consent should be genuine, informed and meaningful, (iv) processing of data should be minimal and only for the purpose for which it is sought, (v) entities controlling the data should be accountable for any data processing, (vi) enforcement of the data protection framework should be by a high powered statutory authority, and (vii) penalties should be adequate to discourage any wrongful acts.

After almost a year of deliberations and consultations, the Committee has submitted its Report and the draft Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology on July 27, 2018. Even before the committee submitted its report, the Telecom Regulatory Authority of India (TRAI) issued Recommendations on “Privacy, Security and Ownership of the Data in the Telecom Sector” with a view that the larger issues relating to data protection framework applicable in general to all sectors of the economy would in any case be addressed by the Committee and therefore, TRAI considered only the Telecom Service Providers (TSPs) - which provide the connectivity and communication services; devices - which an end user uses to access the network and services; and the users of telecommunication services themselves.

The recommendations stated that the existing framework for protection of personal information / data of telecom consumers is not sufficient and till such time a general data protection law is notified by the Government, the existing Rules / License conditions applicable to TSPs for protection of users’ privacy be made applicable to all the entities in the digital ecosystem. TRAI further recommended that the concept of “Data Minimization” should be inherent to the Privacy by Design principle implementation.

The much-awaited Data Protection Bill 2018 makes ‘individual consent’ the keystone of data sharing. For consent to be valid, it should be free, informed, specific, clear and capable of being withdrawn. For SPDI, consent will have to be explicit. The Bill is largely based on the principles of GDPR.

The Bill provides for setting up of a Data Protection Authority (DPA) which will be an independent regulatory body responsible for the enforcement and effective implementation of the law. The DPA is vested with the power to categorize certain fiduciaries as ‘significant data fiduciaries’ based on their ability to cause greater harm to data principals as a consequence of their data processing activities. The Bill recognizes the service provider as a data fiduciary, as the individual (data principal) is dependent on the service provider to avail the services offered. This categorization will be based on an assessment of volume shared, disclosed, collected or otherwise processed in India. However, in respect of processing by data fiduciaries that are not present in India, the law shall apply to those data fiduciaries which are carrying on business or any other activities in India. Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India.

The Bill imposes strict regulations on cross border transfer of personal data and requires every data fiduciary to store one serving copy of the personal data on a server or data center that is located within the territory of India. Also, the Central Government may in due course of time notify the categories of ‘critical personal data’ to be processed only on a server or data center located in India.

However, the Bill gives the Central Government the power to exempt such companies which only process the personal data of foreign nationals not present in India. The prospective law will cover processing of personal data by both public and private entities.

The Committee in its Report has identified a list of 50 statutes and regulations which have a potential overlap with the data protection framework. The Report also mentions that the concerned ministries may take note of this and ensure appropriate consultation to make complementary amendments.

The Bill is a step in the right direction. However, there are basic aspects of privacy rights that have not been recognized. For instance, ownership of data for one has been completely ignored. The Bill treats data as a matter of ‘trust’ and not property unlike under the GDPR. The right to be forgotten/erasure has only been addressed partially. Also, the Bill has attracted criticism for proposing to amend the Right to Information Act, 2005. It was pointed out that such an amendment would increase the scope of rejection of information by Public Authorities and perpetuate corruption in Public Service.

We can hope for an all-embracing law in the form of a Data Protection Act.

Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.

Related Post

follow us

Publication & Enquiries

phone icon  +91 8879635570/8879635571

mail icon