This article is written by Supriya R, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.

Introduction

”Privacy is not an option, and it shouldn’t be the price we accept for just getting on the internet.” – Gary Kovacs. The term ‘data’ is defined in the Cambridge dictionary as ‘information, especially facts or numbers, collected to be examined and considered and used to help decision-making or information in an electronic form that can be stored and used by a computer.’

Section 2 (1) (o) of the Information Technology Act, 2000 defines the term ‘data’ and it ‘means a representation of information, knowledge, facts, concepts or instruction which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and maybe in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.’ 

Hence, data basically has one or both of these criteria as mentioned below:

1. A set of facts which is collected for research purposes or analysis;
2. information stored in electronic format in a computer.  

Now that we know what data is and how it is collected and stored, we need to know what happens to the protection of this data. For example, we fill out various forms online while applying for a job /in person while making a payment in a restaurant, we voluntarily part with critical data/information about ourselves. How do we know the data/information that we share is protected? Is there legislation that protects such data available in the public domain?

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Inspired by the GDPR, the Personal Data Protection Bill (PDP Bill) was proposed in the year 2019 to bring about a comprehensive overhaul to India’s current data protection regime, governed by the Information Technology Act, 2000 (IT Act) and the rules thereunder. This Bill, however, is being subject to revisions for want of an airtight privacy regulatory authority.

Until PDP Bill is passed as legislation by the Rajya Sabha, the current data protection regime under the IT Act will remain as the primary legislation on this matter. However, the idea behind passing the IT Act was to primarily deal with cybercrime and the data received via e-commerce. Hence, the Act and the related rules strive to protect such sensitive data and process the same as “personal sensitive data or information” available with a body corporate and any disclosure of such information is a punishable offense with imprisonment for a term extending to three years and fine extending to Rs 5,00,000. 

Why must data be protected?

Let’s say, someone has access to your credit card information and hacked the data (from an online platform where it was collected and stored but not secured) and has tried using this information to purchase something online. Immediately, the same is notified by your banker and one can contact the banking ombudsman and raise a claim to retract the purchases not made by the owner of the card. This is a sample of what happens when one piece of data is leaked.

Imagine the same happening at a large scale, where a bank did not make necessary protocols to safeguard the data available with them or an online social media site with millions of users claims to have accidentally transferred data of their users to a third party, the person who has these data can have access to the personal information of millions of people and the same can be used to make money by duplicating credit cards and using personal information for fraud, identity theft, and even blackmail. They can also sell this data in bulk on the dark web and make a lot of money in return. The cybercriminals and hackers are out to steal sensitive information in bulk (generally called ‘Phishing’) and if they target a specific audience (users of a social media website), the same amounts to ‘Spear Phishing.

What is data privacy?

Data privacy is a subset of data security. Data privacy is basically all the personal information that an entity collects, stores and shares and to do with how it controls access to such sensitive data. ‘Personal data can range from names, addresses, phone numbers to usernames, passwords, thumb impressions, credit/debit card information, etc. 

Data privacy deals exclusively with the personal information of an individual and countries like Europe, the USA, and others have strict data protection policies in place where they’re expected to store, control, and eventually delete these sensitive data available with them as per the laws in force. 

The moment you click the golden words ‘I accept’ on visiting a website, you’ve just given access to your personal data. Because even Cookie Ids are considered personal data under the GDPR regime.

Further, GDPR exclusively asks the companies to list out in the ‘privacy policy on their website how the data is collected, for how long the data is stored, and how it is utilized. Even if one fills out a form online, one gets a mail about their option to withdraw their personal data at any point in time as they wish and if they choose to do so, their data will be deleted by the party who has stored this data in their database. However, in a country like India, this is still at a very nascent stage, and until legislation is passed to cover all aspects of personal data, it will remain a grey area apart from what is covered under the Information Technology Act.

Hence, data privacy is predominantly controlled by the internal stakeholders by way of drafting a strong privacy policy and execution of the same for the benefit of the organization.

What is data security?

Data security is the big daddy of data protection. Data security is the defense mechanism created by an organization against all kinds of data threats that they may face with respect to the data available with them. Basically, firewall protection/installing anti-viruses/multi-factor authentication are some of the measures taken by organizations with respect to the protection of the data available with them. In the case of data security, we are buying and installing another person’s software to secure the data by making them responsible for the same by way of pre-identifying the vulnerabilities. Now that it is clear as to what is data privacy and data security, let’s head to understand what amounts to the data breaches.

What is a data breach?

A data breach is the breach of trust of secure/private information and release of the same to an untrusted environment. A data breach can be either intentional or unintentional. It can also be identified as data leak, data spill, etc. It amounts to a security violation of sensitive, confidential data by an unauthorized individual or an organization. Facebook constantly comes under the scanner with regard to data breaches including their data breach in the year 2016-17 during US elections which came to light early this year.

Conclusion

In a landmark judgment delivered in August 2017 (Justice K.S Puttaswamy & another v. Union of India), the Supreme Court of India has recognized the right to privacy as a fundamental right under Article 21 of the Constitution as a part of the right to “life” and “personal liberty”. “Informational privacy” has been recognized as being a facet of the right to privacy and the court held that information about a person and the right to access that information also needs to be given the protection of privacy. 

The court stated that every person should have the right to control the commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. This is the first time that the Supreme Court has expressly recognized the right of individuals over their personal data.

The Government of India, therefore, constituted a committee to propose a draft statute on data protection. The committee proposed draft law and the Government of India has issued the Personal Data Protection Bill 2019 (“PDP Bill”) based on the draft proposed by the committee. This will be India’s first law on the protection of personal data and will repeal Section 43A of the IT Act.

Till then, every organization must scrupulously engage in educating the necessity of data privacy, data security. They need to draw out detailed plans to safeguard the data collected and stored.

References

1. https://www.advocatekhoj.com/library/bareacts/informationtechnology/2.php?Title=Information%20Technology%20Act&STitle=Definitions
2. https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/spear-phishing-101-what-is-spear-phishing
3. https://www.zdnet.com/article/how-cambridge-analytica-used-your-facebook-data-to-help-elect-trump/
4. https://www.zdnet.com/article/data-privacy-and-data-security-are-not-the-same/
5. https://www.linklaters.com/en/insights/data-protected/data-protected—india

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: