This article is written by Shubhang Gupta, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from Lawsikho.com. Here he discusses “Importance of Data Protection and Privacy policies in Cyber Law”.
Table of Contents
Introduction
These days a term data protection has become synonymous with other rights of the citizens which are guaranteed by the state. With the beginning of the 21st century, there has been a sharp increase in the development of technology, which subsequently has become an integral part of human life. Today, these technologies have connected to the day to day life of a human being in such a way that, these technologies holds important data related to a user. That’s why data protection has become so relevant in safeguarding the interest of an individual.
This data related to an individual can also be collected by the websites. We will look into these concepts in detail.
Importance of data protection in cyber law
With steady development in the Artificial Intelligence (AI) many software applications like Facebook, Google etc. have developed which not only collect and store the personal data of the user but can also further process the data for any other purpose. In the year 2018, the case of Cambridge Analytica has raised the eyes of many states over the protection of personal data of their citizens. There are about 80 countries around the world who had implemented various privacy policies like GDPR (General Data Protection Regulation) in European Council, Brazil internet Act, 2014 in Brazil, Personal Information Protection and Electronic Data Act (PIPEDA) in Canada, etc. to protect their citizen’s personal data.
This huge number of countries apparently reflects the concerns of many states over the security of their citizen’s personal data. The implementation of various legislations around the world, therefore, includes data protection as one of the branches in cyber law.
Data Protection under General Data Protection Regulations (GDPR)
In recent time, GDPR was implemented by the European Council (EU) in 2018 and comes as one of the stringent legislation to protect the personal data of the people of the European Union. This regulation has proved as a major development in the field of privacy law. With the implementation of this regulation, there has been a major impact on the big tech companies like Google, Facebook etc, and also on many e-commerce sites. This regulation has certainly set new jurisprudence in the space of cyber law. With the implementation of GDPR, the whole domain of privacy rights has gone to the next level. Let’s discuss some of its features briefly which has put this regulation far way more ahead with the other regulations around the world.
- Right to erasure[1]– under GDPR, the data subjects have the right to erase their data, having stored with any data controller or processor.
- Right to data portability[2]– under GDPR, the data subjects have the right to port their personal data concerning himself/themselves to one data controller or processor to another.
Data Protection under Indian law
In India, till now there is no exclusive law pertaining to the rights of an individual’s privacy. Only there is Information Technology act, 2000, which deals with cyber crimes and provides remedies against the violation of the act. The act contains few provisions related to the individual’s privacy but they are not exhaustive in nature.
Under section 43A of the Information Technology Act, 2000[3], a body corporate who is possessing, dealing or handling any sensitive personal data or information of an individual, and is negligent in implementing and maintaining reasonable security practices in protecting the data and results in wrongful loss or wrongful gain to any person, then such body corporate may be held liable to pay damages to the person so affected. It is important to note that there is no maximum limit specified in the act for the compensation that can be claimed by the affected party in such circumstances.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011Â deals with the protection of “Sensitive personal data or information of a person”, which includes the personal information relating to:
- Passwords;
- Financial information such as bank account or credit or debit card or other payment instrument details;
- Sexual orientation;
- Medical records and history; and
- Biometric information.
Under section 72A of the Information Technology Act, 2000[4], disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has been also made punishable with imprisonment for a term extending to three years and fine extending to Rs 5,00,000.
Under Section 69 of the Act[5], which is an exception to the general rule of maintenance of privacy and secrecy of the information, provides that where the Government is satisfied that it is necessary for the interest of:
- the sovereignty or integrity of India,
- defence of India,
- security of the State,
- friendly relations with foreign States,
- public order,
- for preventing incitement to the commission of any cognizable offence relating to above, or
- for the investigation of any offence.
Penalty for the Breach of Confidentiality and Privacy under the act
Section 72 of the Information Technology act, 2000 doesn’t specify the provision relating to the breach of privacy by the data processor but talks about a circumstance under which any person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such material to any other person, such person shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Rs 1,00,000 or with both.
Future legislation related to data protection in India
In the near future, it might be possible that India will have exclusive legislation related to Protection of personal data of an individual in India. In 2017, the central government had appointed Justice BN Srikrishna Committee and this committee had released a white paper on Data Protection law in India. In 2018, the central government had presented the personal data protection bill in the parliament but subsequently, this bill was replaced by the personal data protection bill, 2019.
It is evident from the draft of the abovementioned bill that, the bill has been formulated on the basic principles, which were incorporated by the EU General Data Protection Regulations (GDPR). As it becomes necessary to create a balance between the rights of the citizens and the right to practice a trade and economic activities by an entity.
What is a privacy policy?
A privacy policy is a legal document that discloses the way a party gathers, uses, discloses, and manages a customer or client’s data. It fulfils a legal requirement to protect a customer or client’s privacy[6].
Such privacy policy must provide the following[7]:
- clearly and easily accessible statements of its practices and policies;
- clearly state the type of personal and sensitive personal data or information collected by the business;
- purpose of collection and usage of such information;
- about disclosure of information including sensitive personal data or information collected; and
- Reasonable security practices and procedures adopted by it.
Elements of a privacy policy
The following are the main elements which shall be consisted of a privacy policy, are as follows:
- Consent: The most crucial component of a privacy policy is ‘consent’. In this regard, the Supreme Court in K.S. Puttuswamy[8] has made important observations.
- Purpose of information collected.
- Disclosure of information.
- Security practices.
Conclusion
With the skyrocketing development in the field of technology, interference of it in the life of human beings has been increasing. It is well known that data is becoming the “New Oil” and Data protection is becoming the “New Pollution Control”. The implementation of the GDPR has provided, in a real sense, many rights to the Europeans pertaining to protect their personal data from any unlawful processing by the data controller. With the increase in the digital population of a country like India, data protection and data privacy are key issues at the moment. Every internet user intentionally or unintentionally leaves her/ his digital footprint in the form of personal data when browsing the internet. In such a scenario it becomes utmost important to have exclusive legislation like GDPR to regulate data protection and data privacy.
It is also important for the business to craft such a privacy policy, which not only protects the rights or interests of a user/ client but also fulfils the requirement of a business. The business should consider the formation of terms of use and privacy policy as an art rather than just a long-form.
References
[1] Article 17 of the GDPR.
[2] Article 20 of the GDPR.
[3] Section 43A of the Information Technology Act, 2000.
[4] Section 72A of the Information Technology Act, 2000.
[5] Section 69 of the Information Technology Act, 2000.
[6] https://en.wikipedia.org/wiki/Privacy_policy.
[7] See Rule 4 of the Sensitive Information Rules.
[8]  See Justice Puttuswamy v. UOI, Writ Petition (Civil) No. 494 of 2012 decided on August 24, 2017.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:
https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.
