In this article, Akshaya Babu Vaddiraj pursuing M.A, in Business Law from NUJS, Kolkata discusses Data Protection Laws In India.
INTRODUCTION
The term ’Data’ is often used in synonymous with the terms ‘information’. Data is nothing but systematic collection of information and storage of the same over a period of time on a particular branch of knowledge or in respect of a particular field of activity such as date on usage of chemicals and fertilizers by farmers, data on functioning of Government run hospitals, data on consumption of alcohol, data on road traffic on a particular section of the road, data on student activities in a college or university. Like-wise data can be any information which is collected either in physical form or in electronic form. Further data can be public data or private data. Public data is such information which is available in the public domain like newspapers, televisions and such other public domains, Govt. offices, or with mass media or data that is available or accessible to all without any restrictions. Private data is basically data relating to private persons which can be individuals, institutions, organizations, companies or any other entity.
The issue of protection of data is as old as the collection and possession of data. If data which is personal or which is privy to a particular person under law of the land, such persons are entitled to own, retain and deal with it as they feel it appropriate. The law relating to owning and possessing of movable property will equally apply to private data. However, there is an issue as to the ownership of private data which is in intangible form. Similarly, there are issues as protection of private data which are intangible forms like computer data base, electronic data, mails and such other information. The issue of protection of data has become more relevant with the advent of new technologies like internet, mobiles, televisions, computers and such others in modern technologies which communicate and transmits data in a split of seconds.
Though the technology advancements vis-à-vis data, data mining are truly advancement of human beings, but the flip side of this technological advancement is misuse and abuse of data when private data / privileged data / confidential data is stolen, plagiarized, pilferage, copied and misused in such other unauthorized manners, the real owner/beneficiary of such data would be a looser and this is where the state has to step to provide legal framework for protection of data of people who own it or who are legally entitled to use or deal with it appropriately for their requirements. The Constitution of India protects individual liberty and also protects right respect to hold the property. Further, the Constitution also ensures right to livelihood and liberty to all its citizens. Thus if you look at data as a private property of citizens such data is required to be protected under the legal framework of the country.
Prevalent Laws governing data protection in India
In India, as of now there is no specific law in relation to data collection, storage, data mining and data protection. There are certain legislation and subordinate legislation which covers this subject. Amongst these Laws important ones are:
- Constitution of India
- Indian Contract Act, 1872
- Information Technology Act, 2000 and rules made thereunder
- Indian Penal Code, 1860 and
- Copy Right Act
CONSTITUTION OF INDIA
The Constitution of India recognized right to privacy which in other words is a right to have a privacy of data. One of the basic features of our Constitution is that it guarantees civil liberties to the citizens of India in the form of certain Fundamental Rights. Now a citizen owning private data will be considered as data as his private property to eke his livelihood and therefore protection of such database falls within the reach of the means of Right to Livelihood under Article 21 of the Constitution of India. Right to Livelihood of a citizen cannot be taken away except by a due process of law. Further our existing legal framework recognizes citizens’ right on his /her property, without any restrictions and state cannot deprive the right to have private property except by due process of law. The Right to have data protection of a citizen thus can be well considered within the scope of Fundamental Rights under Article 21.
INDIAN CONTRACT ACT, 1872
Indian Contract Act is generally based on the common law principles and the Contract Act provides space to the parties to a contract to have appropriate clauses in the contract for protection of data like confidentiality clause, confidentiality etc.
INFORMATION TECHNOLOGY ACT, 2000
Information Technology Act, 2000 is one piece of legislation that was brought in by the Parliament to provide a legal framework for entire virtual eco system such as e-commerce, electronic contracts, e-mails and so and so forth. Today after more than 15 years of passing of this Act, the e-commerce has grown by leaps and bounds in all aspects of business and also in the working of the Governments and aslo in spheres of life working and it is likely to grow at a further rapid pace in future. Under such circumstances the Information Technology Act, 2000 has become more relevant than ever as it covers various aspects of applications of Information Technology. One of the activity which is covered under this Act is Data Protection. The Information Technology Act provides framework to stop misappropriation of computer network systems, database and imposes heavy penalties in the Act against Cyber Crimes.
Section 43 A of the Information technology Act explicitly provides that “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected”
Further Section 72 A provides that “Punishment for disclosure of information in breach of lawful contract. -Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both”
Thus every person who is possessing or dealing with personal data or information as an obligation to be not to be negligent and as an obligation to have reasonable security practices and procedures thereby no wrongful Laws or wrongful gain takes place to any person.
Further, the Government of India notified a new set of rules named the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act with an objective to ensure reasonable security practices and procedures. The Companies and other body corporates and other organizations have to follow and comply with these Rules while handling sensitive personal data.
Salient features of these Rules
- Rule 3 of these rules provides a list of things which are considered as sensitive personal data such as financial information of the individuals, sexual orientation of the individuals, credit or debit card information
- As per Rule 4 Companies and other body corporates shall have to provide a privacy policy for dealing with personal information and sensitive data and it also requires that the policy should be available on the website of the body corporate. The policy shall include all the necessary details for e.g. type of personal data collected, statements of practices, purpose of collection, provisions related to disclosure and security practices
- In Rule 5 states various provisions are detailed which govern the collection of information by the
- The Companies and other body corporates shall not collect sensitive personal data without obtaining consent in writing or by fax or e-mail form the provider regarding the purpose for which the data is being
- Any personal information or sensitive data shall not be collected unless and until it is for a lawful purpose and the collection is necessary for the fulfillment of that particular
- The provider shall be made aware of the facts as to the information collected, its purpose, its recipients and the agencies that are collecting and retaining the
- The information collected shall be used only for the purpose for which it is collected and shall not be retained for a period longer than which is required.
- However, the Companies and other body corporates shall not be responsible for the authenticity and reliability of any personal data or sensitive
- The provider shall be given an option to opt out of providing such information along with an option to withdraw his consent to the collection at any later stage as
- The Companies and other body corporates shall keep the data secured and it shall designate a grievance redressing body for any discrepancies arising in
- Rule 6 requires that the Body Corporate shall seek the consent of the concerned provider before disclosing the sensitive data to a third party, unless such disclosure was agreed by the parties through any
- However, such information can be shared without any prior consent with government agencies mandated under law or any other third party by an order under the law, who shall be under a duty not to disclose it
- Rule 8 clarifies that a company or other body corporate shall be considered to have complied with reasonable security practices if they have implemented and documented the standards of these security
- Rule 8 (2) mentions the name of one such ISO security standard for data protection. However, any person or agency that are following any code of best practice other than that mentioned in rule 8(2) shall get their code duly approved by the Central
- The Companies and other body corporates and agencies who have implemented either ISO standards or any other standard duly approved by the central government shall be considered to have implemented security measures provided that such codes have been audited on a yearly basis by independent auditors approved by the
Limitations of IT Rules
The above Rules though are step towards having specific law for data protection but are not comprehensive enough. These Rules deals with only protected data as defined in the Rules. There is no comprehensive legislation governing and regulating every activity relating to data and have stringent provisions for protecting the data.
INDIAN PENAL CODE ACT, 1860
Indian Penal Code Act, 1860 as amended essentially is a penal law that has been in enforced in the country to prevent data theft. Indian Penal Code has amended data as part of the definition of ‘movable property’ thereby the misappropriation or theft of data now constitute an offence within the meaning of Indian Penal Code.
COPY RIGHT ACT, 1957
Under the Copy Right act, 1957 as amended computer database is included in the definition of literary work and thereby copying of computer database amongst infringement of Copy Rights Act which attracts criminal remedies.
As can be seen from the above legislation that the legal provisions relating to data protection are spread over in various legislations, there are several legislations to these legislations. There is no comprehensive legislation with respect to data protection. Therefore in the recent judgment of the Hon’ble Supreme Court in the case of Justice K. Puttaswamy Vs. Union of India, Supreme Court noted that Government of India appointed a Committee under the
Chairmanship of Justice B.N. Sri Krishna, which is working towards drafting a legislation for data protection and the committee is expected to submit a draft legislation to Government of India.
RECENT SUPREME COURT JUDGMENT ON DATA PROTECTION LAWS
Data protection laws in India have assumed a high legal sanctity and importance in the light of the fact that in its recent judgment, the 9 judge bench of the Hon’ble Supreme Court in the case of “Justice K. Puttaswamy Vs. Union of India” (Judgment was delivered on 24.08.17) it was held that “Right to privacy is protected as intrinsic part of the right to life and personal liberty under Article 21 of the India Constitution and part of the freedom guaranteed by part III of the Constitution”. Thus, the Hon’ble Supreme Court recognized Right to Privacy as a Fundamental Right.
One of the important consequence of recognizing Right to Privacy as a Fundamental Right is any action of the State or any private party to intrude or threatens to intrude into the privacy of an individual will be a breach of Fundamental Right if such action is not permitted by law. Further such law has to withstand the test of aligning with the basic structure of the Constitution. Taking this analogy further, data of an individual or data of a person is private to that person and such person is entitled to have protection of that privacy. It is this issue which the Supreme Court was deliberating in another matter relating to the challenge to the Aadhaar Card Scheme initiated by the Government of India. As it can be seen in the recent times Aadhaar Card Scheme is a program initiated by the Government of India under UIDAI Act (‘The Aadhar Law)’, whereby the Government is empowered to make Aadhaar Card compulsory for every citizen irrespective of the age, caste, creed or any other consideration. The Aadhaar law empowered the Government to make every activity like opening of bank account, purchasing of properties, admissions to schools and colleges, purchasing of gold ornaments, applying for job, applying for any subsidies from Government, even for buying an air travel ticket the Aadhaar has been made mandatory. All banks in the Country have been instructed to coordinate and ensure that PAN Card and Aadhaar Card are coordinated in a symmetry, uniformity is brought in to avoid duplicate and fake identity cards. The Government also under this Law is proposing to ensure that even for exercising Right to Vote in the Country having the Aadhaar Card is mandatory. Thus, under this Aadhaar Law, the Government is attempting to bring all prevalent identity cards like Voter Id card, PAN Card and such other cards brought under one umbrella of Aadhaar card. The justification the Government gives for Aadhaar card is to prevent tax evasion and various other reasons which are stated to be in public interest. However, the Aadhaar Card Scheme came under challenge in the Supreme Court stating that Aadhaar Law is infringing Fundamental Right of the citizens as every citizen has to share his or her private information to the Government compulsorily and the citizens are not sure of the protection of their private data. This challenge in a series of writ petitions provoked the Hon’ble Supreme Court to deliberate further as to see whether the right to privacy is a fundamental right framework of the Constitution of India. During the arguments in the Aadhaar case, it was argued that Right to Privacy is not a Fundamental Right as has been held by Supreme Court way back in 1954 in the case of M.P. Sharma Vs. Satish Chandra. This judgment was a judgment passed by a Bench of the Supreme Court consisting of 8 judges as to 1954, M.P. Sharma case, the Aadhaar Bench referred to the Chief Justice recommending to constitute a 9 Judge Bench to give their opinion as to whether Right to Privacy is a Fundamental Right or not.
In this backdrop, the 9 Judge Bench of the Supreme Court had unanimously held that Right to Privacy is a Fundamental Right and part and parcel of Article 21 of the Constitution. The important ramification of this judgment is the executive and the State cannot intrude into Fundamental Rights of the Citizen without due process of Law meaning thereby Right to Privacy of a citizen cannot be taken away by the State without due process of Law. In other words no Government Official, no authority will have a right to question or demand personal details of individuals except as provided in Law.
The following are the pertinent conclusions drawn by the Hon’ble Supreme Court after reviewing and examining the law relating to privacy across the Globe and also in India:
- Life and personal liberty are inalienable rights. These are rights which are inseparable from a dignified human existence. The dignity of the individual, equality between human beings and the quest for liberty are the foundational pillars of the Indian Constitution;
- Life and personal liberty are not creations of the These rights are recognised by the Constitution as inhering in each individual as an intrinsic and inseparable part of the human element which dwells within;
- Privacy is a constitutionally protected right which emerges primarily from the guarantee of life and personal liberty in Article 21 of the Elements of privacy also arise in varying contexts from the other facets of freedom and dignity recognised and guaranteed by the fundamental rights contained in Part III;
- Judicial recognition of the existence of a constitutional right of privacy is not an exercise in the nature of amending the Constitution nor is the Court embarking on a constitutional function of that nature which is entrusted to Parliament;
- Privacy is the constitutional core of human dignity. Privacy has both a normative and descriptive function. At a normative level privacy sub-serves those eternal values upon which the guarantees of life, liberty and freedom are founded. At a descriptive level, privacy postulates a bundle of entitlements and interests which lie at the foundation of ordered liberty;
- Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation. Privacy also connotes a right to be left alone. Privacy safeguards individual autonomy and recognises the ability of the individual to control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to privacy. Privacy protects heterogeneity and recognises the plurality and diversity of our culture. While the legitimate expectation of privacy may vary from the intimate zone to the private zone and from the private to the public arenas, it is important to underscore that privacy is not lost or surrendered merely because the individual is in a public place. Privacy attaches to the person since it is an essential facet of the dignity of the human being;
- This Court has not embarked upon an exhaustive enumeration or a catalogue of entitlements or interests comprised in the right to privacy. The Constitution must evolve with the felt necessities of time to meet the challenges thrown up in a democratic order governed by the rule of law. The meaning of the Constitution cannot be frozen on the perspectives present when it was adopted. Technological change has given rise to concerns which were not present seven decades ago and the rapid growth of technology may render obsolescent many notions of the present. Hence the interpretation of the Constitution must be resilient and flexible to allow future generations to adapt its content bearing in mind its basic or essential features;
- Like other rights which form part of the fundamental freedoms protected by Part III, including the right to life and personal liberty under Article 21, privacy is not an absolute right. A law which encroaches upon privacy will have to withstand the touchstone of permissible restrictions on fundamental rights. In the context of Article 21 an invasion of privacy must be justified on the basis of a law which stipulates a procedure which is fair, just and reasonable. The law must also be valid with reference to the encroachment on life and personal liberty under Article 21. An invasion of life or personal liberty must meet the three-fold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them; and
- Privacy has both positive and negative content. The negative content restrains the state from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the state to take all necessary measures to protect the privacy of the
- Decisions rendered by this Court subsequent to Kharak Singh, upholding the right to privacy would be read subject to the above
- Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These are matters of policy to be considered by the Union government while designing a carefully structured regime for the protection of the data. Since the Union government has informed the Court that it has constituted a Committee chaired by Hon’ble Shri Justice B N Srikrishna, former Judge of this Court, for that purpose, the matter shall be dealt with appropriately by the Union government having due regard to what has been set out in this judgment.
Conclusion
The above-mentioned judgment is the best thing to happen for Indian law as it paves the way and lays the benchmark for all future laws and executives actions which interfere / intrudes into the privacy of citizens which includes protection of their data as well.