This article has been written by Saurojit Barua, pursuing a Diploma Programme in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
In layman’s terms, ‘Privacy’ means keeping personal information and matters secret or within oneself. In broad terms, ‘Privacy’ means to have control over one’s personal information, its method, and mode of collection, and keeping it free from interference and intrusion. Earlier the term ‘Privacy’ was ordinarily used in philosophical, political, and in legal discussions. The concept of privacy was coined by Aristotle. He distinguished it into public and private spheres which were associated with political activities, family, and domestic life respectively. However, in modern times, the term ‘Privacy’ is difficult to measure and define. With the improvement of technology, it is hard to achieve it. It had given rise to some fundamental questions related to human relationships, liberty, and autonomy. Also, philosophical analysis is required to ensure whether the technology is serving humankind or vice-versa. Philosophical inputs play a vital role as there are many challenging questions surrounding the notion of privacy. Therefore, we should not reduce the question of privacy into the matter of binary law as we may risk impeding important discussion surrounding mankind.
Online privacy : need of the hour
Online privacy, also known as internet privacy or digital privacy, refers to the amount of confidential information an internet user is sharing while browsing. Around the world, online privacy is a growing concern, especially with all its intricacies and loopholes. Businesses try to gain personal information as much as possible. They track your activities online and tailor advertisements of various products and services as per your preferences. Also, people keep on sharing their life on social media and keep losing their boundaries and expose themselves. Keeping personal information private is extremely essential. Therefore, it is essential to understand internet rights for controlling your online privacy and making smarter decisions since all that is required to access information is actually one click.
In the 21st century, data privacy is important. It refers to the amount of information or data a customer is willing to share for an intended purpose. An organisation collecting personal data must ensure that it takes all necessary precautions to protect and preserve the data and no third party can have access to it. It is an increasing topic of scrutiny. An individual has the right to control its personal information collected and used. For example, a person may be comfortable introducing himself to a stranger and would not mind disclosing his name but he may not disclose his address or other details to that stanger.
The concept of data privacy is applied to all critical personal information. It is also known as personally identifiable information (PII) and personal health information (PHI). It can include social security numbers, health or medical records, financial data among the various other sensitive personal information that a person needs to control and protect.
Importance of the right to data privacy
The importance of the right to data privacy are:
1. Prevents the government from spying on its people
It is the responsibility of the government to protect its citizens. However, often the government crosses the line of surveillance. The issue of privacy was brought into notice in 2013 when Edward Snowden blew the whistle on the NSA’s spying program. Further, it is very tricky in maintaining a balance between national security, freedom of speech and expression, and surveillance. Therefore, it is generally agreed that the government should have some reason to spy upon an individual.
2. Preventing the prospect of personal data being used for someone else’s benefit
Personal information is a very powerful tool and it can be very dangerous if it falls under the wrong hands. For example, Cambridge Analytica is an organisation that was caught collecting information from Facebook without the consent or knowledge of an individual. They were using it to influence the voters with political advertisements. Therefore, it is important for social media sites and technology companies to protect their personal information.
3. Privacy rights ensures that the data thief is held accountable
Privacy is recognised as a fundamental right. There are heavy consequences for breaching it. Government or corporation are restricted to steal or misuse once personal information for its gain. Therefore, privacy rights are important for protecting the right to privacy.
4. Privacy rights help maintain social boundaries
Maintaining social boundaries is important for a healthy relationship and career. Earlier putting up boundaries meant refraining from speaking but now with the advent of technology, keeping personal information online can be very complicated. Also, it is very risky in sharing our personal information online as we do not want a Stranger to know about ourselves. Thus having control over them gives us peace of mind.
5. Privacy rights help in building trust
Privacy rights build trust. People feel confident that their personal information is kept safe and secure. Also, people feel protected knowing that there will be consequences if someone breaks the trust.
6. Privacy rights controls the data
Privacy rights ensure that once data can only be accessed and used on their consent. It is important to have control over its information or else people would be vulnerable to powerful forces in society.
7. Protection of freedom, speech and thought
Privacy rights allow us to speak and express our opinion on various factors. In absence of it, life would be very difficult as a person could have been monitored and prosecuted for a negative opinion. Thus, privacy rights protect your ability to think and say what you want without fear of an all-seeing eye.
8. Privacy rights let us engage freely in politics
In a society, politics plays a big role in its well-being. The casting of a vote plays a big role in electing the right leader. It is a confidential matter so that people do not face any negative consequences for electing one over another. Therefore, privacy rights let you follow your own opinion on politics without anyone else seeing it.
9. Privacy rights protect the reputation
In the era of social media, we often post something online which we regret later. Privacy rights give us the power to remove that information. The European Union (EU) addresses this as the “Right to be Forgotten” law. Thus, it helps people to remove their personal information available over the internet. An example of destroying a person’s reputation is “Revenge Porn”, it is a violation of privacy.
10. Privacy rights over finances
An individual and corporation must protect their confidential information. One must reveal its financial or credit or debit card data to anyone. Also if someone is sharing these data with a specific entity or a person, they must take every possible step to protect the information shared with them.
Private data : information that is not to be viewed by the public
Private data is information that is expected not to be viewed by the public, is a fundamental right of every individual and corporation. It is important for maintaining safety, security, and quality of life.
Difference between data privacy and data protection
Data privacy and data protection are interconnected and often used interchangeably. Data privacy is a fundamental right and is recognised under the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and various other international covenants. The Constitution of India also recognises the right to privacy under Article 21. The term ‘data protection’ means the tools, mechanism, and policies to secure the data to access by a third party without its owner’s consent. It is also known as data security.
Point of distinction
1.Data protection does not ensure data privacy.
Data privacy is defined as the one having authorised access to the data. It
It focuses on protecting the data from unauthorised access. It serves as a technical control over one’s data.
2.One addresses regulations while the other addresses mechanisms.
Data privacy is a form of regulation that governs and controls the data shared with an entity.
Data protection is the mechanism that enforces the policies and regulation into motion and prevents it from unauthorised access or use.
3. Firms ensure protection & user controls privacy
Data privacy is controlled by the user.
It is the company’s responsibility of protecting the data and ensuring the level of privacy set by the users. The company must take precautions for protecting the data.
4. Data Security from Sales Vs. Security from Hacks
Data privacy is concerned about the information not being sold either online or offline.
Data protection is concerned with keeping the information safe from hackers.
5. Data protection without privacy is not possible.
Data privacy is to have control over your data and use of it.
Data protection ensures that your data is protected from unethical intervention and access.
6. Privacy-related questions need to be answered, firstly.
Data privacy measure precedes the query of security. We often overlook and avoid this fact.
Data protection is the act of safeguarding the data already obtained.
While discussing the above differences between data privacy vs data protection we can draw the inference that it is hard to have true data privacy without data security.
Governing laws of online privacy and data protection
In European Union (EU)
General Data Protection Regulation (GDPR) is the core privacy legislation for European Union (EU). It was drafted in the year 2016 and came into effect in 2018. It replaces the 1995 Data Protection Directive 95/46EC. The aim of GDPR is to simplify the regulatory environment for business and to protect the personal data privacy of the EU’s citizens. It gives more power to an individual to control its data. The GDPR focuses on newer areas like Privacy rights, data security, data control, and governance.
GDPR recognises eight privacy rights for data subjects. It aims to have control of the data an individual is providing to an organisation. They are the right to be informed, the right to access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
GDPR protects the following data:
- Personal data that is related to identifying an individual like name, address, ID proof.
- Information related to web data such as IP address, cookies, and RFID tags.
- Special category information like Political opinion, sexual orientation, health and genetic data, biometric data, and racial or ethnic data.
GDPR is applicable to:
- A company or an organisation that is established or has a branch office in the EU and processes personal data as a part of its activities.
- A company that is operating from outside the EU but having or operating or monitoring the personal data of an EU citizen is also required to follow GDPR.
When the regulation will apply:
Suppose company A is established and operating from India but it is providing online educational classes all over the EU through its website. For accessing the class material an individual needs to login with a username and password and is required to fill the enrolment form. When the regulation will not apply: suppose company A is providing the service outside the EU and its customer can access their service from anywhere he wishes. For the customer visiting the EU accessing the material from there then the GDPR will not be applicable provided that Company A does not specifically target its service to an individual in the EU.
Following things are required to be complied
The role of the Data Protection Officer (DPO) is to identify the personal data collected and stored by an organisation and to follow a strict protocol to ensure that that data is protected. The following protocols, the company is required to comply under GDPR are:
- Data mapping: To ensure data security, DPO is required to know the content and the location of the data. In case the data is not mapped or incomplete then a discussion is to be held with the IT stakeholders. Moreover, for a comprehensive data protection plan, collaboration is required in all business areas, IT, legal and management departments. A third party like a cloud service vendor or data archive in possession of personal data on behalf of an organisation is required to comply with GDPR as well.
- Understanding the content of the personal data: A company should understand and identify the nature and store the data which is required of them. They should have knowledge about the kind of personal data they are storing and its legal obligations.
- Taking consent: Under GDPR, a company must take consent from an individual to store or transfer his personal data. Also, it gives rights to the individual to know where the data is stored and how it is processed. An individual can even reprimand for correction or deletion of their data. However, consent is not the only basis to process personal data. There are six legal bases under GDPR that can be applied for the processing of personal data, they are consent, legal obligations, vital interest, legitimate interest, and public task.
- Sending security alerts: Under GDPR a company has to send security alerts within 72 hours of becoming aware of any security breach to an individual or a company. The company should tell their customer what data is exposed. GDPR also introduces certain kinds of personal data breaches which are required to be reported to relevant supervisory authorities.
- Monitoring data transfer: Corporation must take every possible step to prevent unauthorised access to personal data. If any data is transferred outside the EU, GDPR requirements met be followed by a series of questions related to the content of the data. Also if the data is very sensitive then additional restrictions are to be imposed. The transfer can even be revoked information that is expected not to be viewed by the public.
Discussing the penalty for non-compliance
GDPR should not be taken lightly. All companies or organisations irrespective of their size are required to follow the rules of GDPR. Failing that, the company has to pay a hefty fine. That is, a company holding the data of an EU customer faced a fine of up to EUR 20 million or 4 percent of their total global revenue for the preceding fiscal year, whichever was higher. GDPR is implemented for a safe environment of data and the sustainable growth of a business.
In the United States of America
In the United States (US) there is no comprehensive law governing data privacy. The Federal Trade Commission Act (15 USC § 41 et seq.): this Act specifically does not deal with data privacy but it has a border jurisdiction. Under this Act, the authority can prevent a commercial entity from involved in unfair and deceptive trade practice. FTC does not regulate what information should be included in website privacy policies but to protect its customer, the authority under this act can issue regulations and enforce privacy laws. For example, FTC can take action against an entity under the following circumstances:
- In case the entity fails to implement and regulate the data security.
- If the entity fails to abide by the principle of self-regulation.
- If the entity is involved in a misleading advertisement.
- (COPPA): The aim of this act is to protect the children under the Children’s Online Privacy Protection Act under the age of 13. It governs and regulates the information collected online. Under the Act, parents are provided more control over the collection of the information. This act applies to any business or website if the goods and services are provided for children under the age of 13 and they collect, use or disclose your information. This legislation also applies to general audience websites that cater to people of all ages but also might be used by those under 13 years old, especially if those websites collect personal information from other websites or online services that cater to children. This Act is applicable to the companies situated within the US as well as outside the US if it caters to the children of the US.
State data privacy law
Apart from the federal law and regulation, there are hundreds of data privacy laws and regulations among the states, territories, or localities of the US. They are California Consumer Privacy Act (CCPA): This Act came into force from 1st January 2020. The aim of the Act is to provide a safeguard for Californians. CCPA allows the consumer to request the business to disclose the personal information they have collected along with the source or the purpose for collecting the information. The consumer can also request to delete the personal information that the business has collected over time. The consumer also has the option of opt-out of a business sale of their personal information and the business cannot discriminate against who can opt-out.
Stop Hacks and Improve Electronic Data Security (SHIELD) Act: This Act is also known as New York Shield Act and was passed in 2019. The Act amended the existing data breach act and imposes more data security on the entities for collecting information on New York residents. The act broadens the scope of consumer privacy. It aims to provide better protection to the resident of New York from data breaches.
Scenario in India
India does not have any standalone data protection law to protect personal information shared or received in electronic form. However, in the case of K.S. Puttaswamy vs Union of India, the Supreme court has recognised the right to privacy as a fundamental right under Article 21 of the Constitution of India.
Information Technology Act, 2000: the aim of this Act is to provide legal recognition to all the transactions done in electronic form. At the moment IT Act along with (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“the IT Rules”) are the law dealing, governing, and regulating cybercrime and electronic commerce. When the IT Act came into force in 2000, it lacked data protection and it was amended eventually in 2008 and two sections were inserted to fill the gap. Section 43A states that if any corporation is possessing any sensitive data and it fails to protect thereby another person incur a gain or causes wrongful loss to the person then the corporation would be made liable and must compensate the affected person.
And, Section 72A states the punishment for disclosure of information thereby causing a breach of lawful contract for which the person may be imprisoned for a term not exceeding three years or with a fine not exceeding rupees five lakhs or both. The scope and coverage of the IT Act are limited as the majority of the provision deals with sensitive personal data and information collected through computer resources. It does not take into account data localisation which was the main reason for banning Chinese apps in India.
The Personal Data Protection Bill 2019: The bill is the outcome of the landmark case K.S. Puttaswamy vs Union of India in which the right to privacy is recognised as a fundamental right. The Ministry of Electronics and Information Technology (MEITY) formed a 10-member committee led by the retired SC judge B.N. Srikrishna. The committee submits drafts recommendation on protection of personal data along with a report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians.” The aim of the bill is to protect the personal data of an individual and to establish data protection authority. An aggrieved person can also seek remedy under the bill.
Data is an asset of an individual or a company. All companies have data that includes personnel’s files, customer information, product details and management, trade secrets, etc., and decisions are made based on these data available. Protecting personals data mitigate risks of costly incidents, reputational harm, regulatory penalties, and other harms. It also builds trust among its customers. If a company fails to protect its data, a third person can gain access and use it for its own benefit. The company may incur loss due to a breach of data privacy and it may affect its goodwill or brand value as well. Data protection is important for an individual for the prevention of phishing scams, identity theft, and misuse of data by a third party. Therefore, data protection is important to ensure that a person’s rights and freedom are not violated, ensuring and fair and consumer-friendly commerce and provision of services, and preventing any harmful or life-threatening situation that may arise for not compiling the personal data protection regulation.
Students of LawSikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.