This article has been written by Pranav Patidar pursuing Diploma in Technology Law, Fintech Regulations and Technology Contracts and edited by Shashwat Kaushik. This article focuses on giving insight about the issue of data privacy in India and its concerned legislation in a comprehensive and understandable manner.
This article has been published by Sneha Mahawar.
What is data
Data is a piece of information collected for the purpose of processing to convey meaning, knowledge, and insight. Data can take various forms, including numbers, text, images, sounds, graphic representations, computer programmes, personal documents, and many more.
Further classification of data
Also referred to as personally identifiable information or sensitive information, which can become a means to identify the concerned individual. Personal data encompasses a wide range of information, some of which are name, contact number, financial information, health data, biometric data, geolocation, etc.
Non-personal data, also known as anonymous data, is data that cannot be used to identify an individual. Unlike personal data, it is comparatively less sensitive. Non-personal data includes weather data, traffic data, website analytics, scientific research data, and many more.
What is privacy
Privacy refers to the right and ability of an individual to control and protect personal data. It is the right of an individual to decide how and what to process their data. It is considered a fundamental right for everyone. The right to privacy under Article 21 of the Indian Constitution is a fundamental right guaranteed to all the citizens of India.
Violation of privacy
It is a violation or unauthorised intrusion of an individual’s personal information, private space, or the right to keep certain aspects of their life confidential. It mainly aims to collect confidential information.
Data privacy generally means the ability of a person to determine for themselves when, how, and to what extent personal information about them is shared with or communicated to others. This personal information can be one’s name, location, contact information, or online or real-world behaviour. Just as someone may wish to exclude people from a private conversation, many online users want to control or prevent certain types of personal data collection.
Importance of legislation for data privacy in India
The internet is used worldwide nowadays, and data is also being circulated on a large scale. At the same time, evolution is inextricably linked to the exchange of information and ideas. That is exactly why the free flow of data is crucial, and hence, regulation is inevitable and of paramount importance. In the age of the digital world, where data is considered the new oil and cases of data breaches have increased exponentially, it becomes the need of the hour to come up with appropriate legislation to govern and regulate the flow of data in order to protect individual’s rights to privacy.
Major data breaches of India
In the digital age, India has also experienced data breaches in the past few years. Some of them are:
Air India data breach
In May 2021, Air India reported a data breach. The personal data of around 4.5 million passengers worldwide was leaked. It happened due to a cyberattack on the service provider of Air India, SITA, which resulted in the breach of the personal data of passengers of Air India.
CAT data burglary
According to threat intelligence firm CloudSEK, personally identifiable information of around 190,000 applicants was leaked to the dark web in May 2021. Names, dates of birth, email IDs, mobile numbers, address information, candidates’ 10th and 12th grade results, details of their bachelor’s degrees, and their CAT percentile scores were all revealed in the leaked database.
Upstox data breach
Indian trading platform Upstox has openly acknowledged a breach of know-your-customer (KYC) data. Gathered by financial services companies to confirm the identity of their customers and prevent fraud or money laundering.
COVID-19 test results of Indian patients leaked online
In this data breach, around 1500 Indian citizens’ data was compromised. The lab test results of thousands of Indian patients have been leaked online by government websites. What’s particularly worrisome is that the leaked data hasn’t been put up for sale in dark web forums but is publicly accessible.
Above stated cases are only a few cases picked from a chunk of large no of data breach incidents. Many such incidents have happened in the past few years; hence, it is high time for proper legislation.
Preexisting legislations in India for data privacy
Formerly, there was no standalone legislation or act on data privacy in India; the use of personal data was regulated under the Information Technology (IT) Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The judicial activism brought privacy under the ambit of a fundamental right under the framework of Article 21 (right to life and personal liberty) of the Constitution. After the landmark judgement of Supreme Court Justice K.S. Puttaswamy (Retd) … vs. Union of India and Ors. (2017), data privacy standards were issued by the Bureau of Indian Standards (BIS); the most recent one was IS 17428. The standard seeks to provide a privacy assurance framework for organisations to establish, implement, maintain, and continually improve their data privacy management systems.
Some important provisions of Information Technology Act, 2000
- Section 66-C, Punishment for Identity Theft: It states that if any person uses the electronic signature, password, or any other unique identification feature of any other person fraudulently or with dishonest intention, they will be liable for a fine of up to 1 lakh rupees and shall be sentenced to imprisonment, which may extend to 3 years.
- Section 66-E, Punishment for Violation of Privacy: It says that if anyone publishes or transmits the image of a private area of any person without his or her consent and intentionally or knowingly in order to violate the privacy of that person, he or she shall be awarded imprisonment of up to 3 years or a maximum fine of up to Rs 1 lakh.
- Section 68, Power of Controller to Give Directions: It gives power to the controller to pass orders or to give directions to the authority or its employee to take appropriate measures in order to comply with the provisions of IT Rules 2000.
- Section 72, Penalty for Breach of Confidentiality and Privacy: It states that any person or authority who holds power under this rule and has access to any electronic record, book, register, correspondence, information, document, or other material or any sensitive data and discloses such information to another person without the consent of the concerned person shall be imprisoned for up to 2 years or with a fine of up to 1 lakh rupees.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 SPDI Rules
SPDI rules were enacted by the central government in 2011, which include provisions to regulate personal data or information and sensitive personal data or information. The Act stipulates security practises and procedures for handling personal data or information and sensitive personal data or information. The rules of this Act apply to all body corporates within India and bodies outside India that have their network located in India and collect, receive, possess, store, deal with, or handle the personal information of persons in India. Only digital data comes under the ambit of this law; no data collected in offline mode is covered under this Act.
Important provisions of SPDI Act
- Section 5: This section requires organisations to obtain consent, explain the purpose of the collection of data, and collect the data that is necessary.
- Section 6: This section says that a body corporate shall disclose sensitive personal data or information to any third party only after seeking consent from the owner of the data, who has provided that information under a lawful contract. Although, in cases of legal obligation, personal data can be processed without prior permission.
- Section 7: This section states that a body corporate may transfer sensitive personal data to any other body corporate in India or located outside India that ensures the same level of data protection as provided under SPDI rules. The transfer may be allowed if it is under contractual obligation to do so.
- Section 8: This section puts an obligation on a body corporate or a person to comply with reasonable security practises and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational, and physical security control measures that are commensurate with the nature of the information assets being protected.
Digital Personal Data Protection Act, 2023 (DPDPB)
The Digital Personal Data Protection Act is freestanding legislation that came into prominence in August 2023 for data privacy. It is looming legislation of utmost importance. As we have discussed earlier about the importance and need for standalone legislation governing data privacy, this Act came as a glimmer of hope.
History of Digital Personal Data Protection Act
In 2018, a committee of experts under the chairmanship of the retired Supreme Court judge, Justice BN Srikrishna, was formed by the Ministry of Electronics and Information Technology, Government of India, with the task of identifying data privacy legislation in order to improve it and make it more robust and comprehensive. In 2019, the Bill was accepted by the cabinet and passed by the Joint Parliament Committee (JPC). After reviewing it, the JPC tabled its report in December 2021, but it was withdrawn by the Indian Government. After much contemplation, the DPDP Bill 2023 was tabled, passed by the parliament, and gazetted on August 12, 2023.
Scope of the Act
Any type of personal data processing collected in digital or non-digital form and eventually digitised will fall under the ambit of the DPDP Act. Any data made publicly available under legal authority to do so is an exception under this rule.
The processing of digital personal data within the territory of India comes under the ambit of this law; it also applies to the processing of personal data outside the territory of India if such processing is connected to activity related to the offering of goods and services by data principals within the territory of India.
Definition of key terms of the Act
- Data fiduciary- is the person who, in coordination with others, decides the purpose and scope of processing personal data.
- Data principle- is the person whose personal data is being collected.
- Data processor- means any person processing personal data on behalf of a data fiduciary.
- Consent manager- a registered person on the board who acts as a single point of contact to enable a data principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
- Significant data fiduciary- it is a designated class of data fiduciary by the Central Government after taking account of the volume of the personal data processed, the risk to the rights of the data principal, the potential impact on the sovereignty of India, the risk of electoral democracy and security and the public order of the state.
Processing of personal data
Consent is the foremost requirement to process the personal data of the data principal, and in the case of a child or a person with a disability who has a lawful guardian, obtain the verifiable consent of the parent of such a child or the lawful guardian. The Act requires consent to be free, i.e., the consent should be specific, informed, unambiguous, and unconditional. Also, the request for the collection of personal data made by the data fiduciary should be written in a clear and concise manner so that it is easily understood by the user. The data principal under Section 6(4) has the right to withdraw consent at any time. After the withdrawal of consent by the user, the data fiduciary shall direct the data processor who is processing the data on behalf of the data fiduciary to stop processing the personal data of the user unless it is otherwise authorised.
Notice for consent
The data fiduciary must give notice to the data principal each time consent is sought. This notice should contain details about the processing of personal data. The notice should specifically state the data being processed and the purpose of such processing. Also, the notice should explain how data principals can exercise their rights, withdraw consent, and complain to the data fiduciary and board in case of any ambiguity. The data fiduciary is obligated to make consent notices easily accessible to the data principal, either in English or any other language specified under the eighth schedule of the Indian Constitution.
The Act provides a very narrow list of legitimate uses; rather, it provides “fair and reasonable purpose” and “public interest”. A data fiduciary can process the user’s data on a legitimate basis, but it is not absolute. Section 7 of the DPDP Act provides and expounds on the conditions under which such processing of data can be done; some of these include
- When the data principal voluntarily consented to such use of personal data.
- Under legal obligation to share individuals’ information with state or any government authority.
- legally obligated by any court order.
- To provide subsidies, benefits, services, certificates, licences, or permits to the data principal based on his/her prior consent or if the data is available in state-maintained records as specified by the central government.
- In case of medical emergency, provide medical care.
- Employment related purpose.
Cross border data transfer- the transfer of personal data of Indian citizens is allowed in all jurisdictions except those barred by the government.
Obligations of data fiduciaries under DPDP Act 2023
- A data fiduciary can process personal data for lawful purposes only after getting consent (as discussed above) from the data principal. The Act also has provisions for processing the data without consent in certain cases.
- The data fiduciary shall give notice prior to processing the personal data of the data principal, explaining the scope and nature of processing.
- A data fiduciary can engage, appoint, use or otherwise involve a data processor to process personal data on its behalf only under a valid contract.
- Appropriate technical and organisational measures should be taken to ensure effective observance of the provisions of DPDP Act.
- The data fiduciary shall take reasonable security safeguards to protect the personal data in its possession and prevent personal data breaches.
- If the consent is revoked by the data principal or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, the data fiduciary shall stop processing the personal data unless retention is necessary for compliance with any law of the time being in force.
- Data fiduciaries are obligated to establish an effective mechanism to redress the grievances of data principals.
Significant data fiduciary (SDF)
A data fiduciary is designated as a significant data fiduciary by the Central Government based on the volume of sensitive personal data they are processing, the risk of electoral democracy, the security of the state, etc. It is also important for a significant data fiduciary to appoint an independent data auditor to ensure compliance with the DPDP Act and to implement additional safeguards such as periodic audits.
Rights and duties of data principal
Right to access personal information:
- The data principal has the right to collect from the data fiduciary the summary of personal data being processed and processing activities undertaken with the data.
- The data principal can seek information about all other data fiduciaries and data processors who are involved in the processing of personal data.
Right to correction and deletion:
- A data principal has the right to correction, completion, updating, and erasure of personal data.
Unless the data fiduciary is under a legal obligation to retain the data under any law in force, the data should be deleted.
Right to grievance redressal:
The data fiduciary shall have a grievance redressal mechanism that the data principal can seek in case of any omission by the data fiduciary or consent manager regarding the performance of their obligations or to exercise the rights provided under the DPDP Act.
Right to nominate:
In case of death or incapacity of the data principal, the data principal has the right to choose another person on his/her behalf in accordance with the provisions of the DPDP Act to exercise the rights.
Obligations of data principal
- The data principal, while exercising his rights, shall comply with all the applicable laws for the time being in force.
- The data principal shall provide correct information to the data fiduciary and shall not impersonate another person.
- The data principal shall not register false or frivolous complaints with the data fiduciary or the board.
The Act exempts the application of certain provisions for data processing for:
- Where the processing of personal data is under legal obligation Penalties and Adjudication
There is provision for a monetary penalty under this Act in cases of breach. The following conditions determine the penalty amount
- Duration, nature, and gravity of the breach.
- The type and nature of personal data breached.
- Actions taken to mitigate the effects and consequences of the breach and alacrity in taking such action.
Penalties for breaching the provisions are the following:
|If the data fiduciary does not take reasonable security safeguards for the prevention of personal data breaches under sub section (5) of Section 8.
|Up to two hundred and fifty crore rupees.
|Breach in giving notice to the board and concerned data principal about the breach of personal data under sub-section (6) of Section 8.
|Up to two hundred crore rupees
|If additional obligations in relation to children under Section 9 are not taken.
|Up to two hundred crore rupees.
|Additional obligations of the significant data fiduciary under Section 10 are not met.
|May extend to one hundred and fifty crore rupees.
|Breach of observance of duties under Section 15 of the Act.
|May extend to ten thousand rupees.
|If any term voluntarily accepted by the board under Section 32 is breached.
|Up to the extent applicable for the breach in respect of which the proceedings under Section 28 were instituted.
|Any other provision of this Act is breached.
|May extend to fifty crore rupees.
Concerns related to DPDP Act
While this law is much needed, the ambiguity and loopholes in it cannot be denied at the same time. There are many provisions that are a point of debate and concern among legal experts, especially the exemptions under this law. Let’s understand some key concerns about this law.
The government’s exemption under this law results in giving broad power
Under the law, the government has the power to issue notification to exempt any of its authority under the ambit of this law on the grounds of integrity of India, security of the state, maintaining public order, etc., which means that the government agency can collect personal data ignoring the safeguards provided under the DPDP Act for any purpose they want. There is also no set timeline for the government to retain personal data; it can retain the data for an unlimited period, which means the government has complete authority for mass surveillance. Also, processing personal data for investigative purposes can be done without government notice. So, it is affecting the privacy of citizens in one way or another.
Content blocking power of government
Under Section 37 of the DPDP Act, the government, on advice of the data protection board, can block access to websites or content in the interest of the general public. The phrase “in the interest of the general public” is very vague and not defined properly in the Act. The government has the same controversial blocking power under Section 69 of the IT Act 2000, which also gives power to the central government to block information on the grounds of sovereignty and integrity of India, security of the state, etc.
Right To Information Act
One of the major concerns under the DPDP Act is the amendment of the RTI Act. Section 44(3) of the DPDP Act amends Section 8(1)(j) of the RTI Act, which states that the government is under no obligation to provide citizens with any information related to personal information, the disclosure of which has no relationship to public interest or activity, provided that any information that cannot be denied to parliament should also not be denied to any person. But after amendments made under the DPDP Act, the scope of information that is exempt from disclosure is enlarged, which means the government is not obliged to provide information about any activity that has relevance to the public interest. Now officers are more likely to deny RTI requests, which will ultimately reduce transparency.
Compensation for victims
Victims of data breaches do not get any compensation for the losses they have incurred. Although the Act provides monetary punishment for data fiduciaries in cases of data breaches, it also removes Section 43A of the IT Act 2000, which provides for such compensation.
Monetary punishment measures for data principal
The user is charged Rs 10,000 by the Data Protection Board as a penalty in case of breach of any data principal’s obligation under the Act. There are no such provisions, even in the GDPR, which is considered the best data privacy law. The Act is meant for users, so this is definitely a concern that the government should look into.
The Act is silent about anonymised personal data, which seems to be a problem because anonymised personal data can also be processed to infer details about an individual, so the government should regulate the anonymized personal data too.
The above mentioned are some of the key concerns that the government should take into consideration and rectify.
The DPDP Act is indeed a step towards becoming a safe digital economy. It is a significant step towards solidifying India’s position as a global innovation hub. In today’s world, when data privacy is an issue; this law is of paramount importance, but owing to the fact that the Act is well structured with some flavour of GDPR, it has some loopholes and demerits too, which the government should look into and shall focus on improvising the law. Although the framework looks good and the Act has been passed but not enacted yet, it will be interesting to see how the Act is implemented and regulated in the future.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: