This article is written by Beejal Ahuja from the New Law College, Bharati Vidyapeeth University, Pune. This article aims to discuss the various aspects of the judicial interpretation of Data Protection and Privacy laws in India.
“Privacy is not something that I am merely entitled to, it is an absolute prerequisite.”
These are the words of Marlon Brando. Privacy is not merely being left alone in a room; it covers the non-disclosure of personal information, original work, business secrets, personal relationships and private life. Publishing a person’s letters to another without permission, for instance, violates that person’s right. As technology advances, so do the opportunities to misuse it. India is witnessing a daily rise in cybercrimes, and it has no specific or stringent law on data protection. Data protection law exists to protect the private information of the individual.
Indian Jurisprudence on Right to Privacy
The Constitution of India does not mention a right to privacy in express terms. The right has been read into the fundamental rights by judicial interpretation, which is what brings privacy within the ambit of Part III of the Constitution.
The ‘Right to Privacy’ in Indian jurisprudence can be traced back to the late 1800s, when a court in British India upheld the right of a pardanashin woman to use her balcony without fear of being gazed at from a neighbouring house. The jurisprudence has evolved since then, and the right to privacy has been read into Article 21 even though the Constitution does not recognise it in so many words. Article 21 states: “No person shall be deprived of his life or personal liberty except according to procedure established by law.”
Evolution of Right to Privacy
M.P. Sharma and Ors. v. Satish Chandra, District Magistrate, Delhi and Ors.
In this case (1954), an eight-judge bench of the Supreme Court considered for the first time whether the ‘right to privacy’ is a fundamental right. The petitioners challenged warrants for search and seizure issued under Sections 94 and 96(1) of the Code of Criminal Procedure, 1898 as violating their right to privacy. The Court held that the power of search and seizure does not contravene any constitutional provision: it is an overriding power of the State, regulated by law and necessary for the protection of social security. The Court observed that the framers had not included a right to privacy among the fundamental rights and had not adopted anything like the Fourth Amendment to the U.S. Constitution, and that the courts could not import such a right by a strained construction.
Kharak Singh v. State of Uttar Pradesh and Ors.
After M.P. Sharma, the question in this case (1962) was whether the right to privacy is included in Article 21. The challenge was to police regulations permitting surveillance of ‘history-sheeters’, including domiciliary visits at night. A six-judge bench held that domiciliary visits at night violated Article 21 and struck down that part of the regulation. The majority, however, held that Article 21 contains no right to privacy, so privacy could not be treated as a fundamental right, and that shadowing and tracking the movements of a suspect did not violate Article 19(1)(d) or any other fundamental right under Part III of the Constitution. In the minority, Justice Subba Rao took the view that the right to privacy is an essential ingredient of personal liberty.
Govind v. State of Madhya Pradesh
The issue here (1975) was similar to that in Kharak Singh: police regulations in Madhya Pradesh permitted surveillance, including domiciliary visits, of persons with a criminal record. The Supreme Court accepted that a right to privacy can be read into Articles 19 and 21, but held that it is not absolute, must give way to a compelling public interest, and has to be developed case by case. On that footing the regulations, confined to habitual offenders and made under statutory authority, were upheld.
Maneka Gandhi v. Union of India
In this case (1978) the Supreme Court gave Article 21 a broad reading: the ‘procedure established by law’ that deprives a person of life or personal liberty must be fair, just and reasonable, and Articles 14, 19 and 21 are to be read together. This expansive reading of the right to life and personal liberty is what later allowed the right to privacy to be located within Article 21.
R. Rajagopal and Anr. v. State of Tamil Nadu (Auto-Shanker Case)
Privacy jurisprudence moved forward again in the post-liberalisation era in the Auto-Shankar case (1994), which concerned the publication of a convict’s autobiography by a magazine. The Supreme Court reviewed the evolution and scope of the right, including Govind, and held that the right to privacy is implicit in the right to life and personal liberty guaranteed by Article 21, describing it as the ‘right to be let alone’. Nobody may publish matters concerning a person’s private life without consent, whether the account is truthful or not; the exceptions are matters already part of public records (such as court records) and the public acts of public officials.
People’s Union for Civil Liberties (PUCL) v. Union of India
This case (1997) concerned telephone tapping under Section 5(2) of the Indian Telegraph Act, 1885, and the issue was whether such tapping infringes the right to privacy. The Supreme Court held that telephone conversations are private and confidential, that tapping them is a serious invasion of privacy which violates Article 21 unless carried out under a fair and reasonable procedure established by law, and it laid down procedural safeguards for interception orders (authorisation by the Home Secretary and periodic review by a committee). The Court also observed that whether the right to privacy is engaged in a given situation depends on the facts of the case.
Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors.
This case (2017) is a landmark judgment: the Supreme Court held that the right to privacy is a fundamental right, intrinsic to Article 21 and, as a facet of the freedoms guaranteed by Part III, protected under Articles 14 and 19 as well. It overruled M.P. Sharma and Kharak Singh to the extent that they held privacy not to be a fundamental right.
The case arose out of the challenge to the ‘Aadhaar scheme’, which collects biometric and demographic information of residents; the petitioners argued that the scheme violated the right to privacy, which they contended is a fundamental right under Article 21. The Union of India, relying on M.P. Sharma and Kharak Singh, contended that the Constitution does not guarantee a fundamental right to privacy and that whatever protection exists flows from personal liberty only to a limited extent.
Because those two earlier decisions had been rendered by benches of eight and six judges, a nine-judge Constitution bench was constituted to settle the question, and it decided unanimously. The Court held that the right to privacy is intrinsic to the right to life and personal liberty under Article 21 and is part of the freedoms guaranteed by Part III of the Constitution, and that the State has an obligation to protect the privacy of its citizens. The nine-judge bench decided only the question of privacy; the validity of the Aadhaar scheme itself was left to the smaller bench hearing the challenge, which in 2018 upheld the scheme in large part while striking down some of its provisions.
The decision also laid down the test that any State intrusion into privacy must satisfy: it must be backed by law, pursue a legitimate aim, and be proportionate to that aim. Citizens can now seek judicial relief when their privacy is infringed, and the judgment set the constitutional backdrop against which both the data protection legislation that followed and the data practices of technology companies operating in India are assessed.
Existing data protection framework in India
India is not among the most technologically advanced countries, yet it has entered the digital era, and with it come concerns about data privacy. Data is simply information collected about a subject, and the problem of protecting it has existed ever since data began to be collected and stored.
As of the time of writing, India has no specific law or regulation on data protection. Several existing statutes, however, contain provisions that touch on the subject:
Constitution of India
The Constitution of India protects personal data through the right to privacy. In Puttaswamy the Supreme Court held that privacy is an intrinsic part of the right to life and personal liberty under Article 21, and that informational privacy, the individual’s control over personal data, is one of its facets. A person cannot be deprived of that protection except according to procedure established by law, and after Maneka Gandhi such procedure must be fair, just and reasonable; the State is bound by this as much as anyone else. One’s personal data is thus protected by the fundamental right under Article 21.
Indian Contract Act, 1872
Confidentiality and data protection obligations can also be created by agreement between the parties; the contractual and common-law position is discussed below, after the statutory provisions.
Information Technology Act, 2000 and rules made thereunder
The Information Technology Act, 2000 was enacted by Parliament to provide a legal framework for the digital economy: e-commerce, electronic contracts, e-mail, online banking and so on. In the years since, the number of online platforms has grown enormously, and with it the relevance of the Act. The Act also covers data protection: it provides a legal framework against misuse of data and prescribes penalties for cybercrimes, and the 2008 amendment added further provisions on data protection and privacy. The relevant provisions are:
- Section 43 (a), (b) and (i) – This Section makes a person liable who, without the permission of the owner or person in charge, accesses a computer, computer system or network; downloads, copies or extracts any data from it; or destroys, deletes or alters information in it, or diminishes its value or utility. The person committing the act is liable to pay damages by way of compensation to the person affected. (The original ceiling of one crore rupees on such compensation was removed by the 2008 amendment.)
- Section 43A – This Section explicitly provides for data protection. Where a body corporate that possesses, deals with or handles sensitive personal data or information in a computer resource it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and that negligence causes wrongful loss or wrongful gain to any person, the body corporate is liable to pay damages by way of compensation to the person affected. Claims up to five crore rupees are adjudicated by the adjudicating officer under Section 46; larger claims go before the competent civil court.
- SPDI Rules – The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were notified under Section 43A. Body corporates handling sensitive personal data or information are required to adhere to them strictly:
- Rule 3 – This rule defines SPDI. Passwords; financial information such as bank account, credit card, debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; any detail relating to the above provided to a body corporate for providing a service; and any such information received by a body corporate under a lawful contract are all Sensitive Personal Data or Information. Information that is freely available in the public domain or furnished under the Right to Information Act, 2005 is excluded.
- Rule 5 – This rule lays down the provisions governing the collection of information:
- A body corporate shall not collect sensitive personal data or information without obtaining the consent of the provider in writing (by letter, fax or e-mail) regarding the purpose of its use.
- Sensitive personal data may be collected only for a lawful purpose connected with a function or activity of the body corporate, and only if the collection is necessary for that purpose.
- Information collected shall be used only for the purpose for which it was collected, and shall not be retained for longer than is required for that purpose or otherwise required under law.
- The body corporate is not responsible for the authenticity of the personal information supplied by the provider.
- The provider must be allowed to review the information and have it corrected, must be given the option not to provide the data, and must be able to withdraw consent at any time.
- The data must be kept secure, and the body corporate must designate a Grievance Officer, whose name and contact details are published on its website, to address discrepancies and grievances within one month.
- Rule 6 – A body corporate that wants to disclose sensitive personal data or information to a third party must obtain the prior permission of the provider, unless the disclosure was agreed to in the contract between them or is necessary for compliance with a legal obligation. No permission is needed where a government agency mandated under law to obtain the information for verifying identity or for preventing, detecting or investigating offences sends a written request stating the purpose; information may also be disclosed under an order of a court. The third party receiving the information may not disclose it further.
- Rule 8 – A body corporate that collects sensitive personal data or information must implement reasonable security practices and procedures: a documented information security programme with managerial, technical, operational and physical controls commensurate with the information assets being protected. Sub-rule (2) names ISO/IEC 27001 as one standard that satisfies this requirement; an industry association may instead have its own code of best practices approved and notified by the Central Government. Whichever is followed, the body corporate must have its practices certified or audited by an independent auditor approved by the Central Government at least once a year, and again after any significant upgrade of its processes or computer resources.
- Section 66C – This section punishes identity theft: whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of another person is punishable with imprisonment of up to three years and a fine of up to one lakh rupees.
- Section 72 – This section covers breach of confidentiality and privacy by a person who has secured access to an electronic record, book, register, correspondence, information, document or other material in the exercise of powers conferred under the Act or its rules (for example, an official). If such a person discloses that material to any other person without the consent of the person concerned, he or she is punishable with imprisonment of up to two years, or a fine of up to one lakh rupees, or both.
- Section 72A – This section applies to any person, including an intermediary, who has secured access to personal information about another person while providing services under a lawful contract and who discloses that information, without the consent of the person concerned or in breach of the contract, with intent to cause or knowing that it is likely to cause wrongful loss or wrongful gain. The punishment is imprisonment of up to three years, or a fine of up to five lakh rupees, or both.
Indian Penal Code, 1860
The Indian Penal Code contains no offence framed specifically for data theft, but its general offences are used against it: theft (Section 378), dishonest misappropriation of property (Section 403), criminal breach of trust (Sections 405 and 406) and cheating (Section 420), each punishable with imprisonment and fine. These offences apply to movable property, which Section 22 defines as corporeal property of every description except land and things attached to the earth or permanently fastened to anything attached to the earth. Data stored on a physical medium (a stolen hard disk or a printed database) clearly falls within that definition; whether intangible data copied without removing any physical object does is less settled, which is one reason the Information Technology Act provisions above are usually invoked alongside the Code.
The Copyright Act, 1957
The Copyright Act, as amended, includes computer databases in the definition of ‘literary work’ under Section 2(o), so copying a computer database amounts to copyright infringement, which carries civil remedies and criminal penalties under Section 63. The Act protects intellectual property in all kinds of work, literary, dramatic, musical and artistic, and a computer database is literary work for this purpose. Anyone who copies a database from a computer and shares or distributes it further infringes copyright.
The Act thus protects data or databases as a form of intellectual property, but database protection should not be confused with data protection. Data protection aims to protect the private information of a person, whereas database protection protects the work itself, i.e. the creativity, the investment of effort and the presentation of the database, regardless of whether it contains anyone’s personal data.
Many businesses also protect their data under contract law and the common law of confidence by including confidentiality or data protection clauses in their contracts. Doing so saves time and effort in the event of a breach, since the remedy sought is the one already spelled out in the contract.
Personal Data Protection Bill, 2019 (“PDP Bill”)
The Bill was introduced in the Lok Sabha on 11 December 2019 by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, and was referred to a Joint Parliamentary Committee. It provides a specific law for the protection of personal data and sets up a Data Protection Authority. The Bill singles out ‘sensitive personal data’ for closer supervision and stricter rules, makes it obligatory for data fiduciaries and processors to maintain prescribed standards for protecting data, and carves out certain exemptions. It has been controversial since its first draft in 2018 because of its data localisation requirement: the 2018 draft required every data fiduciary to keep a copy of all personal data on a server in India, and the 2019 Bill narrows this to sensitive and critical personal data.
The Bill governs the processing of personal data by the government, by companies incorporated in India, and by foreign companies dealing with the personal data of individuals in India. Personal data is data about or relating to a natural person who is directly or indirectly identifiable from it. The Bill further recognises a category of sensitive personal data, which includes financial data, health data, biometric and genetic data, sexual orientation, caste or tribe, and religious or political belief or affiliation, since these are the data most exposed to misuse.
Obligations of data fiduciary
A data fiduciary is any person, including the State, a company, a juristic entity or an individual, who alone or together with others determines the purpose and means of processing personal data. Processing is subject to collection and storage limitations, and personal data may be used only for specific, clear and lawful purposes. In addition, every data fiduciary must take measures for transparency and accountability, such as:
i.) Implementing security safeguards (such as de-identification and encryption) appropriate to the data, to prevent misuse, unauthorised access or loss.
ii.) Setting up a grievance redressal mechanism to address the complaints of individuals.
iii.) Verifying the age of, and obtaining parental or guardian consent for, children before processing their personal data.
Rights of an Individual
This Bill grants certain rights to an individual, called the data principal, which include the right to:
i.) confirmation and access: to confirm from the fiduciary whether their personal data has been processed, and to obtain a summary of that data and of the processing,
ii.) correction and erasure: to have inaccurate, incomplete or out-of-date personal data corrected, and data that is no longer necessary erased,
iii.) data portability: to receive their personal data in a structured, machine-readable form and to have it transferred to another fiduciary, in certain circumstances,
iv.) be forgotten: to restrict or prevent the continuing disclosure of their personal data by a fiduciary where the disclosure is no longer necessary, consent has been withdrawn, or the disclosure was made contrary to law.
Grounds for processing personal data
A fiduciary may process personal data only with the consent of the individual. In certain circumstances, however, personal data may be processed without consent, for instance where:
i.) it is required by the State to provide a benefit or service to the individual, or to issue a certificate, licence or permit,
ii.) it is required for compliance with a law or an order of a court or tribunal,
iii.) it is required to respond to a medical emergency, an epidemic, a disaster or a breakdown of public order.
Social media intermediaries
The Bill also covers social media intermediaries: intermediaries that primarily enable online interaction between users and allow them to create, upload, share or otherwise access information. An intermediary whose number of users exceeds a threshold notified by the government, and whose actions have or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India, is notified as a significant data fiduciary. Such an intermediary must enable users in India to verify their accounts voluntarily, and verified users must be given a visible mark of verification.
Transfer of data outside India
Sensitive personal data may be transferred outside India only with the explicit consent of the individual and subject to conditions (a contract or intra-group scheme approved by the Authority, a transfer to a country or entity the Central Government has found adequate, or specific permission of the Authority), and even then a copy must continue to be stored in India. Data notified by the government as critical personal data may be processed only in India.
Data Protection Impact Assessment
Where a significant data fiduciary undertakes processing that involves new technologies, large-scale profiling or use of sensitive personal data, or any other processing carrying a significant risk of harm to data principals, it must conduct a Data Protection Impact Assessment before starting. The Authority may specify further circumstances or classes of fiduciaries for which a DPIA is mandatory and may direct that it be reviewed by a data auditor; the assessment is submitted to the Data Protection Officer and then to the Authority, which may impose conditions on the processing or direct that it cease. The Data Protection Impact Assessment shall include:
- List of processing activities along with the nature and purpose of the activities,
- Assessment of the harm that may be caused while data processing,
- Steps to reduce harm.
Maintenance of Records and Audit of Data
A data fiduciary is required to maintain accurate and up-to-date records of its data processing activities, in the manner specified by regulations. Records should include:
- List of all the important activities and operation in the whole cycle of data processing,
- Record of periodic review concerning the security system and safeguards,
- Records of the Data Protection Impact Assessment conducted,
- Any other aspects involved.
Data Protection Officer
Every significant data fiduciary (and any other fiduciary the Authority specifies) is required to appoint a Data Protection Officer with sufficient qualifications and experience, who performs functions such as:
- To maintain the records mentioned in the Bill,
- To conduct the Data Protection Impact Assessments,
- To act as the point of contact for the data principal for the purpose of grievance redressal,
- To advise and assist the data fiduciary in ensuring compliance with the provisions of the Bill.
The Central Government can exempt any of its agencies from the provisions of the Bill:
- in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, and
- for preventing incitement to the commission of any cognisable offence (an offence for which the police may arrest without a warrant) relating to these matters.
Processing of personal data is also exempted from the provisions of the Bill for purposes such as:
- Prevention, detection, investigation and prosecution of any offence,
- Legal proceedings, and research, archiving or statistical purposes,
- Personal or domestic purposes, and journalistic purposes.
The Bill further provides for a regulatory ‘sandbox’ under which data fiduciaries working on innovation in new technologies such as artificial intelligence and machine learning may be exempted from some of its provisions for a limited period.
Penalties and offences under the Bill include:
- Processing personal data in violation of the Bill (for example without a lawful basis, in breach of the conditions for children’s data or cross-border transfer, or without the required security safeguards) attracts a penalty of up to fifteen crore rupees or 4% of the data fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher,
- Failure by a data fiduciary to comply with obligations such as registering as a significant data fiduciary, conducting a data audit or a Data Protection Impact Assessment, appointing a Data Protection Officer or notifying a data breach attracts a penalty of up to five crore rupees or 2% of its total worldwide turnover, whichever is higher,
- Knowingly or intentionally re-identifying personal data that has been de-identified by a fiduciary or processor, or processing such re-identified data, without consent is an offence punishable with imprisonment of up to three years, or fine, or both.
Sharing of non-personal data with government
The Central Government may direct data fiduciaries to provide it with non-personal data, or anonymised personal data (data from which the data principal can no longer be identified), to enable better targeting of services or the formulation of evidence-based policy.
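The re-identification offence above and the sharing of ‘anonymised’ data in this section both rest on the assumption that data from which the data principal cannot be identified stays that way. The following Python example, added here and not part of the article or the Bill, shows why merely dropping the name column is not anonymisation: it runs a linkage attack on the remaining quasi-identifiers against a second table that still carries names, and then applies a k-anonymity check with generalisation of the kind a fiduciary could run before release. Every record is constructed for illustration; the names, ages, PIN codes and diagnoses are invented and describe no real person.

```python
"""Added example, not from the article: why data that is only 'de-identified'
by dropping names can be re-identified by linking it with a second dataset on
quasi-identifiers, and a k-anonymity check that flags the risk before release.
Every record below is constructed; names, ages, PIN codes and diagnoses are
invented and describe no real person."""
from __future__ import annotations

from collections import Counter
from typing import Iterable

# Quasi-identifiers: attributes that are not unique on their own but, taken
# together and joined with another dataset, can single out one person.
QUASI_IDS = ("age", "pincode", "sex")

# A "de-identified" health table: the name column was removed, nothing else.
HEALTH_RECORDS = [
    {"age": 34, "pincode": "411030", "sex": "F", "diagnosis": "asthma"},
    {"age": 34, "pincode": "411030", "sex": "F", "diagnosis": "diabetes"},
    {"age": 61, "pincode": "411005", "sex": "M", "diagnosis": "hypertension"},
    {"age": 65, "pincode": "411052", "sex": "M", "diagnosis": "hiv"},
]

# A second table that carries names next to the same quasi-identifiers
# (an electoral roll, a loyalty-card database, a leaked customer list).
PUBLIC_LIST = [
    {"name": "Person A", "age": 34, "pincode": "411030", "sex": "F"},
    {"name": "Person B", "age": 34, "pincode": "411030", "sex": "F"},
    {"name": "Person C", "age": 61, "pincode": "411005", "sex": "M"},
    {"name": "Person D", "age": 65, "pincode": "411052", "sex": "M"},
]


def quasi_key(rec: dict, quasi_ids: tuple[str, ...] = QUASI_IDS) -> tuple:
    """The tuple of quasi-identifier values used to join the two tables."""
    return tuple(rec[q] for q in quasi_ids)


def link(health: Iterable[dict], public: Iterable[dict]) -> list[dict]:
    """Linkage attack: join the health table with the named table on the
    quasi-identifiers. A diagnosis that matches exactly one named person is
    re-identified; a match with several people is only narrowed down."""
    names_by_key: dict[tuple, list[str]] = {}
    for person in public:
        names_by_key.setdefault(quasi_key(person), []).append(person["name"])
    result = []
    for rec in health:
        candidates = names_by_key.get(quasi_key(rec), [])
        result.append({
            "diagnosis": rec["diagnosis"],
            "candidates": candidates,
            "re_identified": candidates[0] if len(candidates) == 1 else None,
        })
    return result


def k_anonymity(records: Iterable[dict], quasi_ids: tuple[str, ...] = QUASI_IDS) -> int:
    """Size of the smallest group of records sharing the same quasi-identifier
    values. k == 1 means at least one record is unique and therefore linkable."""
    groups = Counter(quasi_key(r, quasi_ids) for r in records)
    return min(groups.values()) if groups else 0


def generalise(rec: dict) -> dict:
    """Coarsen the quasi-identifiers before release: a ten-year age band and a
    three-digit PIN prefix instead of exact values. Other fields are unchanged."""
    out = dict(rec)
    decade = rec["age"] // 10 * 10
    out["age"] = f"{decade}-{decade + 9}"
    out["pincode"] = rec["pincode"][:3] + "xxx"
    return out


def release_if_safe(records: list[dict], k_min: int = 2) -> list[dict] | None:
    """Gate a fiduciary could run before sharing 'anonymised' data: release
    the table as is if no record is unique, otherwise release the generalised
    table, and only if that meets the k threshold; None means do not release."""
    if k_anonymity(records) >= k_min:
        return records
    generalised = [generalise(r) for r in records]
    return generalised if k_anonymity(generalised) >= k_min else None
```

Against the raw table the two male records link to exactly one name each, so an ‘hiv’ diagnosis is attributed to a named person, and `k_anonymity` reports 1; after generalisation every record shares its quasi-identifiers with at least one other, and the join returns two candidates for each row. k-anonymity is a necessary check, not a sufficient one: if every record in a group carried the same diagnosis, that diagnosis would still be disclosed even though no single row could be picked out, and a release that retains any direct identifier (a mobile number, an Aadhaar number) is not anonymised however large k is.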
Amendment to other laws
The Bill also amends the Information Technology Act, 2000 by omitting Section 43A, which currently makes a body corporate liable to pay compensation for failure to protect sensitive personal data.
Data Protection Authority
The Bill sets up a Data Protection Authority of India as the regulatory and enforcement body, which will:
i.) take the necessary steps to protect the interests of individuals,
ii.) prevent the misuse of personal data,
iii.) ensure compliance with the Bill.
The Authority will consist of a chairperson and six members, each with at least ten years of expertise in data protection, information technology or related fields. Orders of the Authority are not final: they can be appealed to an Appellate Tribunal, and from there to the Supreme Court.
The Authority will issue codes of practice to promote good practices and facilitate compliance with the Bill; a code may be specific to an industry or to a class of fiduciaries. The Bill also empowers the Authority to conduct inquiries and investigations and to appoint inquiry officers where it has reasonable grounds to believe that a fiduciary’s activities are detrimental to data principals or contravene the Bill.
The Bill also empowers the Authority to impose penalties for violations: the ceilings range from five crore rupees or 2% of the fiduciary’s turnover to fifteen crore rupees or 4% of turnover, depending on the provision breached. Re-identification of de-identified data is a criminal offence punishable with imprisonment of up to three years, or a fine of up to two lakh rupees, or both.
The Bill further provides compensation to data principals who suffer harm as a result of a violation of the Bill by a fiduciary or processor. The compensation is decided by an adjudicating officer of the Authority, not by the Data Protection Officer.
Key principles that apply to the processing of personal data
Rule 4 of the SPDI Rules requires a body corporate that collects, receives, possesses, stores, deals with or handles personal information to publish a privacy policy on its website, setting out:
- its practices and policies for handling personal information,
- the types of personal or sensitive personal data or information it collects,
- the purpose of collection and use of the information,
- the disclosure of information, including sensitive personal data, in the circumstances specified in Rule 6, and
- the reasonable security practices and procedures it follows under Rule 8.
- The Personal Data Protection Bill likewise requires transparency: under Section 30 the data fiduciary must take reasonable steps to make its practices for processing personal data available in an easily accessible form, including:
- the categories of personal data generally collected and the manner in which they are collected,
- the purposes for which personal data is generally processed,
- any categories of personal data processed in exceptional situations or for exceptional purposes, where such processing may create a risk of significant harm,
- the existence of, and procedure for exercising, the data principal’s rights under Chapter VI,
- the right to file a complaint with the Authority,
- information regarding cross-border transfers of personal data carried out by the data fiduciary,
- any other information specified by the Authority.
- The data fiduciary must also notify the data principal of the important operations in the processing of personal data relating to that principal.
Lawful basis of processing
- The SPDI Rules state that a body corporate, or any person acting on its behalf, must obtain the consent in writing of the provider of information regarding the purpose for which sensitive personal data is collected and used. Such data may be collected only for a lawful purpose connected with a function or activity of the body corporate, and the body corporate must ensure that it is used only for the purpose for which it was collected.
- The Personal Data Protection Bill likewise provides in Section 7 that personal data may be processed only for lawful purposes. Chapter III deals with consent, which is the primary ground for lawful processing, and sets out the other grounds on which personal data may be processed without consent:
- for functions of the State, such as providing services or benefits,
- for compliance with law or an order of a court or tribunal,
- where prompt action is necessary, such as in a medical emergency, an epidemic or a disaster,
- for purposes related to employment, such as recruitment, attendance or assessment of performance,
- for other reasonable purposes, such as prevention and detection of unlawful activity including fraud, whistleblowing, mergers and acquisitions, network and information security, credit scoring and recovery of debt. Which purposes count as ‘reasonable’ is specified by the Data Protection Authority by regulation, having regard to the factors listed in the Bill.
- The Information Technology Act itself does not fix a time frame for keeping sensitive personal data, but the SPDI Rules provide that a body corporate holding such data shall not retain it for longer than is required for the purpose for which it was collected or than is otherwise required under law. Once that purpose is fulfilled, continued possession is no longer lawful.
- Section 67C of the Information Technology Act requires an intermediary to preserve and retain the information specified by the Central Government, for the duration and in the manner it prescribes; intentional or knowing contravention is punishable. ‘Intermediary’ includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online marketplaces and cyber cafes.
- The Personal Data Protection Bill provides for purpose limitation in Section 5:
- Personal data may be processed only for purposes that are clear, specific and lawful.
- Personal data may be processed only for the purposes specified, or for any other incidental purpose that the data principal would reasonably expect.
- The Personal Data Protection Bill states in Section 10 that a data fiduciary may retain personal data only as long as is reasonably necessary to satisfy the purpose for which it was processed, and must delete it once the purpose is fulfilled, unless retention is explicitly mandated by law or explicitly consented to by the data principal. The fiduciary must also review periodically whether retaining the data is still necessary. The Bill further empowers the Data Protection Authority under Section 61 to issue a code of practice on the retention of personal data under Section 10.
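The three obligations discussed in this section (consent that the provider can withdraw, under the SPDI Rules; purpose limitation, under Section 5 of the Bill; and retention only until the purpose is fulfilled, under Section 10) are easier to see as checks in code. The following Python store is an added example written for this article, not text from the Rules, the Bill or any real system; the purpose names, the 30-day grace period after fulfilment and the two data principals are assumptions made for illustration.

```python
"""Added example, not from the article or from any statute or bill: an
in-memory store that enforces in code consent that can be withdrawn,
purpose limitation, and deletion once the purpose is fulfilled. The
purposes, the 30-day grace period and every record are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

class ProcessingDenied(Exception):
    """Raised when a use of personal data has no lawful basis in this store."""

@dataclass
class Consent:
    purposes: frozenset[str]              # purposes the principal agreed to
    withdrawn_at: datetime | None = None  # consent may be withdrawn at any time

@dataclass
class PersonalData:
    principal_id: str
    category: str                         # e.g. "financial", "contact"
    value: str
    purpose: str                          # the purpose it was collected for
    fulfilled_at: datetime | None = None  # set once that purpose is served

class Store:
    # Assumption: data is deleted this long after its purpose is fulfilled,
    # leaving a window for disputes; a real system takes this from policy.
    GRACE = timedelta(days=30)

    def __init__(self) -> None:
        self.consents: dict[str, Consent] = {}
        self.data: list[PersonalData] = []

    def record_consent(self, principal_id: str, purposes: set[str]) -> None:
        self.consents[principal_id] = Consent(frozenset(purposes))

    def withdraw_consent(self, principal_id: str, now: datetime) -> None:
        self.consents[principal_id].withdrawn_at = now

    def _withdrawn(self, principal_id: str, now: datetime) -> bool:
        c = self.consents.get(principal_id)
        return c is not None and c.withdrawn_at is not None and c.withdrawn_at <= now

    def _check_basis(self, principal_id: str, purpose: str, now: datetime) -> None:
        """Consent exists, covers this purpose and has not been withdrawn."""
        c = self.consents.get(principal_id)
        if c is None or purpose not in c.purposes:
            raise ProcessingDenied(f"no consent of {principal_id} for {purpose}")
        if self._withdrawn(principal_id, now):
            raise ProcessingDenied(f"consent of {principal_id} withdrawn")

    def collect(self, item: PersonalData, now: datetime) -> None:
        """Collection limitation: collect only against a consented purpose."""
        self._check_basis(item.principal_id, item.purpose, now)
        self.data.append(item)

    def use(self, principal_id: str, purpose: str, now: datetime) -> list[str]:
        """Purpose limitation: return only data collected for this very purpose."""
        self._check_basis(principal_id, purpose, now)
        return [d.value for d in self.data
                if d.principal_id == principal_id and d.purpose == purpose]

    def mark_fulfilled(self, principal_id: str, purpose: str, now: datetime) -> None:
        for d in self.data:
            if d.principal_id == principal_id and d.purpose == purpose and d.fulfilled_at is None:
                d.fulfilled_at = now

    def retention_review(self, now: datetime) -> int:
        """Storage limitation, run periodically: delete data whose consent was
        withdrawn or whose purpose was fulfilled more than GRACE ago."""
        def expired(d: PersonalData) -> bool:
            return d.fulfilled_at is not None and now - d.fulfilled_at >= self.GRACE
        before = len(self.data)
        self.data = [d for d in self.data
                     if not (self._withdrawn(d.principal_id, now) or expired(d))]
        return before - len(self.data)      # number of records deleted

def allowed(action) -> bool:
    try:                                    # True if the store let the action run
        action()
        return True
    except ProcessingDenied:
        return False

def demo() -> dict:
    """Lifecycle walk-through on two constructed principals."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    s = Store()
    s.record_consent("p1", {"loan_kyc"})
    s.collect(PersonalData("p1", "financial", "ACCT-0001", "loan_kyc"), t0)
    s.record_consent("p2", {"newsletter"})
    s.collect(PersonalData("p2", "contact", "p2@example.invalid", "newsletter"), t0)
    s.withdraw_consent("p2", t0 + timedelta(days=1))
    s.mark_fulfilled("p1", "loan_kyc", t0 + timedelta(days=10))
    return {
        "other_purpose": allowed(lambda: s.use("p1", "marketing", t0)),
        "own_purpose": s.use("p1", "loan_kyc", t0),
        "after_withdrawal": allowed(lambda: s.use("p2", "newsletter", t0 + timedelta(days=2))),
        "deleted_day_20": s.retention_review(t0 + timedelta(days=20)),  # p2: consent withdrawn
        "deleted_day_45": s.retention_review(t0 + timedelta(days=45)),  # p1: grace period over
        "remaining": len(s.data),
    }
```

In the walk-through the store refuses to use p1’s financial data for marketing because consent covered only the KYC purpose, refuses p2’s newsletter data the day after consent is withdrawn, and the periodic review deletes p2’s record immediately but keeps p1’s until the grace period after fulfilment has run out. Note what the store does not do: it keeps no audit trail and gives no notice to the data principal, both of which the Bill also requires, and the grace period is a policy choice that would itself need a legal basis, since Section 10 allows retention beyond fulfilment only where mandated by law or explicitly consented to.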
Sector-specific legislation that impacts data protection
Hospitals require patients to fill in forms and complete other formalities before treatment, and collect personal data in the process. The medical and healthcare sector has a few provisions that bear on data protection. They are:
Mental Health Act, 1987 (MH Act)
(This Act has since been repealed and replaced by the Mental Healthcare Act, 2017, which carries its own confidentiality provision; the sections below are those of the 1987 Act as discussed in this article.)
- Section 13 – This section provides for the inspection of psychiatric hospitals and psychiatric nursing homes by an inspecting officer, who may visit at any time, interview patients and inspect the records kept under the Act. The inspecting officer must keep the patient records confidential, unless he or she considers that a patient is not receiving proper care and treatment, in which case the matter may be reported to the licensing authority. The licensing authority may then issue directions that the medical officer-in-charge and the licensee of the hospital or nursing home must comply with.
- Section 38 – This section prohibits visitors to a psychiatric hospital or nursing home from inspecting the personal records of any patient that the medical officer-in-charge considers confidential.
Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002
Regulation 7.14 – A registered medical practitioner shall not disclose the secrets of a patient learnt in the exercise of his or her profession, except:
- in a court of law, under orders of the presiding judge,
- where there is a serious and identified risk to a specific person and/or the community, and
- in the case of a communicable or notifiable disease, which the practitioner must report to the public health authorities immediately.
Health record privacy and harm to others
In Mr X v. Hospital Z (1998), the Supreme Court held that although a patient has a right to privacy and a doctor owes a duty of confidentiality, that duty yields where disclosure is needed to protect the health or life of others. The hospital’s disclosure that the appellant was HIV positive was therefore not a violation of his right to privacy: it was made to protect the woman he was engaged to marry, whose right to life prevailed, and the marriage was called off as a result.
Private Sector (NASSCOM)
- The National Association of Software and Service Companies (NASSCOM) is a non-profit industry association and the apex body for the Indian IT-BPM (Information Technology–Business Process Management) industry; it leads private-sector initiatives to promote and support data privacy practices in India.
- Business process outsourcing units adopt self-regulatory measures such as ISO standards to maintain a standard security system, and restrict the quantity of data made available to their employees.
Telecom service providers acquire a great deal of personal data about their subscribers in the course of providing services. The sector is regulated by the Telecom Regulatory Authority of India (TRAI) and the Department of Telecommunications, and the following sector-specific provisions protect that data:
Indian Telegraph Act, 1885 (“Telegraph Act”)
- Section 5 – This section states that the Government has the power to take possession of any telegraph, and to order the interception of messages, in the event of a public emergency, in the interest of public safety, in the interests of the sovereignty and integrity of the State, or to prevent incitement to the commission of any offence.
- Section 24 – This section states that any person who unlawfully attempts to learn the contents of a message commits an offence punishable with imprisonment for up to one year.
- Section 25 – This section states that any person who intercepts, damages or tampers with any telegraph, or obstructs its transmission, is punishable with imprisonment of one to three years, or with a fine, or both.
- Section 26 – This section states that any telegraph officer, or any person having official duties connected with a telegraph office, who secretly and wilfully alters a message he has received for transmission to another person, or who divulges a telegraphic signal to a person not entitled to receive it, is punishable with imprisonment of one to three years, or with a fine, or both.
- Section 30 – This section states that any person who wilfully detains a message from being transmitted to another person, or any telegraph officer who refuses to transmit a message to the person entitled to it, is punishable with imprisonment of one to two years, or with a fine, or both.
Department of Telecommunications
- National Long Distance License – Clause 21 of the National Long Distance License requires the telecommunication provider (the licensee) to maintain and adhere to confidentiality conditions securing customer information. It also makes the licensee responsible for the privacy of communications and requires it to take all significant steps needed to maintain and safeguard the privacy and confidentiality of information belonging to the third parties to whom it provides services.
- Unified Access Service License and Cellular Mobile Telephone Service License – Clauses 37 and 39 of the Unified Access Service License and Clause 42 of the Cellular Mobile Telephone Service License state that the telecommunication provider or licensee must maintain the confidentiality of its customers’ information, and is also responsible for maintaining a security system that ensures the privacy of communications and prevents the interception of messages. Also, if the licensee connects any bulk encryption equipment for particular requirements, that equipment requires prior evaluation and approval by the licensor.
- Telephone tapping was also held to violate the right to privacy by the Hon’ble Supreme Court in PUCL v. Union of India.
When a person opens a bank account, he/she shares sensitive personal data. The following are the regulations in the banking sector that protect customers’ data:
State Bank of India Act, 1955
Section 44 – This section provides a secrecy clause binding the bank as a whole and its directors, local boards, auditors, officers and other employees. It makes it mandatory for them to make a declaration of fidelity and secrecy in a prescribed form. It also states that the State Bank shall observe the practices and usages customary among bankers and shall not divulge any information or data relating to its constituents.
Banking Companies (Transfer and Acquisition of Undertakings) Act, 1980
Section 13 – This section states that every new bank must observe the practices and usages customary among bankers and must not divulge any information, except when it is required in a court of law or is necessary for the bank to do so. Every member and employee of the bank must also make a declaration of fidelity and secrecy in a prescribed form.
Credit Information Companies (Regulation) Act, 2005 and Credit Information Companies Regulations, 2006
- Section 19 – This section states that every credit information company, credit institution and specified user is responsible for preserving the accuracy and security of credit information, and for ensuring that the data relating to that credit information is accurate and duly protected against any loss, unauthorised access or disclosure.
- Section 20 – This section requires every credit information company to adopt privacy principles in relation to the collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information.
- Section 22 – This section states that any person who obtains unauthorised access to credit information held by a credit information company or a credit institution is punishable with a fine of up to Rs. 1 lakh, and if that person continues to possess the data, with a further fine of Rs. 10,000 for every day the possession continues.
The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983
- Section 3 – This section states that a public financial institution shall not divulge any information relating to its constituents or their affairs, except where required by a court of law or where it is necessary for the public financial institution to divulge such information.
- Section 4 – This section states that every member to whom this Act applies is required to make a declaration of fidelity and secrecy in a prescribed form.
In the case of District Registrar and Collector, Hyderabad v. Canara Bank, the Hon’ble Supreme Court held that a person’s right to privacy also extends to the documents he/she has given to the bank, which should remain confidential. The Court also declared invalid Section 43 of the Stamp Act (as amended in Andhra Pradesh), which had allowed the Collector to access and inspect the registers, books, records, papers and documents in the custody of any public officer.
Current Issues Surrounding Data Privacy
- It is still debated whether India should adopt a rights-based model in place of the present consent-based model. In the current consent-based model, the data controller is free to process and share the data once it obtains the user’s consent in writing, but many people are not aware of the consequences of giving consent. A rights-based model, by contrast, gives users more and greater rights over their data, and requires the data controller to ensure that those rights are not violated.
- The decision of the Hon’ble Supreme Court gives citizens the right to seek judicial relief if there is a data breach. This could affect the rules and practices implemented by tech companies, because users can not only raise tort-based claims but can also invoke their fundamental right to privacy.
- The Hon’ble Supreme Court has laid down that the State can intervene or encroach upon fundamental rights to protect the State’s interests. But before a law that seeks to encroach upon fundamental rights can be upheld, it must pass the tests of reasonableness and proportionality.
Need for revamping the data protection framework in India
There is a dire need to revamp the existing data protection laws because of the many loopholes that exist and need to be closed. These are:
- The provision under the Information Technology Act deals only with the collection and processing of data by a ‘body corporate’, so it does not protect data handled by anyone else.
- It does not protect data that is freely available in the public domain, even if that data is sensitive.
- Although personal information linked to Aadhaar is meant to remain confidential, that information is shared with the Income Tax Department, and the Income Tax Act provides no rule to protect it.
- The Personal Data Protection Bill empowers the officer or the Data Protection Authority to take enforcement action against a person, such as arrest, detention or any other action required, without the approval of a court; the bill thus gives unfettered power to the authority.
- The PDPB does not specify any time limit for reporting a data breach. A complaint can be filed only once harm has been caused, so the bill does not prevent data breaches. Also, although the bill has not yet been passed, it might give the government unrestricted access to citizens’ data.
- The bill states that data may be processed even without consent if the State requires it. This is irrational, and it is very uncertain what the State’s possible requirements could be, because even persons representing the State can tamper with the data and use it for unlawful purposes.
- Apart from this, India sets no minimum age for joining social media platforms, which are the most vulnerable to data breaches.
- Along with providing for the fair and reasonable collection of data, the Personal Data Protection Bill should also lay down rules for the reasonable and fair processing of data by data fiduciaries.
- The PDPB should clearly explain the ambiguous term ‘incidental purposes’ in Section 5(2).
- Data fiduciaries should also be required to disclose data breaches on their websites to ensure transparency.
- Significant importance should be given to the privacy rights of the people, as mandated in the General Data Protection Regulation (GDPR).
- In the case of a data breach, the data authority should publish the data protection impact assessment and data audits, to maintain transparency.
- Though the bill sets out all the broad principles, it still needs more work on the consent of the people in the case of exceptions, and on the privacy of the information.
Data protection and privacy around the world
Even in India, e-commerce companies that deal with European countries have to comply with the General Data Protection Regulation (GDPR). The basic purpose of the GDPR is to strengthen the privacy rights of the people of the European Union and to unify data protection, even outside Europe. US and European Union policymakers have shaped their laws according to recent actions and enforcement.
The European Union’s GDPR has had wide-ranging consequences on a global scale. The GDPR harmonises data protection laws to provide greater protection for an individual’s right to privacy. It also provides strict penalties not only for organisations but also for individuals who do not handle data properly and safely.
The US, on the other hand, takes a different approach to data protection. Instead of adopting a single overarching law like the GDPR, it has sector-specific legislation, such as separate laws for the medical sector, the private sector, and so on.
Also, in the US and Europe there is a minimum age requirement: children under 13 cannot join social media, whereas in India there is no such limitation. Nor can one share or disseminate information regarding children; doing so amounts to a criminal offence.
This year started with the California Consumer Privacy Act (CCPA) coming into force on 1st January, 2020, which has affected US legislation at both state and federal level. Other data privacy legislation was also due to be adopted by countries such as Brazil, Thailand, India and South Korea, as part of a global movement towards stricter data protection laws. The CCPA’s final regulations were still awaited, so enforcement had not yet begun, but it was expected to commence by 1st July and to apply retroactively.
The California Consumer Privacy Act (CCPA) includes the following rules:
- The civil penalty that the Attorney General can impose under the Act is up to $2,500 per unintentional violation and up to $7,500 per intentional violation, assessed on a per-consumer basis. Statutory damages range from $100 to $750 per consumer per incident.
- It also gives consumers a private right of action and statutory damages against businesses that suffer data breaches because of a failure to implement and maintain reasonable security practices.
- However, the private right of action is available only for the categories of personal information listed in California’s breach notification statute, not for the broader definition in the Act itself.
- A consumer who wants to sue a business must first give notice of the violation and allow a period of 30 days to cure it. If the business cures the violation within that time, the consumer cannot claim statutory damages.
- Consumers could exercise their rights from 1st January, 2020 itself.
Two more important laws are due to be adopted, by Brazil and Thailand. Brazil was to bring the Lei Geral de Proteção de Dados (LGPD) into force from 15 August, 2020; it will apply to all companies handling information about Brazilian residents or citizens, irrespective of whether or not they are located in Brazil. It also provides for the formation of a body to enforce the law, and the legislation closely follows the GDPR. The LGPD makes it mandatory for every company to have proper security, technical and administrative measures to protect data from access by hackers or unauthorised users, and imposes a fine of up to 2% of the company’s total revenue in Brazil, or up to $12,300,000.
Thailand also adopted a Personal Data Protection Act (PDPA) on 27th May, 2020. The law had been in the making for the past twenty years and was passed by the National Legislative Assembly in 2019. The Act adopts some of the strict rules of the GDPR, and requires data protection officers to protect sensitive categories of data. Notably, a person who violates the Act not only has to pay a fine but can also be prosecuted criminally and face imprisonment of up to one year.
South Korea, meanwhile, is still aligning its data protection laws with the GDPR, hoping to receive an adequacy decision from the European Commission, which would allow the free movement of data between South Korea and the European bloc and promote cross-border business and data transfers. Many other countries are also seeking an adequacy decision to enable the free movement of data between the European bloc and themselves. In 2019, South Korea strengthened the protection of children’s data by making it mandatory for companies collecting data on children under the age of 14 to obtain the consent of their parents or legal guardians.
Though India is working towards developing and creating laws for data protection and privacy, there are still some loopholes that need to be addressed. Hence, the Indian legislature needs to incorporate the merits of data protection and privacy laws from around the world and take a step forward in implementing and developing this new branch of law, owing to its paramount importance in today’s times. There are various data protection laws around the world which, if adopted and strictly implemented in India, could help curb the issues related to data protection.