This article has been written by Nehal Misra, from Nirma University, Ahmedabad. In this article, she discusses the lack of jurisprudence in data protection laws in India.
“Data is the new oil” is popularly said. In the 21st century, data has replaced oil to become the most valuable commodity. It can be derived from the fact that the data sector belongs to 5 of the world’s most valuable companies, namely Amazon, Google, Apple, Microsoft, and Facebook. If we look closely at the two commodities we understand that data and oil are very similar. The crude oil which is found in the world is unusable due to its raw form and is required to be refined and filtered through various processes for the production of petroleum, diesel, kerosene, gasoline and the like, the raw information is also required to be processed as well as analyzed for the purpose of converting it into usable data, such as for health information, geolocation browsing information, etc.
Also, sensitive personal data as the definition of sensitive personal data, or information, exists under the Law. It means personal information consisting of: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health status; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any data relating to the things referred to above provided to a corporate body to achieve results. Sensitive personal data or information may not include freely available or accessible information on the public domain or given under the Access to Information Act, 2005, or any other applicable legislation. The PDP Bill proposes a broad definition of personal sensitive data and also defines income, caste, race, religious and political views or association as sensitive personal data.
On the other hand, private data is confidential to an individual/organization and can not be disseminated openly by others without the subject’s prior permission. It includes financial details, family details, psychological characteristics, locations, and history of travel, behaviour, abilities, photographs, aptitudes, etc.
India has adopted a special, biometric identification number for citizens, named ‘Aadhaar.’ Aadhaar is governed by the Aadhaar Act, 2016 and its rules and regulations (Targeted Delivery of Financial and Other Subsidies Act). Entities in controlled sectors such as financial services and telecommunications are subject to confidentiality obligations under sectoral laws which require them to keep personal customer information confidential and use it for specified purposes or only in the manner agreed with the customer.
Lastly, personal data is protected utilizing indirect safeguards developed by common law courts, equity principles, and trust breach law. In the judgment of Justice K.S Puttaswamy & Another vs. Union of India, which was delivered in August 2017, the Supreme Court acknowledged the right to privacy as a constitutional right under Article 21 of the Constitution. “Informative privacy” was accepted as a facet of the right to privacy and the court held that privacy protection (“Privacy Judgment”) also had to be given to a person’s information and the right of access to that information. The court declared that each and every individual should have the right to control the commercial use of his or her identity and that from this right emanates the “right of individuals to use their identity and personal information exclusively commercially, to control the information available on the Internet about them and to distribute such personal information for restricted purposes only.”
Fundamental rights may only be enforced against the state and the instrumentalities of the state and accepted by the Supreme Court in the same judgment that protection of the right to privacy against private individuals can require legislative intervention. Consequently, the Government of India formed a committee to propose a draft data protection statute. The committee proposed draft legislation, and the Indian government issued the Personal Data Protection Bill, 2019 (“PDP Bill”) based on the committee’s proposal. It will be India’s first personal data privacy law, which will repeal S. 43A the IT Act.
Entry into force
- Section 43A and Section 72A of the IT Act -27 October 2009
- Aadhaar Act- 12 September 2016.
Personal Data Protection Bill
In July 2017 a committee was established by the Ministry of Electronics and Information Technology to study data protection issues. The Committee was headed by Justice B. N. Srikrishna, a former Supreme Court judge. In July 2018, the committee tabled the draft Personal Data Protection Bill, 2018. The Bill was approved by India’s cabinet ministry on 4 December 2019 as the Personal Data Protection Bill 2019 and tabled in the Lok Sabha on 11 December 2019, after further deliberations. The PDP Bill has been debated by a Joint Parliamentary Committee, and a revised draft PDP Bill is scheduled to be released in 2020. The PDP bill will then need to be approved by both legislative houses and published in the official gazette before it becomes law. On 11 December 2019, the Personal Data Protection Bill 2019 was tabled in the Indian Parliament. A Joint Parliamentary Committee (JPC) is analyzing the Bill as of 17 December 2019, in consultation with various groups. The Bill covers mechanisms for personal data protection and proposes the establishment of an Indian Data Protection Authority for the same. The 2019 Bill includes some crucial provisions for which the 2018 draft Bill did not provide such that the central government could exclude any government agency from the Bill, and the right to be forgotten. The legislation is likely to be enforced in a staggered way, even after implementation. There is currently no information regarding that timeline for implementation.
The revised Bill was criticized by Justice B. N. Srikrishna, for turning India into an “Orwellian state”. Justice Srikrishna said, “Government can access data from private data or government agencies on grounds of sovereignty or public order at any time. That has dangerous implications. “In their comment, a think tank shares this view. Apar Gupta of the Internet Freedom Foundation notes that “Privacy is mentioned only once in this voluminous document[b] — 49 references to ‘security’ and 56 references to ‘technology'” imply that the Bill does not do enough to protect the privacy of an individual. Internationally, fresh criticism stems from an advisor to a group proposing an alternative text. A reasonably critical review is available from a scholar working with an American co-author in India. On several fronts, the role of social media intermediaries is being more tightly regulated.
Data protection laws in India
Data Protection refers to a set of privacy laws, policies, and procedures aimed at minimizing the intrusion into one’s privacy caused by personal data collection, storage, and dissemination. Personal data generally refers to the information or data relating to a person identifiable from that information or data whether it is collected by any government or private organization or agency. India’s Constitution does not patently grant the basic right to privacy. However, the courts have read the right to privacy in the other fundamental rights that exist, i.e. freedom of speech and expression under Art. 19(1)(a) and the right to life and freedom under Art. 21. However, under the Constitution of India, these Fundamental Rights are subject to reasonable restrictions laid down in Article 19(2) of the Constitution which the State may impose. Previously in the landmark case Justice K S Puttaswamy (Retd.) & Anr. Vs. Union of India and Ors., the constitutional bench of the Honorable Supreme Court held the right to privacy as a fundamental right, subject to certain reasonable restrictions.
India does not have clear regulations on data security or privacy. There exist a few regulations which are related to data security regulations in India, such as the Information Technology Act, 2000, and the Indian Contract Act, 1872. There lies an urgency for a codified law on data protection. The IT Act, 2000 deals not only with civil issues pertaining to the payment of compensation but also the punishment (Criminal) in cases of breach and violation of personal data through misrepresentation or misuse of personal data. Under Section 43A of the IT Act, 2000, a corporate body is held liable by the court of law, if the corporate body owns any personal data, and distributes any confidential personal data due to its negligence in implementing and maintaining fair security practices, the corporate body is liable for paying damages to the individual concerned.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules only deals with the protection of “Sensitive personal data or information of a person”, including personal information related to:
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information.
The rules provide reasonable security practices and procedures to be followed by the corporate body or any person who collects, receives, possesses, stores, deals or handles information on behalf of the corporate body. In the event of any breach, the corporate body or any other person acting on behalf of a corporate body, the corporate body may be held responsible for paying damages to the person so affected. The Rules provide that every corporate body needs to maintain reasonable safety practices and procedures. A corporate entity or individual operating on its behalf shall be considered to have adopted appropriate security practices and procedures where they have established these security practices and standards and have a comprehensively recorded information security policy and information security policies including commensurate management, technological, operational and physical security control measures. The Ministry listed the IS/ISO/IEC 27001 International Standard on “Information Technology-Security Techniques-Information Security Management System-Requirements” as one of those standards. Corporate bodies that follow other standards are required to have their safety practices and standards notified and approved by the Ministry for effective implementation. A corporate body is expected to have its security practices and procedures accredited and audited by an independent auditor who is authorized by the central government at least once a year, or when its computer resource is substantially upgraded.
According to Section 72A IT Act, 2000, disclosure of information, intentionally and deliberately with knowledge of the same is punishable by imprisonment for a period of up to three years and a fine of up to Rs 5,00,000, without the permission of the individual concerned and in breach of the lawful contract. It is required to be noted that Section 69 of the IT Act, which constitutes an exception to the general rule of privacy and confidentiality of records, provides that if the Government is satisfied that it is in the interests of:
- the sovereignty or integrity of India,
- defense of India,
- security of the State,
- friendly relations with foreign States,
- public order,
- for preventing incitement to the commission of any cognizable offense relating to above,
- for investigation of any offense, or
- It can, by order, direct any appropriate government agency to intercept, track or decrypt or trigger the interception or monitoring or decryption of any information produced, transmitted, obtained, or stored in any computer resource.
Where the information is such that it should be disclosed in the public interest, disclosure of such information may be required by the government. Details concerning anti-national activities which are against national security, infringements of the law, or statutory obligation or fraud that fall under this category.
Lack of jurisprudence
India’s data protection law is currently facing many problems and resentment because of the lack of a proper legislative framework. Globally, there is a continuing explosion of cybercrimes. The theft and sale of the stolen data occur across the vast continents where physical boundaries in this technological era do not pose any restriction or appear to be non-existent. India, being the world’s largest host of outsourced data processing, could become the epicentre of cybercrimes. This is primarily due to the lack of appropriate legislation. India’s Data Security Council (DSCI) and the Department of Information Technology (DIT) also need to rejuvenate their efforts on similar lines in this regard. The best approach will, however, come from good statutory requirements along with sufficient knowledge of the public and the employees. It is high time we in India had to pay attention to data security. There is a lack of cybersecurity in India and the same requires rejuvenation. If even the cybersecurity of PMO is compromised for many months we must wake up now at least. In India, data breaches and cybercrimes can not be minimized until we implement strict cyber laws. We can’t do that by actually declaring a cat to be a tiger. India’s cyberlaw also needs sound cybersecurity and effective cyber forensics to support it.
Indian companies in the IT and BPO sectors manage and have access to confidential and personal data of all sorts of individuals around the world, including their credit card numbers, financial records, and even their medical history. Such businesses store electronically sensitive data and details and this could be exposed in their employees’ hands. It’s often misused amongst them by unscrupulous elements. Security vulnerabilities and data leakages have occurred in high-profile Indian firms. Recent data theft incidents in the BPO industry have raised data privacy concerns.
There is no specific data protection legislation in India. Despite the introduction of the Personal Data Protection Bill in Parliament in 2006, the light of the day is yet to see. The bill seems to be building on the general basis of the Data Privacy Directive of the European Union, 1996. It follows a comprehensive model with a bill that aims to govern personal data collection, processing, and distribution. It is important to note that the bill’s applicability is restricted to personal data, as described in the bill’s clause 2.
The Bill refers to the data functionalities of both government and private companies. The appointment of data controllers with general superintendence and jurisdiction over subjects covered by the Bill is provided for. It also specifies that criminal sanctions may be placed on criminals, in addition to compensation for damages to victims. The Bill marks a step in the right direction. However, due to a lack of documentation, the Bill is still pending. Though the IT Act is inclusive of the provisions not only on cyber and IT laws in India but it also attempts to define to the degree to which a party has access to data stored on a device, it fails to resolve the need for strict data protection law.
The IT Act, 2000 has been revised to tackle cybercrime issues, it has implemented two significant provisions that have a strong impact on the data protection legal regime. These are sections 43A and 72A, which the amendment act inserts into the IT Act. But the data security and confidentiality requirements are severely insufficient. Data theft incidents at BPO have raised concerns over data privacy in recent years and the offshore industry, media, and the legal world question the safety of foreign data which is in the Indian hands. The amendments are therefore, more of a government knee-jerk reaction to recent data breaches and other accidents, India has more to do with cybercrime and e-commerce problems than with data security.
Recent amendments to the IT Act
Section 43A states that if a corporate entity that maintains, distributes or manages any confidential personal data or information in a computer resource that it owns, regulates or operates is deficient in enforcing and maintaining fair security standards and procedures and this causes any individual wrongful loss or unfair benefit, then that corporate entity shall be liable for compensatory damages. The term corporate body is broad enough to include a company, a corporation, a sole proprietorship, or any other group of individuals engaged in professional or business activities. And then on reasonable safety practices and procedures including safety practices and procedures including security practices and procedures desiring to protect information unauthorized damage, use, modification, disclosure or impairment as may be specified either:
(i) in an agreement; or
(ii) in any law in force; and in the absence of an agreement or rule, as the Government of the Union may prescribe.
It implies, in particular, that the contracting parties can specify the level of protection they expect from the disclosing parties in the event of a violation which makes them liable to pay the damages under their contract. The Amendment Act, however, failed to define the definition of the term sensitive personal data or information, and merely stated that the personal data would mean such personal information as recommended by the Union Government in consultation with such professional bodies or associations as may deem necessary.
Section 72 is limited to knowledge obtained by virtue of a power granted under the IT Act. On the other hand, the scope of Section 72A is wider than existing Section 72 and applies to the disclosure of a person’s personal information (without consent) when delivering services under a lawful contract and not merely to the disclosure of information obtained by virtue of the powers conferred under the IT Act. The word intermediate was inserted in Section 72A. This was defined in the amendment as an individual (for any particular electronic record) who receives, stores or transmits any recording or service on behalf of another person and includes telephone service providers, network service providers, Internet service providers, web hosting service providers, search engines, online payment sites, online auction sites.
The proper requirement for Indian law can be analyzed when comparing Indian law with the law of developed countries. U.K. does have its 1998 Data Security Act (DPA). This Act is instituted for the protection and privacy of individuals’ personal data in the UK. Under this Act, the persons and organizations that store personal data must register with the information commissioner, who has been named as the government official to oversee the Act. The law places limits on data collection. Personal data may only be collected for one or more defined and valid purposes and may not be processed further in any way that is inconsistent with the intent or purposes for which they are processed.
Both the U.S. and the European Union are focusing on enhancing the protection of their citizens’ privacy, with the U.S. taking a different approach to privacy than the European Union. The United States has adopted a sectoral approach based on a mix of legislation, regulation, and self-regulation. In the United States, data are grouped into several classes based on their usefulness and significance. Thereafter, the various data groups are granted a different degree of security. Whereas the IT Act’s provisions essentially deal with data extraction, data destruction, etc. Organizations can not achieve full data security through what eventually forced them to sign separate private contracts to keep their data protected. Those arrangements are as enforceable as the general contractor.
In all its member countries the European Union has implemented a detailed Directive on Personal Data Protection. The US has also complied with the EU Directive through the Safe Harbor Agreement to encourage businesses from EU countries. It would also be prudent for India to comply with the EU directive as there is a great deal at stake here. Notwithstanding attempts to provide a law on data security as a separate discipline, our legislature has left some holes in the 2006 bill. The bill was drafted entirely on the structure of the UK Data Protection Act whereas the requirement today is a comprehensive law. So it can be suggested that compiled drafting based on US data protection laws would be more favourable to the requirement of today. Unauthorized use or transmission of this credit data is subject to prohibitive fines. Credit information can only be used to identify a potential customer’s creditworthiness, and can not be used or transferred for any other purpose to unauthorized persons. The IT Act again exclusively protects credit data which is just one aspect of personal data.
Any piecemeal legislation is insufficient; we require a comprehensive data protection legislation to protect data subjects’ rights, which will vehemently prohibit the use of data collected for any purpose other than that for which it was. The Information Technology Act, 2000 is not permanent law on data security or privacy. It does not lay down any specific principles regarding data protection or privacy. The Information Technology Act, 2000 is a general law that articulates on a range of subjects, such as digital signatures, public key infrastructure, e-governance, cyber contraventions, cyber offences, and privacy. It has one Act syndrome. Comparing the Information Technology Act, 2000 provisions with the European Data Protection Directive (EC/95/46), OECD Guidelines on Privacy Protection and Transborder Flows of Personal Data, 1980, and the US Safe Harbor Principles would be erroneous.
India needs a legislative structure to maintain and promote the BPO boom that fulfils both legal and public standards to prevail in the jurisdictions from which data is shipped to India. In practical terms, the greatest hurdle is for India to have its domestic data protection law system formally adjudicated and widely viewed as adequate. About its Data Protection Directive of 1995, the EU officially declares and lists adequate countries. So far, only a handful of countries such as Argentina, Canada, Australia, and Switzerland have made this white list. If India were also to be included in this list by enacting necessary legislation, companies within the EU Member States would then be able to export data to India without having to follow mandatory, complex, and tedious procedures. Instead of becoming a Corporate America and Europe service provider, India sees itself as the location where these companies will develop themselves. Therefore India could expand far beyond being a mere service provider to multinational companies worldwide by having a strong data security law.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: