data protection

This article has been written by Prasenjeet Sudhakar Kirtikar, pursuing a Diploma in Corporate Litigation, and edited by Shashwat Kaushik. This article will provide a glimpse of a few significant enactments in the world and compare those with the Digital Personal Data Protection Act 2023 of India.

This article has been published by Sneha Mahawar.

Introduction

The revolution in information and technology has given rise to concerns about the protection of personal data among people around the world. Personal data entered online for purposes like online shopping, business, travel, government schemes and programmes can be accessed for other purposes against the wishes of the person. This ultimately causes a breach of privacy for that individual. The protection of the personal information of individuals must be guaranteed by the implementation of statutes in every country. Accordingly, most countries have enacted laws to support data privacy policies and made provisions for stringent punishments for any breach.


United Nations Conference on Trade and Development (UNCTAD)

As per the report of the United Nations Conference on Trade and Development (UNCTAD), 137 out of 194 countries (71%) have enacted legislation providing security to their citizens from any breach of personal data. In the European region, 44 out of 45 countries; in the Asia Pacific region, 34 out of 60 countries; in Africa, 33 out of 54 countries; and in the American region, 26 out of 35 countries have enacted laws to protect the data privacy of their citizens.

European Union (EU)

The General Data Protection Regulation (GDPR) was adopted on April 14, 2016 by the European Parliament and became effective on May 25, 2018. It is directly binding and applicable to the European Union (EU) and the European Economic Area (EEA), and it also governs the transfer of personal data outside the EU and EEA.

Salient features of GDPR:

  1. The regulation has proved to be a remarkable guide for the entire world to draft and implement data protection policies. The regulation became a model for many other laws around the world, including in Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina, Kenya, etc., as it addressed the need for privacy protection in the digital world.
  2. The regulation applies if the data controller (whether in the EU or not), processor (an organisation that processes data on behalf of a data controller like cloud service providers), or data subject (person) is based in the EU and also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. 
  3. The regulation does not apply to the data shared by a person for a personal purpose or to the data used for national security or law enforcement. The personal data disclosed voluntarily is the responsibility of the person who discloses it and does not fall under the purview of this regulation. Also, the use of personal data for national security and integrity purposes is legitimate.
  4. For the first time, it defines terms such as “personal data”, “processing”, “data subject”, “controller”, and “processor” from a data protection perspective. Before the enactment of this regulation, no terms were officially in place to address the stakeholders in digital affairs, and defining certain roles in this area has generated a greater sense of responsibility among the players.
  5. Every member state is to establish an independent supervisory authority (SA) for investigations and sanctions pertaining to data breaches, and the European Data Protection Board (EDPB) coordinates all SAs. Such a unique organisational structure binds all of Europe together for more cooperation and coordination among countries to safeguard online businesses and punish wrongdoers.
  6. The consent of the individual has been marked as the most significant factor for lawful data disclosure. As a part of the fundamental rights of human beings, every person must be asked for his consent for every action affecting his life in any possible way. Women and children, being vulnerable groups of society, will be protected by such vital provisions of the regulation. 
  7. Various rights are provided to the individual whose personal data is at stake, such as the right to access his personal data, the right to know the purpose of data processing, with whom it is shared, how it was acquired, the right to erasure of his personal data, etc. 
  8. The GDPR recognises and implements the concepts of pseudonymization and anonymization of the personal data of individuals. 

“Pseudonymization” is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers. This keeps the identifying values out of the working data set. “Anonymization” is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

  9. Minors under the age of 16 need parental consent. Smartphone features and web content are highly attractive to children. The natural mentality of a curious child to explore things can neither be ignored nor prohibited. Thus, just as with other hazardous things, children must be supervised and protected by their guardians/parents while dealing with the internet and its demand for personal information. The regulation even allows its member states to lower this age limit as per their social and cultural needs.
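As an added illustration of the two procedures defined above (example code written for this article, not taken from the text or from any statute), the following Python applies keyed pseudonymization and then anonymization to a constructed customer record; the record, the field names and the key are all assumed and made up.

```python
"""Added example: pseudonymization vs anonymization of one constructed record."""
import hashlib
import hmac

# Constructed sample record; every value below is made up for the example.
RECORD = {
    "name": "Asha Verma",
    "email": "asha.verma@example.com",
    "city": "Pune",
    "birth_year": 1991,
    "order_total": 2499,
}
PII_FIELDS = ("name", "email")          # direct identifiers to replace or drop
PSEUDO_KEY = b"demo-key-not-for-production"  # hypothetical secret, held apart from the data


def pseudonymise(record, key=PSEUDO_KEY):
    """Replace each PII field with an artificial identifier (keyed HMAC, truncated).

    Returns (pseudonymised_record, lookup_table). Anyone holding the key or the
    table can map the identifiers back, so the output is still personal data.
    """
    out = dict(record)
    table = {}
    for field in PII_FIELDS:
        token = hmac.new(key, record[field].encode(), hashlib.sha256).hexdigest()[:16]
        out[field] = token
        table[token] = record[field]
    return out, table


def reidentify(pseudo_record, table):
    """Undo pseudonymisation with the separately held lookup table."""
    out = dict(pseudo_record)
    for field in PII_FIELDS:
        out[field] = table[out[field]]
    return out


def anonymise(record):
    """Remove direct identifiers and coarsen quasi-identifiers; no table is kept,
    so there is nothing to map back with."""
    out = {k: v for k, v in record.items() if k not in PII_FIELDS}
    out["birth_year"] = (record["birth_year"] // 10) * 10  # 1991 -> 1990 (decade only)
    out.pop("city")  # city plus birth decade could still single a person out
    return out
```

The same input always yields the same pseudonym, so pseudonymised records from different sources can still be linked; that linkability is exactly what anonymisation gives up.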

United Kingdom (UK)

The Data Protection Act 2018 (DPA) was enacted by the United Kingdom by closely following the GDPR. Below are some of the salient features of the act.

  1. The EU’s GDPR and the UK’s DPA are primarily based on similar principles of data protection and privacy management. The DPA recognises the right to privacy and the right to know for what purpose the information is used as fundamental rights. It classifies and explains personal data and sensitive personal data in detail. Similar to the GDPR, the DPA has also included the right to erasure (‘right to be forgotten’) as a statutory right of the person. The minimum age of consent for processing a person’s data is 13 years old in the UK under the DPA and 16 years old under the GDPR. 
  2. The Information Commissioner’s Office (ICO) regulates all data protection in the UK and also cooperates with data protection authorities in other countries, including the European Data Protection Board. The role of supervisory authority under the GDPR is allotted to the ICO in the United Kingdom, which undertakes the responsibility of coordination with EU member countries as well as dealing with data breaches within the UK.
  3. It is the right of every sovereign country to have complete control over its security by whatever means it pleases. Thus, the DPA exempts application of the GDPR in some cases to safeguard national security or for defence purposes.

United States of America (US)

The California Consumer Privacy Act 2018 (CCPA) and its amendment by the California Privacy Rights Act 2020 (CPRA) set the standard in the U.S. for consumer privacy and data security regulations.

Salient features:

  1. It secures the privacy rights of citizens, such as the right to know about the purpose and mode of processing their information, the right to opt out of the sale of their personal information, etc. The right to notice obliges business entities to inform citizens of any collection and/or use of personal information prior to such collection and/or use.
  2. Business entities are under obligation to respond to the inquiry regarding personal data and must furnish information as per the provisions of the act. A service provider is an entity that processes personal information for business purposes as per a written contract, and a “contractor” is a person to whom a service provider provides a consumer’s personal information for business purposes as per a written contract. These terms are different from the concepts of “controller” and “processor” mentioned in the GDPR.
  3. As compared to the GDPR, the CCPA defines “sensitive personal data” broadly as personal information that reveals a social security, driver’s licence, state identification card or passport number; an account log-in, financial account, debit card or credit card number in combination with any required security or access code or password; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; the contents of mail, email and text messages; genetic data, etc.
  4. Business entities cannot share the personal information of a consumer who is under 16 and require consent from the guardian of a consumer under 13. Here again, the children are well protected for their privacy, and businesses must seek their parents/guardians’ permission well before using their personal data. They are also under obligation to inform their parents/guardians of the purpose, extent, and duration of such use.

Singapore

The Personal Data Protection Act 2012 (PDPA) came into effect in July 2014, and its main purpose is to protect the privacy rights of citizens of Singapore and regulate how personal data can be collected and used by private sector organisations.

Salient features:

  1. Similar to the GDPR, the PDPA only protects the privacy of living individuals. The PDPA grants individuals several rights over their personal data, including the right to access, correct and delete data, etc. However, the right to consent is more flexible in the PDPA, as implied consent suffices as the requisite for data processing in some cases.
  2. Unlike GDPR, the PDPA uses the term “data users” to refer to business entities that are accessing the personal data of others. The business entities are under obligation to report data breaches to concerned authorities, and non-compliance with the guidelines provided in the act results in heavy penalties. 
  3. Do-Not-Call (DNC) Registry: It has proven to be a unique feature of the PDPA, as it gives citizens the facility to add their names and contact numbers to the DNC registry if they don’t wish to be called by telemarketers. Registration with the Do Not Call (DNC) Registry is free and simple. A citizen should expect to stop receiving unsolicited telemarketing messages on telephone numbers within 21 calendar days of being registered with the DNC.

China

Like most of the statutes on data privacy, China’s Personal Information Protection Law (PIPL) also shares similarities with the GDPR, which has proven to be a universal guideline for countries enacting data privacy laws. However, PIPL is not just a copy-paste of GDPR and certainly has some modifications supporting Chinese cultural and administrative needs. 

Let us understand the salient features of PIPL:

  1. PIPL talks about “sensitive information” and excludes anonymized personal information, whereas GDPR explains a “special category” of information. The role of business entities is defined as data controller in GDPR, but in PIPL it is defined under the term “Personal Information Handler,” and the term data processor is not defined clearly. 
  2. The PIPL stipulates more requirements for consent based on the sensitivity of the personal information and the scenario in which the processing is conducted; however, it allows the processing of personal information for news reporting. Both the GDPR and the PIPL require companies to assess the potential risks to individuals before they can process their personal information in certain cases. 
  3. Punishments for violations of provisions of the PIPL include not only penalties but also other consequences such as suspending a licence, denying access to any specific data system, and barring particular business activities. 

Now, after reviewing the features of major international acts for privacy protection, let us analyse the extent to which the Digital Personal Data Protection Act 2023 (DPDP Act) of India is in line with these acts and how far it’s following the guidelines practised around the globe.

India

In an era dominated by digitisation and interconnectedness, the need for robust legislation to safeguard personal data has never been more pressing. So, to battle these modern-day threats, the Digital Personal Data Protection Act, 2023, a landmark piece of legislation designed to redefine and fortify the protection of our digital identities, has been introduced by the government.

Features of the Digital Personal Data Protection Act, 2023:

  1. Similar to the GDPR and the statutes of other countries, the DPDP Act also defines basic concepts to identify the owner of digital data, the business entity, and the agent as data principal, data fiduciary, and data processor, respectively. The Act applies to personal data only if it is in digital form, or in non-digital form if digitised later, whether processed within India or outside India in respect of a person living in India.
  2. A notice must be served on the data principal to inform him of the manner and purpose for which his digital personal data is going to be used. This right is part of almost every statute enacted for data privacy across the world. Also, the consent provided by the data principal must be free, unconditional, and clear in order to agree to the use of his personal data for any specific purpose. The DPDP Act also provides the right to nominate a person, in case of death or medical incapacity, to take care of the data principal’s data privacy.
  3. The Central Government has been given tremendous powers related to the implementation of the provisions of this act, the appointment of members of the Data Protection Board, and giving exemptions to “significant data fiduciaries” with regard to any provision of the act. There are provisions for stringent punishments for infringement of the right to privacy up to Rs. 250 crore. 
  4. Unlike the GDPR, CCPA, PIPL, and other acts, the DPDP Act defines a person below the age of 18 as a child and vests the powers of data protection with their guardians. It also provides for the appointment of a guardian in the case of a person with a disability, which is missing from other countries’ statutes.
  5. The concepts of “pseudonymization” and “anonymization” of personal data, which find a significant place in GDPR, are missing from the DPDP Act. Also, the act has failed to distinguish sensitive data from ordinary personal data. Since these concepts are not included in the act, it has a limited scope in order to mitigate the risk of data breach.

Conclusion

The lawmakers in India have analysed the international scenario before providing a digital personal data protection mechanism for the masses. The rights of citizens, obligations of business entities, the duty of the state for efficient monitoring, and punishment for breach of data privacy are a few of the most significant features drafted in accordance with international regulations such as GDPR, DPA, CPRA, etc. 

However, the DPDP Act failed to define a few concepts such as “sensitive data”, “pseudonymization” and “anonymization”. A person below the age of 18 is considered a child and needs a guardian for the protection of his privacy, which is a bit irrelevant. Also, the Central Government has been given too much power as per the act, which might make the act ineffective to some extent.

Though the Act has some lacunae, it surely is an endeavour to make our country a safer place for the protection of individual privacy while becoming a global digital economy.
