This article on data privacy laws in India is written by Debapriya Majumder, pursuing M.A. in business law from NUJS, Kolkata.
We are living in a time when we are no longer required to stand in long queues in front of banks for banking services and can avail any product at our doorstep after placing an online order. This is the boon of information technology. In the last decade, Information Technology has grown by leaps and bounds. It has created a positive impact on the employment sector, education sector, banking sector, economy as well our day to day activities. With the evolution of the internet and its expansion in accessibility, we see a new world where there is better communication, accessibility, knowledge sharing and transparency. But as it is said, every good will have some disadvantage. Similarly, our increasing dependency on internet has increased illegal activities like cyber-crime, data piracy etc.
Data privacy refers to the authority or determination of the information holder as to what extent the data or information shall be made accessible to the third party. The majority of information is sensitive in nature. They include data of various nature, like economical, defense, medical, financial, educational etc. Information holders, who are generally organizations, have the major responsibility of protecting the data as there are chances that if it falls into wrong hands, they might be misused and cause harm to the owner of the information. The harm caused to the owner of the information may extend from the leakage of the bank details of an individual to causing threat to the security of a nation. This explains the importance of ensuring the privacy of sensitive data or information.
In this era of globalization, data privacy is a concern for various jurisdictions around the world. The United States have drafted their legislation on data privacy sectoral wise or based on the different sections of the population. The legislations majorly drafted are:
- The Children’s Online Privacy Protection Act, 1998 (COPPA) – This law protects the interest and misuse of information provided by children under 13 years of age on various websites while availing certain digital service.
- Health Insurance Portability and Accountability Act – This law protects the security health-care related data of any patient which includes health insurance details.
- Electronic Communications Privacy Act – Wiretapping or telephone tapping is accessing the data being transmitted between two persons without their permission. This Act was enacted to check on this offence and provide security on telephonic conversations.
- Video Privacy Protection Act – This law was enacted to ensure the privacy of the rental, purchase, or delivery of video tapes or similar audio visual materials.
- Gramm-Leach-Bliley Act – This is also known as the Financial Modernization Act of 1999. It regulated the security that the financial institutions need to maintain regarding the financial information they are holding. They are also required to provide a written declaration to their customer ensuring that their data is secure in their hands.
In the year 1995, European Union adopted the Directive 95/46/EC, for regulating the security of private data. Directives of EU are like guidelines which paves a way or shows the direction to the member countries in order to frame their own law on any particular subject. In an electronic transaction, one provides sensitive details like bank account number, name, address etc. to a 3rd party. Personal data security ensures that they are being gathered under absolute security and with legitimate reasons. When there are variety of legislative laws on the same subject followed by different countries it becomes difficult for the businesses to comply with them and run business. Hence, EU has published directives, so that there is a standardized format of the data privacy laws followed by the member states.
Though proposed in January 2012, the first regulation and directive got published by the EU in the year 2016. The regulation is supposed to be effective from the year 2018. Comparing the data privacy law of US and EU, it can be concluded that in US the laws are framed keeping in mind the requirements of different sectors of the society. While in EU, there has been more emphasis on securing the personal data scattered over the electronic source. This is an aftermath effect of the second world war.
In India, data privacy is regulated by various legislations like Constitution of India, Contracts Act etc.
Under Constitution of India, data privacy is considered under the right to privacy. There has been several judgements given by the honorable courts, considering the data privacy under this fundamental right.
Under Contracts Act, the data security is included under the clause of the contract. When there is a transaction agreement between two or more parties, they include the clause of data privacy where it is mentioned how the person shall be compensated if there is any kind of leakage of the data. In addition to the compensation, it is also mentioned who is responsible to what extent in order to secure the data, what shall be the enforcement mechanism and what shall be the redressal mechanism.
In the year 2011, the Ministry of Communication and Information Technology has published the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which is currently the guiding law of data privacy in India. Few important points from the Rules are as follows (the below content is as mentioned in the legislation):
- Sensitive personal data or information includes –
- Financial information such as Bank account or credit card or debit card or other payment instrument details
- Physical, physiological and mental health condition
- Sexual orientation
- Medical records and history
- Biometric information
- Any detail relating to the above clauses as provided to body corporate for providing service
- Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise
- Body corporate or any person on its behalf shall obtain consent in writing through letter or fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.
- Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.
- Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation.
- A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.
Further, there are rules like “Information Technology (Intermediaries guidelines) Rules, 2011” which also guide in securing the data privacy in our country.
Cases on Data Privacy in India –
- In R. Rajagopal v. State of T.N.15, the Supreme Court held that the petitioners have a right to publish what they got as information regarding the concerned person, from the public records or public domain. This may be without his consent or authorisation. But if they go beyond that and publish his life story, they may be invading his right to privacy.
- In Sharda v. Dharmpal, the Supreme Court upheld that the right to personal liberty under Article 21.
Concluding, the assurance of data security is a concern for all jurisdiction around the world. Along with other benefits, strengthening the law in this sector shall help in the growth of domestic as well as international business