The European General Data Protection Regulation (GDPR), which came into effect recently, highlights that India needs to be proactive in formulating a robust data protection law.
What is Data Protection?
- Data is information collected for reference or analysis.
- Data protection is the process of safeguarding data from misuse. Such data may relate to an individual, an enterprise or even a government.
Need for a data protection law in India
- Efficient management of data in the age of Big Data
- Big data is a term used for voluminous and diverse data that traditional data-processing software is inadequate to handle.
- One of the major challenges of big data is information privacy, which necessitates a robust data protection law.
- Right to privacy is now a fundamental right. The right to privacy encompasses the right to have data protected.
- Check unauthorised leaks, hacking, cyber crimes and frauds; the economic cost of data loss or theft is high.
Cases of Aadhaar Leaks:
- Three Gujarat-based websites were found disclosing the Aadhaar numbers of beneficiaries.
- Website run by Jharkhand Directorate of Social Security leaked Aadhaar details about 1.6 million people living in Jharkhand due to a technical glitch.
- Improve business process, and secure digital payments
- Restrict use of data by data-colonising companies such as Facebook and WhatsApp
- Data colonisation is basically the concentration of data in the hands of a few companies
Cambridge Analytica Scandal:
It involved the collection of personally identifiable information of up to 87 million Facebook users. The data was allegedly used to attempt to influence voter opinion
Data Protection Regime in India: a timeline of events
- At present India does not have a separate law for data protection.
- IT Act, 2000 (amended in 2008)
- The Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011, issued under Section 43A of the Information Technology Act, 2000, provide a measure of legal protection for personal information.
- Breach of data privacy is punishable under Section 72-A with three years' imprisonment or a maximum fine of Rs 5 lakh.
- Only applicable to corporate entities
- Rules are restricted to sensitive personal data — medical history, biometric information and sexual history, among other things.
- After concerns were raised about the impact on individual privacy of several national programmes such as the Unique Identification number, NATGRID, DNA profiling and Reproductive Rights of Women, the Planning Commission set up the AP Shah Committee to identify privacy issues and prepare a document to facilitate the proposed Privacy Act.
- Justice AP Shah Committee (2012) Recommendations:
- Nine principles based on OECD guidelines, including:
- Choice and Consent
- Collection Limitation
- Purpose Limitation
- Access and Correction
- Disclosure of Information
- Technology-neutral safeguards: data to be protected from unauthorised use regardless of the manner in which it is stored, digital or physical.
- Protect all types of privacy: bodily privacy (e.g. DNA), privacy against surveillance (unauthorised interception, audio and video surveillance), and data protection.
- Safeguards to be applicable to both private sector entities and government
- Appointment of ‘Privacy Commissioner’ at both the central and regional level
- Establishment of self-regulating organisations by industries to develop a framework to protect and ensure the right to privacy of an individual.
- Privacy (Protection) Bill, 2013:
- Focuses on the protection of personal and sensitive personal data of persons
- Provisions of the Bill relate to collection, storage, processing, transfer, security, confidentiality, and disclosure of sensitive personal data
- Draft Data (Privacy and Protection) Bill, 2017:
- It was introduced as a Private Member’s Bill in the Lok Sabha in July 2017. Key features:
- Mandates the consent of an individual for collection and processing of personal data.
- Introduces two categories of data intermediaries: data collector and processor.
- Mandates that data intermediaries shall collect, store or access personal data in a lawful and transparent manner
- In case of a data breach, data intermediaries to inform individuals in a fixed time frame.
- Mandates the creation of a user-facing data protection officer position for grievance redressal.
- Provides for appeal to the Data Privacy and Protection Authority (DPPA).
- Right to Privacy:
- In August 2017, a nine-judge Bench of the Supreme Court, in its verdict in Justice K.S. Puttaswamy (Retd) vs. Union of India, held that the Right to Privacy is a fundamental right under Article 21.
- In the backdrop of Supreme Court hearings on Right to Privacy, the Centre constituted the BN Srikrishna Committee (2017) to identify “key data protection issues” and suggest a draft data protection Bill
- The Committee released a White Paper which included the following recommendations
- Technology-agnostic law: the data protection law must be flexible enough to accommodate changing technologies
- Law to be applicable to both private sector and the government
- Informed and meaningful consent
- Minimal and necessary data processing
- Data controller must be accountable for any processing
- Establishing a high-powered statutory authority for enforcement, supported by a decentralised enforcement mechanism
- Penalties for wrongful data processing
- The white paper had considered global best practices on data protection from the European Union, United Kingdom, Canada and the United States.
- Virtual ID by the Unique Identification Authority of India (UIDAI):
- It seeks to ensure Aadhaar privacy by eliminating the need to share and store Aadhaar numbers.
- An Aadhaar holder can use Virtual ID in place of his/her Aadhaar number at the time of authentication
- Draft Digital Information Security in Healthcare Act (DISHA), 2018:
- It seeks to ensure protection of data related to physical, physiological and mental health condition, sexual orientation, medical records and history and biometric information
- In the US, there is no single, comprehensive federal (national) law regulating the collection and use of personal data; instead there is a system of federal and state laws and regulations which at times overlap.
- Governmental agencies and industry groups have self-regulatory guidelines and frameworks that are considered "best practices".
- US legislation has been criticised largely for lacking a comprehensive data protection law. Recent events such as the Cambridge Analytica case and electronic surveillance cases have shown a poor picture of data protection.
- Protection of people’s data has been included as one of the fundamental rights of the European Union under Article 8 of the Charter of the Fundamental Rights of the European Union.
- European General Data Protection Regulation (GDPR):
- It applies to all 28 European Union member states.
- Stronger proof of consent
- Portability: right to data portability allows individuals to obtain and reuse their personal data across different services.
- Right to erasure- individuals can now request that their personal data is erased or not used in specific circumstances.
- Mandatory breach notification
- International implications: the processing location of EU citizens' data is not relevant. GDPR applies if any organisation targets EU citizens or monitors their behaviour online.
- Data collectors can be held responsible for violations by third-party users.
Concerns associated with GDPR:
- Increase in compliance cost
- Huge risks of penalty on account of failure to comply
- The right to erasure poses a significant risk of misuse.
- It is important to strike the right balance between the digital economy and privacy protection.
- Robust data privacy laws are needed to allow citizens to enjoy the right to privacy. The law should encompass all aspects: data collection, processing and sharing practices.
- Privacy should not be used to undermine government transparency. Data protection law should be framed such that it does not make government opaque and unaccountable
- To formulate a robust data protection law, the best ideas and practices from both USA and EU’s GDPR should be adapted.