There isn’t a single facet of life that the pandemic hasn’t impacted, be it healthcare, education, food, research and development, art, societal standards, or other fields. Data regulation is one of them. With everyone at home, digitalization spread like wildfire all over the world, especially in India. From youngsters to elderly citizens, the consumption of social media platforms swelled for entertainment, education, business, e-commerce, information, etc., and with it came a ready exposure of users and their personal data to various governments (not just the Indian one) and to various institutions and organizations (also not just Indian). Ever wondered how a Google search, or the speech recognition access granted to various applications, results in similar adverts appearing on numerous other platforms, applications and websites? Ever wondered why most social media platforms are free? Conceivably, they aren’t: the users and their data are the products. Hence the question: how crucial is data protection? The amendments made to the IT Act in 2008 were not sufficient to answer it. India needs a more classified, integrated and thorough regulation to protect and regulate data, and hence the birth of the Personal Data Protection Bill (PDP), 2019.
DEFINITIONS AND MEANING:
What is data?
A compilation of facts and statistics used either for reference or analysis. Data can be classified into various kinds. For the purpose of our topic, the area of concern is personal data, Sensitive Personal Data or Information (SPDI), anonymity and pseudonymity. Personal data is data that, directly or indirectly, or in combination with other ordinary data, shows a connection to a natural person. SPDI is a person’s personal information relating to passwords, biometric information, financial information like bank accounts, credit cards, debit cards and other payment instrument details, physical, physiological and mental health conditions, sexual orientation, and medical information. Information readily accessible through the Right to Information Act, 2005 does not fall under the SPDI ambit.
What is data protection?
Any law, set of laws, statute, rule or code of practice that legalizes control over personal data, SPDI and any data relating to a person, thus ensuring the privacy of personal data. The General Data Protection Regulation (GDPR) in its recitals mentions the applicability of such protection only to natural persons; it does not include legal persons like organizations, companies, undertakings, etc.
Data protection is often conflated with data security, information security and cyber security. Data security is the process through which theft, unauthorized access, leakage or corruption of data is prevented. With information security, there are two basic points of difference: data protection has a narrower approach and includes only personal data and SPDI, whereas information security protects all kinds of data, whether physical or digital, and its rules are stringent because the threat has significant gravity. Cyber security protects only digital data. Section 403, Indian Penal Code treats cybercrime as theft. Surprisingly, cyber-attacks are also countered through “ethical hacking” (white-hat hacking), which identifies the systemic flaws that unethical hackers (black-hat hackers) may exploit.
What is data privacy?
The ability to determine when and how an individual’s personal data is to be collected, processed and shared is called data privacy. Consent is the determining factor of data privacy, and consent for such activities must be given expressly (Rules 5(1) and 6(1), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules)). In India, provision for such consent of minors is absent.
What is a data breach? Who can do it?
The release of personal or confidential data into an unsecured environment without permission, whether accidentally or deliberately, is a data breach. Accidental breaches may attract lesser punishments; a deliberate data breach (cyber-attack) is a high-grade crime. When platforms seek consent to collect, process and share your personal information but fail to provide adequate safeguards to protect it, the probability of a data breach increases.
Data Minimization, Data Redundancy, Data Storage and Data Retention.
To ensure data security, personal data is accessed and processed only for as long as it is required for the scope and purpose; this is called data minimization. This usually helps to keep a track record of the employees of a company or the students of a university. When such data is retained while abiding by the law of practice, it is called data retention. The software or hardware used to store data is called data storage. Repetitive storage of data that occupies unnecessary space is called data redundancy. Data redundancy poses a threat to data security, as unprotected data storage can be easily attacked.
Data Outsourcing and Data Sharing.
Data can be outsourced and shared. In sharing data, all the parties are personal information controllers, whereas in outsourcing data, one party is a controller and the other is a processor. This is often done to save financial costs. To combat the threat of data breach in outsourcing, data localization is encouraged, where data is stored within the geographical boundaries of that country. Information giants and social media platforms such as Facebook, Google and Microsoft have data storage facilities all over the world that provide storage at cheap cost with maximum analytical and processing power. Data-driven companies like Uber, Alibaba and Airbnb possess no real property; all their business is run by analyzing customer patterns and interests. These companies are seen as having double standards, as they regulate information only in certain countries.
- The European Union:
The GDPR has its roots in Article 8(1) of the EU Charter of Fundamental Rights. The law aims to simplify international business in the EU while enhancing individuals’ right to control their personal data. It provides room for flexibility to the member states despite its binding nature, and sets a benchmark of principles for other nations. Being the most comprehensive set of data regulation provisions, it is mostly subject-centric, with the rights of data subjects enumerated under Chapter 3. The principles of lawful processing as authorized by data fiduciaries only through express consent (including that of minors), the categorization of personal data, and identification privacy are covered in Chapter 2, data transfer to third countries in Chapter 5, and independent supervisory authorities to protect an individual’s rights in Chapter 6.
- The USA:
There is no one, comprehensive federal legislation governing the acquisition and use of personal data in the United States. It is governed by a system of federal and state laws and regulations that occasionally overlap.
Self-regulatory rules and frameworks are regarded as “best practices” by government agencies and industry associations.
- The UK:
The already existing Data Protection Act (DPA), 1998 was updated to comply with the GDPR principles and renamed the DPA, 2018, after Brexit, to facilitate the free flow of business and information in Europe. Its provisions too are subject-centric; it imposes restrictions and penalties for infringing subjects’ rights, mandates registration with the Information Commissioner, and emphasizes accountability. The significant differences between the DPA, 2018 and the DPA, 1998 are:
- Recognition of the right to erasure arising from an individual’s right to privacy, and increased exemptions.
- Implementation of and adherence to GDPR audit principles.
- Russia:
Provisions similar to those in the GDPR and the Data Protection Directive can be found in the Russian Federal Law “On Personal Data” (OPD).
The OPD Law was amended in July 2014 by the Russian Federal Law “On revisions to relevant legislative acts of the Russian Federation for clarification of personal data processing in information and telecommunication networks” (the “Data Localization Law”), and by a further law approved in 2015 that gave people the right to be delisted from search engines (the “Delisting Law”).
- China:
There is no single comprehensive data protection law. Personal information protection and data security requirements are instead part of a complex framework found in various laws and regulations. The Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL) and the Data Security Law (DSL) are the three primary pillars of the PRC’s personal data protection framework.
The PIPL covers the public and private sectors and has extraterritorial application, covering:
- processing of PRC residents’ data within the PRC; and
- processing of PRC residents’ data outside the PRC for the following reasons: delivering products or services to PRC residents, analytics or evaluation of PRC residents’ behavior, or any other reason as required by law or regulation.
CONSTITUTIONAL PROVISIONS IN INDIA:
- The Information Technology Act, 2000:
The original IT Act did not have provisions relating to data regulation. As amended by the Information Technology (Amendment) Act, 2008, it applies to companies in and outside India that process personal data in India or on a computer, computer system or computer network based in India. If the computer, computer system or computer network implicated in the offence or contravention is located in India, the IT Act applies to offences or contraventions committed outside India, as stated under Section 1(2) and Section 75 of the said Act. Section 72A provides punishments for data breach applicable to a body corporate.
- Article 21, Constitution of India:
Article 21 of the Indian Constitution recognizes the “Right to Privacy” as a fundamental right. In the historic case of Justice K.S. Puttaswamy(Retd) vs. Union of India, 2017, a constitutional bench of the Supreme Court declared “privacy” to be a basic right. The establishment of the PDP Bill and the upholding of the Basic National Regime were inspired by the necessity to preserve Indians’ privacy.
- Justice B.N. Srikrishna Committee 2017:
As a result of the Committee’s report, the PDP Bill, 2018 was proposed. In 2019, Parliament significantly updated the Bill, which came to be called the PDP Bill, 2019. The Committee’s suggestions were:
- Technology agnosticism – Must be adaptable in order to keep up with evolving technology and compliance standards.
- Holistic application – Must apply to both commercial and public sector companies, with differentiated requirements carved out for governmental aspirations.
- Informed consent – To be real, such expression of consent must be well-informed and meaningful.
- Data minimization – Processed data should be the minimum essential for the purposes for which it is sought, as well as for additional complementary objectives.
- Controller accountability – The data controller is responsible for any data processing, whether carried out by itself or by third parties.
- Structured enforcement – Enforcement by a high-powered statutory authority with acceptable decentralized enforcement measures.
- Deterrent penalties – Penalties for unlawful processing must be sufficiently severe.
- Personal Data Protection Bill, 2019:
The objective of this Bill is to protect individuals’ privacy in their personal data and to establish a National Data Protection Authority of India for the said purposes. Prior to it, the Draft Data Bill, 2017 concentrated on consent, two separate categories of data intermediaries (data controller and data processor), and the appeal for a Data Privacy and Protection Authority. In 2013, the Privacy (Protection) Bill, 2013 was proposed, based on the recommendations of the A. P. Shah Committee, which highlighted the difference between personal data and SPDI, a Privacy Commissioner, the establishment of self-regulating authorities by industries, and the protection of all types of data including bodily information and surveillance.
- IT Rules 2021:
Issued under Section 43A of the IT Amendment Act, 2008, these rules regulate:
- Collecting, receiving, possessing, storing, dealing, retaining, using, transferring, and disclosing SPDI.
- SPDI handling security practices and procedures (Section 8, Privacy Rules).
- Data subjects’ rights of evaluation and updating SPDI and withdrawal of consent for SPDI processing (Privacy Rules, Sections 5(6) and 5(7)).
The Computer Emergency Response Team is the national nodal agency designated by the IT Amendment Act, 2008 that responds to and records cyber security incidents, forecasts and issues alerts and warnings, issues guidelines relating to information security practices, etc.
- Digital India Initiative:
A Government of India initiative to make government services available to residents electronically by improving online infrastructure and increasing internet connectivity, and to empower the country digitally in the field of technology. The Digital India Mission is primarily concerned with three issues: providing digital infrastructure as a useful resource for all citizens, on-demand governance and services, and ensuring that every citizen has access to the internet.
CRITICAL ANALYSIS: PERSONAL DATA PROTECTION BILL, 2019
- Principles: Follows the recommendations of the Justice B.N. Srikrishna Committee, 2017.
- Promote consent framework, purpose limitation, storage limitation, and data minimization.
- Impose obligations on data fiduciaries to collect only that data that is required for a specific purpose and with the express consent of the data principal.
- Grant individuals rights to obtain personal data, correct inaccurate data, erase data, update data, and port data to other fiduciaries.
- Specify a provision relating to “social media intermediary” whose actions have a significant impact on electoral democracy, state security, public order, or India’s sovereignty and integrity, and empower the Central Government to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the proposed legislation, and promote awareness about data protection;
- Empower the Authority to specify the “code of practice” to promote good data protection practices and facilitate compliance with the obligations under this legislation.
- Empower the Central Government to exempt any government agency from the proposed legislation’s application.
- Designate an “Adjudicating Officer” to decide on the penalties and the compensation under its provisions;
- Create an “Appellate Tribunal” to hear and decide any appeals from the Authority’s and Adjudicating Officer’s orders under paragraphs 54, 63 and 64.
- Levy “fines and punishments” for violations of its clauses.
- Application of its provisions:
- Body corporate- A body corporate is defined under Section 43A of the Act as a company, partnership firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.
- Government – The government and its institutions, though regulated, have certain exemptions.
- Aadhaar Card – The Unique Identification Authority of India (UIDAI) has launched Virtual ID, which intends to protect Aadhaar privacy by removing the need to share and maintain Aadhaar numbers. At the time of authentication, an Aadhaar holder may use the Virtual ID instead of his or her Aadhaar number.
The UIDAI has asked for a blanket exemption under the PDP Bill, citing its functions under the Aadhaar Act and duplication of law. It was Aadhaar that first stimulated the debate on data protection, as it is mandated in various key services. Following a similar path, many other authorities may seek such exemptions.
Aadhaar Data Breach Cases:
- Three Gujarat-based websites were discovered to be exposing beneficiaries’ Aadhaar numbers.
- Due to a technical malfunction, the Jharkhand Directorate of Social Security’s website released Aadhaar information for 1.6 million people in the state.
- Pegasus: The Pegasus spyware is thought to have affected people from approximately 45 countries, including Indian officials, journalists and activists. It can access all of a user’s saved data, and once Pegasus has infiltrated a user’s mobile device or personal data server, it has complete control over the device’s functionality and can remotely control the user’s whole system. The Union government declined to provide the information sought by the Supreme Court, citing “national security” as the cause; the SC rejected this and stated that “The state cannot withhold a secret from the court merely on the basis of ‘national security,’ and expect the judiciary to remain a ‘silent spectator’.” The Supreme Court agreed to appoint an impartial investigation team to look into the allegations.
- Exemption to Privacy:
Clause 35 of the Bill makes it easier for the government to employ surveillance authorities. The criteria indicated in the clause, such as “public order” and “state security”, are ambiguous in their ramifications. The country’s national security jurisprudence has yet to evolve, and the phrase “public order” has such a broad meaning that it might be applied to any purpose the government sees fit. This section also allows for widespread surveillance of persons in order to “prevent any cognizable offence.”
Furthermore, unlike Section 42 of the 2018 Bill, the new law does not include any conditions of necessity or proportionality in terms of government access to data, effectively circumventing the Supreme Court order.
The Pegasus spyware has prompted concerns about the Indian government’s ability to withhold material in the interest of national security. As a result, the Pegasus violations are an example of illegal and unconstitutional spying.
- Sectoral application:
Data regulation and protection finds traces in many other central enactments. Such sectoral division in the proposed Bill will help reduce repugnancy and make the functioning of authorities efficient. Some are:
- BANKING – In October 2018, the Reserve Bank issued a set of basic cyber security rules for primary (urban) cooperative banks (UCBs), including the establishment of a Security Operations Centre (SOC). It has also laid down rules for online transaction applications and set guidelines for the protection of both personal and sensitive personal data.
- INSURANCE – In addition to the general framework under the IT Act, the Insurance Regulatory and Development Authority of India (IRDAI) has prescribed an additional framework for the protection of policyholder information and data. Inter alia, insurance intermediaries such as brokers, individual agents, corporate agents, third party administrators (TPAs), surveyors, loss assessors and web aggregators are required to (i) treat all information provided by clients as absolutely confidential to themselves and the insurer(s) to whom the business is being offered; and (ii) take appropriate steps to maintain the security of confidential documents in their possession, such as limiting access to such information, executing confidentiality undertakings, and so on.
- HEALTH- The 2018 draft of the Digital Information Security in Healthcare Act(DISHA) aims to protect information about a person’s physical, physiological, and mental health, sexual orientation, medical records and history, and biometric data. The Central Government announced the National Digital Health Mission(“NDHM”), and the Ministry of Health and Family Welfare(“MOHFW”) published a blueprint in late 2019 recommending the creation of a National Digital Health Ecosystem(“Ecosystem”) that allows for digital health system interoperability at the patient, hospital, and ancillary healthcare provider level.
- ELECTIONS – With the rise of social media, the Umesh Sinha Committee proposed revising Section 126, Representation of the People Act (RPA), 1951 to: impose a ‘campaign silence period’ on all media; urge star campaigners to refrain from addressing press conferences or giving interviews on election issues during this time; ban the display of any election matter on television or similar means in the 48 hours preceding the conclusion of the ballot; require intermediaries such as social media corporations to commit to processes ensuring that their platforms are not used to sabotage free and fair polls; and establish a communication system through which the EC could alert platforms to potential infractions, with platforms reporting to the Commission on the steps taken to avoid misuse of their platforms, including producing publicly accessible action-taken reports.
- E-COMMERCE AND MARKETING – A comprehensive examination of the two recently adopted laws, the Consumer Protection Act, 2019 and the Consumer Protection (E-commerce) Rules, 2020, together with a literature review, supports the analysis of 290 online customers who answered the research questions and met the research goals. The new rules are ostensibly strong enough to defend and safeguard online customers’ rights while also boosting India’s e-commerce development. Customers’ trust is influenced by laws governing consumer rights protection in e-commerce, in addition to elements such as security, privacy, warranty, customer service and website information. With a strong legal framework and consumer protection measures in place, the future of e-commerce is bright. The established Email Marketing Compliance guidelines prohibit the sharing of user information (SPDI) with other businesses without the explicit consent of the user.
- TELECOMMUNICATION – The Telegraph Act and Rules contain measures prohibiting and punishing illegal interception of communications. Furthermore, licences issued under this Act oblige telecom service providers (TSPs) to take steps to protect their customers’ privacy and the confidentiality of their communications.
The Telecom Regulatory Authority of India(TRAI) has issued a number of privacy-related directives to TSPs. Customers have a right to redress under the Consumer Protection Act if their privacy is violated.
- AUTOMOBILE – Navigation and speech recognition capabilities are now available in automobiles thanks to technological advancements. The data is stored by the vehicle businesses, which allows them to analyse consumer demand based on behavioural patterns. Though no such specific mention is made in any statutes, given the dynamic and ever-growing breadth of data dependency of data-driven businesses, it would be prudent to include automobile industry in the ambit of the proposed bill.
- ARTIFICIAL INTELLIGENCE- The use of artificial intelligence has improved the accuracy of consumer focus. While industry has become more intrusive, governments have begun to provision rules that set some boundaries. The electorate cares about privacy, therefore many industries consider how to use data to obtain information while staying inside regulatory guidelines. In AI, the medical industry is the most vulnerable to data breaches.
- DIGITALISATION OF CENSUS – Digitalisation of the census is now inevitable. However, adequate safeguards need to be taken in order to protect personal data. Exposure of one’s financial data and health records is an infringement of the basic fundamental right to life. Formation of a data regulator for census and data processing will not only benefit the public at large but also help the government to study demography and formulate policies while securing personal data.
- Criticism and shortcomings:
“35. Where the Central Government is satisfied that it is necessary or expedient,— (i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or (ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed. Explanation.—For the purposes of this section,— (i) the term “cognizable offence” means the offence as defined in clause (c) of section 2 of the Code of Criminal Procedure, 1973; (ii) the expression “processing of such personal data” includes sharing by or sharing with such agency of the Government by any data fiduciary, data processor or data principal.”
Section 35 of the PDP Bill, 2019 is contentious, as it invokes the “sovereignty and integrity of India,” “public order,” “friendly relations with foreign states,” and “security of the state” to give the Central Government the power to suspend any or all of the provisions for government agencies. Reasonable restrictions imposed on the Right to Privacy should not deprive one of enjoying it due to state intervention. While the Bill protects Indians’ personal data by providing them data principal rights, it also gives the Central Government exemptions that are in violation of the norms of personal data processing. Without the explicit consent of the data principals, the government can process even sensitive personal data when necessary. The rules referring to “data localisation” are one of the more contentious concerns in the Bill. The phrase, which can apply to any constraints on cross-border data transmission, has mostly come to relate to the need to physically locate data within the country.
Although the GDPR is comprehensively articulated, in a world of globalization and cloud computing its restrictions and the financial burden of updating, regulation and compensation have made 66% of 366 global IT companies reconsider their business strategies in Europe. Not only does it impose a compliance cost burden on companies, it also deprives states of the ability to attract the global market for data processing. The right to be forgotten carries a high risk of abuse.
In the US, the lack of a comprehensive data protection regulation has been a major point of contention. Recent events have painted a bleak picture of data protection: the Cambridge Analytica case, which entailed the capture of up to 87 million Facebook users’ personally identifying information that was reportedly utilized to try to sway voter sentiment, electronic spying charges, and so on. Personal information can be collected and used in the United States as long as the subject is informed of the collection and use. However, this has been deemed insufficient in crucial regulatory areas. It has also been criticized for being overly strict and imposing several requirements on data processing organizations.
In the United Kingdom, training or expert guidance may be required to keep up with the dynamic nature of technology-driven companies and ensure compliance.
In India, data protection is crucial because of the large number of consumers. According to the Internet and Mobile Association of India (IAMAI)’s Digital in India report 2019, India has nearly 504 million active web users, and its online market is second only to China’s. Learning from the stringent and uninviting GDPR provisions, liberalizing such rule-imposing provisions could help attract information giants to set up company headquarters in India, promote data localization, and generate revenue and employment. India has the ability to analyze these pitfalls of various acts and formulate a comprehensive and globally acceptable approach.
- Suggestions:
- Set up a Tribunal – to adjudicate cases relating to data breach, breach of the rights of data subjects as guaranteed in the Act, and conflicts among various competing organizations.
- DRAI – the Data Regulation Authority of India would have numerous functions, including setting guidelines, framing rules governing intermediaries and the duties and rights of data subjects, supervising data intermediaries, and enforcing the provisions of the Act.
- Privacy Commission – to enforce data subjects’ rights on their infringement and to recommend changes in provisions in line with the dynamic nature of society, rights and technology.
- Social media intermediary – to include a provision relating to “social media intermediaries” whose actions have a significant impact on electoral democracy, state security, public order, or India’s sovereignty and integrity, and to empower the Central Government to designate the said intermediary as a significant data fiduciary in consultation with the Authority;
- Reforming laws relating to surveillance through CCTV and drones, and entering into more detailed and up-to-date mutual legal assistance treaties.
- Enabling the development of digital infrastructure, promoting entrepreneurship and the formation of Indian clouds such as ESDS that provide data security and localisation, revenue and employment.
- Creating appropriate data-sharing policies that preserve privacy and other third-party rights, while enabling data to be used for socially useful purposes.
- Minor consent – in line with the GDPR, minors’ consent is of grave importance in the world of digitalization.
- Blockchain technology – The GDPR fails to recognize the features of blockchain technology and its financial importance in the coming future. The GDPR’s centralized security model does not accommodate a decentralized blockchain security model. The anonymity and pseudonymity of data storage in blockchain provide for higher privacy through the use of public-private encryption keys. Having introduced a tax on cryptocurrency in Budget 2022, India should focus on including such provisions in the proposed PDP Bill.
- Cookies – Provisions for cookies, as they are used to study user behaviour. Tracking cookies trace activities without authorization and threaten privacy. Marketing cookies too keep track of your likes, dislikes and searches without authorization, hence the relevant adverts appearing while using other websites or social media platforms.
Data is a crucial asset in the digital era that should not be left unregulated. In this scenario, India’s time for a strong data protection regime has arrived. The Personal Data Protection Bill, 2019, needs to be amended as soon as possible. It has to be rewritten to ensure that it emphasizes user privacy while focusing on user rights. To enforce these rights, a privacy commission would need to be established. The government would also have to protect citizens’ privacy while bolstering their access to information. Furthermore, technical advancements in the recent two to three years must be addressed, since they have the potential to render the law obsolete.
The Personal Data Protection Bill, 2019 has certain reservations which, on correction, could set a precedent for upcoming data regulation in other countries. India has the ability to lead the world into the digital economy by leveraging its existing capabilities in information technology, its demographic dividend, and the need for empowerment through data-driven access to services and benefits. Data regulation is the need of the hour in the era of globalization, to protect one’s data from exposure and to protect one’s privacy. This can be done by learning from the mistakes of the data regulation acts already enforced in various technology-driven countries. With the Right to Privacy being a Fundamental Right, the need for a Personal Data Protection Act becomes even more vital, as much as it is inevitable.
Section 403 – Dishonest misappropriation of property, Indian Penal Code, 1860.
Manohar Lal Sharma v. Union of India, 2021 SCC, SC 985.
Personal Data Protection Bill, 2019, s. 35.
Ovum Research Report, 2019.
Cambridge Analytica case, EWHC 954 (Ch).
Author: Ruchika Jain, D.E.S. Navalmal Firodia Law College, Pune
Editor: Kanishka Vaish, Senior Editor, LexLife India