Privacy: A Modern Pun


Privacy is Implied. Privacy is not up for discussion. – Mikko Hypponen

In today’s fast-growing digital world, where it is fairly easy to communicate and share our lives with whomsoever we want, we leave behind bits of data on these platforms, wilfully or unknowingly. Companies use this consumer data to monitor user demand, so as to improve the user experience and determine overall demographics, from search preferences to how much users like an entity, and they change their digital protocols in response to customer testimonials. Our lives revolve around these machines that assist us all, and we unconsciously share our know-how and subjective choices with third parties. This incursion raises concerns about users’ privacy, which has become a serious problem for present-day operators.

According to the Oxford Learner’s Dictionary, “privacy” means “the state of being alone and not watched or disturbed by other people”. Privacy is about valuing other people: if a person aspires to keep their life private, we must respect that and not induce them to showcase it. In practice this idea cannot be absolute, as it can be misused, but through sovereign checks and balances an individual’s private interests can be safeguarded.

The more digitised we become day by day, the further we jeopardize our privacy. Hence one should be mindful that not only must companies take care not to invade customers’ privacy, but individuals must also be aware of the consequences of data theft and its significance.

Each country has its own set of laws that govern this standing issue of the era and defend its citizens against the malicious intent behind breaches. To shed light on India’s privacy law, we first need to know the rights protected by our Constitution: Article 21 of the Indian Constitution guarantees to every citizen the Right to Privacy as a fundamental right. In 2017 a nine-judge bench of the Supreme Court, in the case of Puttaswamy v. Union of India, declared that the right to privacy is a fundamental right protected under Part III of the Constitution of India. The key findings in the judgement included that the right to privacy is included in Article 14 (equality before the law or equal protection of the laws within the territory of India), Article 19(6) (fundamental freedoms) and Article 21 (right to life and liberty) of the Constitution of India. There is no dedicated legislation in India dealing with data protection, which results in a chaotic mess of policies. Currently, the processing and transfer of personal data in the country are governed by the Information Technology (IT) Rules, 2011, under the IT Act, 2000.

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha by the Minister of Electronics and Information Technology on December 11, following the recommendation report of the expert committee that was appointed to deal with matters of data protection. The bill proposes to protect against the invasion of personal data and associated matters. It also sets out the anticipated process by which data is to be collected, saved and relocated. The Personal Data Protection Bill 2019 intends to govern the processing of personal data that has been collected within the territory of India:

(a) By the government, any Indian company, any citizen of India or any person or body of persons incorporated in India, and

(b) By foreign companies that trade with personal data of citizens in India.

The processing of personal data will be subject to certain restrictions, which are to be carefully maintained by the data fiduciaries: the data collected is to be used for lawful purposes only, it should be necessary to process the data, the data should be used only for the purpose for which it was collected, and upon completion the data used should be deleted. The act also states that approval and notification of the data principal are vital for processing the personal data. In obtaining sensitive personal data of children, parental consent is required. The data fiduciaries must take careful steps in processing the data and should use security safeguards to prevent its misuse; if any personal information or data is breached, the fiduciaries should inform the authority. The fiduciaries are also directed to audit their policies every year and, with the help of new technology, to handle sensitive data cautiously. The act states that a data protection officer shall be appointed to track the activities of the fiduciaries. The act also supports individuals by instituting a grievance and redressal mechanism to address their complaints.

Though the bill states that it is mandatory for data fiduciaries to obtain the consent of the individual, there are some exceptions. Personal data can be obtained without consent when there is a legal necessity or a medical emergency, in any employment-related matter, and for the prevention of crimes such as fraud and acquisition.

The Bill sets out certain rights of the individual (or data principal), which include the right to obtain confirmation on whether their data has been processed by the fiduciary and the right to update and correct any personal data. The act also gives an important right, the right to be forgotten: the principal can restrict the disclosure of their personal data by a fiduciary if it is no longer necessary.

The Bill puts forward a Data Protection Authority of India, which shall take the appropriate measures to guard the interests of its citizens, prevent abuse of personal data and secure compliance with the Bill. The bill also provides for the promotion of awareness amongst individuals about data protection. The bill covers the handling of sensitive personal data that is transferred outside India with the consent of the individual; it also states that certain data should be saved in India and that some data which is highly sensitive in nature can only be collected or used in India.

There are certain exemptions in the act: the Central Government has the authority to exempt any organisation of the Government from the applicability of the act if it is in the interest of the sovereignty and integrity of India, the security of the state and friendly relations with foreign states. The bill also provides exemption from its provisions for the prevention, investigation or prosecution of any offence, for personal, domestic or journalistic purposes, and for research, archiving or statistical purposes.

The bill sets out two tiers of penalties and compensation. If the data fiduciary fails to fulfil its duty of data protection, it may be punished with a penalty which may extend to Rs.5 crores or 2% of its total worldwide turnover of the preceding financial year, whichever is higher. Processing data in violation of the provisions of the PDPB is punishable with a fine of Rs.15 crores or 4% of the annual turnover of the data fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or a fine, or both.

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) came into force on 25 May 2018 to safeguard data and privacy in the European Union (“EU”) and European Economic Area. Companies have to follow and comply strictly with the protocols of the GDPR while collecting the data of citizens. The GDPR has taken a wider view as to what constitutes personal data of the individual. The GDPR states that companies should take reasonable measures to protect the personal data collected from individuals. It is not to be forgotten that GDPR came into force, or is in existence, because of public concern over privacy. GDPR has replaced the EU’s Data Protection Directive, 1995. According to the RSA Data Privacy & Security Report, for which consumers in France, Germany, Italy, the UK and the US were surveyed, 80% of the consumers were concerned about losing their banking and financial data, and 76% had concerns over passwords and identity material. GDPR allows data to be stored for an extended period of time, whereas PDPB restricts the storage of personal data beyond the time to which the individual has consented.

As said earlier, the scope of PDPB is wider as compared to GDPR. Any institution may fall under the scope of processing personal data in India. PDPB also mentions critical data as well as sensitive data, and it gives the Central Government the power to modify or expand what may constitute sensitive personal data. The powers of the Central Government to exempt organizations from the application of the bill may be narrower.

Under GDPR, penalties are generally categorized into severe infringement and minor infringement. In the event of severe infringement, the fine goes up to €20 million, or four percent (4%) of the organization’s worldwide yearly revenue, whichever is more. In the event of minor infringement, a fine may go up to €10 million, or two percent (2%) of the organization’s worldwide yearly revenue, whichever is more. Under GDPR, unlike PDPB, all breaches are reported to the data protection authority. The breaches which may distress the data principal are to be reported to the DPA. Stringent fines therefore make companies and agencies cautious in handling the personal information of the public.

The USA currently has more than 100 laws governing data protection and security across the states. Thus, there is chaos and confusion amongst the varied state laws. These laws are supervised by diverse government agencies.

India still lags behind in having such stringent laws to protect personal data. Recently, the new WhatsApp policy, which was announced on 4th January 2021, fundamentally takes away the choice of users not to share their data with other Facebook-owned and third-party apps; if users do not agree to the new terms and conditions, they will not be allowed to use WhatsApp. This raised demands amongst Indians for a stringent data protection law. In European regions the new policy of WhatsApp is not implemented, the reason being that they have a strong data protection law, the General Data Protection Regulation (GDPR).

The absence of strong laws in India leaves users with no choice but to rely on a company’s own commitments and privacy policies. In India, users often fail to obtain appropriate legal redressal of their rights. Currently in India, compensation is claimed under Section 43A of the IT Act, 2000 on a complaint lodged with the adjudicating authority. There is only a limited defence available under the Information Technology Act.

WhatsApp’s end-to-end encryption clause still stands: it cannot see the conversations, but it can share users’ metadata, which reveals other crucial data, with Facebook and third-party apps. WhatsApp saw a 35 per cent decrease in downloads in India, from 2 million between January 1 and 5 to 1.3 million between January 6 and 10, as per Sensor Tower. In comparison, Signal’s 24,000 Indian app downloads between January 1 and 5 increased to 2.3 million between January 6 and 10.

Recently, Zee5 was caught in a data breach in which the information of 9 million users was exposed. Over 313,000 cyber security incidents were reported in 2019 alone. According to the Indian Computer Emergency Response Team (CERT-In), in February 21, personally identifiable information of 500,000 Indian police personnel was put up for sale on a database sharing forum. In January 2021, COVID-19 test results of at least 1500 Indian citizens were leaked online (the actual number is estimated to be higher).

In October 2020, BigBasket user data was put up for sale online, impacting 20 million user accounts. In August 2019, hackers stole the healthcare records of 6.8 million Indian citizens, which impacted around 68 lakh patient and doctor records.

Thus, a data-centric solution is needed to protect the personal data of users. Stringent laws and fines could compel companies and agencies to be careful in handling users’ data; as seen above, numerous scams have been committed by reputed companies. It is a fundamental right of every citizen to have reasonable privacy and a sovereign which safeguards it.

“Heavy on my privacy what you see is what I allow”- Anonymous

Author: Hiba Khan

Editor: Kanishka Vaish, Senior Editor, LexLife India.