Author: Ritu Chaudhary, Student at Lloyd Law College, Greater Noida
This article highlights the problems arising from the absence of express data protection legislation in India and the need for such legislation. With the advancement of technology, the number of its users has also increased: India became the second-largest online market with an expansion of 47 million users between 2020 and 2021, and close to 700 million people accessed the internet via computer and mobile device. Although the number of internet users is increasing, the absence of a data protection law threatens people’s privacy, because their details can be shared in an unauthorized way. The privacy of an individual can be understood as the right to decide who can get access to their data, when they can get access to it, and what data they can get access to. Privacy is defined under Article 21 of the Indian Constitution as “the Right to life and personal liberty”: no one shall be deprived of his life or personal liberty except according to the procedure established by law. It is time to pay attention to data security in India so that the privacy of the individual is not infringed.
- What is Data Protection?
Data protection is the process of protecting important information from an unauthorized body, corruption, compromise, or loss.
Data protection is the practice and technology of protecting valuable and important company and customer data, such as personal or financial information.
Data is a valuable asset to any company or individual; it contains important information such as financial or payment data, intellectual property, and sensitive personal information. If this data is stolen, the person’s important information is leaked and they suffer a lot, and these losses are not only financial but also reputational. That is why the government must pay attention to data protection and bring in a data protection law so that the personal information of the person (either individual or company) can be kept safe.
- Importance of Data Protection:
As mentioned above, India is the second-largest online market in the world, and it is also the second-most populous country in the world. Half of the population is using the internet, but not everyone knows about data protection. A layman himself is not aware of the significance of his data. This lack of awareness and seriousness has left users vulnerable to big corporations that exploit weaknesses and thus misuse the data. Data protection laws should be made under which no other person can learn users’ information without their permission.
After the Aadhaar Judgment [Justice K.S. Puttaswamy (Retd) vs Union of India, 24 August 2017], there has been a lot of awareness among the people about data privacy. The Supreme Court of India changed the landscape and outlook of people towards data privacy. This judgment, in particular, raised awareness and made the general public realize that their data is truly intrinsic, important, and therefore worthy of protection in the first place. The judgment pronounced the Right to Privacy a fundamental right under the ambit of Article 21 of the Indian Constitution.
Although the judiciary has accepted privacy as a fundamental right, no law has been made related to data protection.
- Purpose of Data Protection Act
The main purpose of the Data Protection Act is to protect a person and their important information from being misused. The Data Protection Act does this in many ways like:
- By instituting rights for persons;
- By creating responsibilities for organizations, businesses, and the government and setting guidelines for the way they handle and store ‘personal data’.
- ‘Personal data’ is information from which everything about a person can be known.
- By spreading awareness among laymen about the uses of the data.
THE MISUSE OF PERSONAL DATA BY SOCIAL MEDIA PLATFORMS IN THE GARB OF CONSENT
In K.S. Puttaswamy vs Union of India, Chief Justice of India, S.A. Bobde said that “Consent is essential for the distribution of inherently personal data”.
After being sanctioned by the Courts, social media platforms realize that they will need the help of the users to make such moves. To this end, they create an illusion of such a kind that the user can neither escape it nor get hold of it. These crooked terms and conditions are so secretly concealed among the general terms that a layman agrees to all of them without even reading them once, owing to naivety coupled with the user’s lack of care and time. Even if users do read the terms and conditions as responsible citizens, it bears no fruit for them because they cannot proceed or access the platform without accepting these terms and conditions.
These types of contracts come under the ‘Standard Form Contract’, where one party sets the terms and conditions of the contract and the other party cannot negotiate more favorable terms. The other party is given the option either to take it or leave it.
In Life Insurance Corporation of India vs Consumer Education and Research Centre and others, the Hon’ble Supreme Court has held that
“If a contract or a clause in a contract is found unreasonable or unfair or irrational one must look to the relative bargaining power of the contracting parties. In dotted line contracts, there would be no occasion for a weaker party to bargain or to assume to have equal bargaining power. He has either to accept or leave the services or goods in terms of the dotted line contract. His option would be either to accept the unreasonable or unfair terms or forego the service forever. Having the services of the goods, the party enters into a contract with unreasonable or unfair terms contained therein and he would be left with no option but to sign the contract”.
Further, even if the user, for once, allows a particular app to access some of the user’s data or files, it is inherent in this contract that the consent to access this information pertains only to the particular action in question and is not a general green signal given to the platform for limitless exploitation of data. For example, users often allow these platforms to access a device’s current location, but this permission relates only to that particular task and does not allow these platforms to save the location on their servers for their own use in the future. But users have no choice but to accept the terms and conditions of these platforms if they want to use them.
On 2nd September, 2020, the Ministry of Electronics and Information Technology (MEITY) banned 118 Chinese apps. The MEITY orders say that these apps were banned for engaging in activities “prejudicial to sovereignty and integrity of India, defense of India, security of the state and public order” under Section 69A of the Information Technology Act. MEITY had received many complaints about the misuse of some mobile apps available on the Android and iOS platforms for stealing and secretly transmitting users’ data in an unauthorized manner to servers located outside India. This is a matter of very deep and immediate concern that required emergency measures, because it can threaten the sovereignty and integrity of India and further infringe the privacy of the individual. MEITY took this step to safeguard the interests of Indian mobile and internet users.
The decision of MEITY has yet again opened up the discussion on the urgent need to have strong Data Protection Laws in India.
CURRENT LAWS DEALING WITH DATA PROTECTION IN INDIA
India does not have a legislative framework to protect personal data and information shared or received in verbal, written, or electronic form. However, protections are available, and they are spread across a mix of statutes, rules, and guidelines.
The most important provisions are given in the Information Technology Act, 2000 (as amended by the Information Technology Amendment Act, 2008) read with the Information Technology [Reasonable Security Practices And Procedures And Sensitive Personal Data or Information] Rules, 2011 (SPDI Rules). It is the key law in India dealing with cybercrime and electronic commerce.
The laws and procedures given in the IT Act, 2000 lacked the provisions needed to protect sensitive personal information provided electronically. This led to the introduction of the Information Technology Bill, 2006 in the Parliament of India, which led to the Information Technology (Amendment) Act, 2008; the provisions of this Act came into force on October 27, 2009. Section 43A was inserted in the Information Technology Act, which says:
- Compensation for failure to protect data-
“where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected”.
Also Section 72A, according to which:
- Punishment for disclosure of information in breach of lawful contract-
“Any person may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding up to five lakh rupees, or with both, in case disclosure of the information is made in breach of lawful contract.”
- Penalty for the breach of confidentiality and privacy is mentioned in Section 72 of the IT Act, 2000, which states that “If any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh, or with both”.
Section 75 states that “If any person has committed an offense, or contravention committed outside India, and if the act or conduct constituting the offenses or contravention involves a computer, computer system or computer located in India, then the provisions of this Act shall apply to any offense or contravention”.
However, the scope and coverage of this Act and Rules are limited. The provisions are restricted to corporate entities undertaking the automated processing of data and consumers are only able to take enforcement action concerning a small subset of provisions. There is no provision on data localization which was the major concern and reason for the ban of the Chinese apps in India.
- The Personal Data Protection Bill, 2019
To provide for the protection of the personal data of individuals and to establish a Data Protection Authority, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019.
- Applicability: The Bill governs the processing of personal data by:
(b) companies incorporated in India, and
(c) foreign companies dealing with the personal data of the persons in India.
Personal data includes financial data, biometric data, caste, religion or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
- Obligations of data fiduciary: A data fiduciary is a body or individual who decides the purpose and means of processing personal data. Personal data can be processed only for specific, clear and lawful purposes. In addition, all data fiduciaries must undertake certain transparency and accountability steps such as:
- Take necessary steps to maintain transparency in processing personal data
- Implement security safeguards (such as data encryption and preventing misuse of data)
- Notify the Authority of any breach of personal data
- Audit its policies and conduct of policies every year
- Significant data fiduciary shall appoint a data protection officer for suggesting and monitoring the activities of the data fiduciary, and
- Institute grievance redressal mechanism to address complaints of individuals.
- Grounds for Processing personal data:
Personal data can be processed only if consent is given by the individual. However, in certain circumstances, it can be processed without consent: for example, if required by the State for providing benefits to the individual, in legal proceedings, or to respond to a medical emergency.
- Rights of an individual:
Certain rights have been set out in the Bill, which include the rights to:
- Obtain confirmation from the fiduciary on whether their personal data has been processed,
- Seek correction of inaccurate, incomplete, or out-of-date personal data,
- Have personal data transferred to any other data fiduciary in certain circumstances, and
- Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
- Data Protection Authority:
A Data Protection Authority will be established which shall take steps to protect the interests of the individuals, prevent misuse of personal data, and ensure compliance with the Bill and promote and spread awareness about data protection.
- Transfer of data outside India:
Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
The Central government can exempt any of its agencies from the provisions of the Act:
- In the interest of the security of State, public order, sovereignty and integrity of India and friendly relations with foreign States, and
- For preventing incitement to the commission of any cognizable offense relating to the above matters.
- Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as:
- Prevention, investigation, or prosecution of any offense, or
- Personal or domestic purposes, or
- Journalistic purposes, or
- Research, archiving, or statistical purposes.
There are two tiers of penalties and compensation:
- Failure of the data fiduciary to fulfill its obligation for data protection may be punishable with a penalty that may extend to Rs.5 Crores or 2% of its total worldwide turnover of the preceding financial year, whichever is higher.
- Processing data in violation of the provisions of the Personal Data Protection Bill is punishable with a fine of Rs.15 Crores or 4% of the annual turnover of data fiduciary, whichever is higher.
The number of Internet users in India may increase from 687 million to 900 million in the next five years. With the advancement of technology, man is becoming more and more dependent on it. Personal data has become a part of the daily routine of man, as it keeps track of his activity, meaning it contains all the important information. For example, earlier, a person had to go to the bank to send money from one place to another, but now, with just one touch, he can send money from one place to another with his mobile. Although the internet has made people’s lives easier, sometimes they have to suffer. For example, if their personal data is leaked, they may lose money and reputation. This is why the time has now come to make a law on personal data, implement it, and protect the privacy of individuals.
- Keelery, S. (October 16, 2020). Number of internet users in India 2015-2025. Retrieved June 08, 2021, from https://www.statista.com/statistics/255146/number-of-internet-users-in-india/
- The Constitution of India, Art. 21
- Dalmia, VP., Aggarwal, P., (January 14, 2021). Need for data protection laws in India: Analysis of the exploitation of personal data by whatsapp and other social media platforms. In The Status Quo as to the data privacy laws in India. Retrieved June 08, 2021, from https://www.mondaq.com/india/privacy-protection/1025404/need-for-data-protection-laws-in-india-analysis-of-the-exploitation-of-personal-data-by-whatsapp-and-other-social-media-platforms
- What is the Data Protection Act. In Purpose of the Data Protection Act. Retrieved June 08, 2021, from https://debitoor.com/dictionary/data-protection act#:~:text=The%20main%20purpose%20of%20the,personal%20details%20misused%20or%20mishandled.
- Dalmia, VP., Aggarwal, P., (January 14, 2021). Need for data protection laws in India: Analysis of the exploitation of personal data by whatsapp and other social media platforms. In The exploitation of personal data by social media platforms in the garb of consent. Retrieved June 08, 2021, from https://www.mondaq.com/india/privacy-protection/1025404/need-for-data-protection-laws-in-india-analysis-of-the-exploitation-of-personal-data-by-whatsapp-and-other-social-media-platforms
- The Legal 500. (October 02, 2020). Personal Data Protection Law in India. Retrieved June 08, 2021, from https://www.legal500.com/developments/thought-leadership/personal-data-protection-law-in-india/
- The Information Technology Act, 21 IN. 43A, §72A, §72, §75 (2000).
- Talukdar, A. (March 16, 2020). Key Features Of The Personal Data Protection Bill, 2019. Retrieved June 08, 2021, from https://www.mondaq.com/india/data-protection/904330/key-features-of-the-personal-data-protection-bill-2019