Index
- Introduction
- What Is Data
- Types Of Data
- Understanding Privacy
- What Is Data Privacy
- Importance Of Data Privacy
- Advantages Of Data Privacy
- Consequences Of Data Disclosure
- Challenges In Achieving Data Privacy
- Distinction Between Data Security And Data Privacy
- Evolution Of Data Privacy
- Overview Of The IT Act, 2000
- Overview Of The Digital Personal Data Protection Act, 2023
- Applicability Of The DPDP Act
- Penalties And Adjudication Under The DPDP Act
- Penalties For Specific Violations
- Key Principles Of Data Protection
- Conclusion
Introduction
Data privacy and data protection have become major controversial topics in India. This manuscript aims to provide a thorough and comprehensible overview of the current state of data privacy and protection in India, including the legal landscape and the implications for individuals and businesses.
The rapid digital transformation in India, driven by increasing internet penetration and technological advancements, has led to a surge in data generation and consumption. Consequently, concerns over how personal and sensitive data are collected, stored, and used have intensified. In the absence of a robust legal framework, individuals’ privacy rights and data security are at risk, raising significant ethical, social, and economic questions.
What Is Data
Data encompasses all information and materials created and acquired during the provision of services. This includes survey plans, charts, video or sound recordings, pictures, curricula, graphic representations, computer programs, printouts, notes, and both completed and draft documents. Such data can be instrumental in shaping the future of an entity or an individual.
Types Of Data
Personal Data: Personal data refers to private information about an individual that can be used to identify or monitor them online. This includes any data related to an identified or identifiable person, such as medical, biological, financial, and residential information. Such data should not be disclosed to any third party to protect the individual’s privacy.
Non-Personal Data: Non-personal data encompasses all information that does not fall under personal data. This includes general information about individuals that organisations can use to devise profit-making strategies. It also includes data collected by the government during publicly funded works.
Understanding Privacy
Privacy’s meaning can vary depending on the legal context, but it generally refers to individuals’ rights regarding their personal information. It signifies freedom from unauthorised intrusion and control over one’s personal data.
What Is Data Privacy
Data privacy is the right of users to control their personal data and limit what a website or organisation collects. It involves regulating the processing of private information, such as history, financial, and property data, to prevent unauthorised access and identity tracing. Proper data privacy ensures that users’ data is used appropriately and remains confidential.
Importance Of Data Privacy
Data privacy is crucial for building trust between internet users and intermediaries. Users rely on the assurance that their information collected by websites is protected and kept confidential. A trustworthy relationship is essential to prevent the exploitation and disclosure of an individual’s online activities and personal information. Without trust, users’ privacy and the integrity of their web interactions are compromised.
Advantages Of Data Privacy
Implementing robust data privacy measures has several advantages:
- Prevent Government Surveillance: Protects citizens from being spied on by the government.
- Accountability: Ensures those who steal or misuse data are held accountable.
- Maintains Boundaries: Helps maintain personal boundaries and privacy.
- Control Over Personal Data: Provides individuals with control over their personal data.
- Protects Freedom of Speech: Safeguards the right to freedom of speech and expression.
Consequences Of Data Disclosure
Unauthorised data disclosure can have severe consequences:
- Personal Harm: Disclosure of personal data, such as education records and biological information, can significantly impact an individual’s life.
- Fraud and Identity Theft: Hackers can use stolen data for fraudulent activities, including illegal purchases, making the victim accountable for these transactions.
- Unwanted Advertising: Some websites sell user information, leading to intrusive advertisements and marketing.
- Erosion of Rights: Being tracked or monitored online infringes on an individual’s right to freedom of speech and expression, which is a fundamental right under Article 19(1)(a) of the Indian Constitution.
Challenges In Achieving Data Privacy
Achieving data privacy is challenging for individuals. While it can be improved by regulating how organisations collect and store data, many negatives persist in terms of privacy and regulation. Not every organisation maintains confidentiality, and while large organisations often implement robust data security measures, small-scale organisations frequently fall short in ensuring confidentiality and accountability.
In the past decade, numerous data breaches and hacks have targeted major companies like Facebook and Mobikwik. User data stored on servers has been stolen and sold on the dark web. In 2020, more than 1.1 million cyber-attacks were reported in India, a significant increase from nearly 400,000 the previous year. This placed India among the top five countries for cybersecurity incidents and third in terms of internet users.
Data localization involves storing data on devices within a country’s borders. This practice eliminates barriers and the need for permissions to access the information. Currently, much data is stored on foreign clouds, requiring Mutual Legal Assistance Treaties for access. Localising data is crucial for national security, as it ensures data is stored on domestic servers, protecting it from foreign surveillance and allowing easy access when needed.
Global entities rushed to comply with the Reserve Bank of India’s (RBI) deadline for localising all sensitive data of Indian users of various digital payment services. This move underscores the importance of data localization in safeguarding national security and ensuring the privacy of Indian citizens.
It is unethical to sell security measures for profit. Privacy is a fundamental right, and organisations have a duty to provide every user with the same level of security. However, some commercial companies charge users extra for protection against fraudulent and unauthorised transactions, which undermines the principle of equal security for all.
In a significant data security lapse, 8.2 terabytes of personal information belonging to 3.5 million users were allegedly stolen from the payments platform MobiKwik and put up for sale on the dark web. This incident represents the largest such breach in India. Independent cybersecurity researchers had been reporting potential vulnerabilities in MobiKwik’s servers since February, with confirmation from French security researchers.
Distinction Between Data Security And Data Privacy
Data security and data privacy are distinct concepts. Data privacy regulates the flow of user data by a website or organisation, ensuring transparency and control over what data is collected. In contrast, data security focuses on protecting data from unauthorised access and breaches. Preventive measures, such as firewalls and encryption technologies, are integral to data security. In essence, data privacy concerns what data is collected and shared, while data security addresses how that data is protected. Effective security practices are a prerequisite for addressing privacy concerns.
For example, de-identifying data is a provision of data privacy. A key data security measure is encryption, which makes digital data unreadable to unauthorised users and hackers, safeguarding sensitive information.
Evolution Of Data Privacy
Data privacy is not a new concept. The concept of privacy evolved further and gained prominence through an article titled “The Right to Privacy” by Attorney Samuel Warren and Justice Louis Brandeis, which highlighted the protection of privacy as the foundation of individual freedom in the modern age. Privacy was later recognized statutorily in 1948 through Article 12 of the Universal Declaration of Human Rights (UDHR).
In 1980, the Organisation for Economic Cooperation and Development (OECD) issued guidelines on the protection of privacy and the transborder flow of personal data. Countries began enacting their own data privacy laws, with Germany pioneering this effort in 1970. A significant milestone was reached with the implementation of the General Data Protection Regulation (GDPR) on May 25, 2018, which revolutionised data privacy and protection laws globally.
In India, privacy has been a contentious issue in the judicial courts, with some rulings recognizing it as a fundamental right under Article 21 of the Constitution and others not. The landmark case of K.S. Puttaswamy v. Union of India in 2017 finally declared the right to privacy as a fundamental right protected under Article 21. Prior to this, privacy was addressed in fragmented laws such as the Information Technology Act (2000) and the Indian Penal Code (1860). However, there was no comprehensive law on the subject. After seven years of deliberation and three attempts to pass privacy legislation, India enacted a full-fledged data protection and privacy law on August 9, 2023.
Overview Of The IT Act, 2000
The Information Technology Act, enacted in 2000 and amended in 2008, addresses issues related to data protection and cybersecurity. Section 43A of the Act mandates that if a body corporate handling sensitive personal data or information is negligent in ensuring reasonable security, resulting in wrongful loss or damage, it is liable to pay damages. Additionally, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, provide guidelines for protecting sensitive personal data, such as financial information, sexual orientation, and medical records. Section 72A of the IT Act prescribes a fine up to Rs. 5,00,000 or imprisonment for up to three years for the intentional and unauthorised disclosure of information, violating the terms of a lawful contract.
Overview Of The Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection (DPDP) Act, 2023, is a recent legislative measure regulating personal data processing in India. Enacted nearly six years after the Supreme Court recognized the fundamental right to privacy under Article 21, the DPDP Act is influenced by global privacy laws like the European Union’s GDPR. It addresses privacy and protection obligations concerning personal data and extends its applicability beyond India’s borders. The Act imposes stringent penalties for unlawful data processing while granting significant exceptions for governmental bodies. The DPDP Act establishes a comprehensive framework for personal data processing, replacing the limited provisions of the IT Act.
The DPDP Act introduces various terms that may seem confusing at first. It is essential to distinguish between these terms:
- Data Principal: The individual whose personal data is collected.
- Data Fiduciary: The entity that determines the purpose and means of processing personal data, equivalent to a data controller.
- Data Processor: The entity that processes data on behalf of the data fiduciary.
The Act permits certain exceptions in the interest of India’s sovereignty and integrity, state security, friendly relations with foreign states, maintenance of public order, and prevention of incitement to commit offences.
The Act has extra-territorial application, meaning it applies beyond India’s borders and imposes no restrictions on international data transfers.
Applicability Of The DPDP Act
The DPDP Act applies to organisations that meet the following criteria:
- The organisation processes digital personal data that can identify the data principal to whom the data belongs.
- The data being processed is collected by the organisation in digital form.
- The organisation processes personal data within Indian territory, or processes personal data outside India in connection with offering goods or services to individuals in India.
Penalties And Adjudication Under The DPDP Act
Chapter 8 of the DPDP Act addresses penalties and adjudication. According to Section 33, a monetary penalty after completing an inquiry into a breach of the Act’s provisions and providing the person concerned a reasonable opportunity to be heard. In determining the penalty amount, the Board will consider several factors:
- The nature, gravity, and duration of the breach.
- The type and nature of the personal data affected by the breach.
- Whether the breach is repetitive.
- Whether the person gained or avoided any loss due to the breach.
- Actions taken by the person to mitigate the breach’s effects and the timeliness and effectiveness of such actions.
- The proportionality and effectiveness of the penalty in ensuring compliance and acting as a deterrent.
- The likely impact of the monetary penalty on the person concerned.
Penalties For Specific Violations
The Act outlines specific penalties for various breaches under Schedule 1:
- Failure to Take Reasonable Security Safeguards (Section 8(5): Penalty may extend to Rs. 250 crores.
- Failure to Notify the Board and Affected Data Principals of a Personal Data Breach (Section 8(6)): Penalty may extend to Rs. 200 crores.
- Non-Fulfillment of Additional Obligations in Relation to Processing of Data of Children (Section 9): Penalty may extend to Rs. 200 crores.
- Non-Fulfillment of Additional Obligations of Significant Data Fiduciary (Section 10): Penalty may extend to Rs. 150 crores.
- Violation of User Duties (Section 15): Penalty may extend to Rs. 10,000.
- Breach of Any Term of Voluntary Undertaking Accepted by the Board (Section 32): Penalty up to the extent applicable for a breach in respect of proceedings instituted under Section 28.
- Other Non-Compliance Under the Act: Penalty may extend as applicable to each section.
Key Principles Of Data Protection
Data minimization is one of the most crucial principles in data protection, aiming to minimise data collection to only what is necessary. This principle is foundational to recent legal developments worldwide. It focuses on collecting only the required data and disallows any data gathering that has no clear purpose. Unnecessary data collection increases potential societal risks and can breach individual privacy. Therefore, data collectors must state the reason for data collection, ensuring data is not collected for one purpose and used for another without valid consent from the data principal. This principle aims to strengthen the trust and faith individuals place in organisations that collect their personal data.
Consent is the cornerstone of any data collection process. For data collection to be legitimate, it must be accompanied by valid and express consent. Users can only give valid consent when fully informed about the data collection, its usage, their rights, and other relevant information. Most modern laws prefer opt-in clauses over opt-out clauses to ensure explicit consent. This means individuals must actively choose to share their information; inaction does not substitute for explicit consent. This promotes transparency and allows users to make well-informed decisions about their data. The recently enacted Indian privacy law, specifically Section 4 read with Section 6, states that consent must be free, specific, informed, and unambiguous.
Lawful data collection mandates that the purpose for collecting data must be lawful and fair. The reason for data collection should be legitimate and not contrary to the law. For instance, collecting data for contractual purposes or legal obligations is considered lawful. Data collection should not result in discrimination or harm to individuals. This principle requires strict adherence to local and global laws impacting data collection, promoting ethical standards and practices for data collection and processing. In the Indian privacy law, this principle is detailed in Sections 4 and 7 of the DPDP Act, which define a lawful purpose as any purpose not expressly forbidden by law.
The collected data should be accurate and up-to-date. The data controller must ensure that inaccurate data is correct concerning the purpose for which it was collected. Active measures should be taken to ensure the information is not only correct but also complete and reliable. Data collection can only serve its true purpose if the information is accurate and trustworthy. This means data should be verified regularly. Mechanisms must be in place to review and update information periodically, and proper documentation of accuracy measures should be maintained. Section 8 of the DPDP Act echoes this principle, stating that the Data Fiduciary must make reasonable efforts to ensure data completeness, accuracy, and consistency.
This principle ensures that data is collected for a limited duration and is not retained indefinitely. Data should be gathered, stored for the minimum necessary time, and later disposed of safely. Once the purpose for which the data was collected is fulfilled, it should be appropriately disposed of. At the end of its retention period, data should be securely disposed of using methods such as data shredding, encryption, or other secure methods. Section 8 of the DPDP Act also addresses data retention, requiring the Data Fiduciary to delete retained data when consent is withdrawn or the data has served its purpose.
Confidentiality is one of the most vital principles in data protection. It mandates that personal data should be collected, stored, and transferred in a manner that ensures confidentiality and prevents unauthorised access. This principle requires meticulousness in data collection and security in storage systems. Proper encryption and secure access and storage systems are essential for maintaining confidentiality. Additionally, it ensures that data transfer is secure and protected. Section 8 of the DPDP Act includes similar provisions, outlining the general obligations of the Data Fiduciary to maintain confidentiality.
Another critical principle in data protection law is governance and accountability. This principle obligates data collectors to establish a robust framework for data collection that outlines their responsibilities and includes a system for grievance redressal. It mandates the appointment of data protection officers, the conduct of data protection assessments, and the proper monitoring and auditing of processing activities. These obligations for data fiduciaries are detailed in Section 10 of the DPDP Act, which requires them to appoint data protection officers and independent data auditors, undertake data protection impact assessments, conduct periodic audits, and implement other necessary measures.
Conclusion
In an era where data is a critical asset, understanding and implementing robust data privacy practices is paramount. The evolution of data privacy laws, including the IT Act, 2000 and the Digital Personal Data Protection Act, 2023, underscores the growing recognition of data protection’s significance. Ensuring data privacy not only safeguards individuals’ rights but also builds trust and compliance in a digital economy. As organizations navigate the complexities of data privacy, adhering to key principles and staying informed about legislative changes will be crucial in mitigating risks and protecting valuable information.