As digitization increases, large volumes of data aregenerated and there are no measures to safeguard theprivacy of this data nor regulate data retention by theplatforms collecting it. Hence, we are in needof a strong data protection lawIn the new media age, privacy has become a fiercelydebated topic. In India, we observe that with theongoing Aadhaar case in the Supreme Court, a...
As digitization increases, large volumes of data are
generated and there are no measures to safeguard the
privacy of this data nor regulate data retention by the
platforms collecting it. Hence, we are in need
of a strong data protection law
In the new media age, privacy has become a fiercely
debated topic. In India, we observe that with the
ongoing Aadhaar case in the Supreme Court, a new
common discussion has started around the issue of
digital privacy and where the law currently stands on
this subject.
The debate on privacy and data protection has become a
burning issue as the constitutional bench of nine judges,
headed by the Chief Justice of India, is set to decide whether
the right to privacy is a fundamental right, and a committee
headed by Justice B. N. Srikrishna, former judge of the
Supreme Court, has been constituted to suggest a draft Bill
on data protection. It must be noted that it is this series of
important events that may contribute to India’s focus on
data protection and the Data (Privacy and Protection) Bill,
2017.
Bombay High Court Lawyer. His
area of practice is Cyber Law
& Privacy. He is the Founder-
President of Law Firm Cyber
Law Consulting (Advocates &
Attorneys)
What is Data Privacy and Data Protection
A privilege to ensure one’s information online constitutes
information security. Such information could either be
about an individual, undertaking, or even a government.
Following the definition of personal data laid down by the
European Union’s data protection guidelines, “Information
concerning an identified and identifiable natural person”
covers the scope of personal data. Hence, if we follow this
definition, the personal information provided by individuals
during biometrics would be included. But data put out
through biometrics or for economic purposes remains at
risk in India since no legislation has been chalked out to
protect such personal data.
Where It All Started
Recently, in the Lok Sabha, Member of Parliament Baijayant
“Jay” Panda tabled the Data (Privacy and Protection) Bill,
2017, proposing the right to privacy as a fundamental right
for Indian citizens.
This is not the first time a Bill proposing such a right has
been laid down in Parliament. As a matter of fact, Panda
himself had presented a Bill in 2009 titled “The Prevention
of Unsolicited Telephonic Calls and Protection of Privacy
Bill”, which aimed at prohibiting unsolicited telephone calls
by business promoters or individuals to persons who didn’t
want to receive such calls. It stated that every person shall
have the right to privacy and freedom to lead and enjoy his/
her life without any unwarranted infringement. Apart from
Panda, Rajeev Chandrasekhar (2010), Vivek Gupta (2016),
and Om Prakash Yadav (2016) have in the past introduced
Bills pertaining to citizens’ data privacy.
What The Data (Privacy And Protection
Bill 2017) Portends
Data protection is a daily part of our lives. We come across
data protection issues at work, when browsing the Internet, while dealing with public authorities, when shopping, when
booking online tickets, etc. As digitization increases, more
and more data is being captured. How this data is used and
held is becoming increasingly important.
The Data (Privacy and Protection
Bill, 2017)
1. Proposes Right to Privacy as Fundamental Right of
citizens
2. Follows a right-based approach and demands the
consent of individuals for collection and processing of
personal data
3. Gives final right to modify or remove personal data from
any database, whether private or personal, solely to an
individual
4. Includes data collectors and data processors (defined)
who ensure that they collect and process data in a
lawful and transparent manner
5. Creates obligation on data intermediaries to implement
security measures to ensure the security of the data
collected
6. Lays down that in case of data breach, data
intermediaries are mandated to inform individuals in a
fixed time period
7. Promotes creation of an end user-facing position of
data protection officer for grievance redressal, with a
provision for appeal to the Data Privacy and Protection
Authority (DPPA)
8. Allows lawful interception and surveillance by the state
for the purpose of National Security
9. Authorizes DPPA to penalize, imprison, and order
compensation for losses suffered by private individuals
against the government or any other private institution
10. May also engage in impact assessment, consultation,
and inspection by the DPPA
Recent Developments
The Ministry of Electronics and Information Technology
released a white paper by a “committee of experts” led by
former Supreme Court judge, Justice B. N. Srikrishna, on a
data protection framework for India.
The government had sought public comments till December
31, 2017 on the white paper, which is aimed at securing
digital transactions and addressing customer and privacy
protection issues.
Public discourse around data privacy is probably at its
zenith in India today. As digitization increases, large
volumes of data are generated and there are no measures
that safeguard the privacy of this data nor regulate data
retention by the platforms collecting it. Hence, we are in
need of a strong data protection law.
Data Privacy Law Has To Be In Tandem With The Aadhaar Act LEGAL ERA MAGAZINE speaks to Advocate PRASHANT MALI, BOMBAY
HIGH COURT, about data privacy, data security and everything in between
LE: According to you, what is the basic meaning
and purpose of the Data Protection Bill, 2017?
This Bill grants a statutory Right to Privacy under Section 4.
However, this Right to Privacy is only pursuant to Articles 19
and 21. While a statutory recognition of the Right to Privacy
may be applauded for being a baby step in the right direction,
it will have to pass the test of reasonable restrictions when it is
codified. The Bill aims to define and protect the right to digital
privacy and to constitute a Data Privacy Authority to protect
personal data. This Bill is an attempt at empowering
citizens with this right.
LE: Do you feel that the Privacy
Bill is in favor of the masses or
do you think it is a political and
industrial gimmick? What is the
territorial scope of the Privacy
Bill, 2017? What about extraterritorial
application of data
protection laws in India as far
as the Bill is concerned? What
categories of exemption can
be incorporated into the data
protection law?
The law must have extra-territorial
effect with respect to data of
Indian residents, and must provide
appropriate redress mechanisms for
privacy violations outside India if the
infringer has a business presence in
India. The applicability of the law should be extra-territorial as it is as of now in the penalties and
liabilities prescribed under Section 43A and 72A of the IT Act,
have also been given extra-territorial applicability and would
apply to contraventions committed by non-Indian companies,
irrespective of the nationality of the data subject whose
information is collected, processed or transferred. While the
practical enforcement of penalties against a company is unlikely
where such company has no presence in India, authorities may
resort to other means, including blocking access to servers
or networks located in India in the event of repeated and
significant contraventions or failures by a company to comply
with obligations under the Privacy Rules. Data already in the
public domain, anonymous data, data on deceased persons,
journalistic data, research data, historical data, data related to
investigation, data related to national security etc. should be
exempt.
LE: What are your views on cross-border
transfer of data?
I feel that transfer can only be to countries with a similar
or comparative level of data protection laws or having
explicit treaties with India. The bill is silent on the issue of
data sovereignty, which has become a persistent issue in
the wake of technology enabling seamless moving of data
across international borders. Covering this lacuna along
with addressing the collateral issue of data storage only can
make it a comprehensive privacy bill. Well defined provisions
against the contractual determination of governing law,
jurisdiction and dispute resolution may be considered to ensure
that foreign entities comply with Indian law, and do not find ways
of working around it by way of contracts or by other means.
LE: Currently, there are a variety of laws in
India which deal with processing of data,
including personal data and sensitive personal
data. These laws operate in various sectors,
such as the financial sector, health sector and
the information technology sector. Should
these laws be inspected and suitably amended
before passage of the Data Protection Law,
2017?
All regulators currently have mandate for Privacy, in fact I have
written a whole research paper around it in the current issue
of NUJS, International Journal of Law & Privacy. I feel This Data
Protection Law, 2017 or 2018 or 2019 whenever it is incarnated
should supersede The IT Rules, The Telecom Act & all other
Regulatory Privacy rules of all sectors. I feel the Aadhaar Act
has more privacy provisions than any other laws, how will they
complement the new law is also to be seen.
LE: Do you think that the law will break the
impasse among legislators this time?
I am personally optimistic but the experience of legislators
legislating and the history of the same bill since 2006 is
disheartening. Even though PM Modi and the Law minister have
taken all the right steps towards formulation of public opinion for
the bill, I feel the intelligence agencies and opposition political
parties find no grounds for the Law being made. I also feel
defining Privacy would be a herculean task for parliamentarians,
moreover adding reasonable restrictions to the same would be
another issue. I wish the Hon. SC could have defined “Privacy”
in its last Right to Privacy Judgment then things could have been
easy. I personally feel Privacy would be like an obscenity which
gets defined differently in different decades.
LE: With Section 33(2) of the Aadhaar Act, the
state can cite 'national security' and access
identity information and authentication
records of citizens. Isn’t this a blurring of lines
between 'data security' and 'privacy'?
Yes! it is. Data Privacy law has to be in tandem with Aadhaar
Act and the state would take this stand. If you look today
as well, all states invade citizen’s privacy under the garb of
National Security. Section 33(2) of the Aadhaar Act is no
different. I feel, as India is drafting a brand new Law, it can take
precautions to balance between Privacy, National Security &
Criminality.
LE: What according to you should be the
safety guidelines for privacy and people? With
advancing technology and easy availability of
the data, how strict should be a privacy law in
the country to control disruption. Your opinion
please.
I strongly feel the last section of the Bill should have
mentioned about the state’s role in providing “Privacy literacy”
related awareness and education to Indian citizens. I feel until
any state doesn’t inculcate Privacy culture among data users
and make them aware about safeguards, they will remain
vulnerable. India is seriously late to protect its data. We may be
serious and may bring a law but are deficient and yet not ready
with technology to implement the same. The architecture must
address the following questions: how people give consent, how
their data is released, how it is stored and encrypted? When
that data is given to another party for use, what is the criteria
for usage? Implementation of the said law cannot be overnight,
it would need timelines and meticulous planning in the Indian
context.
Disclaimer – Statements and opinions expressed in this article are those from the editorial and are well researched from
various sources. The content in the article is purely informative in nature.