Online Privacy And Personal Data Protection in India: A Legal Perspective

 

Name – Vinay Sharma

College - Amity Law School, Amity University, Noida

Introduction:

In the year 2020, because of the pandemic all of us have been forced to accommodate drastic changes in our lifestyles. We all made the decision to become more digital than we had ever been. Today, we do everything online, from our jobs to our shopping, meetings, and social gatherings. With such a shift, we have realised the importance of data and data privacy. Over the last few years, India has been one of the largest data generators.

 According to Statista, there are currently 700 million internet users in India. This figure is expected to rise to more than 974 million by 2025. In fact, India was ranked as the world’s second largest online market in 2019 (1).

 People knowingly or unknowingly share sensitive personal data on various digital platforms such as e-commerce sites, mobile apps, webinar platforms, net banking, e-wallets, and so on in this digital age. Users of these platforms grant permission to use personal data by simply clicking the ‘I agree with the terms and conditions’ button, whether they have read the Privacy Policy or not. Because of this security flaw, millions of users are vulnerable to hackers and other threat actors.

Because of digitisation, the Ministry of Electronics and Information Technology introduced the Personal Data Protection Bill, 2019 (PDP) in the Lok Sabha on 11-12-2019 with the purpose of protecting and securing the data of millions of users. Despite being introduced in Parliament for over a year and a half, the Bill has yet to be passed into law. In the absence of such legislation, Indian citizens’ privacy is currently protected through provisions in various statutes.

The statutes and provisions that govern India’s privacy laws:

1) Information Technology Act, 2000 (2) – (a) Section 43-A – Entities dealing with sensitive personal data or information are liable for damages if they fail to implement and maintain reasonable security practices that result in wrongful loss or gain to any individual. (b) Section 72-A – It is punishable for service providers to disclose materials containing personal information of any person without the person’s consent or in violation of a lawful contract.

2) The Telegraph Act of 1885 and the Telegraph Rules of 1951.

3) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 – Personal information is protected under the law.

4) Right to Information Act, 2005 (3) – According to Section 8(1)(j), information relating to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause an unwarranted invasion of the individual’s privacy, unless the Central Public Information Officer, the State Public Information Officer, or the appellate authority, as the case may be, is convinced that the disclosure of such information is in the greater public interest. 

5) Post Office Act, 1898 (4) – Section 26 authorises the Central Government and the State Governments of India to intercept postal articles in the event of a public emergency or in the interest of public safety or tranquillity.

6) Code of Criminal Procedure, 1973 (5) – Section 91 governs restricted access to stored content.

Right to privacy as a fundamental right in India:

The right to privacy is a fundamental right under Article 21 of the Indian Constitution, which outlines our fundamental rights. This was affirmed by a nine-judge Supreme Court bench in Justice K.S. Puttaswamy v. Union of India (6) in its historic judgement dated August 24, 2017, in which they declared “the right to privacy” as an integral part of Part III of the Indian Constitution.

 One might wonder why the issue of whether the right to privacy is a fundamental right was brought before a nine-judge panel. In 2017, a Supreme Court bench of five judges hearing the case on Aadhaar Card and the right to privacy stated that they wanted a nine-judge bench to first decide whether privacy is a fundamental right before deciding on the main Aadhaar case. In the Aadhaar case, the Attorney General argued that, while several Supreme Court decisions had recognised the right to privacy, they had refused to accept that the right to privacy was a fundamental right in the Kharak Singh judgement (passed by a six-judge bench in 1960) and M P Sharma’s judgement (delivered by an eight-judge Constitution bench in 1954). As a result, a nine-judge panel was formed to decide whether the right to privacy is a fundamental right or not.

 

The Supreme Court’s broad interpretation triggered a flurry of government initiatives aimed at enacting personal data protection laws.

 

 

Applicability of the Personal Data Protection Bill:

It is applicable to data processing by the following:

o   The Government.

o   Companies registered in India.

o   Foreign companies dealing with individuals’ personal data in India.

 It applies to the following types of information:

o   Personal data – Data about or relating to a natural person who is directly or indirectly identifiable, based on any characteristic, trait, attribute, or other feature of such natural person’s identity, or any combination of such features, with any other information. [Sec 3(29)]

o   Sensitive personal data – It refers to personal information revealing, related to, or constituting passwords, financial information, health information, sex life, and so on. [Sec 3(35)]

o   Critical personal data – A subset of personal data that will include any categories of personal data that the Central Government may notify.

 Salient features of the Personal Data Protection Bill:

1. Data fiduciary obligations – A data fiduciary is an entity or individual who decides how and why personal data is processed. Certain limitations on purpose, collection, and storage will apply to such processing. Personal data, for example, can be processed only for specific, clear, and legal purposes. Furthermore, all data fiduciaries must implement certain transparency and accountability measures, such as: (i) implementing security safeguards; and (ii) establishing grievance redressal mechanisms to address individual complaints. When processing sensitive personal data of children, they must also implement mechanisms for age verification and parental consent.

2. Individual Rights – The Bill establishes certain individual rights. These include the rights to: (i) obtain confirmation from the fiduciary that their personal data has been processed or not; (ii) request correction of inaccurate, incomplete, or out-of-date personal data; (iii) have personal data transferred to any other data fiduciary in certain circumstances; and (iv) limit continuing disclosure of their personal data by a fiduciary if it is no longer necessary or consent is withdrawn.

3. Grounds for processing personal data – The Bill allows fiduciaries to process data only with the individual’s consent. Personal data can, however, be processed without consent in certain circumstances. These include: (i) if the State is required to provide benefits to the individual; (ii) legal proceedings; and (iii) responding to a medical emergency.

4. Social media intermediaries – As defined by the Bill, these are intermediaries that enable online interaction between users and the sharing of information. All such intermediaries with users above a notified threshold, whose actions have the potential to impact electoral democracy or public order, are subject to certain obligations, including providing a voluntary user verification mechanism for users in India.

5. Data Protection Authority – The Bill establishes a Data Protection Authority, which may: (i) take steps to protect individuals’ interests; (ii) prevent misuse of personal data; and (iii) ensure Bill compliance. It will be led by a Chairperson and has six members with at least ten years of experience in the fields of data protection and information technology.

6. Transfer of data outside India – Sensitive personal data may be transferred outside India for processing if the individual expressly consents and certain additional conditions are met. Such sensitive personal data, however, should continue to be stored in India. Certain personal data designated by the government as critical personal data can only be processed in India.

7. Exemptions – The Central Government may exempt any of its agencies from the provisions of the Act: (i) for the sake of state security, public order, India’s sovereignty and integrity, and friendly relations with foreign states; and (ii) to prevent incitement to commit any cognizable offence relating to the aforementioned matters. Personal data processing is also exempt from the Bill’s provisions for certain other purposes, including: (i) the prevention, investigation, or prosecution of any offence; (ii) personal, domestic; or (iii) journalistic purposes. However, such processing must be for a specific, clear, and lawful purpose, with appropriate security safeguards in place.

8. Offences – (i) processing or transferring personal data in violation of the Bill, which is punishable by a fine of Rs 15 crore or 4 percent of the fiduciary’s annual turnover, whichever is higher; and (ii) failing to conduct a data audit, which is punishable by a fine of five crore rupees or 2 percent of the fiduciary’s annual turnover, whichever is higher. Re Identification and processing of de-identified personal data without consent is punishable up-to 3 years, or a fine, or both.

9. Non-personal data sharing with the government – The Central Government may direct data fiduciaries to provide it with any of the following: (i) non-personal data; and (ii) anonymised personal data (where the data principal cannot be identified) for better service targeting.

10.  Amendments to other laws – The Bill amends the IT Act of 2000 by removing provisions relating to compensation payable by companies for failing to protect personal data.

 

 

Conclusion:

With the increased use of data and the internet, the need for a comprehensive law protecting people’s fundamental right to privacy has become apparent. It is crucial to have a protective mechanism in place to deal with instances of data protection and privacy infringement in India. It is important that the government adhere to the proposed timeline for revising and passing the law. Protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits are all legitimate goals of the state. These were policy considerations for the Union Government as it designed a carefully structured data protection regime. The Personal Data Protection Bill is a step toward achieving these objectives.

 References:

https://www.statista.com/statistics/255146/number-of-internet-users-in-india/#:~:text=Number%20of%20internet%20users%20in%20India%202010%2D2040

https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf

https://rti.gov.in/rtiact.asp

https://www.indiapost.gov.in/VAS/DOP_RTI/TheIndianPostOfficeAct1898.pdf

https://legislative.gov.in/sites/default/files/A1974-02.pdf

(2017) 10 SCC 1, 509-510