
Time and again confused with trade secrets and confidentiality, data privacy refers to the use and disclosure of personal information and is only relevant to information specific to individuals. Data privacy has always been important. It’s why people put locks on filing cabinets and rent safety deposit boxes at their banks. But as more of our data becomes digitized, and we share more information online, data privacy is taking on greater importance.
Since personal information is a manifestation of an individual personality, the courts of the country have, over time, entwined the concept of privacy with the interpretation of the right to life and personal liberty as provided under Article 21 of the Constitution. It may be interesting to note here that the Supreme Court of India is yet to conclusively decide whether the right to privacy is naturally a fundamental right guaranteed under Article 21 of the Constitution. This decision is expected to be taken by the Apex Court shortly. However, such a right is enforceable against the State alone, and this poses a perplexing question as to which legislation governs the non-State-related aspects of privacy breach.
In this regard, though avenues under law of torts and Indian Penal Code, 1860, always existed, the concepts of data privacy and data protection were given focused attention through provisions of the Information Technology Act, 2000 (“IT Act”) after its amendments in the year 2009 (“Information Technology (Amendment) Act, 2008”).
Under section 43A of the (Indian) Information Technology Act, 2000, where a body corporate possessing, dealing with or handling any sensitive personal data or information is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, such body corporate may be held liable to pay damages to the person so affected. It is important to note that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules deal only with protection of “Sensitive personal data or information of a person”, which includes such personal information which consists of information relating to;
The inadequacy of these few legal sections, in an ever-growing technological world, is inordinate to say the least. With the increase in people’s reliance on internet-based services, deeper and deeper digital footprints are being created, and there is an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used by non-state actors and also by the State. Since the Government had informed the Supreme Court of the constitution of the Committee to review, inter alia, data protection norms in the country, the Court felt it was appropriate to leave the matter for expert determination so that a robust regime for the protection of data is put into place. The Indian Government is, therefore, seeking to further strengthen and equip its regulatory framework for data protection and privacy. Accordingly, a Committee of Experts under the chairmanship of former Supreme Court Justice, Shri B. N. Srikrishna (“Committee”), has been formed to study various issues relating to data protection in India, make specific suggestions on principles to be considered for data protection and suggest a draft Data Protection Bill; it has also sought public comments on questions.
The Committee has also noted that the provisions of the IT Act are limited in their applicability and do not appear to take into account the wide range of instances of data protection violation which may occur due to advancement in technology used towards processing of personal data. Moreover, the quantum of penalty prescribed under the provisions of the IT Act appears to be inadequate and may not act as a deterrence to emerging e-commerce and other technology-based players in India.
Today, 126 countries in the world have national data protection legal frameworks. Yet many countries across the world still do not have comprehensive data protection laws, and in the ones which do, there are ongoing challenges with enforcement of the laws and/or failure to uphold the highest data protection standards. Furthermore, many of these countries have a weak rule of law and power dynamics skewed by socio-economic and political challenges, which raise additional factors that must be addressed.
Of the many countries and regions that have passed various regulations, the European Union stands out for its overarching and comprehensive approach. The 27-country EU directive, passed in 1995, restricts the use, sharing, storing and collecting of personal data. This holistic view of personal data, defined as anything that can identify an individual, including a person’s address and their image, is seen as the gold standard for many countries. It differs from the patchwork laws in the US and some other countries. When the region’s regulators roll out the changes known as the General Data Protection Regulation (GDPR), on May 25, 2018, it will represent the major overhaul of the world’s privacy rules in over two decades. The new regulations offer EU citizens far-reaching new powers over how their data can be collected, used and stored, presenting global leaders outside the 28-country bloc with a stark choice: bring their domestic laws in line with the EU’s new rules, or risk being shut out of a market of 500 million well-heeled consumers.
While much of the developed world seems to be acting to protect personal data, the lack of an overarching privacy law increasingly sets the US apart. American retailers are largely self-policing, so enforcement is limited to a company’s own privacy policy. The US Federal Trade Commission, charged with protecting American consumers, only steps in when a company doesn’t keep its self-developed privacy promise.
These are exactly the kind of bungling policies that gave rise to the Facebook data breach scandal that shook the entire country as well as the rest of the world. A political research firm was able to gain access to data belonging to over 50 million Facebook users through a third-party personality quiz application; the users had absolutely no knowledge of this and had not explicitly given any sort of consent for this to take place. Given Facebook’s privacy policies at the time to hinder these kinds of activities, the quiz app was able to pass this information along to the firm, which then used the information to create detailed user profiles of Facebook users. They used these profiles to essentially develop microtargeted political ads that were intended to sway users in favour of one candidate during the 2016 US Presidential elections. However, Facebook now claims that “people knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked”.
As India has an opportunity to build its data protection framework, it has two models to choose from: the path adopted by the European Union, which is tilted towards privacy of individuals; or the second, the path chosen by the United States of America, where innovation is given primacy over regulation. The Srikrishna Committee in India mentions the two models, and says that “factoring in these diverse objectives, a nuanced and balanced approach towards data protection will have to be followed in India”.
In the absence of a data protection regime in our country, can data be used to manipulate voters in the coming general elections, like what is alleged to have happened during the 2016 American presidential elections?
Shagun Bardia, currently working with Wockhardt’s Legal Team, graduated from Gujarat National Law University in BA. LLB (Hon). She is passionate about Intellectual Property Rights and Contract laws, with previous experience of Media and Intellectual Property space of 3 years.
Lex Witness Bureau