
Living in this digital era, there is no denying that technology plays an enormous role in making our lives easier. But this comfort comes at a price, bringing with it problems such as increased cyber-crime, opaque data management and numerous privacy concerns.
In the present day, data privacy and the concerns surrounding it have become a hot potato. In the following article, we explore various aspects of data privacy in India. Before that, let us begin with some basic terminology to better understand the content that follows.
Basic Terminologies
Data: means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.[1]
Personal Data: means any data about an individual who is identifiable by or in relation to such data.[2]
Personal Data Breach: means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.[3]
Processing: in relation to personal data means an automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.[4]
Data Fiduciary: means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.[5]
Data Principal: means the individual to whom the personal data relates and, where such individual is a child, includes the parents or lawful guardian of such a child.[6]
Sensitive Personal Data: means such personal data which may reveal, be related to, or constitute:
(i) financial data;
(ii) health data;
(iii) official identifier;
(iv) sex life;
(v) sexual orientation;
(vi) biometric data;
(vii) genetic data;
(viii) transgender status;
(ix) intersex status;
(x) caste or tribe;
(xi) religious or political belief or affiliation; or
(xii) any other data categorized as sensitive personal data under section 15.[7]
Non-personal Data: the expression “non-personal data” means the data other than personal data.[8]
Right to Privacy
Even though there is no exact definition of privacy, it can be described as a person’s right not to be interfered with unless deemed necessary by law.
In Maneka Gandhi v UOI, the Supreme Court laid down that the Right to Privacy is a Fundamental Right within the ambit of the Right to Life and Personal Liberty under Article 21, which can be curtailed only through a procedure established by law that is just, fair and reasonable.[9]
Right to Privacy as a Fundamental Right:
In KS Puttaswamy v Union of India, popularly known as the right to privacy verdict, Justice Sanjay Kishan Kaul held that “the right to privacy must be considered in relation to its function in society and be balanced against other fundamental rights”.[10]
The Right to Privacy falls under the ambit of Article 21 of the Indian Constitution (Right to Life and Personal Liberty); however, it is also supplemented by other Fundamental Rights such as Article 14 (Right to Equality Before Law) and Article 15 (Right Against Discrimination on Grounds Only of Religion, Race, Caste, Gender, or Place of Birth).
Information Technology Act, 2000
Even though there is no explicit act governing data privacy in India, the IT Act (often referred to together with the IT Rules) deals with data protection and privacy to a certain extent, providing various provisions against hacking, data theft and breach of confidentiality and privacy.
Hacking:
According to section 43(a) of the IT (Amendment) Act, 2008, if any person, without permission of the owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system, computer network or computer resources, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.[11]
According to section 66 of the IT (Amendment) Act, 2008, if any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two-three years, or with a fine which may extend to five lakh rupees, or with both.[12]
Data Theft:
According to section 43(b) of the IT (Amendment) Act, 2008, if any person, without permission of the owner or any other person in charge of a computer, computer system or computer network, downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network, including information or data held or stored in any removable storage medium, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.[13]
According to section 66E of the IT (Amendment) Act, 2008, whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years, or with a fine not exceeding two lakh rupees, or with both.[14]
Breach of Confidentiality:
According to section 43A of the IT (Amendment) Act, 2008, where a body corporate, possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected.[15]
Under section 72 of the IT Act, 2000, save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act or the rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to one lakh rupees, or with both.[16]
Under section 72A of the IT (Amendment) Act, 2008, save as otherwise provided in this Act or any other law for the time being in force, any person, including an intermediary, who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, and who, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material to any other person without the consent of the person concerned or in breach of a lawful contract, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.[17]
Digital Personal Data Protection Bill 2022
Timeline
After a nine-judge bench unanimously held the right to privacy to be a fundamental right under Article 21 (Right to Life and Personal Liberty) of the Indian Constitution in KS Puttaswamy v UOI on 24 August 2017, a committee was appointed under the chairmanship of Justice BN Srikrishna, which submitted a Draft Data Protection Bill in August 2018.
The Draft then went through several additions, deletions and substitutions, resulting in the Personal Data Protection Bill, 2019.
The Personal Data Protection Bill, 2019 was then referred to a Joint Parliamentary Committee, which was to examine the bill and submit its report by the last week of the Budget Session 2020. The process was delayed by the COVID-19 pandemic; the report was finally adopted in December 2021, and the Draft Data Protection Bill, 2021 was tabled alongside it.
On 3 August, the Draft Data Protection Bill, 2021 was withdrawn from Parliament with the aim of presenting a more ‘comprehensive legal framework’, which led to the fourth iteration of India’s draft data protection law, the Digital Personal Data Protection Bill, 2022, released on 18 November 2022.
Summary
Application of the act (section 4)
(1) The provisions of this Act shall apply to the processing of digital personal data within the territory of India where:
(a) such personal data is collected from Data Principals online; and
(b) such personal data collected offline, is digitized.[18]
(2) The provisions of this Act shall also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any profiling of, or activity of offering goods or services to Data Principals within the territory of India. For the purpose of this sub-section, “profiling” means any form of processing of personal data that analyses or predicts aspects concerning the behavior, attributes or interests of a Data Principal.[19]
(3) The provisions of this Act shall not apply to:
(a) non-automated processing of personal data;
(b) offline personal data;
(c) personal data processed by an individual for any personal or domestic purpose; and
(d) personal data about an individual that is contained in a record that has been in existence for at least 100 years.[20]
General Obligations of Data Fiduciary (section 9)
(1) A Data Fiduciary shall, irrespective of any agreement to the contrary, or noncompliance of a Data Principal with her duties specified in this Act, be responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf by a Data Processor or another Data Fiduciary.[21]
(2) A Data Fiduciary shall make reasonable efforts to ensure that personal data processed by or on behalf of the Data Fiduciary is accurate and complete, if the personal data:
(a) is likely to be used by the Data Fiduciary to make a decision that affects the Data Principal to whom the personal data relates; or
(b) is likely to be disclosed by the Data Fiduciary to another Data Fiduciary.[22]
(3) A Data Fiduciary shall implement appropriate technical and organizational measures to ensure effective adherence with the provisions of this Act.[23]
(4) Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.[24]
(5) In the event of a personal data breach, the Data Fiduciary or Data Processor as the case may be, shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed. For the purpose of this section “affected Data Principal” means any Data Principal to whom any personal data affected by a personal data breach relates.[25]
(6) A Data Fiduciary must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that:
(a) the purpose for which such personal data was collected is no longer being served by its retention; and
(b) retention is no longer necessary for legal or business purposes.[26]
(7) Every Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the Data Principal’s questions about the processing of her personal data.[27]
(8) Every Data Fiduciary shall have in place a procedure and effective mechanism to redress the grievances of Data Principals.[28]
(9) The Data Fiduciary may, where consent of the Data Principal has been obtained, share, transfer or transmit the personal data to any Data Fiduciary, or engage, appoint, use or involve a Data Processor to process personal data on its behalf, only under a valid contract. Such Data Processor may, if permitted under its contract with the Data Fiduciary, further engage, appoint, use, or involve another Data Processor in processing personal data only under a valid contract.[29]
Right to Information about personal data (section 12)
The Data Principal shall have the right to obtain from the Data Fiduciary:
(1) the confirmation whether the Data Fiduciary is processing or has processed personal data of the Data Principal;
(2) a summary of the personal data of the Data Principal being processed or that has been processed by the Data Fiduciary and the processing activities undertaken by the Data Fiduciary with respect to the personal data of the Data Principal;
(3) in one place, the identities of all the Data Fiduciaries with whom the personal data has been shared along with the categories of personal data so shared; and
(4) any other information as may be prescribed.[30]
Right to Correction and Erasure of Personal Data (section 13)
(1) A Data Principal shall have the right to correction and erasure of her personal data, in accordance with the applicable laws and in such manner as may be prescribed.[31]
(2) A Data Fiduciary shall, upon receiving a request for such correction and erasure from a Data Principal:
(a) correct a Data Principal’s inaccurate or misleading personal data;
(b) complete a Data Principal’s incomplete personal data;
(c) update a Data Principal’s personal data;
(d) erase the personal data of a Data Principal that is no longer necessary for the purpose for which it was processed unless retention is necessary for a legal purpose.[32]
Right to grievance redressal (section 14)
(1) A Data Principal shall have the right to readily available means of registering a grievance with a Data Fiduciary.[33]
(2) A Data Principal who is not satisfied with the response of a Data Fiduciary to a grievance or receives no response within seven days or such shorter period as may be prescribed, may register a complaint with the Board in such manner as may be prescribed.[34]
Right to Nominate (section 15)
A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act.[35]
For the purpose of this section, “incapacity” means inability to exercise the rights of the Data Principal under the provisions of this Act due to unsoundness of mind or body.
Duties of Data Principal (section 16)
(1) A Data Principal shall comply with the provisions of all applicable laws while exercising rights under the provisions of this Act. [36]
(2) A Data Principal shall not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board.[37]
(3) A Data Principal shall, under no circumstances including while applying for any document, service, unique identifier, proof of identity or proof of address, furnish any false particulars or suppress any material information or impersonate another person.[38]
(4) A Data Principal shall furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the provisions of this Act.[39]
Concerns
- Some have raised concerns that the bill is too vague regarding the powers of the Data Protection Board of India (DPBI), and have argued that the repeated use of phrases like ‘as may be prescribed’ or ‘as may be specified’ may lead to abuse of power.
- The bill has also been criticized for being silent on cross-border transfer of digital personal data. What kind of data may be transferred to which countries remains unclear and is left to the discretion of the government.
- Whether a 17-year-old should be treated the same as a 5-year-old remains disputed. Many have argued that a child should be defined as someone below the age of 16 instead of 18.
- The categories of critical personal data and sensitive personal data have been removed, increasing the risk of personal data breach.
Conclusion
Even after five years of the right to privacy verdict and four iterations of the Draft Data Protection Bill, the legal framework for data privacy is still a work in progress, and until it is enacted the IT Rules, 2000 will continue to govern data protection in India.
The Digital Personal Data Protection Bill, 2022 has attracted considerable criticism, in the hope that the government will take up the suggestions and come up with a revamped version of the bill.
[1] The Digital Personal Data Protection Bill, 2022 3, https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf (last visited Jun 11, 2023)
[2] Id. at 4
[3] Id. at 4
[4] Id. at 4
[5] Id. at 3
[6] Id. at 3
[7] The Personal Data Protection Bill, 2019 (as introduced in Lok Sabha), 9
[8] Id. at 41
[9] AIR 1978 SC 597
[10] KS Puttaswamy v Union of India, (Civil) No. 231 of 2016; Contempt Petition (Civil) No. 444 of 2016 in Writ Petition (Civil) No. (2017)
[11] The Information Technology (Amendment) Act, 2008, 16–17
[12] Id. at 24
[13] Id. at 16
[14] Id. at 25
[15] Id. at 17
[16] Id. at 30
[17] Id. at 30
[18] The Digital Personal Data Protection Bill, 2022, supra note 1, at 5
[19] Id. at 5
[20] Id. at 5
[21] Id. at 10
[22] Id. at 11
[23] Id. at 11
[24] Id. at 11
[25] Id. at 11
[26] Id. at 11
[27] Id. at 12
[28] Id. at 12
[29] Id. at 12
[30] Id. at 14
[31] Id. at 14
[32] Id. at 14
[33] Id. at 14
[34] Id. at 15
[35] Id. at 15
[36] Id. at 15
[37] Id. at 15
[38] Id. at 15
[39] Id. at 15
Author: Kartika Barsainyan
