
Data protection regime in India


 

Introduction:

  • In the present era of digital technology and information, data protection is the need of the hour. With the right to privacy recognised as a fundamental right in the Supreme Court’s landmark judgment Justice K.S. Puttaswamy (Retd) v. Union of India, the government must prevent and investigate digital crimes, prevent misuse of data and encourage data security through legislation. Therefore, the Committee of Experts was formed under the Chairmanship of Justice (Retd) B.N. Srikrishna to suggest a draft data protection law.
  • The recent Covid pandemic has increased people’s participation in the digital economy. The very recent data breach at MobiKwik could stand to be India’s biggest breach, with the information of 9.9 crore users in danger. In another incident, three Gujarat-based websites were found disclosing the Aadhaar numbers of beneficiaries on their websites. Given the importance of information in this age, robust data protection regimes are necessary to stop such events and protect users’ interests.

 

Need for a strong data protection regime in India

  • Unauthorized leaks: To check unauthorized leaks, hacking, cyber crimes, and frauds. The economic cost of data loss/theft is high. The recent rise of crimes like the WhatsApp Pegasus scam demands that a data protection law be in place.
  • Right to Privacy: With the right to privacy now a fundamental right (Puttaswamy judgment) under Article 21 of the Constitution of India, framing guidelines for the protection of digital data should be the responsibility of the government.
  • Suppression of dissent and censorship: Unregulated access to data can cause suppression of dissent and censorship. Journalists, human rights activists, etc. can be confined within an invisible prison of surveillance.
  • Improve business processes: Data protection laws would improve business processes, and their compliance will eventually lead to securing digital payments, and improvement in banking operations as well.
  • Data colonizing: To curtail the perils of unregulated and arbitrary use of personal data by data-colonising companies such as Facebook, WhatsApp, etc. For example, the Cambridge Analytica scandal involved the collection of personally identifiable information of up to 87 million Facebook users.
  • To balance between digital economy and privacy: It is important to strike the right balance between the digital economy and privacy protection.
  • Loopholes in existing laws: Until now, the only legal framework for information technology in India is the Information Technology Act, 2000. The Act does not provide guidelines for data collection, storage and processing.

 

 

There are some issues associated with the IT Act, 2000, such as:

  • Misuse of consent: Users’ consent could be misused by data aggregators under broad terms and conditions.
  • Ignoring Data Privacy: The frameworks under the IT Act emphasize data security but do not place enough emphasis on data privacy.
  • Excluding government agencies: The provisions under the IT Act also do not apply to government agencies. This creates a large vacuum for data protection when governments are collecting and processing large amounts of personal data.
  • Inadequate in addressing risks: The present data protection regime has become inadequate in addressing risks emerging from new developments in data processing technology.

 

Data Protection Bill, a departure from the existing regime:

 

  • Rights of the Citizens: The Bill seeks to offer users a set of rights over their personal data. A user will be able to obtain information about the personal data that an entity holds about them.
  • Applicability: The Bill governs the processing of personal data by (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with the personal data of individuals in India.
  • An independent and powerful Authority: The Bill seeks to create an independent and powerful regulator referred to as the Data Protection Authority (DPA). The DPA will monitor and regulate processing activities to make sure they comply with the regime.
  • Transfer of data outside India: It provides for a transfer of data on certain grounds such as when the central government approves transfers to a particular country and when the data protection authority approves the transfer in certain situations.
  • Data mirroring: It does away with the requirement of data mirroring (in the case of personal data). Only individual consent for data transfer abroad is mandatory.
  • Data localization: It will help law-enforcement agencies access data for investigations and enforcement. It will further help the ability of the Indian government to tax Internet giants.
  • Exemptions: Certain exemptions from compliance are provided on grounds such as state security, prevention, investigation, or prosecution of any offence, and personal, domestic and journalistic purposes.

 

 

 

 

Shortcomings of the Data Protection Bill:

  • Compromised Concept of Consent: The government will have the power to access and process data without the consent of a person, on the grounds of weak standards such as necessity and breakdown of public order.
  • Arbitrary provision: The Bill made non-compliance with the law a cognizable and non-bailable criminal offence. This is considered by industries to be an arbitrary provision.
  • Issue of surveillance: There is no provision regarding the issue of surveillance.
  • Data processing: The Bill is unclear about the functions of different departments of the government in data processing and which of the functions are to be served by a processing activity.
  • The Bill does not explicitly deal with data surveillance by non-state actors.
  • Data Protection Authority: When personal data is breached, the person is not informed directly; instead, the breach is reported to the Data Protection Authority. The Authority decides whether to inform the person or not.
  • Right to be forgotten: There is no strict right to be forgotten, unlike the EU’s General Data Protection Regulation (GDPR). It is not compulsory for a data collector to erase data.
  • Legal consequences: The Bill threatens legal consequences for users who withdraw their consent for a data processing activity.
  • Backfire on startups: It may backfire on India’s emerging startups and on large firms that process foreign data in India.

 

 

Way Forward:

  • Robust data privacy laws are needed to permit citizens to enjoy proper privacy. The law should deal with all aspects: data collection, processing and sharing practices. The best practices from both the USA and the EU’s GDPR should be adapted.
  • Privacy should not be used to undermine government transparency. Data protection law should be framed such that it does not make the government opaque and unaccountable.
  • There is a need for a separate law to address oversight of intelligence gathering, rather than dealing with it within the data protection law itself.
  • A separate tribunal or authority can be established to give prior authorization for data surveillance and interception.

 

Conclusion:

  • In this digital age, data is a valuable resource that should not be left unregulated. In this context, the Bill is a step in the right direction. Once the Bill is fine-tuned, it will be an effective law for enforcing the rights of the people over their personal data and will provide a more effective data protection regime.