By: Aishwarya Santosh Patil
Introduction
When thinking about privacy, various scenarios may come to mind. This could include an environment where one can engage with specific individuals without interruption or a space where one can safeguard one’s sensitive information. In today’s context, privacy encompasses information protection, intrusion prevention, and a secure exchange of digital data over the Internet. It is imperative to prioritise addressing data privacy to uphold customers’ fundamental right to privacy and deter unauthorised use of personal data, particularly as India's economy advances technologically.
The right to privacy in India was established in Part III[1] of the Constitution, drawing from key legal cases such as Kharak Singh v. State of U.P.[2] and Justice K.S. Puttaswamy v. UOI.[3] The latter, decided in July 2017, led to calls for robust data protection laws, prompting the Government to form a committee to address these issues. Ultimately, the committee proposed the Personal Data Protection Bill, 2019[4] [‘PDP Bill’], which aimed to protect the personal information of Indian citizens. However, the proposed legislation faced criticism for not adequately addressing certain concerns and for granting significant exemptions to specific groups.
India still needs highly comprehensive and clear legislation governing personal data privacy. The Digital Personal Data Protection Act of 2023[5], a revised version of the PDP Bill 2019, is the most recent attempt to provide standard legislation on the subject. It is currently in the public domain and open for criticism. It is uncertain whether a fresh Act like this will be able to put an end to India’s protracted history of data privacy issues.
Why is there a need to Secure Data Privacy?
The renowned British mathematician Clive Humby said that “data is the new oil”, drawing a parallel between data and crude oil that requires refining based on specific needs and requirements. Similarly, data must be processed in line with organisational needs in order to be effectively utilised. The growing volume of data being stored online, in cloud storage, and on various devices presents numerous risks that could compromise data privacy. By agreeing to the provided ‘terms and conditions’, individuals expose their information to potential misuse, as companies may utilise it for targeted advertising and share it with other applications and websites.
Who is responsible for protecting citizen data from MNCs and hackers? According to research from the Dutch cyber-security company Surfshark, there were 304 accounts breached every minute in the first quarter of 2022. Since 2004, over 14.9 billion accounts have been leaked globally, with 254.9 million of them belonging to users from India.
Legal Framework of Data Protection in India
Constitutional Safeguard
The right to privacy is protected by Article 21[6] of the Indian Constitution, but it is not specifically listed there. The Hon’ble Apex Court acknowledged the Right to Privacy as a fundamental right under Part III of the Indian Constitution in the case of Justice K.S. Puttaswamy v. U.O.I.,[7] where a nine-judge bench interpreted Article 21. Although Article 21 guarantees the right to privacy, it is subject to reasonable restrictions under Article 19(2)[8] of the Constitution. Thus, through several precedents set by the Apex Court, including Kharak Singh v. State of U.P. in 1962[9] and Maneka Gandhi v. U.O.I. & Anr. in 1978[10], privacy was acknowledged as a fundamental right under the Indian Constitution.
Personal Data Protection Bill 2019
As was mentioned earlier in this article, the Government established a 10-member committee, under the leadership of Rt. Justice B.N. Srikrishna, to study the need for legislation protecting data privacy and ultimately propose ‘The Data Protection Act’ in response to the ruling by the Supreme Court in the case of Justice K.S. Puttaswamy v. U.O.I.[11] The committee issued a report that emphasised the need for the State to protect citizens’ interests and data as well as the importance of protecting citizens’ rights. Additionally, it suggested creating ‘Data Protection Authorities’, which would guard and regulate data sent over the Internet. The Ministry of Electronics and Information Technology received the report and the proposed legislation, which Mr. R.S. Prasad, a former Union Minister, introduced in Parliament in 2019.
The Digital Personal Data Protection Act, 2023
The PDP Act was withdrawn by the Ministry of Electronics and Information Technology [‘MeitY’] following input from the public, businesses, ministers, and the Joint Parliamentary Committee Report. The plan is to introduce a new Act after making necessary adjustments and amendments.[12] In November 2022, MeitY introduced a fresh draft of the ‘Digital Personal Data Protection Act of 2023’ and sought feedback from the public and industry professionals. Subsequently, the previous proposal was modified and enhanced.
Applicability: The DPDP Act applies to all online and offline methods of processing personal data collected in India. Additionally, the law has been made clearer about how data may be processed outside of India if used for profiling or providing goods.
Consent & Deemed consent: Before any personal information on a person is collected, they must be informed in advance and given a list of the details that will be requested of them. The person is then free to revoke permission whenever they want. A guardian, either natural or appointed, must consent on behalf of a minor. Situations involving a medical emergency, state security, the welfare of the general public, and employment requirements are the only exceptions to this provision.
Data principal: Data principals have the right to request information about how their data is being gathered and to file complaints, but they are also required to do so truthfully and are subject to fines of up to Rs. 10,000 for failing to do so.
Data Protection Board: In contrast to the earlier Bill, which called for the creation of Data Protection Authorities, the new Act makes reference to the Data Protection Board. The composition of the Data Protection Board and the procedure for nomination and removal must be established by the Union Government, even if the monitoring, reprimanding, and assessment of appeals are identical activities carried out by both regulatory organisations.
Offenses and Penalties: The Act establishes sanctions of up to Rs. 250 crores for incorrect data handling that results in violations and up to Rs. 150 crores for breaching promises to minors. Unlike the previous one, the present Act does not consider the companies’ turnover.
Remarks and Recommendations
As technology seeps deeper into our lives due to innovation and globalisation, the amount of data digitalised and entered digitally keeps increasing daily. Although the Digital Personal Data Protection Act 2023 introduced by the Government has a detailed framework for governing online data, it does have its shortcomings. The provisions of this Act give individuals a high degree of control over what information they enter online and make it essential for all kinds of businesses to maintain complete transparency and keep data security a top priority.
However, many concerns have been raised about some provisions of this Act, where the Government has been granted discretionary power. There is a high chance that an individual’s agency might get hampered as there are no comprehensive guidelines regarding data portability limitations and also the ‘right to be forgotten’. This Act has built a foundation for the future of digital India where the Government, with continuous dialogue with all stakeholders, can ensure that innovation and digital data protection can go hand in hand.
Keywords: privacy, data protection, personal data, corporate bodies, committee.
[1] INDIA CONST. art. 12-35.
[2] Kharak Singh v. State of Uttar Pradesh & ors., AIR 1963 SC 1295.
[3] Justice K.S. Puttaswamy v. UOI, (2017) 10 SCC 1.
[4] The Data Privacy and Protection Bill, 2019, No. 341, Bills of Lok Sabha, 2019 (India).
[5] The Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India).
[6] INDIA CONST. art. 21.
[7] Justice K.S., supra note 3.
[8] INDIA CONST. art. 19, cl. 2.
[9] Kharak Singh, supra note 2.
[10] Maneka Gandhi v. Union of India, (1978) 1 SCC 248.
[11] Justice K.S., supra note 3.
[12] Ibid