Amid the Aadhaar and privacy hearings, the Centre had informed the court that it had formed an expert committee headed by retired Justice B N Srikrishna to study issues relating to data protection in India and to suggest a draft Data Protection Bill. The committee consists of five experts in fields relating to data protection.
In the digital age, privacy has become an intensely discussed and debated topic. In India, we are seeing that with the ongoing Aadhaar case in the Supreme Court, a new public discourse has started around the issue of digital privacy, and where the law currently stands on this subject.
A nine-judge bench passed its ruling on Thursday in the Aadhaar-privacy matter, making the right to privacy a fundamental right under the Constitution of India. Here we explain what data privacy is and under which laws India currently regulates it.
What is data privacy and data protection?
A right to protect one’s data on online platforms constitutes data privacy. Such data could concern an individual, an enterprise or even a government. Going by the definition of personal data laid down by the European Union’s data protection guidelines, “information concerning an identified and identifiable natural person” covers the scope of personal data. Therefore, if we follow this definition, the personal information provided by individuals when submitting biometrics would be included. But data submitted through biometrics or for economic purposes remains at risk in India, since no legislation has been chalked out to protect such personal data.
What are the data protection laws in India?
Data protection in India is governed by loosely constructed provisions of the Information Technology Amended Act, 2008 (ITAA), under Sections 43-A and 72-A of the Act. Compensation for failure to protect data (Section 43-A) was introduced by way of an amendment in 2008; it states the liability of a body corporate to compensate in case of negligence in maintaining and securing “sensitive data.” However, the Act fails to define “sensitive data” and merely describes it as “personal information as may be prescribed by the Central government.”
Three years later, the IT Rules 2011 were issued by WIPO, defining in detail the term “sensitive data” and what it entails. As the IT Rules have been poorly drafted, their applicability has always been in question.
Breach of data privacy has also been addressed under the ITAA and is punishable under Section 72-A (introduced by an amendment in 2008), which penalises the offender with a three-year imprisonment or a maximum fine of Rs 5 lakh.
The effort to bring in a second legislation — the Personal Data Protection Bill — governing data protection and privacy has been in the pipeline since 2006. Several amendments have been made to the Bill, and the latest draft was introduced in the Rajya Sabha in 2014. This bill provides only a brief definition of “personal information” and vaguely explains the role of a “Data Controller.” A data controller is defined as a person who examines complaints relating to the processing and disclosure of personal data and claims for compensation. Besides failing to spell out the duties and responsibilities of a data controller, the bill also fails to address the issue of outsourced data and the liabilities of companies outsourcing and hosting that data.
The current legislation (ITAA) fails to mention the enterprises that store data, leaving open their liability in case of a breach and the compensation due to consumers.
How do the foreign data protection laws regulate data privacy?
European Union (EU): Distinct from all other major human rights documents, protection of people’s data has been included as one of the fundamental rights of the European Union under Article 8 of the Charter of the Fundamental Rights of the European Union. The right to privacy and the consent of the individual form the basis of Article 8, which adds the right to access one’s data and the right to have it rectified.
The EU superseded the Data Protection Directive with the General Data Protection Regulation in 2016; the Regulation will be enforceable from 2018 and will apply to all 28 members of the European Union. Data processors, including both individuals and companies processing large volumes of data, will be held accountable under the law.
In order to remove obstacles to the cross-border flow of data, the Directive states that people’s privacy and freedoms should be maintained at all levels by treating data equivalently in all Member States.
The European Union Directive 95/46/EU, the Data Protection Directive, places liability for a data breach on the data controller. According to the provision, any person who has been subject to a data breach is entitled to compensation from the data controller.
Japan: After the European Union, Japan introduced a separate central legislation for the protection of data, the Act on the Protection of Personal Information (APPI). The Act took partial effect in 2016 and has been enforceable from May 30, 2017. The law defines its own scope and states to whom it applies under Articles 2-4 of the APPI. As per the Act, it is applicable to four entities: state institutions, local public bodies, independent administrative agencies and an entity not holding over 5,000 individuals’ personal information for more than six months. Similar to the EU law, the consent of the data subject forms the essence of the legislation and has been made mandatory in case of transmitting data to a third party or for any use beyond communication purposes.