Deepika Nain, from Law Center-1, Faculty of Law, University of Delhi.
Need for Stronger Data Protection Laws in India
According to an IBM report released on February 24th, 2020 India was the second most attacked country by cyber criminals after Japan in Asia Pacific.
Everyone we know now a days is connected to internet and is using extensive information and data, that’s why 21st century has been described as the Age of Information. But daily we came across incidents where the personal and important data of users is compromised, used for various purposes illegally by different organization. We have witnessed instances where data collected is not handles with proper care, systems being hacked, people’s privacy being compromised. Who is responsible for all this?
So, the purpose of this article to throw some light on the present rules, regulations and laws applicable in India for the protection of data and to cite reasons why India needs to implement stronger Data Protection Laws to cope up with this Digital era of 21st century.
At present in India any specific law for data protection is not in force. Some provisions of Information technology Act, 2000 (IT Act) and The Information technology (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information) Rules, 2011 (SPDI Rules) are amended from time to time so as to deal with personal information and sensitive personal data and information. After amendment Section 43A and 72A were included in IT Act, 2000 which provides for the right to compensation in case of improper disclosure of personal information.
Personal Data Protection Bill, 2019 was presented by the Government in the parliament. But it’s still not enacted and is currently pending before a Joint Parliament Committee for consideration. The main purpose of this bill is to provide protection to the privacy of individuals relating to their personal data. This bill Specifies the flow and usage of personal data. This bill also tries to establish a relationship of trust between persons and the organizations processing the personal data of individuals. The bill lays down the provision for providing fundamental right to protect privacy of individuals whose personal data is processed. It also provides an organizational and technical framework for processing of personal data. It lays downs various rules and norms for social media intermediary, cross-border transfer. It also establishes the accountability of entities processing data. It also provides various remedies to individuals in case their data is processed harmfully and without authority. Most necessarily it establishes a Data protection Authority of India for complying with all the above state purposes.
Let’s try to find out this answer by taking a look at the European law for data protection and protection of privacy of individuals.
The general data protection regulation (GDPR) of European Unions is one of the best data protection regulations worldwide. It is one of the toughest and strongest data protection regulations. It was made on 14th April 2016 and was implemented on the 18th of May, 2018 as a successor of Data Protection Directives.
It is basically a regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It gives the fundamental right to data protection whenever personal data is used by criminal law enforcement authorities for law enforcement purposes to the citizens of the European Union. In particular, it ensures that the personal data of victims, witnesses, and suspects of crime are duly protected.
European Union Charter of Fundamental rights gives the European citizens the right to protection of their personal data unlike The Constitution of India.
The main principles which a data protection acts needs to follow are:
1. Fair and lawful: Any organization collecting personal data should state the particular reasons for collecting such need and also, they should provide full transparency explaining how they are going to use such collected data. The organizations collecting data must have legal ground explaining why they need to do so and ensure that it doesn’t use the data collected for any other use than stated. And the laws applicable in any country must ensure that this is includes as a provision in the law and must ensure that the organizations are following the rules implemented
2. Specific for its purpose: The laws applicable must state that the organizations can use the data only for the specific purpose the one which they have stated as the reason to collect data. The data should not be used for any further purposes by the organization unless clear consent is not obtained from the consumer for such act. For example, a company collects data for marketing certain type of product they should not share the data further to other companies marketing other product unless the consent is not obtained from the consumer. There are many examples for this like the data of the students are leaked by various coaching institutes to various educational organizations, especially private organizations, another example is sharing of data by various online websites of browsing details of the consumer.
3. Be adequate and only for what is needed: The Laws must contain a provision stating that organizations should only collect data which is necessary and use the technique of minimization that is collecting minimum of the minimum data of the consumer. For example, in case a consumer unsubscribes from the services of the organization then the data relating to that customer needs to be deleted by the organization and just keep minimum information relating to that customer for keeping a record of former customers.
4. Accurate and up to date: The organizations need to keep an updated information relating to customers for contacting them. If any detail regarding a customer is changed the company needs to stop contacting from that detail because case may be that the same contact details are now used by someone else. Also, the organization needs to be attentive for updating any changed information and should not solely rely on customer that he will come and ask for the updates to be done.
5. Not kept longer than needed: The legislation regarding Data protection should state that the data collected by any organizations should be retained only for the period required not longer than that. There needs to be proper rules as to delete and dispose the data no longer in use or no longer required. This will also help in easy maintenance of the data
6. Take into account people’s rights: The data protection legislation should provide certain rights to the persons whose personal data is used for different purposes. They should be provided with the right of asking for any information relating to their data in case they need, right to ask for stop using data in case it is used for unauthorized purposes, get incorrect data changed, also there should be provision regarding compensation in case of data breach.
7. Kept safe and secure: The legislation must provide for proper and secure system for storing Data. It must provide for the technical as well as physical security systems that must be used to keep the data safe. Guidelines for appointing well trained staff should be clearly put forth so as to handle Personal data of persons with due care and responsibility. The level of security must be in accordance with the type of organization for example, an intelligence agency needs stronger system than a bank and a bank need a stronger system than a normal retail store.
8. Data Not to be transferred outside: The legislation must provide for rules defining the area in which data can be shared. Under no circumstances the personal data be shared to any country not having same level of data protection acts.
So, keeping on view India’s Current position we need to bring a Strong Data Protection Law in force bearing all these qualities as soon as possible. Because we can see everything is turning online these days. The Government of India has also launched the ‘Digital India’ Initiative as a step towards digitalization.
Question arises why privacy is this much importance.
As we know still most of India’s population resides in rural areas. According to word bank approximately 65.5% of the total population still resides in rural areas of India. And out of the total population of India only 86% adults are literate. And India population until 2019 is approximately 136 crores. And chances are there that people residing in rural areas and illiterate people are not well versed with technology these days. So, they are the one who suffers a lot because of such drastic change. And they are also citizens of India, their rights, their privacy also need to be protected.
As we all know India being a post-colonial country and post colony of Britain has adopted many regulations as it is in past or after independence. But in today’s era, the times have changed, people’s needs have changed, so does the requirements for becoming an advanced and digitally revolutionized country. If India wants to become fully digital in the coming years then, first of all, it needs to win peoples’ trust that their personal data is in safe hands. India also needs to implement a strong law like GDPR in order to ensure safety of people’s data.
As most of the Indian population is uneducated and lives in ruler areas and mostly depends on agriculture so to win over their trust and to make them fearless while using digital systems, we need to ensure that a proper and efficient data protection law or regulation is adopted in India.
Keeping in mind the action taken by the government in two phases banning various apps, if there is a proper Data protection law implemented in India then all these companies will be under the dimension of this law and they no more will be able to any unethical thing like releasing the personal data of the users or selling the personal data of the users.
In India people are assigned the Right of Privacy as a fundamental right under constitution of India. Article 21 gives the fundamental right of privacy of an individual. The Supreme Court also confirmed the Right to privacy in Justice K.S. Puttaswamy vs Union of India. As Right to privacy is a fundamental right it can-not be taken by law or anyone instead it needs to be protected by law.
Now as Right to privacy is a Fundamental Right and Honorable Supreme Court also affirmed it, then all this confirms that with the growing information and technology, privacy need to be maintained. And if there arises a conflict between infringement of privacy rights and public interest, reasonable care should be taken to see what holds more Importance.
Hence in order to ensure everyone’s data is in safe hands and is utilized legally for the right purpose, to protect everyone’s fundamental right of privacy which is being breached by many public and private organizations in different time sphere as well as circumstances needs to be protected by implementing a strong and specific Data Protection Law in India.
 Information and Technology Act, 2000.
 Personal Data Protection Bill, 2019.
 The general data protection regulation