The announcement of the PDP Bill in 2019 led the way to many developments in the protection of personal data. The bill has been tabled before a joint parliamentary committee for further review.
Introduction
The notion of privacy in the modern world exists in a state of latency: it is described as something that is there, but not exactly there. Anthony Burgess captured this modern problem in fitting words: “To be left alone is the most precious thing one can ask of the modern world.” The General Data Protection Regulation (GDPR) is the legal framework under EU law for data privacy and protection in the European Union. The GDPR introduced new guidelines in the form of privacy risk assessments that business entities and organizations around the world should conduct, namely the Data Protection Impact Assessment (DPIA), an assessment introduced with the purpose of ensuring consumer data protection.
India is not a party to any of the EU conventions on data protection. India does, however, comply with other international conventions under which the ‘Right to Privacy’ is recognized, namely the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.
India has not yet enacted any dedicated legislation for data protection, but the Indian Government has amended the Information Technology Act, 2000 to include section 43A and section 72A, which provide a ‘Right to Compensation’ for leakage of personal data.
The Information Technology Rules framed under Section 43A impose certain requirements on business and commercial entities in India regarding the collection and processing of sensitive personal data. Moreover, the Personal Data Protection Bill (PDPB) 2019 was introduced by the Government of India as the preliminary law for the protection of personal data.
Laws Regulating the Collection and Processing of Personal Data
Sections 43A and 72A of the Information Technology Act 2000 are the two provisions that regulate the collection and processing of personal data in India. Section 43A provides that whenever a business entity acquires sensitive personal data of a person and fails to maintain appropriate security for the protection of that information, and this results in a wrongful loss or wrongful gain to any person, the business entity is liable to pay damages to the person affected. Section 72A of the IT Act deals with punishment for the leakage of personal data in breach of a lawful contract: a person who discloses personal data in this way may be punished with imprisonment of up to 3 years, or a fine not exceeding rupees 5 lakh, or both.
Apart from these provisions, the government of India introduced the ‘Personal Data Protection Bill, 2019’ (PDPB), which deals with the collection and processing of personal data. The bill was further referred to a joint parliamentary committee for detailed examination. The purpose of introducing the bill was to protect the personal data of individuals, create a legal framework for the collection and processing of such data, and establish an authority for data protection.
What Constitutes Personal Data for the Purpose of Data Protection Laws?
Data falls broadly into two classes: personal data and non-personal data. Personal data includes all the sensitive information of an individual, that is, attributes that can reveal the identity of a person such as a name, location, email address, etc. Non-personal data is information that does not reveal the identity of an individual.
Data protection refers to the procedures and rules that reduce the intrusion into an individual's privacy caused by the collection and processing of personal data.
Personal data refers to information about an identifiable person; a person who can be identified is known as an identifiable natural person. Personal data consists of location data and identification numbers, together with the genetic, physical, social and economic identifiers of the same person.
Analyzing the concept of ‘Personal data’ in the context of IT Act, 2000 and Personal Data Protection Bill
The Information Technology Rules, 2011 apply only to business organizations and persons located in India. Rule 3 of the IT Rules 2011 provides a list of items that are considered “sensitive personal data”, including passwords, financial information such as credit/debit card details, biometrics, physical and mental health conditions, and sexual orientation. It is also stated that any data that is accessible in the public domain is not considered sensitive personal data.
Rule 4 deals with the duty imposed on the business entity to draft a privacy policy that is easily accessible on the organization's website. The policy should state what information is being collected, the reason for collecting it, and the security measures the organization practises to prevent intrusion into the personal data.
Rule 5 sets out guidelines that an organization should follow while collecting sensitive personal data; they are as follows:
• One of the major guidelines to keep in mind while collecting the data is obtaining the consent of the person providing the information in writing; consent can also be obtained via any electronic mode of communication.
• No information shall be collected without a lawful purpose, and it should only be used for the purpose for which it was collected. The organization should not retain the information for longer than it is required.
• The person providing the information should be made aware of the purpose of the collection and the name and address of the organization collecting the data.
• The person providing the information shall be offered an opportunity to review the information provided.
• A grievance officer should be appointed, and the name and contact information of the officer should be published on the website. The officer appointed shall address the grievances of the persons within 1 month of the data being provided.
• Rule 6 of the IT Rules provides that the business organization must obtain prior permission from the person providing the information before disclosing it to a third party. No such permission is required if the information is requested by a government agency under an order of law.
The appropriate security measures and procedures that must be implemented by the business entity collecting the information are dealt with under Rule 8 of the IT Rules, 2011.
The Personal Data Protection Bill, 2019 regulates the processing, collection, and retention of sensitive personal data. Under the PDP Bill, the business organization that decides the purpose of collecting data is referred to as the Data Fiduciary, and the person whose data is being collected is known as the Data Principal. The bill also regulates the processing of the personal data of Indian citizens by foreign organizations.
To whom do data protection laws apply?
The Personal Data Protection Bill, 2019 states that it regulates the collection, processing, retention, and sharing of the sensitive personal data of any individual residing in India when done by the Government of India, any Indian organization, any citizen of India, or any body of persons formed under Indian law. Moreover, it applies to data fiduciaries not present within the territory of India if they have a connection with any sort of business conducted in India, or if their processing involves the profiling of the personal data of any person residing in India.
In the case of Balu Gopalakrishnan v. the State of Kerala, the Kerala High Court passed an interim order on the sharing of personal data related to COVID-19 by the State Government of Kerala with a US-based organization, Sprinklr, for data analysis. The Kerala High Court held that certain measures, such as obtaining consent from the citizens, anonymizing the data, and not retaining the information for longer than required, must be implemented by the state government before providing Sprinklr with access to personal data.
What are the principal obligations of Data Controllers to ensure the proper processing of personal data?
Indian law does not follow the concept of data controllers and data processors; the Information Technology Rules, 2011 follow the concept of data fiduciaries and providers of information. The General Data Protection Regulation, by contrast, designates data controllers and data processors to ensure the proper processing of personal data. Under the GDPR, the data controller carries the most responsibilities.
In general, the primary responsibility of the data controller is to ensure that the data processing complies with EU data protection law.
Article 24 and Recital 74 of the GDPR state that the data controller should ensure that data processing is in accordance with the requirements of the GDPR. The data controller should also implement appropriate technical and organizational measures, including a well-drafted privacy policy.
Some of the principal obligations of the data controller to ensure the proper processing of personal data are as follows:
• The data controller must ensure that data is processed lawfully and transparently.
• The data controller must ensure that data is collected and processed for a specific purpose and not for any other reason that is incompatible with the original purpose.
• The data controller must ensure that the collected data is accurate and kept current.
• The data controller must ensure that the processing of data complies with the requirements of the GDPR.
Conclusion
The announcement of the Personal Data Protection Bill in 2019 led the way to many developments in the protection of personal data. While we may expect an extensive approach towards personal data protection in 2021, the bill has also been tabled before a joint parliamentary committee for further review. Cross-border sharing of data is under scrutiny, and its finalization will considerably affect the ability of foreign organizations to conduct more business in India. Moreover, in the case of Justice K.S. Puttaswamy v. Union of India, the Hon’ble Supreme Court of India held that the right to privacy is a fundamental part of Article 21 of the Indian Constitution. Despite the undue delay by the government, the protection of every citizen's personal data must be the utmost priority; the authorities have put data protection rules in place, and the enactment of the PDP Bill will bring vital relief while sections 43A and 72A of the Information Technology Act remain in force. The preamble of the Personal Data Protection Bill states that it protects the privacy of individuals in regard to their personal data by forming a relationship of trust between the organizations processing the data and the individuals whose data is being collected. Furthermore, awareness of data protection is on the rise, policies like the PDP Bill strengthen the cybersecurity of the nation, and the Indian judiciary is more inclined towards it than ever before.