The uproar over Chinese firms monitoring and collecting users’ data without their consent, and its availability in the public domain, has underlined the need for laws to protect the personal data of the citizens. This will in turn help the common folk be aware of the privacy rights they are entitled to and make any breach a punishable offense. The Personal Data Protection Bill 2019, which was introduced in the Lok Sabha in December 2019, is currently under review by a Joint Parliamentary. The Information Technology Act, 2000, read along with Information Technology Rules, 2011, contain fixed provisions governing the protection of personal data in India.
Our information shared on any public platform gets shared instantaneously and is vulnerable until the proper laws of the said country don’t govern them. This is where data protection steps in. Data protection regulations secure the privacy of the individuals’ data and safeguard rules to make sure you remain in control of your data online. In other words, an individual is responsible and holds the power to how widely his or her data can be shared.
Two of the many reasons why the government needs to make the laws more comprehensive is because (a) people have started to share more online. The more they share, the more vulnerable their data becomes, and (b) companies have sworn to secrecy and protection of people’s data by self-regulation or co-regulation mechanisms.
Currently, India does not have specific legislation enacted primarily for data protection. India’s statutory method for data protection and privacy is Information Technology Act, 2000 (the IT Act), and its corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the IT Rules). An individual’s data is also protected under Article 21 of the Indian Constitution which states ‘The Right to Privacy’ as a fundamental right.
Relevant Sections of the IT Act –
Section 43A contains that any body corporate, which includes firms, or commercial activity where the organization is handling personal data in a computer resource which it owns negligently causes harm to an individual, the said firm is liable to pay damages in form of compensation to the person who has been affected.
With the new bill introduced in the parliament, the PDPB seeks to protect ‘Personal Data’ (identity, traits of a person) and ‘Sensitive Personal Data’ (gender, financial data, health, caste/tribe, etc.); this excludes the anonymised data or the non-personal data. Data Fiduciaries will undertake transparency measures that include preparing a policy, taking necessary steps to maintain transparency in processing data, implementing secure safeguards, etc.
The PDPB puts forward data processing by fiduciaries only when the consent is given. However, there might arise certain situations where consent wouldn’t be mandatory – a) state providing benefit to individual; b) legal proceedings; c) responding to medical emergencies, etc. The Personal Data Protection Bill 2019 contains rights of the individual that includes obtaining authentication from the fiduciary whether or not their data has been processed, seek correction or update of private data, data probability, and right to be forgotten – which means restricting the proceeding of their data provided that it is no longer required.
The Personal Data Protection Bill 2019 also puts forward the Data Protection Authority of India which protects the interest of citizens, avert misuse of their data, and raises awareness. The Central Government can exempt any governmental agency from the applicability of the Act. So while India’s interest ensures to upload the rights and economic welfare of the citizens, with the exemptions of the PDPB, it’s unclear if the objective will be met. Meanwhile, we hope the policymaking pendulum swings the right way.
By Amaal Sheikh, B.A L.L.B, Hamdard Institute of Legal Studies and Research (HILSR), Jamia Hamdard University, New Delhi