Data Privacy Protection in India – Technology vis-à-vis Law
With the advent of many kinds of technology, and their availability at ever lower cost, people around the world have come to rely on technology in daily life. From ordering food online to shopping for clothes, books and other necessities, to booking tickets and doctors' appointments, to digital payments, almost every aspect of one's life has become dependent on technology. Put simply, life now depends on two essentials: (i) a smartphone; and (ii) internet access. It is important to note, however, that the success of such technology depends, among other things, on the data/information it collects, or that is collected for it. Data has therefore become the 'new oil': obtaining, processing and using data to build and refine the algorithms behind digital services has become a major expense for the companies providing them, and the data itself a valuable asset. This has opened a Pandora's box of issues to discuss, and of potential misuse to worry about. Three important questions for us to understand are: what rights we have over our data, how the law protects those rights, and what companies should do to safeguard them.
Current Law in India:
- The Information Technology Act, 2000, as amended in 2008, introduced:
- Section 43A of the Information Technology Act (ITA), which provides that any body corporate that possesses, deals with or handles any "sensitive personal data or information" in a computer resource it owns, controls or operates must implement and maintain reasonable security practices and procedures for such data. If it is negligent in doing so and thereby causes wrongful loss or wrongful gain to any person, it is liable to pay compensation to the affected person.
- Section 72A, which provides for the punishment of any person who intentionally or knowingly discloses personal information about another person, obtained while providing services under a lawful contract, without the consent of the person concerned or in breach of a lawful contract.
- Subsequently, the Government notified, under Section 43A, the 'Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011' ("IT Rules"):
- The IT Rules define "personal information" as any information that relates to a natural person and which, directly or indirectly, in combination with other information, is capable of identifying that person, i.e. "personally identifiable information". "Sensitive personal data or information" is defined as a sub-category of personal information, covering items such as passwords, financial information (bank account, card or other payment instrument details), physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information.
- The IT Rules require a body corporate that collects, receives, possesses, stores, deals with or handles personal information to publish a privacy policy that provides:
- clear and easily accessible statements of its practices and policies;
- the purpose of collection and usage of such information; and
- the kind of information collected (whether personal information or sensitive personal data or information).
- The Rules further require that, before collecting sensitive personal data or information, consent is obtained in writing (by letter, fax or email) from the provider of the information regarding the purpose of its usage.
- The body corporate has to give the information provider the option not to provide the information sought (both personal and sensitive personal), and, at any time while availing the services or otherwise, the option to withdraw consent given earlier.
- Disclosure of sensitive personal data or information by the body corporate to any third party requires the prior permission of the provider of such information, unless such disclosure was agreed to in the contract between them or is required by law.
- The body corporate has to designate a Grievance Officer and publish the officer's name and contact details on its website.
- In light of the above, the following is a quick checklist (i) for companies to follow, and (ii) for the public to check whether a company is complying before handing over data for collection and use:
- Differentiate between (a) personal information; (b) non-personal information; and (c) sensitive personal data or information.
- Publish a privacy policy.
- Obtain explicit consent in writing or by email (look for a tick box or pop-up asking you to accept the terms and conditions and privacy policy).
- Offer an option not to provide the information.
- Offer an option to withdraw consent already given.
- Take permission from the provider of the information before sharing any information collected with third parties.
Advent of data-privacy discussions in India:
- In Justice K S Puttaswamy and ors. vs Union of India and ors. ("Aadhaar Judgment"), a nine-judge bench of the Supreme Court held in 2017 that the Right to Privacy is a Fundamental Right, protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.
- The judgment, apart from recognizing privacy as a fundamental right, has recognized informational privacy as a facet of privacy.
- It has recognized the need for data regulation and has pointed out some important characteristics of information, namely:
- Information is non-rivalrous (i.e., the same information can be used by several users and players at once without being used up);
- Information (its collection, use, storage and processing) can be invisible (i.e., the information provider may not be aware of such collection, use, storage or processing);
- Information is recombinant (i.e., fragments of information collected from various sources can be combined to form a complete profile of a person).
- The Judgment has recognized that a certain class of information warrants a reasonable expectation of privacy and the “right to be left alone”.
- It is pertinent to note that the current enactment (the Information Technology Act, 2000, as amended in 2008, together with the IT Rules framed under it) recognizes "personal information" and "sensitive personal data or information", and stipulates that sensitive personal data or information can be collected or used only with the explicit consent of the user, who must have the choice of whether or not to provide such information.
- The Judgment has emphasized the requirement of transparency in obtaining consent for collection, use, retention and processing of information generally.
- The Judgment has also laid out that any encroachment of privacy has to be through a legislated law in existence and such law should meet all constitutional requirements when imposing any reasonable restrictions on fundamental rights.
- The bench left it to the legislature to adopt a regime for data protection that strikes a careful and sensitive balance between individual interests and the legitimate concerns of the State.
Prospective Law in India on Data Privacy and Protection:
The Central Government of India set up a committee of experts headed by Hon'ble Justice B N Srikrishna to study the challenges surrounding data privacy and protection in India. On 28 November 2017, the committee released a white paper seeking comments from stakeholders including the public, companies and think-tanks. On the basis of the suggestions and comments received, the committee submitted its report with recommendations on data protection, together with a draft Personal Data Protection Bill, 2018, to the Ministry of Electronics and Information Technology in July 2018.
Key takeaways from the Bill:
- It applies to (i) the data principal (the natural person to whom the personal data relates); (ii) the data fiduciary (who determines the purpose and means of processing); and (iii) the data processor (who processes the data on behalf of a data fiduciary).
- It doesn’t apply to processing anonymized data.
- Personal data can only be processed for the purpose which has been specified at the time of collection.
- Collection of personal data is to be limited to data that is necessary for the purposes of Processing.
- Consent is the primary ground on which personal data may be processed (the Bill also lists limited non-consent grounds, such as functions of the State, compliance with law, emergencies and employment). For sensitive personal data, the consent has to be explicit.
- At least one serving copy of personal data must be stored on a server or data centre located in India, and "critical personal data" (to be notified by the Government) can be processed only in India.
- Penalties: (i) up to the higher of Rs. 5 crore or 2% of total worldwide turnover for failures such as not notifying a data breach or not meeting audit and other compliance requirements; and (ii) up to the higher of Rs. 15 crore or 4% of total worldwide turnover for processing personal data in violation of the Bill or for unlawful cross-border transfers.
With roughly 500 million active internet users in India, the points discussed above are crucial to understand and deliberate upon. Companies should take into account the prospective law being legislated in India and be ready for it, so that the interests of data protection are safeguarded. A balance has to be struck between the need for technology and the fundamental concept of privacy. As technology grows by leaps and bounds, the law too has to be dynamic and meet the need of the hour.
Author: Alaknanda Duggirala, Legal Manager, Reliance Jio Infocomm Ltd.