Data Protection and Digital Rights in India: Safeguarding Privacy in the Digital sphere
Data Protection is the process of protecting individual's personal information which is collected, processed and stored in the electronic form by the Government and various private enterprises to protect individual's right to privacy which is also one of the fundamental rights in India. In the context of the digital domain, the right to privacy is the ability to preserve one's information privately without granting access to third parties.

In India, the Parliament passed the Data Protection Bill, 2023 which recognises both the individuals' right to protect their personal data and the need to process such data for lawful purposes.

Need for Separate Data Protection Laws

India is rapidly growing in the field of technology and people are subject to use of smartphones, digital devices to carry out daily tasks. As per the law officer's report given during the recent international lawyers' conference held on 23rd & 24th September 2023[i], there are around 760 million internet users joining every 3 seconds.

These users submit their personal data in various circumstances as in when they download any mobile application then they will have to give access to their google account in order for such apps to function and provide personal information like age, qualification, gender, location, interests, and Aadhar number.

This data is quite often sold for hefty amounts. People use UPI apps for easy online transaction which mandates them to provide their bank details and no one is aware about the processing, storing of such data.

When we fill out any kind of membership form, we provide our personal information like contact number, mail-id, address, etc. These data are processed and stored for future reference. We cannot prevent such data collection but instead ensure that it is protected through certain laws. Clarity and consistency in data protection laws can foster trust in the digital ecosystem, encouraging businesses to invest in India and drive economic growth through innovation and technology adoption.

To ensure that India complies with the international norms including General Data Protection Regulation (GDPR) in the European Union, data protection legislation is crucial to facilitate global data transfers, trade, and cooperation.

Why IT Amendment Act, 2008 is not sufficient for data protection?

The IT Act, 2000 as amended by the IT Amendment Act, 2008 includes provisions for personal data protection. The Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules 2011 (Privacy Rules) provides reasonable security practices, procedures, and standards to handle sensitive personal data or information (SPDI).

The Act is not sufficient because:

1. ITA-2008 is primarily focused on regulating electronic records and cybersecurity. It lacks data protection principles like lawful and fair processing, purpose limitation, data minimization, and data subject rights.
    
2. The IT Act does not specify about the data protection board of India unlike the data protection act, 2023. The board's function is to conduct inquiry & impose penalty on the complaint received by the data principal regarding data breach. The board shall have same powers as that of a civil court to issue summons, receive evidence & inspect any data or document.
    
3. The IT rules 2011 fails to provide redressal mechanism by not including the provisions for appeal & alternative dispute resolution unlike the 2023 Act.

Data Breach and Right to Privacy

The right to privacy is recognized as a fundamental right under Article 21 of the Indian Constitution. Data breaches compromise individuals' personal information, including sensitive data like financial details, medical records, and communication logs. The right to privacy is violated when this information is disclosed without consent. The landmark case Justice K.S. Puttaswamy (Retd.) v. Union of India,[ii] firmly established the right to privacy as a basic freedom.

The petitioner opposed the scheme proposed by the Indian Government for a biometric-based identity card to access governmental benefits and services was a violation of a citizen's right to privacy. The Supreme Court held that the right to privacy as a fundamental right under Article 21 of the Indian Constitution. The court also observed that privacy includes the protection of personal data and informational autonomy.

We experience data breaches every day but are oblivious to them. This includes, when we add any product to cart in any of the online shopping app and immediately social media apps start showing the same products and recommends us to purchase them. This could be one of the marketing strategies used by the e-commerce companies. But it is our personal data which has been transferred from such online shopping apps to social media platforms.

In other cases, we are asked to provide our contact number in the billing section of any supermarkets to generate bill. Later, we receive random calls from any of the insurance companies, real estate agents or fake bank calls and we fail to question that how did they get our personal information.

The Right to Privacy is also a Human Right as it is the right of every citizen as a human to have control over their personal information and is essential for human dignity.

Evolution of Data Protection Bill in India

Information Technology Act, 2008
The IT Act, 2000 as amended by the IT Amendment Act, 2008 inserting Section 43A which mandates the companies to protect personal data and sensitive information of people that they possessed, dealt or handled in a computer resource by implementing reasonable security practices. Such companies are also liable for penalty in case of non-compliance.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, provides guidelines for the companies to possess privacy policy and to obtain consent from the data owners while collecting or transferring such data.

Draft Personal Data Protection Bill, 2018
Sri Krishna Committee had drafted the Personal Data Protection Bill, 2018 which governs the data processing by the Government and private entities in India and abroad. The bill also provides rights to the Data Principal (person to whom the personal data belongs) in seeking access to their data. It also formed National Level Data Protection Authority.

Personal Data Protection Bill, 2019
The bill was again introduced in 2019 after making amendments to it by broadening the data principal's rights, prescribing compliance criteria for personal data and introduced central data protection regulator.

Data Protection Bill, 2021
The bill regulates both personal & non- personal data. It provided key obligations for data fiduciaries (State, corporate entities and individuals who collects personal data). The data fiduciary is obliged to notify the data principal at the time of personal data collection, even if such data is not being collected directly. Data is collected after obtaining free consent from the data principal.

Rights of the data principal:

• Right to Confirmation and Access
• Right to Correction and Erasure
• Right to Data Portability
• Right to be Forgotten

Cross Border Data Transfer: The bill permits cross-border transfer and processing of personal data hence imposing penalties in case of contravention of its provisions.

The Digital Personal Data Protection Bill 2022
The bill had recommended to set up a Data Protection Board of India to determine non-compliance with the provisions of the draft Bill. The bill had imposed penalty for non-compliance mandating data fiduciaries to publish privacy policies on their websites so that users are informed about the collection, handling, and processing of their data.

Digital Personal Data Protection Act 2023
India's first ever privacy act to govern digital personal data, was passed on 11TH August 2023.

It provides rights to the data principals including the right to:

1. Receive details about their personal data.
2. Amend or update the information if it is inaccurate or incomplete.
3. Seek remedies for grievances.
4. Nominate a 3rd party to act on their behalf.

Compliance Obligations for Data Fiduciaries

1. Comply with the act.
2. Notify data principals about the purpose and process of data collection & handling.
3. Obtain free consent from data principals.

Penalties for Non-Compliance

1. Failure to prevent a personal data breach: Up to ₹250 crore.
2. Failure to notify the breach to the Board and data principals: Up to ₹200 crore.
3. Non-fulfilment of obligations while processing children's data: Up to ₹200 crore.
4. Non-fulfilment of obligations by a significant data fiduciary: Up to ₹150 crore.
5. Miscellaneous non-compliance with provisions of the Act: Up to ₹50 crore.

Conclusion
India needs to align its data protection practices with international standards. A separate law allows India to be in harmony with global data protection laws, facilitating international data flows and boosting the country's position as a data-driven economy. The Data Protection Act, 2023 is passed to prevent Data breach so that India can aspire to create a data protection regime that protects the rights of its citizens by fostering a conducive environment for economic growth and technological advancement in the coming years.

End-Notes:

• https://economictimes.indiatimes.com/news/india/bci-conference-bharat-is-present-and-future-of-world-says-solicitor-general-tushar-mehta/articleshow/103889982.cms?from=mdr.
• Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, AIR 2017 SC 4161.
• https://indiankanoon.org/doc/127517806/.
• file:///C:/Users/MY%20PC/Downloads/in-ra-Deloitte-PoV-The-Digital-Personal-Data-Protection-Act-16.08-noexp.pdf.
• https://www.meity.gov.in/writereaddata/
• https://eprocure.gov.in/cppp/rulesandprocs/
• https://www.khaitanco.com/sites/default/files/2021-04/Data%20Protection%20in%20India%20Overview.pdf.
• https://pib.gov.in/PressReleasePage.aspx?PRID=1881402.

Written By: Bindu Gowda, 5th year law student, Presidency University, Bangalore.