Data Protection and Right to privacy: An insight into the data privacy issues and the need of legal framework
In June 2020, an online session of a school in Nashik was hacked and the school
had to fight flood of obscene comments and threat of rape and murder to
students. The RBI in its annual report states an increase of 15% year on year
basis, in bank fraud cases with the increase in amount by 73.8%. Convergence of
technology has indeed served as a boon to mankind. Living in the modern world,
it is indeed not less than a necessity to have an account on prominent social
networking websites, to make your purchases online or to have unlimited access
to movies and myriad web series. It, resultantly, then becomes inevitable to
share data and quickly have access to all the above.
However, in this so-called modern world we often tend to forget the cost sometimes we might have to
incur for this. Having the security to shared data as a pre-requisite is
disregarded or infact neglected numerous times. And as a consequence, identity
theft and other personal security breaches are faced by the user quite more than
seldom now. Prior to progressing ahead with the discussion, it is pertinent to
understand right to privacy and data protection fundamentally.
Right to privacy and data protection: MeaningBlack's Law Dictionary says that the terms Right to Privacy is a generic term
encompassing various rights recognized to be inherent in concept of ordered
liberty, and such rights prevent government interference in intimate personal
relationships or activities, freedoms of individual to make fundamental choices
involving himself, his family, and his relationship with others.
A man has the
right to pass through this world, if he wills, without having his picture
published, his business enterprises discussed, his successful experiments
written for the benefit of others, or his eccentricities commented upon by any
means or mode. It is based on the theory that everyone has the right of
inviolability of the person as held in UPSC v. R.K Jain. Privacy, in context to
present article, would mean having the right to control one's personal data and
deciding about its dispensation oneself.
Data protection on the other hand
relates to the technical branch whereas, privacy is a legal concern. At present,
the right to privacy being regarded as part of fundamental right to life under
Article 21 of the Constitution of India by Hon'ble Supreme Court in Justice K.S.Puttaswamy (Retd) vs Union Of India, over-ruling the judgement of Kharak
Singh, data protection has a major role to play in order to ensure the said
fundamental right to citizens.
Problem analysis and the legal provisions dealing therewith:
Stepping into the century, one is necessitated quite often to provide with
personal information in distinct web platforms. However, these platforms have
model as per ECPA (Electronic Communication Privacy Act 1986), whereas the EU
internet platforms has different mechanism, it functions via the European
Union's General Data Protection Regulation (GDPR).
The central point boils down
to trust because no number of technological safeguards can eliminate the central
role of trust in ensuring the data privacy, which is often compromised. Data is
now an asset to the companies who have built the data economy, yet, we often see
the privacy failures in form of data transmutation.
It has so happened that the
user provided the credit card details which resulted in huge money transfer to
the unknown person or fraud calls being generated based on the recent purchase
on an online shopping website. This usually occurs due to data breach. These
incidents at times, involve organizations misconfiguring cloud services or
failing to implement the proper access controls, such as password requirements
for public-facing web services or applications.
The legal framework regulating this in India is the Information Technology Act,
2000. However, there are no provisions in fixing the responsibility of internet
service provider and the online website possessing the data, neither any
differentiation is laid down amongst the intentional and accidental
breach. Another piece of legislation in financial sector is Credit Information
Companies Regulation Act, 2005(CICRA).
As per the CICRA, the credit information
pertaining to individuals in India have to be collected as per privacy norms
enunciated in the CICRA regulation. Having mentioned the laws touching the
current problem of discussion, it would be appropriate to conclude that the
country lacks meticulous and stringent data protection laws.
Personal Data Protection Bill 2019:At present, the Data Protection Bill 2019 is pending in Lok Sabha which has been
referred to the Standing Committee on 11 December 2019 and the report is
awaited. The bill seeks to define personal data and categorizes certain data as
sensitive personal data. It has also defined the data fiduciary, as an
entity or individual who decides the means and purpose of processing personal
data. Such processing will be subject to certain purpose, collection and storage
The preventive framework of the bill places multifold compliance requirements on
the Data Fiduciaries besides making the consent of Data Principal mandatory
before processing Data and Sensitive Personal Data. The
bill mentions the term 'Critical Personal Data' but doesn't define it.
contrast to the 2018 version of this bill, the 2019 bill authorizes the Central
Government to transfer the 'Critical Personal Data' outside India to a country,
any entity or class of entity, or to an International Organization where it
deems it permissible and where such transfer in its opinion doesn't prejudices
the security and interest of the State, however the consent of data principal is
Moreover, the bill also empowers the Central Government to exempt any
of its agencies from the compliance of the provisions of the bill in the
interest of Sovereignty and Integrity of India, security of the country,
friendly relations with foreign states, public order and to prevent incitement
of commission of any offence relating to any of the above.
provision has quite often been a subject of debate and is still a matter of
discussion amongst the liberalists. Needless to say that such power must
necessitate its usage sparingly and that too in a grave and emergent
contingency. The representation of the judiciary in the Selection Committee,
entrusted with the function of appointment of the Authority responsible for
governing and regulating the stakeholders, too has been done away with.
Right to be forgotten: A recent developmentAlongside the right to privacy, there is another debate doing rounds for a new
right called the right to be forgotten or the right of erasure.
The source can be traced back to French jurisprudence right to oblivion or
l'oubli. The right was adopted by European Union Data Protection Directive back
in 1995. It was stipulated that the member states should give people the
guaranteed right to obtain from the 'controller' the rectification, erasure or
blocking of data relating to them, the processing of which does not comply with
the provisions of the Directive.
The term controller here refers to a natural
or legal person, public authority, agency or any other body which alone or
jointly determines the purposes and means of processing personal data. Such a
provision if implemented in the country can serve as a diminishing factor for
heights that cybercrime has achieved today.
The Date Protection Bill 2019, very warmly seem to have accepted the
right to be forgotten drawing inspiration from above as the bill is inclusive of
right of erasure in case of personal data which is no longer in requirement for
the objective for which it was at first processed.
The race between technological advancements and laws governing them is like that
of a hare and a tortoise respectively. The former is always ahead of the latter.
Information Technology is a fast evolving sphere. Though, the Right to Privacy
has in the 21st century ushered into a Fundamental Right, but until the
jurisprudence around it develops, a robust regime of legislation addressing the
data protection and privacy violation is the need of the hour.
The Personal Data
Protection Bill, 2019 which awaits approval from the Parliament answers the call
to a large extent; but the means adopted and the end sought to be achieved look
imbalanced. Rule of Law is the hallmark of the democracy which is upheld by
independent judiciary. Every piece of legislation must balance the interest of
the stakeholders who are likely to get affected by it.
legislation shall continue to match the pace of the technological advancements
in this era of digital economy either by way of introduction of amendments by
the legislature or by judicial precedents. Lest, the tortoise would always be at
the losing end in this race.
The data today as mentioned above can act as capital to many large
private companies as well as governments in certain countries. Henceforth, we
witness the necessity of protection every now and then which would ensure the
right to privacy guaranteed as fundamental right by Hon'ble Supreme Court.
Nevertheless, the strict privacy norms by various governmental bodies like
Reserve Bank of India, and distinctive government and mass sensitization
programs do suggest that India is leaping forward towards comprehensive and
strict privacy norms.
Manishika A. Kaushik, JMFC
Gautam Singh Deora, 2nd Addl. Civil Judge and JMFC, Modassa
Law Article in India
You May Like
Legal Question & Answers