Data Protection and Privacy Issues in India
Introduction
Internet era has brought revolution in the way human used to live and work everyday. And everything that we do on internet gets stored in the form of data, which takes place in multiple form. Data surrounds us and is generated in almost everything we do. Therefore, this data becomes of utmost importance and some companies are even willing to pay for the same. Furthermore, in this age of technology, data has become the new form of currency. Even more intriguing fact is that the full potential of data is still not known by more than 90% of the population. As the technology progresses and new applications are emerging, the value of data gets even more enhanced.
And the value of data gets even more enhanced after the Supreme Court judgment in the case of Retd. Justice K.S. Puttaswamy’s case, wherein Supreme Court held that Right to Privacy is a fundamental right being enshrined in Article 21 of the Indian Constitution. However, with this Supreme Court judgment, new laws gathering data will be tested to their limits in deriving the privacy of such data.
However, the question still unanswered is the contours and limits of data protection laws as India still does not have any comprehensive law dealing with data protection and privacy.
What is Data?
Current issued surrounding Data Privacy in India
Nature of Data protected by Indian legislature
Who can collect personal information?
Conclusion
What is Data?
Section 2(1)(o) of the Information Technology Act, 2000 defines ‘data’ as “a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.”
While data including all king of information concerning an individual, privacy of it have gained even more importance than before. And all of this is mainly because of the substantial amount of data is being generated nowadays through the usage of electronic devices and applications.
Considering the importance of data and its privacy, question is “What is privacy?”
Privacy means the right to be left alone or to be free from misuse or abuse of one’s personality. Thus, the right of privacy is the right to be free from unwarranted publicity, to live a life of seclusion, and to live without unwarranted interference by the public in matters with which the public is not necessarily concerned.
However, right to privacy is not a new concept. It is a common law concept, invasion of which entitles the individual to claim tort based damages. The first case of invasion of Right to Privacy was the case of Semayne’s Case, wherein it was held by the House of Lords that the house of everyone is to him as his castle and fortress, as well for his defence against injury and violence, as for his repose.
However, the first case questioning the validity of Right to Privacy as a fundamental right came before Supreme Court in the case of M.P. Sharma & Ors. v. Satish Chandra, District Magistrate, Delhi & Ors., wherein Supreme Court held that “the power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction. Nor is it legitimate to assume that the constitutional protection under Article 20(3) would be defeated by the statutory provisions for searches.”
However, recently in the case of K.S. Puttaswamy (Retd.) v. Union of India, held the Right to Privacy as a fundamental right enshrined under Article 21 of the Constitution of India.
Current issued surrounding Data Privacy in India
Supreme Court unanimously limited the State interference with the fundamental right to privacy of an individual. Supreme Court further held that State may interfere with the individual’s right to privacy, however, there must be a justification in law to justify such encroachment on privacy of an individual. Thus, going forward Supreme Court has laid down that any laws which seek to encroach upon the right of privacy of an individual would need to meet the test of proportionality and reasonableness. It will take a few years before jurisprudence around what constitutes reasonable and proportionate State interference settles temporarily.
However, the current privacy laws in India are consent based rather than right based. The problem with the current regime is that the controller of the data is at liberty to use and share data of its users with third party, once the consent of the individual is obtained. The problem with this systematic approach is that users most of the times give consent without knowing or reading what and how their data is going to be used and who is at liberty to use their data.
However, right based approach, which India currently do not follow, allows the users to have greater control over their data and at the same time this approach requires the controller of the data to make sure that data is being used in such a way that it does not violate the rights of the user.
Thus, the approach of consent based data privacy is the biggest challenge to the current data protection laws in India.
Nature of Data protected by Indian legislature
India, from the beginning does not had comprehensive data protection laws. While the main enactment which deals with data protection is the Information Technology Act and the Information Technology Rules, 2011, these act and rules does not cover the wide array of the data and its privacy.
Under both the IT Act and IT Rules, the primary data which is protected is the “personal information” and “sensitive personal data”. However, it nowhere defines what all is included under personal data and information.
Reference can be derived from various rulings wherein various courts have held that personal and sensitive personal information tends to include (i) password; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; and (vi) biometric information.
Judicial interpretation further states that information which is available in public domain does not form part of the personal information and therefore, is not protected under the IT Act.
Who can collect personal information?
Under Rule 5 of the IT Rules, no body corporate or any person can collect personal or sensitive personal information unless:
- The information collected is going to be used for a lawful purpose, which is in connection with the activities of the body corporate;
- And, collection of such information is deemed necessary for such body corporate;
Thus, even after providing protection to the personal and sensitive personal information, body corporate is still at liberty to collect such information, provided the purpose is lawful.
Conclusion
Privacy laws in India are being criticized and for all right reasons. First of all, India does not have comprehensive laws for the protection of individual’s privacy. The only legislature which deemed to be providing protection are the IT Act and IT Rules. However, even those legislations grants liberty to the body corporate or individuals to collect data if they think is necessary, the only condition being that such data is used for lawful purposes. However, the rules still does not define the complete scenario which authorizes the body corporate to collect data and determine which is necessity and what is lawful.
Thus, India is still far way from achieving the objective of protecting individual’s privacy and legislature has still long way to go.