With the advancement in technology and the revolutionary increase in the use and dependability of internet, a lot of data is being created and shared by us through mobile applications and websites, including personal information. A lot of this data is also stored in hard disk, cloud, database, memory disk, internet, computer, etc. and the same continues to grow at limitless rates leading some sensitive information to enter the “Public Domain”. Once the data enters the public domain it is subjected to various threats such as the threat from hackers, software threats, misuse or misrepresentation of information, data breaches and leaks creating a need for data protection.
The term Data Protection means legal control over access to and use of data stored. In other words, it refers to a series of continuous and repetitive processes, sound policies and privacy laws to reduce intrusion in one’s privacy.
Up until now, privacy laws in India offer little protection against misuse of one’s personal information. The transfer of personal data is currently governed by the Sensitive Personal Data and Information Rules, 2011, which has been proven to be inadequate. With the mounting concerns worldwide regarding the protection and need for legal regulation of an individual’s personal data in the face of various scandals, the need for a similar legislation is of greatest importance in India, where the data-driven services and transactions in the digital economy are ever increasing but apparently, the personal data of Indian nationals sees very little protection.
Recently, an admission was made by Facebook that the data of 87 million users, including 5 lakh Indian users, was shared with Cambridge Analytica, a British political consulting firm which combined data mining, data brokerage, and data analysis with strategic communication during the electoral processes. The very thought of personal data being used for unknown intentions sent ripples across the world. In furtherance to this, the European Union, in order to protect the personal data of individuals had enacted the General Data Protection Regulation (GDPR) which establishes the right to privacy as a Fundamental Right. Following the implementations of the GDPR and taking examples from the legal frameworks of other countries on the subject, the Personal Data Protection Bill 2018 has been introduced by the Justice B.N. Srikrishna Committee to prevent “Personal Data” of individuals from being misused.
The Personal Data Protection Bill has introduced concepts which are the essence of data protection, such as:
The proposed Data Protection Bill states that unless explicit consent is given, your personal data cannot be shared or processed, which means that the onus lies on you to make an informed choice. It also states that any person processing your personal data is obligated to do so in a fair and reasonable manner and it shall not be processed for the purposes it was not intended for in the first place. It makes the data fiduciary responsible for complying with the obligations in respect of any processing undertaken by it or on its behalf.
The Bill makes consent an essential part of processing data. No data shall be processed without the consent of the data principal. However, the data shall be processed without consent only on certain grounds specified in the draft bill, such as:
The term ‘Sensitive Personal Data’ includes passwords, financial data, health data, biometric data, genetic data, and data on caste or tribe or religious and political beliefs. The sensitive personal data may be processed on the basis of explicit consent for:
Under the Personal Data Protection Bill, the Data Principal are granted certain rights such as:
Personal data other than those categorized as sensitive personal data may be transferred outside the territory of India under the following conditions:
Processing of personal data in the interests of prevention, detection, investigation, and prosecution of any offense or any other contravention of law is permitted, provided it is authorized by a law made by Parliament and State Legislature.
The Ministry of Electronics and Information Technology has announced that before the Draft Bill is passed by the Parliament, it will undergo intensive parliamentary consultation. The Ministry solicits comments from General Public on the Draft Bill in order to ensure that it is indeed the need of the hour and beneficial to the interests of the individuals. The Draft Bill, when enacted will give way to new data privacy regime, which is based on trust and efficient mechanism between the Data Fiduciary and Data Principal. The Draft Bill imposes series of obligations on the State and makes it accountable for processing the personal data of an individual, thereby protecting both – the personal data and the constitutionally guaranteed right to privacy.