Introduction:
India, A Country known for its Diversity and Incredibility has been witnessed on being successfully entering into the phase of Digitalization. The use of Digital Media has started prevailing since a long time back in India but due to the outbreak of COVID-19, this has been adopted very rapidly. From Online Payment to Online Education and many more, the Citizens of the country has explored various modes of this Digitalization in the last few months. With the arose of this Digital India, one of the crucial issue that has caught the attention of majors is the Data Protection. Most of the online applications that are used in Daily Life asks for the Personal Information and many more which somehow creates a threat for its misuse.
It has been rightly stated that ‘Data is the new Oil’.[i] Earlier the Mineral Oil was considered to be the most lucrative commodity and many of the nations were running after it. Data seems to have been taking the same value today in the 21st Century which is evident from the fact that the 5 most prestigious companies in the world belong to the Data Sector namely Google, Amazon, Apple, Microsoft and Facebook.
Present Legislative Framework for Data Protection in India
India presently has no specific Laws governing the Data Protection and Privacy Laws. The Data Protection is derived from various other Laws related to Crimes, Intellectual Property, Information Technology and Contractual Relations. In addition to it, Article 21 of the Indian Constitution which guarantees every Indian Citizen the Right to Privacy as a Fundamental Right. Some of them are mentioned below:
1. Information Technology Act, 2000 (IT Act):
IT Act is presently considered to be the essential act to deal with the Data Protection although not intended to do so. The Act mainly deals with the Civil (Compensation) and Criminal (Punishment) in the matter of wrongful disclosure and misuse and violation of contractual terms in respect of personal data.
After the IT Amendment Act 2008 the following sections were substituted and inserted:[ii]
- Section 43A- Compensation For Failure to Protect Data.
- Section 66- Computer Related Offences.
- Section 66B- Punishment for dishonestly receiving stolen computer resource or communication device.
- Section 66E- Punishment for Violation of Privacy.
- Section 72A- Punishment For Disclosure of Information in Breach of a Lawful Contract.
Limitation to the Present Provisions:
- The IT Act enacted did not had the intention to provide Data Protection.
- This IT Act does not provide for any Penalties for Data Breach except under Section 72A.
- The IT Act is applicable only to Electronically generated and Transmitted Informations.
2. Indian Penal Code (IPC), 1860:
The Indian Penal Code also does not specifically provide for any Provisions related to Breach of Data Privacy. Under IPC, the Liability of such Breach is to be inferred from the related crimes. Such as, Section 403 of IPC imposes a criminal penalty for dishonest misappropriation or conversion of ‘movable property’ for one’s own use.
3. Intellectual Property Laws:
The Indian copyright Act gives for mandatory Punishment for Piracy of Copyrighted matter commensurate with the gravity of the offence. Section 63B of the Indian Copyright Act provides punishment for any person who willingly makes use on a computer of an infringing copy of the computer program. The Indian Courts have also recognised Copyright in Database and if any infringement with respect to the Database happens then the Outsourcing parent entity may have the recourse under the Copyright Act.
4. Credit Information Companies Regulation Act, 2005 (CICRA)[iii]:
The credit information related to Individuals in India is to be collected as per the Privacy Norms mentioned in CICRA Regulations. All the entities collecting such data and maintaining it would be held liable for any alteration of such data. These Regulations provided by CICRA related to data Privacy Principles has been recognised by the Reserve Bank of India.
5. Initiatives of Industries:[iv]
The efforts of Private Industries are being witnessed more in India than Government industries to secure the data. The National Association of Service & Software Companies (NASSCOM), India’s National Information Technology Trade Group has created a National Skills Registry which is a centralized Database of employees of the IT services and BPO Companies. Further, a Self-Regulatory organization has been set up to monitor the Data Protection Standards for India’s BPO Industry.
Personal Data Protection Bill, 2019
In India, the Ministry of Electronics and Information Technology in July 2017 set up a committee chaired by Justice B.N. Krishna to discuss the issues related to Data Protection.[v] This Committee submitted the Draft of Data Protection Bill in July 2018.[vi] After the Approval of Cabinet Ministers the Personal Data Protection Bill (PDPB), 2019 was introduced in the Parliament by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad on 11-12-2019 in its winter session. The objective of this bill is to regulate and protect the Data Privacy in India.[vii] This Bill includes the process for Protection of Personal Data and also proposes to set up a Data Protection Authority of India for it.[viii] The Bill governs the processing of Personal Data by Government, Companies incorporated in India and Foreign Companies dealing with Personal Data of Individuals in India. A Data Protection Authority (DPA) should be set up to oversee the Data Related Processing activity.
This PDPB has faced an ample of criticism since its presentation in the Parliament. Justice B.N. Krishna in its interview stated that the Present Data Protection Bill has the capacity to turn the Country into Orwellian State.[ix] Also, it is being said that this Data Protection Bill brings more power and Data Access to govt.[x] Further, this bill exempts the Government Agencies and it is like giving them a Blank Cheque to do whatever they want to do.[xi] Reports from Forbes India states that this Bill gives the Government Blanket Powers to access the Citizen’s Data.[xii]
DISHA: Digital Information Security in Healthcare Act
Health Data also comprises of various information such as Age of the Patient, Contact Information, Pathological Reports, Medical History, etc. The Indian Government is planning to implement DISHA as one of India’s First Health Data Specific Legislation[xiii] with a threefold objective i.e., Firstly set-up a central-level and a State-Level Digital Health Authority; Secondly, enforce Privacy and Security measures for Digital Health data and Thirdly, regulate the storage and exchange of Electronic Health Data.
Right to be Forgotten
The Right to Forgotten is the Right of an Individual by which his private information can be removed from the Public Domains such as Search Engines of the Internet. This Right is presently practiced in the European Union and Argentina. India does not have such Right in its Laws. In the Puttaswamy Case, the Supreme Court has stated that this Right to be Forgotten falls within the ambit of Article 21 of the Indian Constitution. The PDBB proposes for the inclusion of Right to Forgotten in the Legislation. If it happens, the individuals would be able to delete or correct any information irrelevant.
Conclusion
Today, when the Era of Digitalization is emerging with such great intensity, it is the need of the hour to bring a Specific Data Protection Laws. Many Industries are taking steps to ensure Data Protection at their own end. However, this won’t solve the problem at large. Although the Government has taken steps in drafting the Personal Data Protection Bill and bringing it before the Parliament, still the country is in need of a Proper Legislation so as to ensure the Data Protection. This step from the government would be a crucial one during this time.
References:
[i] RK Dewan & Co (May 13,2020), Personal Data Protection Laws in India, Lexology.
[ii] Vijay Pal Dalmia, Partner, (December 13, 2017), India: Data Protection Laws In India-Everything You Must Know, Mondaq.
[iii] Overview of Data Protection Laws In India available at: http://www.ehcca.com/presentations/privacysymposium1/steinhoff_2b_h1.pdf
[iv] Overview of Data Protection Laws In India available at: http://www.ehcca.com/presentations/privacysymposium1/steinhoff_2b_h1.pdf
[v] “Personal Data Protection Bill 2018 draft submitted by Justice Srikrishna Committee: Here is what it says” . The Indian Express. 28 July 2018. Retrieved 4 December 2019.
[vi] “Personal Data Protection Bill 2018” (PDF). MEITY. Retrieved 11 December 2019.
[vii] https://www.scconline.com/blog/post/2020/02/06/evolution-of-data-privacy/
[viii] https://www.prsindia.org/billtrack/personal-data-protection-bill-2019
[ix] Mandavia, Megha (12 December 2019). “Personal Data Protection Bill can turn India into ‘Orwellian State’: Justice BN Srikrishna”. The Economic Times. Retrieved 21 December 2019.
[x] Regina Mihindukulasuriya, (December 13, 2019), “More Power & Data Access to govt-all about personal data protection bill”
[xi] Regina Mihindukulasuriya, (December 13, 2019), “More Power & Data Access to govt-all about personal data protection bill”
[xii] “The Personal Data Protection Bill could be a serious threat to Indians’ privacy”. Forbes India. Retrieved 21 December 2019.
[xiii] RK Dewan & Co (May 13,2020), Personal Data Protection Laws in India, Lexology.
0 Comments