Protection of personal data is of utmost importance as it is directly linked with privacy. Privacy I .eright of every person to enjoy his/her life and liberty without arbitrary interference must be respected and the state must act for it. The right of every person to be let alone and it’s protection is extremely important in the present age driven by information technology where intrusion into privacy is easy and at the same time difficult to detect by the victim.
The state must protect the right of privacy of every individual but the current times the state is failing to do so. The state has been incapable of protecting the right of the people nor has it shown any great intent The fact that the country with approximately 50 crore users of the internet does not have a comprehensive data protection law is a proof that the state has failed tremendously in protecting the right to privacy of the people. This also shows how serious the state and its agencies are about the matter.
The current scenario
India’s lack of a comprehensive data protection law has enabled tech companies to exploit the data of its users in India and use the same in a manner they so desire.
Currently, several laws are in force that governs the protection of data. The laws state the kind of data that might be collected, how the data is to be collected, the circumstances under which the data may be shared with a third party and other such clauses. The various laws governing data protection in India currently are
- The information technology Act 2000 and the Information technology Rules 2011
- The regulatory bodies
- Telecom Regulatory Authority of India
- Banking Regulators
- The right to information Act 2005
- The Aadhaar Act 2016, Aadhaar (data security) Regulations 2016, Aadhaar (sharing of information) Regulations 2016
- The General data protection Regulations
- The Information Technology Act 2000 and Information Technology Rules 2011
- Section 43 provides that any person who has unauthorised access to a computer to and downloads, copies, destroys, or alters the data in any manner shall be liable to pay damages to the extent of rupees one crore.
- Section 43A provides that a body corporate dealing or handling sensitive personal data or information shall maintain reasonable security measures and in case of negligence causing wrongful loss shall be liable to pay compensation up to rupees 5 crores.
- Section 66C provides that any person who frequently or dishonestly makes use of electronic signature or password or any uniques identification shall be punishable with imprisonment which may extend to 3 years and with fine up to rupees one lakh.
- Section 72A provide that any person while providing services obtains the personal information of an individual and then subsequently discloses the information to any third party with the consent of the individual shall be punishable with imprisonment which may extend up to three years and with fine which may extend up to rupees 5 lakhs.
The IT rules of 2011 state the following
- Rule 5 states that consent must be taken from the provider of information for the collection of sensitive personal information and the reasons for the same shall be stated.
- Rule 6 states that personal sensitive information shall not be shared with any third party without the prior consent of the information provider. Such information may be provided to government authorities for lawful purposes or investigation of crimes.
- Rule 8 mandates the body corporate to maintain reasonable security measure for the protection of personal data if the information provided.
A) Telecom Regulatory Authority of India
The department of telecommunications has provided standard form agreements for its stakeholders and service providers under the telegraph rules.
- Clause 21 of the national long-distance license requires the telecom provider to adhere to confidentiality conditions concerning customer information.
- Clause 37, 39 of the unified Access service license and clause 42 of the Cellular mobile telephone requires the telecommunications provider to comply with confidentiality conditions in reaction to customer information and to ensure that unauthorised interception of messages does not take place.
B) State bank of India act 1955
Section 44 of the act states that the bank as a whole and every person working in it are obligated as to fidelity and secrecy by way of a declaration in a prescribed form.
C) Credit information companies Act
Section 19 requires credit information companies and credit companies to take steps to preserve the accuracy of the data and it’s security.
Section 20 lays down a punishment of a fine up to 1 lakh for any unauthorised access to credit information in the possession of the credit information company or credit company.
D) The public financial institutions act 1983
Section 3 stipulates that any public financial institutions shall not give out information relating to its affairs or its constituent except as provided under the law.
Section 4 states that the member director auditors and the employees shall sign a declaration of secrecy and fidelity in the prescribed form.
E) Mental health act 1987
Section 13 provides that an inspecting officer may see the records of the patients maintained by the hospital but such records should be kept confidential and must not be disclosed further to anyone unless as prescribed by law.
Section 38 clearly states that visitors of psychiatry patients will not be entitled to inspect any personal records of an admitted patient.
F) Indian medical council Regulations
Regulation 7.14 provides that medical practitioner shall not disclose the secrets of a patient learnt in the exercise of his/her profession except in a court of law.
- Right to information act 2005
Section 81 I the section provides that the authorities are not under any obligation to provide any personal information which has no public importance and would amount to an unnecessary intrusion of Privacy.
- Aadhaar act
Section 28 puts a duty on the relevant authorities to ensure the security of the identity information and authentication records of individuals.
Section 29 prohibits the sharing of core biometric information which has been collected under the Aadhaar with anyone for any reason.
Biometric information has been included in the definition of personal sensitive information for the IT act
Section 37 provides a penalty for disclosing identity information and the same is punishable with a fine of 10 thousand rupees if the offender is an individual and rupees one lakh in case of a company.
- The General Data Protection Regulations.
GDPR was approved and adopted by the European Parliament (“EU”) in April 2016 and came into force on May 25, 2018, without the need for implementing national legislation. The GDPR extends its geographical reach and does not only apply to organisations located within the EU but it will also apply to organisations located outside of the EU if the following conditions are satisfied
(a) processes personal data in the context of the activities of an establishment of a ‘controller’ or a ‘processor’ in the EU, or
(b) processes personal data of EU data subjects, where the processing activities relate to the offering of goods or services (including for free); or
(c) monitors the behaviour if the behaviour takes place within the EU.
Major issues In India
The lack of a comprehensive data protection law coupled with the complicated and high number of laws for the protection of data has not helped India in the protection of data and ensuring Right to Privacy is protected. Some other issues have been listed below-
- Lack of comprehensive data protection legislation.
- A very large biometric database in the form of Aadhaar which is highly vulnerable due to the low standards of security standards maintained.
- The recent efforts to make WhatsApp messages traceable are among the most concerning in India and will threaten citizens’ privacy,
- CCTV surveillance is not regulated in India, and hence any privacy violation by them is difficult to be addressed.
- The surveillance framework established under the IT Act, 2000 does not provide for any judicial oversight and a significant amount of power lies with the executive officers so appointed.
Comparitech a UK Based firm conducted a study in October 2019 on a global privacy index. The study gave India a score of 2.4 out of 5 on a global privacy index.
India does have several laws for the protection of data having said that these high number of laws only create a complex system where everything happens except protecting the data of the users. India needs a sound system of data protection and the system must be a right based rather than the current consent-based where consent is neither voluntary nor is the consent given after understanding the nature of consent by the person giving the consent.
The Personal Data Protection bill 2019 that was presented in 2019 in the parliament was a welcome step by the government of India to provide for a comprehensive data protection law. Though the Bill has not been passed when passed it would get rid of a lot of problems that are prevalent in the current system although the bill itself needs a lot of amendment. But seeing the current state of data protection in India the Bill will help in achieving some of the goals