Data Protection: A growing concern worldwide and an unruly situation in India, Essays (university) of Law

The article covers international Data protection law and special emphasis is given with reference to India

Typology: Essays (university)

2020/2021

Uploaded on 02/25/2021

siddharth-babool
DATA PROTECTION: A GROWING CONCERN WORLDWIDE AND AN UNRULY SITUATION IN INDIA

Siddharth Singh* LLB tyc IV Sem

1. Introduction

Data is the new oil, and the current situation in India regarding it is almost lawless. Our data is precious to the companies and organizations which need it for online ad targeting, custom recommendations and other ethical and unethical purposes. We as human beings think we are unique, irrational and original, but in actuality we are not; we are rather predictable and not so unique, at least from the point of view of the large data-collecting organizations. Data is the new oil, and countries that have an abundance of this new oil, along with the knowledge of its proper and legal use, will bring the next revolution and become the next superpowers, because Artificial Intelligence is the next big thing and it needs a lot of data to feed upon in order to flex its muscles.

But this data of ours is secretly being smuggled by organizations from the various online and offline platforms we use in day-to-day life, which on a micro or individual level is a clear breach of our privacy and on a macro level is costing us our future, and will eventually lead our country into great distress because we may miss the bus leading to the future we all aspire to.

Data being the new oil, its collection and transfer should be appropriately regulated and protected from illegal use, but India still does not have a specific data protection law; instead the old Information Technology Act 2000 is being employed, which is proving insufficient to deal with this issue.

2. Meaning/Definition

Data – Data in simple words means information. Data are characteristics of information that are usually collected through observation. According to the European Union website on the General Data Protection Regulation, personal data means “any information that relates to an identified or identifiable living individual. Different pieces of information which collected together can lead to the identification of a particular person also constitute personal data”.

According to Sec 2(o) of the Information Technology Act 2000, Data means - “A representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer”.

The definition of data used in the Information Technology Act is quite narrow: only information which is intended for processing is included. In comparison, the definition of data in the Personal Data Protection Bill is quite wide and includes all information which is suitable for communication, interpretation or processing by humans or by automated means. It is to be noted here that the word “suitable” is used instead of “intended”, which may result in including all data whether or not the data collectors intend to process it; the only condition which needs to be satisfied is that it must be suitable for communication and processing.

2.1 Types of Data

  1. Personal data – Any data which is specific to you; it covers your location, email address and other factors. Many companies collect our personal data any time we use their platforms and applications, and many times this is done without our consent or knowledge. It is used by the companies and organizations to provide us with personalized suggestions to keep us engaged on their platforms and apps. A definition of personal data is nowhere given in the Information Technology Act 2000, but it is clearly established in Sec 3(28) of the proposed Personal Data Protection Bill 2019, according to which personal data means – “Data about or relating to a natural person who is directly or indirectly

collection of data will be legal. But it is usually contended by these data collecting companies that it is a kind of implied contract where the user gives them implied consent to use their personal information. Implied contract is not defined anywhere in the Indian Contract Act 1872, but this contention may be covered under Sec 9 of the Indian Contract Act, which states that “in so far as the proposal or acceptance of any promise is made in words, the promise is said to be express. In so far as such proposal or acceptance is made otherwise than in words, the promise is said to be implied”. But in State of Maharashtra v. Saifuddin Mujjaffarali Saifi, AIR 1994 Bom 48 the court held that “a contract implied in fact requires meeting of minds. The court should refuse to read an implied term into a contract which is silent on the point or did not clearly indicate the nature of the term. However, when the stipulations are clear and in contemplation of the parties or which necessarily arise out of the contract between the parties, they will be implied”.

3.1 Consent

Due importance must be given to the consent of the users/data principals in these data collecting agreements, as is distinctly provided in the General Data Protection Regulation (a European Union regulation on data protection). Article 4 of the said regulation states what constitutes consent:

  • Freely given – The user must not be pressured to give information.
  • Specific – The user must be asked to consent to the individual types of data processing.
  • Informed – The user must be told what they are consenting to.
  • Unambiguous – The language must be clear and simple.
  • Clear affirmative action – The user must expressly consent by doing or saying something.

But in the absence of an exclusive data protection law in our country, the main questions of the purpose and extent of data collection will remain unanswered. The personal data collected from the users is susceptible to being hacked or leaked if these companies do not employ proper protective mechanisms to secure the data, which may cause financial loss and mental distress to the users. Many a time these companies also sell the personal data to other companies without the users' consent.

4. Data Collection Sources and Uses

Data is usually collected through the medium of electronic devices having access to the internet, like phones, laptops, tablets, gaming consoles etc., but it can also be collected through offline sources like hospital records, voter records etc. Electronic devices being the medium, the source of the collected data is the applications and platforms which we have installed on these devices and which are usually free to use. As it is said, nothing comes free, and so it is when it comes to using these free applications. These companies provide a free application or platform and collect all your valuable personal data, which they may sell to other companies or may use themselves.

Where the data goes – The personal data collected from the users is used in various ways.

  • Data is used by these companies to make their applications and platforms more efficient.
  • Sold to other companies who need this kind of data.
  • Data is used to drive advertisement according to the behavior and responses of the users.
  • Data is used in various decision making of the enterprise.
  • Data is used in the analytics of the applications.
  • Data is used to do research and analysis.
  • Data is used to know the effectiveness of government schemes and plans.

5. Present Situation in India

At present there is no specific law or statute serving the cause of data protection in India, which is becoming a serious issue. Data protection is a worldwide problem and every country is trying its best to protect the data of its subjects; over 80 countries have already framed comprehensive data protection laws and many are in the process of framing them.

The Ministry of Information and Broadcasting has a plan for a social media monitoring hub, and the Home Ministry has recently tendered for a nationwide facial recognition technology to create a nationwide facial recognition database. All this is happening without the country having specific data protection legislation.

In India, mainly the Information Technology Act 2000 is employed to deal with issues relating to data protection; it is not meant for data protection and rather deals with cyber law and other issues incidental to it. Along with it The Indian Contract Act 1872 can also be

corporate or person, pursuant to any law, for the time being in force, or any contract to this effect”. Justice Chandrachud struck down this section as being too broad and leading to commercial exploitation of individuals' data, and held that private companies, telecom companies, e-commerce companies, and private banks cannot ask for biometric data. The Hon'ble Court also revoked Sec 33(2), which states that “nothing shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorized in this behalf by an order of the Central Government”.

The Court also struck down Sec 47 of the Act, which states that “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorized by it”; this section allowed only the government to complain in case of theft of Aadhaar data. It was clear in the judgment that use of Aadhaar authentication by private entities is unconstitutional and cannot be legalized through another enactment. The Hon'ble Supreme Court asked the central government to bring a robust law for data protection as soon as possible.

7. Right to Privacy a Fundamental Right

In the same case – Justice K.S Puttaswamy (retd) and another v. Union of India and others (writ petition No 494 of 2012) – the Hon'ble Supreme Court recognized the right to privacy and held that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution and as a part of the freedoms guaranteed by Part III of the Constitution. The Government contended on the basis of the previous judgements of the Hon'ble Court. In M.P Sharma v. Satish Chandra 1954, the Bench held that the drafters of the Constitution did not intend to subject the power of search and seizure to a fundamental right of privacy and therefore questioned the existence of a protected right to privacy. The present court made it clear that it did not decide other questions such as “whether a constitutional right to privacy is protected by other provisions contained in the fundamental rights including among them, the right to life and personal liberty”.

In Kharak Singh v. State of Uttar Pradesh 1962 the decision invalidated a police regulation that provided for nightly domiciliary visits, calling them “unauthorized intrusion into a person's home and a violation of ordered Liberty”. However, it also upheld other clauses of the regulation on the ground that the right of privacy was not guaranteed under the Constitution and hence Article 21 of the Indian Constitution had no application. The court held that although the right to privacy was not expressly recognized as a fundamental right, it was an essential ingredient of personal liberty under Article 21.

7.1 WhatsApp and Facebook Data Sharing Case

In 2017 a special leave petition was filed by the petitioners Karmmanyo Singh Sareen and Shreya Sethi in the Supreme Court against the Delhi High Court ruling upholding WhatsApp's updated privacy policy. In the updated privacy policy WhatsApp was given rights to share users' personal information with Facebook (the parent company of WhatsApp). The petitioners contended that WhatsApp was sharing the data of the users with Facebook and other third parties. The case is still pending.

8. Information Technology Act 2000

The Information Technology Act 2000 was enacted to deal with cyber law and other topics incidental to it. It is not meant to deal with issues related to personal data protection, which can reasonably be inferred from the fact that it does not contain a definition of personal data. Even though the Act was not meant for personal data protection, there are a few provisions which were added in the amendment of 2009 to provide for personal data protection, which are as follows –

8.1 Sections Dealing with Data Protection

  • Sec 43A is one such new provision added to the Act, which deals with compensation for failure to protect data. Sec 43A states that – “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected”.

9. Personal Data Protection Bill 2019

A committee of experts headed by Justice B.N Srikrishna submitted a draft of the Personal Data Protection Bill to the Ministry of Electronics and Information Technology. It was one of the very first steps toward constructing an exclusive data protection law in the country. Electronics and Information Technology Minister Mr. Ravi Shankar Prasad tabled the Bill in the Lok Sabha on 11th December 2019, and it is being analyzed by the joint parliamentary committee. This Bill seeks to protect the personal data and privacy of individuals.

The bill tries to establish the principle of a relationship of trust between the data collecting entities and data giving entities, which is reflected in the term used to refer to the data processing entities: “Data Fiduciaries”. According to Sec 3(13) of the bill, Data Fiduciaries means “any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data”. The data fiduciaries can process the data only for specific purposes which are legal and clearly mentioned.

9.1 Data Definition

Personal data has been defined under Sec 3(28) of the said bill and means “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline”. Personal data has been divided into two parts in the bill: sensitive personal data and critical personal data. Sensitive personal data has been described under Sec 3(36), which states the following personal data as critical – “financial data, health data, biometric data, genetic data, caste & tribe, political & religious beliefs, sexual orientation etc.” According to Sec 33 of the bill, sensitive personal data cannot be transferred out of India unless consent is given by the data principal (to whom the personal data relates), but it shall continue to be stored in India. Critical personal data is described under the explanation part of Sec 33, which states that “such personal data as may be notified by the Central Government to be the critical personal data”, and thus no clear definition is given. According to Sec 33(2), critical personal data should be processed only in India.

9.3 Rights

The Personal Data Protection Bill also provides data principals with certain rights under Chapter V, Sec 17-20, which are as follows:

  • Right to confirmation that the data which had been collected is processed.
  • Right to know whether the personal data has been transferred to another entity for processing.
  • The data principal has the right to make corrections to or to alter the personal data.
  • The data principal has the right to restrict the continuing disclosure of the data.

9.4 Consent

Consent has been given due importance in the said bill, and the personal data of an individual can only be processed by the data fiduciary when the individual has given consent to it. Sec 11 of the bill gives the requisites of a valid consent:

  • Consent must be freely given.
  • Consent must be obtained after the individual has been informed.
  • Consent must be specific with regard to the scope of data processing.
  • Consent must be clear with reference to the given context.
  • Consent must be capable of being withdrawn.

A few exceptions are provided under Sec 12, 35, 36 and 37 of the bill, which describe when data can be processed without the consent of the data principal; these should be a debatable topic, as they destroy the whole purpose of the personal data protection law. The bill provides that data can be processed without consent when it is necessary:

  • For the performance of any function of the state.
  • Under any law for the time being in force made by the Parliament or any State Legislature.
  • For compliance with any order or judgment of any Court or Tribunal in India.
  • To respond to any medical emergency.

The above said first two exceptions are thought-provoking as to why personal data is being allowed to be processed by the government without consent, as there are instances when the

data and privacy of individuals of the member states. It is an open convention to which any country can apply to accede, not just restricted to the European countries. There are 47 signatories and 55 ratifying countries, of which the non-European countries are – Argentina, Cape Verde, Mauritius, Mexico, Morocco, Senegal, Tunisia and Uruguay. It is the first international instrument which binds its members to protect individuals from the abuses which may arise from the collection and processing of personal data and to regulate the transfer and flow of personal data. It also prohibits the processing of sensitive data or personal data in the absence of proper legal safeguards. This convention restricts member countries from transferring data from one state to another state where the legal regulation does not provide equivalent protection. In 2008 the convention was updated to address the new challenges posed by new information and communication technologies, and is called Modern Convention 108+. So far 26 COE members and 1 non-member State have signed the amending protocol. The amended convention requires:

  • Prompt data breach notification.
  • Establishment of a National Supervisory Authority to ensure compliance.
  • Transfer of data to a non-member State only when the data is sufficiently protected.
  • Proportionality and data minimization.

10.2 General Data Protection Regulations

It is a set of rules and regulations in the European Union on data protection, privacy and the transfer of personal data outside the European Union. It is said to be the strictest law on data protection in the world. The official text and regulation of the directive were published in May 2016. It applies to all organizations operating in the European Union member states, and it gives the individual control over their personal data. The right to privacy is a part of the 1950 European Convention on Human Rights, which states “everyone has the right to respect for his private and family life, his home and his correspondence”.

Principles

The regulations are based on certain principles which are stated under Article 5.1 – 2, which are as follows:

  • Data processing must be lawful, fair and transparent to the data subjects.
  • Data must be processed for a legitimate purpose which must be specified to the data subjects specifically.
  • Data should be collected and processed only as much as absolutely necessary.
  • Data must be correct and up to date.
  • Data must be stored as long as necessary for the specified purpose.
  • Data collectors are responsible for compliance with the Regulations.
  • Appropriate security, integrity and confidentiality should be maintained while processing the data.

Consent of the data principal is of utmost importance for data processing, and failure to obtain consent will attract hefty fines and penalties. Penalties for violating the Regulations are very high. There are two tiers of administrative fine for non-compliance with the Regulations, which are –

  • Up to € 20 million or, in case of an Undertaking, 4% of annual global turnover, whichever is higher.
  • Up to € 10 million or, in case of an Undertaking, 2% of annual global turnover, whichever is higher.

Few Cases of Fine Imposed Under General Data Protection Regulation

Google – On 21st January 2019 the French National Commission on Information and Liberty (CNIL) fined Google €50 million for the violation of:

  • Article 5 – Principles relating to the processing of personal data (for ad targeting).
  • Article 6 – Lawfulness of processing.
  • Article 13 – Information to be provided where personal data are collected from the data subjects.

British Airways – In July 2019 the ICO (Information Commissioner's Office) of the United Kingdom, which reports directly to the Parliament, announced its intention to issue a fine of € 204 million to British Airways, which if proved would be the biggest fine in the world relating to personal data protection. In this case the British Airways website diverted users' traffic to a hacker's website, which resulted in the hacker stealing the personal data of more than 500,000 users.

under the definition of an intermediary and is obliged to ensure the security of the data collected and is liable for the loss of it under the intermediary guidelines. So far 90 million people have downloaded the application. The government has said that the personal data of individuals will be deleted once the epidemic is over. Countries like South Korea and Singapore have already enacted privacy laws, and under them have specific conditions for contact tracing applications issued to track the spread of the virus. India, since it has not enacted a specific data protection law, is facing transparency issues.

12. Conclusion

The personal data of individuals, if put to proper and ethical use, can benefit the nation as a whole. Data collected from individuals helps in various types of research and analysis of the cause and effect of many important things, like government plans and policies. We are all on the verge of seeing self-driven cars and home deliveries through drones, and are already witnessing virtual assistants in our phones and epidemic management and control through applications, all of which are a part of artificial intelligence, which needs a lot of data to work. India, being the second most populated country in the world, has a lot of personal data to secure from unauthorized hands. When private data gets into the wrong hands it can result in financial losses, mental distress and breach of the right to privacy. A data breach in the hands of the government can put secret information in the hands of an enemy state. On a macro level, unauthorized collection and transfer of data by entities to other states may give those states a competitive advantage or an upper hand in the future with reference to upcoming revolutionary technologies like artificial intelligence. So a specific legislation dealing with the issues of data protection should be constructed as soon as possible. In its absence, the data collecting entities operate without much regulation and hamper the fundamental right to privacy.
