
Data protection in India: a bill that will change the game.

  • Writer: Kwame Smith
  • Jan 16, 2021
  • 6 min read

India is one of the world's biggest markets, with numerous consumers of different kinds. In the digitalisation era, each person uses technological products like laptops, PCs, and the most important device of all, the cell phone.


If these devices are connected to the internet, they are able to transmit data over different platforms. Because India is such a big consumer market, it can also be called the biggest generator of data about device usage. This data is provided through websites, mobile applications, different domains, etc., in exchange for any service or consideration that the user is obtaining.


Data is everything for running the economy and for knowing the recent trends that consumers are searching for in the present world. Market conditions are adjusted or manipulated accordingly to meet the demand-supply curve. The big tech companies have been researching the importance of data extensively. In their recent developments, they have built several algorithms that study the data and give the desired outputs according to the users' needs. The algorithms have been updated to such a level that they can even track human behaviors and wants.


In previous times, no one talked about the privacy of the person. Nowadays, however, it is discussed a lot. After the Hon'ble Supreme Court of India gave the Aadhaar verdict, and India's recent development stated the Right to Privacy as a fundamental right (Justice KS Puttaswamy v. Union of India), the privacy of the person had taken a toll.


The data collected by the companies through various resources & devices can be imminently dangerous for the citizens of India as there are no laws for the protection of the privacy of the person. By collecting and selling the data, these companies are growing their business exponentially and harming the person's privacy on various occasions.


At present, there are no laws on the privacy of the person or on data protection.


To a certain extent, the Information Technology Act, 2000 provides a few provisions, as follows:

Section 43A - Compensation for failure to protect data


Where a body corporate, possessing, dealing, or handling any sensitive personal data or information in a computer resource which it owns, controls, or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.


Section 72 - Penalty for breach of confidentiality and privacy


Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Section 72A - Punishment for disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

A few relevant rules can be found in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:


Rule 3 provides a list of items that are to be treated as "sensitive personal data" and includes inter alia information relating to passwords, credit/ debit cards information, biometric information (such as DNA, fingerprints, voice patterns, etc. that are used for authentication purposes), physical, physiological and mental health condition, etc. It is further clarified that any information that is freely available or accessible in the public domain is not considered to be sensitive personal data.

Rule 4 imposes a duty on Body Corporates seeking sensitive personal data to draft a privacy policy and make it easily accessible for people who are providing the information. The privacy policy should be clearly published on the website of the body corporate and should contain details on the type of information that is being collected, the purpose for which it has been collected, and the reasonable security practices that have been undertaken to maintain the confidentiality of such information.

Rule 5 provides the guidelines that need to be followed by a Body Corporate while collecting information and imposes the following duties on the Body Corporate:

1. Obtain consent from the person(s) providing information in writing or by Fax, or by e-mail before collecting such sensitive personal data.

2. Information shall not be collected unless it is for a lawful purpose and is considered necessary for the purpose. The information collected shall be used only for the purpose for which it is collected and shall not be retained for a period longer than which is required;

3. Ensure that the person(s) providing information are aware about the fact that the information is being collected, its purposes & recipients, name and addresses of the agencies retaining and collecting the information;

4. Retain the information for no longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force;

5. Offer the person(s) providing information an opportunity to review the information provided and make corrections, if required;

6. Before collection of the information, provide an option to the person(s) providing information to not provide the information sought;

7. Maintain the security of the information provided; and

8. Designate a Grievance Officer, whose name and contact details should be on the website who shall be responsible to address grievances of information providers expeditiously. A maximum period of one month has been provided for the resolution of such grievances.

Rule 6 provides that a Body Corporate must seek prior permission of the information provider before disclosing such information to a third party. However, no prior permission is required if the request for such information is made by government agencies mandated under law or any other third party by an order under law.

Rule 8 provides the reasonable security processes and procedures that may be implemented by Body Corporates. International Standards (IS / ISO / IEC 27001) is one such standard that can be implemented by a body corporate to maintain data security. It is pertinent to note that an audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year, or as and when the body corporate or a person on its behalf undertakes significant upgradation of its process and computer resource.


These laws and rules are not enough when we are dealing with data protection. We need more efficient laws to curb serious problems.

In an attempt to address this, a bill solely for data protection was passed, named the Personal Data Protection Bill, 2019 (PDP Bill). This bill is based on the recommendations provided by the Justice BN Srikrishna Committee.


Personal Data Protection Bill, 2019

• The bill classifies data in the following manner.

o Personal data like the name and address etc., of the person. It is to be stored only in India. If any foreign nation or company wants the same information, it can be provided to them only in specific conditions.

o Sensitive Personal Data (SPD) like financial status, sex of the person, religion, etc.

o Critical personal data, like the security data of the nation. It must be stored as well as processed only in India.

• The bill eradicates data mirroring, which means copying data from one source to any storage device.

• Social media companies have to develop their own unique verification mechanism.

• An independent regulator, the Data Protection Authority, will be created to take care of regulation and the data audit.

• There will be a Data Protection Officer in each company who will take care of the data as per the laws.

• Purpose Limitation and Collection Limitation apply to the data.

• It grants an individual the right to data portability and to access and transfer one's own data.

• In case of a violation of the data protection laws, there would be a penalty of 5 crores INR or 2% of the worldwide turnover of the company for a minor violation, and 15 crores INR or 4% of the worldwide turnover of the company for serious violations.


Bottom-line


In India, our Hon'ble Apex Court has given the verdict in the Puttaswamy judgment (2017) that the Right to Privacy is a fundamental right. This is the protection provided under Article 21 of the Constitution of India. Personal data protection also comes under this. There is an urgent need to implement the laws, as companies are changing their policies to collect more and more personal data and share or sell it to third-party companies. There is nothing seen for the user. On the other hand, the main basis of the economy's growth in the present era is digitalization and its reach. So, the best laws must both meet the need to protect the privacy of users and aim for the growth of the digital economy.

 
 
 



© Copyright by KINGDOM CHAMBERS, Barristers and Attorneys. Managed by DigiHakk
