In 2017, A nine-member Supreme Court bench unanimously ruled that Article 21 of Indian constitution guaranteed a fundamental right to privacy for every citizen. This landmark ruling in Justice (Retd.) KS Puttaswamy v. Union of India is also popularly known as the Aadhaar Case. And Justice Dr DY Chandrachud held that “Informational privacy is a facet of the right to privacy” and that the “dangers to privacy in an age of information can originate not only from the state but from non-state actors as well”.
Currently, India does not have a specific legislation enacted primarily for data protection. Data breach from computer systems, including payment of compensation and punishment in case of wrongful disclosure and misuse of personal data, are governed by the Information Technology Act, 2000, specifically Sections 43-A and 72-A therein. The collection and disclosure of sensitive personal data or information are laid out under the Information technology Rules 2011. On September 26, 2018, the Supreme Court asked the government to set robust data protection rules. Thereby, the Ministry of Electronics and Information Technology (MeitY) and Government of India (GoI) constituted a committee of experts under the chairmanship of the retired Supreme Court judge Justice B. N. Srikrishna. This committee was entrusted with the responsibility of identifying lapses in the present data protection regulations and preparing more robust and comprehensive data protection laws.
The Personal Data Protection Bill, 2019 (PDP Bill) has been tabled before the Lok Sabha and is yet to be enacted. This bill ensures protection of individuals’ personal data and regulates the collection, usage, transfer and disclosure of the said data. It also proposes to create an independent new Indian regulatory authority, the Data Protection Authority (DPA), to carry out this law.
The Bill introduces the concepts of ‘Data Fiduciary’ and ‘Data Principal’ and places greater reliance on ‘Obligations of Data Fiduciary’ and ‘Consent of the Data Principal’. Data Fiduciary has been defined as any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data and Data Principal is the natural person to whom the personal data relates.
As per Section 4, personal data is to be processed only for a specific, clear and lawful purpose and in a manner, which ensures privacy of the Data Principal. The Data Principal is to be given notice of the purpose for which the personal data is to be processed and several other details regarding withdrawal of consent. Section 11 of the Bill emphasises upon the consent of the Data Principal, which is a prerequisite for processing any personal data. Processing of ‘Sensitive Personal Data’ like biometric data mandates additional safeguards like storage of information locally in India. Data fiduciary must take steps to ensure that ‘Critical personal data’ is not transferred out of India. Data breaches must be notified immediately to the Authority by data fiduciaries.
The bill gives the DPA the power to fine any business that does not comply with the bill or the regulations made by either the DPA or the government. The maximum amount of penalties that can be imposed is 150 million Indian rupees (about $2.1 million), or 4 percent of the global turnover of the firm in the preceding financial year.
This extract from 2017 judgement aptly summarizes the need of having a strong privacy bill which safeguards and protects user data. “It was rightly expressed on behalf of the petitioners that the technology has made it possible to enter a citizen’s house without knocking at his/her door and this is equally possible both by the State and non-State actors. It is an individual’s choice as to who enters his house, how he lives and in what relationship. The privacy of the home must protect the family, marriage, procreation and sexual orientation which are all important aspects of dignity.”
However, one must bear in mind that while there is an imperative need for a strong law to protect the rights of digital users; it is extremely important to build a mindset of a healthy & responsible user. So, while the law may state that it is a violation of privacy to enter one’s home without knocking at the door; it is the responsibility of the user to lock the door. Hence, simple steps go a long way staying secure and maintaining privacy like keeping strong passwords, downloading apps from trusted sources like Google Play store, not signing up as a user unless it’s a necessity, disabling unwarranted permissions to apps, creating another account instead of signing up via google or facebook account etc.