Data Protection Regime in India – The Guardian of Right to Privacy

In the past five years, there has been an ocean change in the World’s perspective towards Data Protection and Data Privacy. Thanks to the General Data Protection Regulations(GDPR), which was rolled out by the European Union(EU) and also, to the several global issues that concerned Social Media giants intruding into their digital consumer’s private information for purposes such as targeted advertisements, electoral behavior study, et al. It was about the same time that India was taking the first step towards assuring to its citizens – “The Right to Privacy” as a Fundamental right that can be claimed against the State as a positive right, negative right and as a horizontal claim of right against the non-State actors. The Puttaswamy Case the judgment had only raised further questions and apprehensions than actually resolving the issues and doubts because when the judgment was passed, India’s regime of laws for Informational privacy was at its nascent stage and unclaimed.

The technologically developed countries like the member States of the EU had enacted their legislation for Protection of Data Privacy almost two decades ago and are now weighing the possibilities of strengthening them in the due course by way of harmonization of the rules and expanding the scope of application. Whereas, in India, except for the ‘Rules of the Professional Code of Conduct’ and the ‘Information Technology Rules of 2011’ that touches upon the need for protection of Sensitive Personal Information and the need for mandating Privacy policies for Data collectors, there has not been any specific and specialized legislations to uphold the privacy rights of the digitally inclined citizens and neither has there been a protective legislations to safeguard the seclusion and autonomy of an individual in the cyberspace.

Need for Privacy in the Digital World

The autonomy of an individual is at her disposal, and she alone has the exclusive rights upon her body and her personal information. Privacy as a right is more expressed in the policy papers, than actually existing as an individual’s rightful claim against the vicious digital expropriations. 

‘Knowledge is Power’ and ‘Information is Wealth’. These mantras have been taken up way too seriously by the eagles of cyberspace, who are raking in profits by merely spying, hacking, mining, and stealing other persons’ personal and non-relevant information that are randomly available in the World Wide Web. 

Suppose, a person wants to apply for a loan, then she needs to depend on a random Search Engine for comparing and choosing a financial institution that best suits her. But, during the course of her search – without her knowledge and authorization, the information that she is keen on applying for a loan is spread like a wildfire. She is bombarded with phone calls, emails, and whatnot from several financial institutions that are by now aware of her name, phone number, nature of the loan that she is interested in taking up, and sometimes they are even aware of her income and eligibility for the proposed loan! Thanks to the hidden cookies that were present in the search engine. This is happening to each and every internet user today, yet how many of us are formally complaining?      

 The above illustration may seemingly be innocuous, but the affected person fails to look beyond the mere disturbances and intrusions – Who are these watchers? ; How do you filter an individual’s data? ; Why do they track an individual? ; What if the search was for a more intimate and sensitive matter, that is commercially viable and personally demeaning? Would that also be preyed on in the same manner? 

A foolproof Data Privacy Legislation: The Need of the Hour

Infringement of Privacy rights in the digital world is a major issue and the respective safeguarding legislation must be water-tight enough to secure protection against unauthorized Data Processing. In India, presently, the Personal Data Protection Bill (hereinafter, referred to as the PDP Bill) is yet to be enacted into legislation. The PDP Bill is predominantly modeled based on the EU’s GDPR for various socio-economic reasons. Yet there are certain differences, or, maybe practical difficulties that blatantly makes the latter a step ahead of the former, As already pointed out, India is the latest entrant in passing a Data Privacy Act (still underway), and therefore it is notably a humongous task to lay down a stringent enactment and enforcement of the same in a boundaryless jurisdiction.

The Personal Data Protection Bill: An Overview

The Personal Data Protection Bill (PDP Bill), although proposed to be novel legislation from the Indian perspective, has been framed in a constrained manner, fearing loss and isolation in the global e-commerce sector. Still, the Bill is vague on concepts like “Right to erasure” and factors to improve or eliminate consent fatigue, which are the weakest links that would result in the ineffective implementation of the Legislation. The Joint Parliamentary Committee has also recently recommended including the non-personal data within the purview of the Data Protection enactment, thereby increasing the powers and functions of the Data Protection Authority in filtering and segregating the data.

On the other hand, Cyberspace giants – both the technologically developed nations and the Non-state actors are insisting on relaxing the Data Localization policies and insist on not mandating duplication of personal data collected, stored, and processed via servers located outside India. Most social media processors and sensitive personal information processors like healthcare and spyware companies will be hit badly if the Indian laws insist them to duplicate data to be stored locally in a server within the Indian Territory.

The necessity in implementing a fail-proof Data Protection Regulations in India by means of strong Data Localisation policies for all forms of personal data of the Indian Citizens is not only for social and economic reasons but also imbibes in itself a political and human rights perspective. Though such a measure would involve a negative socio-economic impact, the idea is not impossible. When nations like Germany and Sweden have taken a giant leap in securing their citizen’s data and protecting their rights in a very strong way, then why not India? 

Impact of a Strong Legislation

Infringement of Privacy rights in the digital world is a major issue and the respective safeguarding legislation must be water-tight enough to secure protection against unauthorized Data Processors. In India, presently, the PDP Bill that is yet to be enacted into legislation is predominantly modeled based on the EU’s GDPR for various socio-economic reasons. Yet, certain clarity is imminently required in the inability of our Courts and the lawmakers to create a rigid framework for Data Localisation; Server restrictions and the “Right to be forgotten” on par with that of the developed nations. India’s position on the legislative competence and the Judge-made laws with regard to ensuring privacy rights lacks universality and clarity. If these are taken care of, by routing for a procedurally strong enactment, then India can ground its Data Sovereignty and also it shall strengthen the country’s position in the international arena. 

Conclusion

The autonomy of an individual is at his or her disposal, and she or he alone has the exclusive rights upon her body and her personal information. Privacy as a right is more expressed in the policy papers, than actually existing as an individual’s rightful claim against the vicious digital expropriations. The present global situation preys on individual’s processed information, as “data” is considered as the new “oil”. An individual’s personal information gets processed and transmitted in the global market without her knowledge or consent, and such data leakage has the potential to take shape of dangerous impacts, such as one’s future prospects on personal and professional life may be at stake because of an irrelevant Data leak. 

The corporate giants, the ones like the controversial body corporate M/s. Cambridge Analytica, who in collaboration with Facebook Applications, had raked in moolah by merely spying, hacking, mining, and stealing their subscriber’s personal and non-relevant information that was randomly available in the Social media and the World Wide Web.

If such mishaps should not happen evermore, then it is high time for the Indian Lawmakers and Courts to awaken, arise and act immediately and eminently in securing citizen’s data before it is too late. Because once a data leak takes place, then the retraction of the same would become very cumbersome and near impossible. 

This article was written and submitted by Sangeetha Lakshmi, as a part of Tsaaro’s Blog Writing Competition.