Updated: May 25
The right to privacy is a fundamental right enshrined in many constitutions around the world, as well as in international human rights law. The right to privacy is multi-faceted, and one facet that is increasingly relevant to people’s lives is the protection of individuals’ data. Protecting privacy in the digital age is essential to effective and good democratic governance. However, despite increasing recognition and awareness of data protection and the right to privacy across the world, there is still a lack of legal and institutional frameworks, processes, and infrastructure to support the protection of data and privacy rights. At the same time, the increasing volume and use of personal data, together with the emergence of technologies enabling new ways of processing and using it, mean that an effective data protection framework is more important than ever.
Sharing data may bring benefits, and it has often become necessary for carrying out everyday tasks and interacting with people in today’s society. But it is not without risks. Our personal data reveals a lot about us, our thoughts, and our lives. This data can easily be exploited to harm us, and that is especially dangerous for vulnerable individuals and communities, such as journalists, activists, human rights defenders, and members of oppressed and marginalized groups. That is why this data must be strictly protected.
A strong data protection framework can empower individuals, restrain harmful data practices, and limit data exploitation. It is essential to provide the much-needed governance frameworks nationally and globally to ensure that individuals have strong rights over their data, that stringent obligations are imposed on those processing personal data (in both the public and private sectors), and that strong enforcement powers can be used against those who breach these obligations and protections. Protecting data privacy is essential, and the majority of states have adopted some form of protection; however, frameworks are often inadequate and have not kept up with modern uses of data and the challenges they pose. Data protection laws need to be updated to face emerging challenges. For the last three decades, Privacy International has been promoting and advocating for the right to privacy and, through the Privacy International Network, we have been calling for the adoption and enforcement of the strongest data protection safeguards across the world. Over the years, some of these issues have expanded and some entirely new ones have emerged: the dominant narratives we are challenging have evolved and new actors, both allies and adversaries, have entered our scope of intervention.
The Concept of Data
Generally, data means information, and this information may be in the form of text documents, images, audio clips, software programs, etc.
Section 2(1)(o) of the Information Technology Act, 2000 (the “IT Act”) defines "data" to mean “a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.” The electronic consent framework furnished by the Digital Locker Authority defines “data” to mean “any electronic information that is held by a public or private service provider (like a government service department, a bank, a document repository, etc.) and may include both static documents as well as transactional documents”. However, the concept of data is not restricted to electronic information; it also extends to information stored in physical form, e.g. on a piece of paper.
Privacy of Data
Over the last couple of years, there has been a substantial increase in the amount of data that is generated through the usage of various electronic devices and applications. Today’s businesses derive a substantial value by analyzing the ‘big data’ and often determine their business strategies based on such analysis. The burning question is ‘do individuals have control over the manner in which information pertaining to them is accessed and processed by others’.
In August 2017, the need for a law on the protection of private data was first recognized by the Supreme Court of India in:
Case: Justice K.S. Puttaswamy v. U.O.I
It explicitly recognized an individual’s fundamental right to privacy and paved the path for foundational legislation on the protection of personal data. The right to privacy of data is one step forward from the right to privacy enshrined in the Indian Constitution under Article 21 (right to life and personal liberty).
Why is Data Protection Needed?
Every time we use a service, buy a product online, register for email, go to the doctor, pay our taxes, or enter into any contract or service request, we have to hand over some of our personal data. Even without our knowledge, data and information about us is being generated and captured by companies and agencies that we are likely to have never knowingly interacted with. The only way citizens and consumers can trust both government and business is through strong data protection practices, with effective legislation to help minimize state and company surveillance, identity theft, cyber impersonation and data exploitation.
There are two main reasons that governments should pursue comprehensive data protection frameworks:
• Laws need to be updated to deal with today’s reality. Ever since the web was created, people have been sharing more and more of their personal information online. In many countries, privacy rules exist and remain important in helping to protect people’s information and human rights, but they are not adapted to the challenges of today’s connected world.
• Corporate co- and self-regulation is not working to protect our data. Around the world, companies and other entities that collect people’s data have long advocated for regulation of privacy and data protection not through binding frameworks but rather through self- or co-regulation mechanisms that offer them greater flexibility. However, despite several attempts, we have yet to see examples of non-binding regimes that are positive for users’ rights (or, indeed, for business as a whole).
As of January 2018, over 100 countries around the world have enacted comprehensive data protection legislation, and around 40 countries are in the process of enacting such laws. Other countries may have privacy laws applying to certain areas, for instance for children or financial records, but do not have a comprehensive law on data protection. In countries where there is no comprehensive data protection framework, data protection, where it is regulated at all, is regulated through sectoral laws.
The concept of data privacy has been covered under the following acts:-
1. IT Act, 2008:-
The Government has provided a legal framework for data protection and privacy through the IT Act.
The IT Act, after its amendments in 2008, is now equipped with multiple provisions catering to data protection, mandatory privacy policies and penalties to be imposed on breach of such privacy policies. The relevant provisions of the IT Act are:
Section 43(a), (b) and (i); Section 43A; Section 66C; Section 66E; Section 72 and Section 72A.
2. IT RULES 2000:-
The IT Rules require a body corporate holding sensitive personal information of users to maintain certain specified security standards. The relevant provisions of the IT Rules are Rule 4, Rule 5, Rule 6 and Rule 8.
3. The Telecom Regulatory Authority Of India
In the process of providing services, the telecom service providers have the ability to gain access to substantial personal information of the service recipient. In order to protect the data of the service recipients, a number of sector-specific rules and regulations have been formulated:
Indian Telegraph Act, 1885 (“Telegraph Act”): Sections 5, 24, 25, 26 and 30 deal with this.
4. Banking Regulators
Section 44 of the State Bank of India Act, 1955
5. Medicine and Healthcare
Sections 13 and 38 of the Mental Health Act, 1987 (“MH Act”)
6. Right to Information Act, 2005 (“RTI Act”)
The RTI Act was enacted to enable private citizens to access information under the control of public authorities so as to promote transparency and accountability in the working of each public authority. Nevertheless, the RTI Act also provides for exceptions, under Section 8(1)(j), to the disclosure of information.
7. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”): Sections 28, 29, 30, 33 and 37. The Government has recently mandated the use of the biometric database Aadhaar to deliver targeted subsidies, benefits and services.
The Aadhaar card has to be applied for by individuals, and the application requires an individual to supply his or her personal data. This card is provided by the Government of India. Recently, the government has mandated that even foreign residents who are taxpayers in India must obtain an Aadhaar card alongside the already existing PAN (Permanent Account Number). Thus, with the recent GDPR coming into force, the data obtained by the Government of India under the Aadhaar system is impacted, especially for EU citizens currently residing in India.
The Aadhaar scheme, which was first introduced as a means of targeted distribution of subsidies, is today being implemented for a range of purposes, including the fight against black money, transaction authentication, and 'know your customer' requirements for banks and telecom companies. Aspects of the Aadhaar Act, such as (i) the security of the Aadhaar system, (ii) the inability of the individual to file complaints (for a violation under the Aadhaar Act) concerning theft or misuse of their data, and (iii) the inability to withdraw or delete one's data once registered with the UIDAI (the government authority handling Aadhaar laws), are under scrutiny in the currently pending litigation before the Supreme Court of India.
What can we do to protect ourselves?
• Use security software on our devices to protect ourselves from the latest threats.
• Protect our accounts with strong, unique passwords that contain a combination of at least 10 uppercase and lowercase letters, symbols, and numbers. Don’t write them down, not even in a password-protected file, but use a good password manager.
• Do not access personal data or social media accounts over unsecured Wi-Fi networks.
• Use a spam filter to filter out the most obvious unsolicited e-mail. Note that the filters are not perfect. They can miss some, or mark a message you did want to receive as spam.
• Think carefully before you click on any links or open unsolicited messages and attachments.
Data Protection Principles
1. Fair, lawful and transparent- the processing of personal data should be lawful and fair and done in a transparent manner.
2. Minimization- the processing of personal data should be adequate, relevant and limited to what is necessary for the purpose for which it is being processed.
3. Integrity and Confidentiality- appropriate measures must be taken to ensure the security of data and systems, and to protect personal data from loss, unauthorized access, destruction, use, modification or disclosure.
4. Accuracy- personal data that is processed should be accurate and complete, and measures should be taken to ensure it is up to date.
5. Purpose limitation- personal data should be processed for a specified, explicit and legitimate purpose, stated at the point of collection, and any further processing should also be compatible with this purpose.
6. Storage limitation- personal data should only be retained for the period of time that is necessary for the purposes for which it was processed.
7. Accountability- those that process personal data must be accountable for demonstrating compliance with the above principles and their obligations, and must facilitate and fulfil the exercise of these rights.
Right to privacy:-
The Constitution of India does not specifically recognize the right to privacy as a fundamental right under Article 21 of the Constitution. Whether the right to privacy is a fundamental right was first considered by the Hon’ble Supreme Court in the case of M.P. Sharma and Others v. Satish Chandra, District Magistrate, and Ors., 1954 AIR 300, wherein the warrants issued for search and seizure under Sections 94 and 96(1) of the CrPC were challenged. The Hon’ble Supreme Court held that the power of search and seizure was not in contravention of any constitutional provisions.
However, although the decision regarding privacy as a fundamental right of individuals, subject to reasonable restrictions, was not directly intended to affect the imposition of the Aadhaar card, it will now have a significant impact on the pending litigation. The outcome of this pending litigation will significantly impact data protection policies in India.
Protection of personal data is intricately linked with privacy, i.e. the right of every person to enjoy his life and liberty without arbitrary interference with his life, family, home or correspondence, though there is no enactment which comprehensively governs data protection in India. The Personal Data Protection Bill, 2019 is aimed at this:
Personal Data Protection Bill, 2019
• The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to provide for the protection of personal data of individuals and establishes a Data Protection Authority for this purpose.
• Applicability: The Bill governs the processing of personal data by (i) government, (ii) companies incorporated in India, and (iii) foreign companies handling personal data of individuals in India. Personal data is data which pertains to characteristics, traits or attributes of identity. The Bill classifies certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religion or politics, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
• Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for a specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of personal data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
• Rights of the individual: The Bill sets out certain rights of the individual (or data principal). These include the right to (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
• Grounds for processing personal data: The Bill allows the processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
• Social media intermediaries: The Bill defines these to include intermediaries which enable online interaction between users and allow the sharing of data. All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
• Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take steps to protect the interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. It will consist of a chairperson and 6 members, with a minimum of 10 years’ expertise in the field of data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
• Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if clearly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should still be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.