Data protection laws refers to a set of privacy laws, rules, and processes aimed at limiting the amount of personal data collected, stored, and disseminated that intrudes on one’s privacy. Personal data is any data or information related to the individual through which they can be identified, whether collected by the government, private agencies or any other organization. India is one of the world’s largest democracies, but there is currently no proper law in place to address the critical issue of privacy in the country. In 2018, post a Supreme Court ruling of 2017 judgment in the case of Puttuswamy v Union of India stating right to privacy a fundamental right, the Personal Data Protection (PDP) Bill, a draft of a new law to monitor data privacy in India, was introduced in Parliament. Both houses of the Indian parliament recently granted the joint parliamentary committee a fourth extension to submit its report on the Personal Data Protection Bill, 2019. The bill had been referred to a joint parliamentary committee comprising of members from both chambers of the Indian Parliament, which was anticipated to submit its findings by April 2020. However, more than a year and several extensions later the joint parliamentary committee has failed to report its final submission. With every round of extension and further delay to the PDP Bill, concern for data protection and privacy has intensified. How does another extension and further delay in the legislation of data protection laws affect India?
How is data presently protected in India?
Presently India does not have any explicit data protection laws nor do we have fundamental right to privacy distinctly granted in the constitution. However, the courts have interpreted the right to privacy into other existing fundamental rights[1], such as freedom of speech and expression under Article 19(1)(a) of the Indian Constitution and the right to life and personal liberty under Article 21. Nonetheless the Indian Constitution’s Fundamental Rights are subject to reasonable restrictions imposed by the state under Article 19(2) of the Constitution[2]. Information Technology Act, 2000 and the Indian Contract Act, 1872 are the laws governing data protection currently.
Concerns such as financial compensation and criminal penalties for unlawful disclosure and exploitation of personal data, as well as violations of contractual agreements relating to personal data, are addressed under the (Indian) Information Technology Act, 2000.[3] IT Act has certain provisions against misuse of personal data of an individual, for instance, a body corporate that is in possession, dealing, or handling any sensitive personal data or information and is negligent in implementing and maintaining reasonable security practises, resulting in wrongful loss or gain to any person, may be held liable to pay damages to the person who has been affected under section 43A of the (Indian) Information Technology Act, 2000.[4]
The IT Amendment Act, 2008 has substituted certain sections and inserted new sections among many such as compensation for failure to protect data, punishment for violation for privacy, punishment for cyber terrorism, punishment for publishing or transmitting obscene material in electronic form, preservation and retention of information by intermediaries.[5] Section 10A of the IT Act, which deals with the legality of contracts created using electronic means, states that contracts formed through electronic means must not be regarded to be unenforceable solely on the ground that such electronic form or method was utilized for that purpose.
The government has also released the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules address the protection of “sensitive personal data or information of a person,” which includes personal information such as passwords, financial information, physical or psychological health conditions, medical records, biometric information or sexual orientation.[6]
Need for Data Protection Law in India-
Data protection laws are very much disparaged in India. Since completely private bodies do not constitute “state” within the meaning of Article 12, the Indian constitution does not now allow writ remedies against them[7]. This means that under Indian law, there is now very limited recourse available in cases when a totally private body infringes a citizen’s right to privacy.
As of now there is barely any legislation to respect the idea of consent of the user. Social media and other platforms continuously exploit personal data in the garb of consumer’s consent. These platforms are well aware of the fact that they need consent from the user to access their data and to pursue their gimmick, they produce an illusion that the user is unable to escape or obtain. Because of the user’s ignorance combined with a lack of attention and time, they use exploitative terms and conditions that are so subtly hidden among the general terms that a layman agrees to all of them without ever reading them.[8] A data protection law has the potential to provide a clear legal basis for our entitlements reasonably expected to arise from our fundamental right to privacy, that defines what is permissible and what is not, clarifies the scope of our fundamental right to privacy, and describing what data fiduciaries can do with our personal data.
Secondly, the Apex Court has already now ruled the right to privacy a fundamental right and the ruling itself is not enough and needs a clear interpretation through enacted legislation. Because of the absence of a data protection regulation in place, it is hard to tell what rights we have, rendering the fundamental right to privacy practically meaningless. Not just that people are not aware of their rights, it also augments irrationality across the courts established by law. For instance, in the lack of a data protection statute, courts have adopted differing positions on the breadth of fundamental aspects of privacy, such as the right to be forgotten.
One of the most important concerns is the escalated use of online platforms during the pandemic and most of the businesses have shifted online, in such case it is only fair and about time that people have remedies in case their rights are infringed. As much as the government’s endeavour towards technological adoption and data-driven governance is appreciated, it also risks unregulated data of millions of citizens of the country.
Conclusion-
Four years have passed since the Puttuswamy v Union of India judgment and obviously the government has failed in enactment and implementation of an effective privacy law. The right to privacy is meaningless unless we can properly enforce it, therefore it remains an ineffectual right that does not provide enough incentive for corporations or the government to respect our privacy. The delay in the enactment of proper legislations by the government, four years after the Court’s ruling of right to privacy being a fundamental right is a violation of citizen’s right to privacy in itself. However, it should also be noted that the enactment of the PDP bill is not enough, even after its enactment from the Parliament and presidential assent, the bigger challenge would be the implementation of as complex a set of laws as the Personal Data Protection Bill. The pandemic bears its own set of challenges when it comes to getting remedies for violation of one’s rights, it is important that the bill is made accessible and effective at the same time.
Cyber Law- How the absence of data protection law is affecting India?
Written By- Anamika Singh, Semester II, NUSRL Ranchi.
[1] Puttuswamy v. Union of India, (2017) 10 SCC 1
[2] INDIA CONST. art. 19, cl. 2.
[3] Information Technology Act, 2000
[4] Information Technology Act, 2000, § 43, No. 21, Acts of Parliament, 2000.
[5] Information Technology Amendment Act, 2008
[6] Information Technology Act, 2000, No. 21, Acts of Parliament, 2000.
[7] “Privacy delayed is privacy denied”, https://thewire.in/, (last visited July 31, 2021)
[8] “Need For Data Protection Laws In India: Analysis Of The Exploitation Of Personal Data By Whatsapp And Other Social Media Platforms”, https://www.mondaq.com, (last visited July 31, 2021).