The Theme
We are living in an era where the protection of personal data has become inescapable. Countries all over the world are updating their laws for processing data. Up till now, India has used the Information Technology Act, 2000 and other general laws to ensure data protection. Presently Personal Data Protection Bill, 2018 has been introduced and once passed will come into force. In 2018 itself European Union has passed GDPR which is considered to be the most comprehensive law on data protection till date.
Rights of data subjects[1]provided under the GDPR make it a very consumer-friendly regulation. E.g.- Disclosure or access to own personal data, right to data portability, right to be forgotten, right to restrict processing of personal data, right to rectification, right to object or processing of data and right to object to automatic decision making by using Artificial Intelligence.
In this article, we will have an overview of data protection laws internationally.
In most countries, the protection of personal data has been addressed by standard contractual clause but in the current scenario when the repercussions of infringement of data privacy are hazardous, we need special laws to address this issue.
The problem
The need to strengthen data protection laws was felt due to some massive mishaps due to leakage of data and the data fiduciaries[2] and data subjects suffered irreparable loss which may never be possible to calculate. E.g. of cases:- Marriot, Yahoo, JP Morgan, Uber and the list goes on. These mishaps have affected millions of users. The other aspect is the right to privacy of the data subject which is a basic human right. In India it is recognized as a fundamental right.
A large part of our essential work is conducted online, whether it is banking, shopping or other transactions. This gives rise to the possibility of misusing personal data. To avoid this we need to place the responsibility to an Authority and establish security safeguards. The data shared with the government, if breached can result in identity theft[3]. As a result not only the data subject will suffer loss her/his other fundamental rights can also be infringed.
Provisions which are significantly placed in the data protection laws are:-
• the guidelines for obtaining consent of the data subject;
• transfer of data from one country to another, and;
• the establishment of Authority for data protection.
The mandatory requirement for obtaining consent of the data subject for processing their data has to be explicit. Mere action or silence cannot be considered as consent. The consent has to be free as defined under the Indian Contract Act, 1872. These features of free consent are universally accepted.
Having a look at the GDPR we find an important feature that empowers data subject with the 'right to be forgotten, which means that the data subject can ask for the deletion of her/his personal infromation from any record. The Authority for governing the data protection laws has to ensure its implementation. However, there are many exceptions to this rule, e.g.-- ECJ[4] has ruled in favor of Google that they do not need to comply with the request of deletion of data outside the EU[5] if the request is raised by an EU citizen.
India, working towards it
In an interesting development even though the right to be forgotten has not yet become a law in India, the Delhi High Court has passed orders in Luv Ranjan and Subodh Gupta case directing social networking sites, e.g- twitter, Instagram, Facebook etc. to erase the data of the petitioners and take it off their sites. The Court opined that after the data is no more relevant it must not be further transmitted. The networking sites must practice due diligence when transmitting data otherwise they will be held liable. Section 79 and 69 of the Information technology Act, 2000 provides the basis for such ruling. The petitioners had also argued infringement of their right to privacy. In the mentioned cases, during the #metoo movement 2018, film Directors Luv Ranjan and Subodh Sharma were accused of sexual harassment and the details of the accusations still existed on social media and the petitioners alleged that the information was constantly defaming them.
An idea about laws
The general concept in data protection laws is that the data has to be stored locally and transferred only when relevant guidelines are met. To govern these regulations Data Protection Officers are to be appointed by every data fiduciary and necessary powers are given to them.
Who is regulated?
• The companies which have high amount of revenues.
• Companies that buy and sell data extensively.
• When a large portion of the company's revenue comes from selling data.
• Companies that used data for selling goods and services.
• Applies on entities that are covered business or are allied with a covered business.
Who is protected?
• Data subjects.
• Residents.
• Travelling residents.
• Tourists.
• Customers of household goods or services, employees, business to business transactions.
What Information is protected?
• Personal information that identifies and is capable of being associated with any person.
• It does not include publicly available information.
• Special categories of personal information can be processed only when justifiable legal grounds exist.
• Information linked at the household or device level.
• Anonymous data is not considered as personal data but pseudonymous[6] data is. Technical controls are required to prevent pseudonymous data.
Data relating to children
• Parental consent is required for processing all information of children under the age of 13 years.
• More stringent security measures are imposed.
Non-discrimination
As a general principle data subjects cannot be discriminated on the ground that they have practiced their right of data protection.
Responding to requests regarding protection of personal data
• The data protection authority has to respond to any such request within a specified time. In case of refusal the authority has to give valid reasons.
• Penalties are imposed on the authority if they do not comply with the timeline.
• Some countries provide data fiduciaries with a chance to cure violations of data related laws and in case of failure they can be penalized.
• The courts can impose injunctive or declaratory relief in case of any violations.
• Any violations will attract economic liability.
Conclusion
With time data protection laws are becoming more stringent. However, the government of a country has total control over any data and the control is given through exceptions to any rule. If a case falls within any of the exceptions then any personal data can be processed overriding the data subjects consent. These exceptions can be interpreted widely.
The data subjects must be vigilant since any information in the public domain can be accessed by anyone.
The personal information provided to banks, companies or any authority needs to be monitored closely so even in case of breach the data subject is least impacted. We also need to keep in mind that in case our personal information is leaked and we suffer losses we may never get adequate compensation. Unfortunately, the measures to safeguard data are very costly and it will be difficult for small businesses to comply with them. The result of this might be breach in compliance or the loss of small industries. We hope that strong measures are taken so any data breach is avoided.
[1] Any person whose personal data is being collected, held or processed.
[2] Anyone collecting or using our data is a data fiduciary.
[3] The fraudulent practice of using another person's name and personal information in order to obtain credit, loans, etc.
[4] European Court of Justice
[5] European Union
[6] De-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.
Join LAWyersClubIndia's network for daily News Updates, Judgment Summaries, Articles, Forum Threads, Online Law Courses, and MUCH MORE!!"
Tags :others