Key Takeaways
- The phrase “Right to Privacy” first arose in Indian law in the late 1800s.
- The Data Protection Bill, 2021 created a Data Protection Authority to ensure data fiduciaries are acting legally in India.
- The DP Bill covers the processing of personal data, sensitive personal data, and financial data that can be used to identify an account opened by a data fiduciary.
- The data protection bill proposes a Data Protection Board with members appointed and fired by the government, rather than providing safeguards or independent review. Landmark cases have ruled that the “Right to Privacy” is a necessary component of our Constitution.
- Data fiduciaries must be aware and notify the data principal when data is acquired, and must only handle children’s personal data in ways that uphold their rights.
- The government has since withdrawn the Personal Data Protection Bill, 2021 due to opposition from technology companies, decision-makers, and privacy advocates. A new bill was put in place in 2022.
Introduction
When a local British court upheld a pardanashin woman’s right to go to her balcony without worrying that someone could be watching her from the street, the phrase “Right to Privacy” first arose in Indian law in the late 1800s. Although the right to privacy is not explicitly recognised by the Indian Constitution, this area of law has developed since Article 21’s interpretation of the Constitution. The Constitution’s Article 21 states that “No person shall be deprived of his life or personal liberty except in accordance with the procedure established by law.”
In December 2019, India introduced the Personal Data Protection Bill (PDPB) for the first time, following the lead of many other key countries around the world. In the two years since then, the Bill has undergone some substantial revisions. The most important one is the addition of many phrases that would apply to non-personal data.
The Data Protection Bill 2021 was enacted into law as the Data Protection Act 2021. The obligations of data fiduciaries (data handlers), the rights of principals (data subjects), and the penalties for noncompliance are described.
The Data Protection Bill creates a Data Protection Authority to enforce the law and ensure that all data fiduciaries operating in India or working with Indian residents’ data are acting legally. The IT Act 2000 is currently in place, but technology has advanced tenfold since then, leaving a gap in the law when it comes to addressing issues with social media and data collection on Indian individuals online.
The Bill and Financial Data
The DP Bill covers the processing of personal data that was gathered, shared, or used in any other way within India, by the State or State bodies, Indian corporations, or by Indian citizens. Personal information is described as information about or pertaining to a natural person who may be identified directly or indirectly by one or more characteristics of their identification.
Sensitive personal data is additionally recognised and is subject to higher standards. Financial data is anything that can be used to identify an account opened by a data fiduciary, a card or other payment instrument issued by a financial institution, or any other number or piece of personal information. If the processing of the personal data is related to any business or activity that involves providing goods or services to people in India or the profiling of data subjects in India, the processing must be done by organisations based outside of India.
The Bill also grants the Central Government the authority to exempt from the Bill's application the processing of personal data belonging to data principals outside of India that is done in accordance with a contract that a data processor has with any person or business incorporated outside of India.
Principal duty of data controllers
The DP Bill introduces the idea of a data fiduciary, which refers to the organisation that chooses how or why to process the personal data of the data principal. This includes data storage, modification, retrieval, distribution, and erasure or destruction.
It establishes numerous requirements on data fiduciaries with regard to the gathering and processing of personal data, such as being aware and notifying the data principal when the data is being acquired.
The notice for processing personal data should outline the different purposes for processing, the nature and categories of the personal data that was collected, the identity of the data fiduciary (including its data trust score, if applicable), the contact information for the data protection officer (DPO), the rights of the data principal, information about sharing, cross-border transfer, and retention of personal data, the grievance procedure, and any other relevant information.
Data fiduciaries must use secure encryption and de-identification techniques, come up with strategies to prevent abuse, loss, destruction, or unauthorised access to personal data, and regularly evaluate their protection procedures.
Scope and Effect on Public
The present measure provides the government with authority to exempt itself from complying with data privacy rules for nebulous and overbroad reasons, such as interests in India’s sovereignty and integrity, security of the state, friendly relations with foreign states, and maintenance of public order. It does not specify criteria for integrity, sovereignty, or positive relations with other countries.
A data principal is considered a “child” under the definition of the DP Bill if they are under the age of 18, which is older than the majority of other jurisdictions. To process a child’s personal information, all data fiduciaries are required to confirm the child’s age and acquire parental consent in accordance with the rules.
The Bill also forbids all data fiduciaries from profiling, tracking, monitoring children’s behaviour, or targeting advertisements to them, as well as from engaging in any other processing of personal data that could materially harm children. Instead, data fiduciaries are only allowed to handle children’s personal data in ways that uphold their rights.
The data protection bill proposes a Data Protection Board whose members would be appointed and fired, and whose terms and conditions of employment would be set by the government, rather than providing safeguards or independent review of these governmental authorities.
Landmark cases
- Nine judges of the Supreme Court bench ruled that the "Right to Privacy" is a necessary component of our Constitution in the case of Justice K.S. Puttaswamy v. UOI. The Attorney General remarked that although previous judgments had acknowledged the existence of the "Right to Privacy," they had not explicitly recognized it as such. This decision was made in the case of Justice K.S. Puttaswamy v. UOI (2017 10 SCC), where a five-judge bench expressed their desire for a nine-judge panel to first establish whether "the Right to Privacy" is a fundamental right before addressing the primary issue pertaining to Aadhaar.
- In Ratanlal v. State of Madhya Pradesh (Dec 17, 1970), the Madhya Pradesh High Court decided that police must have a legitimate basis before they can access someone’s phone history. The court established restrictions on government access to personal data in recognition of the need for privacy protection.
Spyware around Us
- The Israeli business NSO Group created India Pegasus, a monitoring programme used by the Indian government to spy on journalists, activists, politicians, and government employees. The usage of the spyware has not been acknowledged or disputed by the Indian government, which has maintained that all surveillance operations are carried out in accordance with laws and regulations. To preserve people's privacy and fundamental rights, the case has spurred discussions about data protection legislation, strict supervision procedures, and transparency in surveillance practices.
- The bulk telephony metadata collection by the National Security Agency under Section 215 was made public by the USA PATRIOT Act, which was passed in 2013. Privacy issues and discussions on how to strike a balance between personal privacy and national security arose as a result. The revelations made by Edward Snowden in 2013 provided more insight into this issue.
Conclusion
A comprehensive legal framework “designed to address all of the contemporary and future challenges of the digital ecosystem” will soon replace the contentious Personal Data Protection Bill, 2021, according to the government, which has since withdrawn it. A new bill was put in place in 2022 for further approval.
Although the law of 2021 undoubtedly marked a turning point in India’s history of data protection, revisions are welcome. The decision to withdraw is considered a response to the persistent opposition from national and international technology companies, decision-makers, and privacy advocates to the legislation that was initially proposed as a “privacy bill” in 2017.