INTRODUCTION 

In the current world, information can be said to be the key resource that propels most present-day firms and agencies across diverse fields and disciplines. However, as the use of the Internet and data appliances increases, so does the importance of protecting data, because data loss, cyber threats and non-compliance with rules and regulations create risks to an organisation's reputation, economic performance and regulatory standing. Protecting data against insufficient security is therefore one of the most formidable battles for any organisation that handles data.

The primary objective of data privacy and security is to safeguard the data and, in doing so, to gain the confidence of customers, partners and other stakeholders. This also makes it possible for organisations and companies to provide evidence of their compliance with the legal standards that govern the use and management of data, mostly for business purposes.

To that end, the most effective way to put data privacy and security in place in an organisation is to follow practices that are in line with the legal provisions and with accepted organisational practice. Depending on the nature of an organisation's business and the kind of data it collects, there may be specific data protection laws it must abide by. Different controls are also instituted from the generation of data to its utilisation, across what is known as the data life cycle. These relate to concerns such as data security, access measures, physical and technical controls, methods of data protection and data masking, data classification, compliance checks and incident responses. Furthermore, the organisation should familiarise its employees with the importance of data privacy so that they can recognise and fend off threats to data privacy and adhere to the data protection policies and procedures.

Amid developing technologies and ever-shifting threats, the importance of data protection cannot be overemphasised. It is not just a legal and moral requirement but also a strategic business imperative for remaining competitive and relevant, as customers are beginning to shun businesses that do not protect their details.

Evolution: The protection of personal data is not something new. It dates back to Semayne's case of 1604, which gave reasons why the house of every man is to him as his castle and fortress. The next development concerned the concept of privacy itself, raised in the article "The Right to Privacy" by the learned attorneys Samuel Warren and Louis Brandeis, in which protection of the right to privacy was recognised as a basis of individual freedom in modern liberal society. Much later, in 1984, privacy was formally introduced through legal enactment in the Universal Declaration of Human Rights (UDHR) under Article 12(4). Next came the OECD guidelines on the protection of privacy and trans-border flows of personal data in 1980. Efforts to regulate data privacy in relation to the use of new technologies began as early as 1970 in Germany. The General Data Protection Regulation (GDPR) took effect on May 25, 2018, and dramatically changed the principles of data privacy and protection.

In India, some judgments have recognised privacy as a right, while others never admitted that privacy is a right under Article 21 of the Indian Constitution. The much-publicised case came in 2017, and later in 2018, K. S. Puttaswamy v Union of India declared that the right to privacy falls under the protection of Article 21. We already had some dated provisions in the Information Technology Act (2000), the Indian Penal Code (1860) and other statutes that touched on the right to privacy, but until then there was no standalone, coherent legislation on the matter. After seven years of deliberation and three attempts at privacy legislation, India at last put a foolproof data protection and privacy law into effect on the 9th of August, 2023.

LEGAL FRAMEWORK 

A.    Information Technology Act, 2000 (IT Act) (S. 43A and 72)

The Information Technology Act, 2000, as amended in 2008, introduced the following:

Section 43A of the IT Act stipulates that any body corporate which possesses, deals with or handles any "sensitive personal data or information" is required to implement and maintain reasonable security practices and procedures for the protection of such data. If it is negligent in doing so, it is liable to pay compensation to the person affected.

Section 72A prescribes punishment for any person who, having obtained access to personal information while providing services under a lawful contract, discloses that information without the consent of the person concerned or in breach of that lawful contract.

Subsequently, to give effect to Section 43A of the IT Act, the government notified the 'Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011' ("IT Rules"). Under these Rules, "personal information" means any information that relates to a natural person and which, directly or indirectly, in combination with other information, is capable of identifying that person, i.e. personally identifiable information. "Sensitive personal data or information" is defined as a sub-category of personal information that includes, inter alia, an individual's passwords, financial information, health conditions, biometric information, sexual orientation, etc.

The IT Rules state that a body corporate shall provide a privacy policy which should cover the following:

→ Clear and easily comprehensible statements of its practices and policies.

→ The purpose for which such data is collected and used.

→ The type of data collected (whether personal information or sensitive personal information).

→ The Rules also clarify that if an individual's IP address is to be used for the purpose of collecting such information, the provider's consent regarding the purpose of use has to be obtained in writing or by email.

→ In addition, according to the Rules, the provider's consent regarding the intended purpose of use has to be given in writing or by email before the information is collected.

→ Before collecting any of the above-stipulated data (personal data as well as sensitive personal data), the body corporate has to give the information provider an option not to provide such data and, while availing the services or otherwise, an option to withdraw consent previously given.

→ Any body corporate that discloses any sensitive personal data or personal information to a third party shall have obtained prior consent from the provider of such information.

→ A Grievance Officer has to be appointed by the body corporate, and the name and contact details of the Officer must be published on the body corporate's website.

→ In light of the above, the following is a quick checklist for companies to follow, and for the public to check whether companies are following it before collecting and using their data:

  • Identify and categorise (i) personal, (ii) non-personal and (iii) sensitive personal data.
  • Have a privacy policy.
  • As a general rule, consent must be given in writing, by fax or by e-mail; check for the 'tick box' or 'pop-up' acceptance of the terms and conditions/privacy policy that records the consent.
  • An option not to give information when it is requested by any authority or organisation that is legally allowed to request it.
  • An option to cancel/withdraw information/data previously provided and/or consent previously given.
  • Consent obtained from the provider of information before any collected information is disclosed to third parties.

Advent of data-privacy discussions in India:

It is noteworthy that on the same grounds the Indian Supreme Court delivered its judgment in Justice K S Puttaswamy and Ors vs. UOI and Ors. This was the Aadhaar judgment, which ruled that the right to privacy is a fundamental right encompassed within Article 21 of the Constitution and the liberties guaranteed under Part III of the Constitution.

→ The judgment upheld not only privacy as a fundamental right but also informational privacy as a part of the right to privacy.

→ Information is characterised as nonrival (once it has been used by one user, it can still be used by others).

→ Information (its collection, use, storage and processing) can be covert (the individual may not know that such collection, use, storage or processing is taking place).

→ Information is recombinant: fragments of information obtained from different places can be compiled into an overall picture.

→ The judgment acknowledged that there is a category of information, personal data, which creates a reasonable expectation of privacy and a right to be let alone.

→ Needless to say, the Information Technology Act, 2000, as amended in 2008, already identifies "personal information" and "sensitive personal data or information", and the rule is clear that sensitive personal data or information may be collected or used only if the user has expressly consented to such use, and the user must have the option whether or not to provide such information.

→ The judgment focused on the need for actual consent to the collection, use, retention and processing of information in general.

→ The judgment also made it clear that any intrusion into privacy must be through a legislative enactment in force, and such a law must comply with all constitutional requirements when it imposes reasonable limitations on fundamental rights.

→ The bench referred the matter to the legislature to enact a data protection regime with proper and proportionate regard for individual concerns and the concerns of the state.

B.    IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

In exercise of the powers under Section 87(2) read with Section 43A of the IT Act, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") were issued on 13 April 2011. They relate to sensitive personal data or information and apply to any body corporate or any person, including any individual, located in India.

  • Rule 3 defines sensitive personal data or information: the following types of data or information are considered personal and sensitive: passwords, bank accounts, credit/debit card data, present/past health information, sexuality and fingerprints.
  • An information provider is an individual who submits information to the body corporate. Under these Rules the provider retains some control over the personal information furnished: it cannot be collected without the provider's permission, and the provider has the right to decline to give permission and to withdraw permission already granted by writing to the body corporate.
  • Under Rule 6, a body corporate shall not disclose sensitive personal data or information to any third party without the consent of the information provider. Two exceptions are provided: where disclosure has been agreed to in the contract between the body corporate and the information provider, and where disclosure is necessary for compliance with a legal obligation.
  • The information provider also has the right to review the information provided and to correct it if it is inaccurate.
  • The information collected may be used only for the purpose for which it was collected, and the body corporate may not retain it for longer than is needed to fulfil the lawful purpose for which it was collected.
  • Any grievance or discrepancy raised by the information provider about the information provided must be resolved by the body corporate's grievance officer within one month, and the details of the grievance officer must be published on the body corporate's website.
  • A body corporate may transfer sensitive personal data or information to another body corporate or to a person in or outside India, provided that the recipient applies the same or a similar standard of protection for such data, and provided that the transfer is necessary for the performance of a contract or the provider has consented to it.
  • The Rules also make it compulsory for a body corporate that handles SPDI to establish a privacy policy covering the type of information collected, the purpose of collection, the disclosure policy, the security measures adopted and further procedures, to publish that policy on its website, and to follow reasonable security practices in relation to SPDI. IS/ISO/IEC 27001 (Information Technology – Security Techniques – Information Security Management Systems – Requirements) is one such standard.

C.    Personal Data Protection Bill, 2019

The Bill was introduced in the Lok Sabha in 2019 and was long overdue: gathering data about individuals and their online behaviour has turned into a rather profitable business, but it can also be seen as an intrusion into people's privacy, since it provides insight into very private aspects of their lives. Such data is useful to companies, governments and political parties because it lets them determine which methods are most convincing when promoting websites. The Bill was necessary to prevent the violation of audiences' privacy and the resulting barrage of product advertising. It aims to create legal provisions for the protection of individuals' personal data.

The Bill governs the processing of personal data by:

→ Government

→ Companies incorporated in India

→ Any firm from another country that is processing personal information belonging to citizens of India

Obligations of data fiduciary: According to the Bill, personal data may be processed only for a legitimate purpose of the data fiduciary, and only insofar as the processing is fair and lawful. Additionally, all data fiduciaries must undertake certain transparency and accountability measures, such as:

→ Implementing security safeguards such as encryption of data and prevention of misuse of data.

→ Establishing grievance redressal mechanisms through which individuals can lodge complaints. They must also put in place measures to ensure that the processing of special category data belonging to children complies with the GDPR, including age verification and obtaining the consent of the parents or legal guardians of such children.

Rights of the individual:

→ Obtain correction of inaccurate, incomplete or outdated data relating to the person concerned.

→ Have their personal data transferred to another data fiduciary in certain cases.

→ Restrict the continuing disclosure of their personal data by a fiduciary where it is no longer needed for a purpose permitted under this chapter or where the individual has withdrawn consent.

Grounds for processing personal data: The Bill permits fiduciaries to process data only if the individual has given consent of his or her own free will.

Although personal data can generally be processed only with the individual's consent, there are some exceptions. These include:

→ Where the data is required by the State to provide a benefit to the individual, for court proceedings, or for treatment in a medical emergency.

→ In the exercise of the right to freedom of speech, subject to restrictions in the interest of the security of the state, public order, the sovereignty and integrity of India, and friendly relations with foreign states.

→ For the seizure of any material in respect of which, under section 141, a police officer can arrest without warrant, where such material is likely to be used to incite the commission of an offence.

Exemptions

The government can exempt any of its agencies from the provisions of the Act:

→ For the defence of India, the maintenance of public order, the sovereignty and integrity of the country, and the protection of friendly relations with foreign countries.

→ Where there is a reasonable probability of effecting an arrest for the commission of an offence for which an arrest can be made without a warrant.

Offences

Transferring or processing personal data in a manner that is unlawful under the provisions of the Bill attracts a penalty of Rs 15 crore or four percent of the annual turnover of the fiduciary.

Failure to conduct a data audit attracts a fine of Rs 5 crore or two percent of the annual turnover of the fiduciary, whichever is greater.

Personal Data Protection Bill – Implication on Organizations

Many tasks remain for private organisations, ranging from the technical adjustments needed in their engineering architecture to the redesign of business processes. There is much more to it, but at its core they must set boundaries on data gathering, analysis and retention.

Technical security measures such as de-identification (a process that prevents an individual's identity from being revealed, whether deliberately or inadvertently) and encryption must be integrated. Every data breach requires the data controller to report the breach to the regulator.

Larger enterprises (based on the volume of data, annual income and other factors) and social media businesses whose audiences exceed a prescribed number will have extra liabilities. These entail data protection impact assessments for specific activities articulated by the regulator, regular security reviews and the appointment of a data protection officer. Furthermore, social media platforms would have to allow users to voluntarily go through a process of account verification akin to the 'blue tick' on Twitter.

COMPLIANCE REQUIREMENTS

A.    Data Collection and Consent

The data minimisation principle is considered one of the most important, focusing on minimising data collection, and it forms the foundation of recent advances in contemporary legislation around the world. The goal of the principle is to acquire only the relevant data and to prevent the compilation of any data not needed for a particular aim. The rationale is that any extra information means greater possible social repercussions and can violate a person's right to privacy. It is also advantageous for data collectors to state the purpose of data collection, so that data is not collected for one purpose and then used for another without proper consent from the data principal. This principle aims to build the confidence and assurance of individuals in the organisations with which they share their personal information.

It would not be wrong to consider consent the most important key to the process of data collection. Collecting private data cannot be legitimate unless it is done lawfully with the consent of the person involved. Logically, a user can give valid consent only where the practices of data collection, usage, rights and so on are not hidden from them; once those details are clear to them, the data principal can give formal consent. For this reason, most laws prefer opt-in rather than opt-out mechanisms.

The data collection principle requires that the collection of data must not be unfair or unlawful. Regardless of the reason for data collection, the undertaking must be legitimate and must not violate any law. For instance, processing may be considered lawful if it is done to perform a contract or to meet a legal requirement. The collection should not cause discrimination or any other harm or loss to the people involved. Not only must the purpose of collection be lawful, but the collection itself must comply with the local and international legal measures that govern collection. This raises awareness of the ethical rules and regulations that apply to the collection and processing of data. In the Indian context, this principle is enshrined in Sections 4 and 7 of the DPDP Act, which add that a lawful purpose is any purpose not expressly forbidden by law.

This means that every individual can choose whether information about them will be collected or not; their silence does not equate to consent. This ensures transparency between the parties concerned and enables users to take well-informed decisions. The principle has recently been recognised in the Digital Personal Data Protection Act, 2023, in Section 4 read with Section 6, which provides that consent must be voluntary, clear, informed and given without pressure.

B.    Data Handling and Processing

The data handling and storage principle ensures that data is retained only for the limited time during which it is useful and is not stored forever. Identified data should be collected, kept for the shortest possible time and then deleted or otherwise disposed of appropriately. Data should not be retained beyond what is necessary; once the objective for which it was gathered is achieved, it should be deleted. Data that has become obsolete and no longer needs to be stored can be deleted securely, for example by overwriting, where the data is erased and written over, or by encryption, where the data is rendered unreadable. The data retention principle is reflected in Section 8 of the DPDP Act, which provides that the Data Fiduciary shall erase retained data when consent for its retention is withdrawn or when it is no longer needed for the purpose for which it was collected.

C.    Data Security

Confidentiality is one of the most important principles on which data protection rests. It requires that personal data be collected, stored and transmitted in a manner that keeps it confidential and prevents unauthorised access. Data collectors must not only be careful in collecting data but must also maintain the security of the storage systems they use. Proper encryption, access controls and secure storage play an important role in maintaining confidentiality, as does ensuring that data is transmitted securely. Another principle that forms an important pillar in itself is governance and accountability, which underlines the responsibility of data collectors to establish a robust apparatus for the collection of data, setting out their responsibilities and providing a mechanism through which consumers can easily come forward with grievances. Mandates under this principle include the appointment of data protection officers, the conduct of data protection assessments and the auditing of processing activities. Section 10 of the DPDP Act sets out additional obligations of this kind, over and above those seen until now, under which a fiduciary is expected to appoint a Data Protection Officer and an independent data auditor and to carry out impact assessments, periodic audits and other measures.

D.    User Rights and Grievance Redressal

Right to information: Individuals should be informed that data is being collected about them. This right gives individuals the power and control to know when their personal data is being collected or processed by any organisation. If you are collecting someone's personal information, he or she has a right to confirm whether your company processes his or her personal data. The individual can also ask for a summary of the information collected. A further obligation may arise on the collector when the information has been transferred to another party, as mandated under the specific laws; this includes mentioning the functions necessary to serve the processing purposes. For example, if the law permits collection under certain types of business relationships between companies, such cases will also need to be highlighted. This ensures better transparency, including when communications are sent over unsecured channels (facsimile, post, etc.).

Right to access: Individuals should have access to their personal data once it has been collected by any organisation, and organisations must ensure that the information is kept accurate and up to date. This right enables individuals to view any business practices relating to them: after an individual makes a request, if your company collects his or her personal details, it must provide a detailed description and categorisation of that data as explained under the heading on permitted collection. No charge may be made for providing this to citizens/data owners. There is also no bar on providing this information in electronic form, so that your firm can use the same systems at its end or keep it usable with automated systems.

Right to rectify the information: Data subjects are also entitled to rectification of information about them that is incorrect or outdated. This is provided for under Section 12 of the DPDP Act, which states that a data fiduciary shall correct inaccurate or misleading personal data, complete incomplete personal data and update personal data that is out of date.

Right to be forgotten: An individual also has a right to be forgotten: they can demand that any information relating to them be deleted if it is no longer needed, if it has served its intended purpose or upon withdrawal of consent. This right is closely tied to the principle of data minimisation: an organisation should collect only as much information about an individual as is necessary for the intended purpose. The provision further elaborates that, upon receipt of a request from the data principal to erase personal data which is no longer needed for the purpose, the data must be deleted unless its retention is required for a legal purpose.


Right to data portability: Individuals also have the right to ask for a copy of their personal data in a readable format that enables them to transfer it to another entity. This right aims to enhance individuals' control over their data, allowing them to share it as per their needs and wishes.

BEST PRACTICES FOR COMPLIANCE

→ Understanding the collected data

→ Limitation of data access

→ Data Encryption

→ Review third-party software

→ Data usage policy

→ Security Training

→ Secure cloud storage

→ Compliance Audits

→ Usage of secure WiFi networks

CONCLUSION 

Every budding and growing economy like India, witnessing a transformative age of technological advancement and data proliferation, is experiencing the global trend of a data-driven economy, in which data as a resource is paramount in a digitally driven ecosystem. The DPDP Act is a critical step forward in protecting personal data, giving Data Principals greater control over their data and ensuring that the Data Protection Authority is accountable. The Act sets out basic principles such as data minimisation, accuracy, accountability and purpose limitation, and contains a number of rights of the Data Principal. It regulates the conduct of Data Fiduciaries and penalises their non-observance. The DPDP Act, on the whole, does what it was enacted to do, but it has defects: during its passage, the provisions on sensitive personal data contained in the original bill faded away. The DPDP Act is widely criticised for allegedly being vague on how consent is to be collected and how data is to be processed, and for its extensive exclusions for the government; it is, more or less, a missed chance. The Act will have to strike a balance between its accolades and the criticism, and stand by the judgment of the Supreme Court on privacy.

FREQUENTLY ASKED QUESTIONS (FAQs)

What are the key data protection laws in India?

The key data protection laws in India include:

1. The Information Technology (IT) Act, 2000: This is the base law in India governing matters such as electronic transactions, digital signatures and cybersecurity.

2. The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: These were framed under the IT Act and contain standards to be followed by companies in India while collecting, processing and disposing of personal information or sensitive data. They provide an overall guide to security and specify the measures to be taken and the punishment to be inflicted in case of violation.

3. The Digital Personal Data Protection Act, 2023: The DPDP Act places limitations and responsibilities on organisations that collect, process and store personal data. Its objectives include guaranteeing the privacy of individuals, setting out the responsibilities of data fiduciaries in receiving, using and disclosing personal information, and creating the Data Protection Authority to supervise compliance with the law.

What are the career opportunities in data protection and data privacy?

Data protection and privacy management is a cornerstone of any successful business, and the consequences of neglecting it (fines, loss of business, reputational damage) are too great. Law firms and businesses all over the world are building teams specifically to navigate privacy regulations, so there is no doubt that it is a major career trend now. Now, with the DPDP Act our country has... exploded in terms of career opportunities in this field. One can be a Data Protection Officer (DPO), a Privacy Lawyer, a Chief Privacy Officer (CPO), a Privacy Manager, a Privacy Analyst, etc.

Does the Act apply to foreign companies working in India?

Yes, the Act has extraterritorial reach, which means that it applies to foreign companies offering goods and services in India.

What kind of data is protected under the law?

The law protects 'personal data', which is defined under the Act as data that can identify an individual. Personal data may include details such as name, address, age, contact number, etc. The Act is silent on the treatment of sensitive personal data.
Article by prangya paramita jena (Category: Others)