Technology has become an integral part of the critical infrastructure for the functioning of modern society. With increased digitization, there has been a spurt in the growth of the digital demands of the consumers. For instance, Government schemes for increasing internet accessibility along with greater financial inclusion have resulted in an increased demand for digital payment services.
Further, these digital demands increased manifold during the COVID-19 pandemic because of which Governments all over the globe had to leverage technology in order to keep individuals and societies connected and healthy.
In the present digital era, there is an increase in digital data collection which raises concerns regarding the safety and security of processing mechanisms. The current state of technological affairs is incompatible with the right to privacy of an individual – this is mainly because it is difficult to balance between the right to privacy and the extensive pooling of data on which today’s digital economy is based.
Hereunder, we seek to explore data privacy in the era of digital demands. This blog expounds on the meaning of the Right to Privacy, the expectations and the reality of privacy in the digital world i.e., the privacy paradox and the current legal framework in India for data protection and privacy.
RIGHT TO PRIVACY – THE EXPECTATION
The collection and processing of personal data of individuals are unavoidable for rendering services in this digital era which makes the Right to Privacy the need of the hour for every individual.
Data privacy or informational privacy is a branch of data security concerned with the proper handling of data which includes consent, notice, and regulatory obligations.
Advocates of data privacy define ‘privacy’ as ‘individual freedom’, meaning, individuals should have complete control over their personal data. The individuals should have the ability to choose what information to share, the persons or entity who may collect and process this information and the right to define the scope of use of such data.
These standards of privacy are mirrored in rules that demand the individual’s or users’ consent to use and process their personal data. However, there are certain challenges to the Right to Privacy. For instance, data is collected and used for a variety of purposes, some of which may not be anticipated at the time of the individual’s consent, which affects the individual’s Right to Privacy.
THE PRIVACY PARADOX – THE REALITY
Another challenge to the idea or the expectation of the Right to Privacy is the Privacy Paradox. It is a behavioral pattern of consumers which creates discrepancies in achieving their expected standards of privacy.
When offered incentives, most people, in their greed for these rewards, tend to disclose their personal information.
The existing research on the Privacy Paradox is focused on general internet activities, with particular emphasis on e-commerce and social networking activities. The Privacy Paradox implies that while individuals display a significant theoretical interest in the protection of their privacy, this seldom translates to actual measures to protect their privacy online.
Most users when offered benefits, as minimal as they might be, choose to disclose their personal information with very little risk-benefit evaluation. This tendency is seriously exploited by companies for data mining and profiling.
REGULATORY FRAMEWORK FOR DATA PROTECTION IN INDIA
There is little that can be done when individuals voluntarily sacrifice their privacy because of their own negligence. There is no specific legislation that governs data privacy in India, but the Data Protection Law is in the pipeline and will be implemented soon. However, the following are the legislations that discuss the various aspects of data privacy:
Information Technology Act, 2000
- The collection, storage, and processing of personal data are largely regulated by the Information Technology Act, 2000 (IT Act).
- Section 43A of the IT Act essentially forms the foundation of data privacy and protection and it provides for compensation in the event a company is negligent in undertaking reasonable security practices to ensure that there is no exploitation of personal data of individuals.
- Section 43 of the IT Act further defines “reasonable security practices” as the procedures that are already stated by the law or the terms that the parties have already agreed to and, in the absence of both, rules given by the Government.
- These rules incorporate the basic principles of privacy such as when personal data can be collected, requirements of notice and consent and when this data can be transferred.
- Section 72A of the IT Act provides for a criminal penalty where in the course of providing a service under a lawful contract, the service provider accesses any private information and with the intention of causing wrongful harm or gain reveals this information to any other person without the consent of the person concerned.
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) introduced in the year 2011 also complement Section 43A of the IT Act.
- The SPDI Rules impose additional requirements on business entities in India engaged in the collection of sensitive personal information.
- This is further supplemented by various rules and regulations. In addition to this, there are different restrictions on the management of personal data in sectors such as banking, medicine, and telecom.
- The IT Act has several provisions catering to privacy policies, breaches of these policies and penalties to be imposed on such breaches.
KS Puttaswamy Judgment
Furthermore, the Hon’ble Supreme Court of India recognized the Right to Privacy as an inherent part of the right to life and personal liberty guaranteed by Article 21 of the Constitution of India in the landmark judgement of K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1].
NEW LEGAL DEVELOPMENTS
As the ways of collecting and processing personal data evolve and new avenues for data collection emerge, the law must also evolve. This section examines some recent developments in the data protection regime in India.
Data Protection Bill, 2021
The Data Protection Bill (the Bill) was first introduced for consideration in 2019 as the Personal Data Protection Bill, 2019. Since then, it has undergone several changes, and the latest version of the Bill was presented in Parliament in 2021.
The draft Bill includes changes from the older versions; for example, the Bill seeks to cover not only personal data but also non-personal data. The Bill also introduces stricter data breach reporting requirements and regulation of hardware manufacturers, and it provides a certification mechanism for all digital and IoT devices to reduce data breaches.
These changes are more in line with Europe’s data protection law, General Data Protection Regulation (GDPR).
New Regime for Geospatial Data and Map Services
The modern digital ecosystem cannot function without location information. It is crucial for the functioning of e-commerce, delivery and logistics and urban transport. The Department of Science and Technology of the Government of India recently released the “Guidelines for acquiring and producing Geospatial Data and Geospatial Data Services including Maps” (the Guidelines).
Prior to the Guidelines, the regulation of mapping data was mostly done by way of fragmented regulations issued by various bodies of the government.
As per the Guidelines, there is no mandate of any prior approval, security clearance or license on “the collection, generation, preparation, dissemination, storage, publication, updating and/or digitization of geospatial data and maps” within India’s territory subject to certain conditions. The Guidelines also impose certain restrictions on foreign entities collecting geospatial data.
Bureau of Indian Standards (BIS) – Data Privacy Standards – IS 17428
The BIS issued new standards for data privacy assurance in the form of IS 17428. The objective of the BIS is to provide a privacy assurance framework for organizations to handle the personal data of individuals collected and processed by them and to overall enhance their data privacy management system.
It can be divided into two parts – the prescriptive part and the suggestive part. The prescriptive part consists of practices which are to be compulsorily implemented by anyone applying the standard, while the suggestive part provides the best practices which can facilitate better implementation of the prescriptive practices.
The IS 17428 standards are significant because they fill the gap left by the SPDI Rules. The SPDI Rules did not describe any specific requirements or standards for personal data management which left organizations struggling due to the lack of uniform procedures. The new standards afford the much-needed clarity and are also in line with international standards of privacy.
Requirement of Introducing Traceability Features
The Ministry of Electronics and Information Technology released the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Rules) in early 2021. The Intermediary Rules require Internet intermediaries to follow certain due diligence requirements.
The Intermediary Rules also create a category of ‘significant social media intermediaries’ to include those intermediaries who cross a certain threshold of registered users. Such significant social media intermediaries are required to follow additional due diligence requirements. One of these mandates includes the obligation to disclose the identity of the first originator of any information that is transmitted through such an intermediary.
This traceability feature was opposed by WhatsApp before the Supreme Court in the case of Karmanya Singh Sareen v. Union of India [(2017) 10 SCC 638], on the grounds of it being in violation of the Constitution, the Fundamental Right to Privacy and freedom of speech and expression of an individual.
The present article explored the scope and extent of the Right to Privacy in light of digital demands. Data sharing has become an integral part of modern society which raises concerns regarding the right to privacy of individuals.
While individuals have a strong inclination towards the protection of their privacy online in theory, in reality, the Privacy Paradox indicates that said individuals pay little attention to privacy concerns when offered incentives. This is mostly in the context of the e-commerce marketplace.
Nonetheless, the law must strive to safeguard the Right to Privacy of individuals.
– Team AMLEGALS, assisted by Ms. Aditi Mishra (Intern)