“Data Protection refers to the means, process, or practice of safeguarding the private/personal information/data of individuals during the process of their collection, storage, and dissemination, and to ensure that they themselves are in control of their information.”
It is the set of privacy laws that aim to ensure minimum intrusion into an individual’s private life. These laws embody the Right to Privacy, which has been recognized as a legal right in many jurisdictions and provides for the protection of privacy, including preventing third-party entities from accessing personal details and other sensitive information. Several jurisdictions, like the United States (US), the United Kingdom (UK) and the European Union (EU), have a framework in place to ensure data protection and the privacy of individuals.
The current generation has abandoned the traditional ways in favour of online communication, banking, shopping, gaming, and other activities. Additionally, the tendency to maintain social media accounts exposes each person’s data to the general public.
Moreover, when an individual discloses sensitive information such as credit card, debit card, and bank details, mobile number, geographic location, pictures, intimate, private, or business chats and calls, interests, financial, educational, family, and medical records, travel history, etc., such data becomes vulnerable and eventually lands up in the wrong hands.
Data Protection Laws are therefore necessary to prevent exploitation of data and to supervise the efficient flow of data without violating any rights of an individual. They create a process for the party who is wronged to seek redressal. Thus, Data Protection Laws are crucial to help people establish trust online by assisting in keeping the data secure and free from unauthorised access, preventing its misuse, and actively discouraging cybercrimes.
Prior to the year 2017, India did not recognise the Right to Privacy as a fundamental right. However, in 2017, with the Justice K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1] judgment, the Right to Privacy became a fundamental right.
In 2019, a Personal Data Protection Bill was introduced by the Central Government; however, due to much criticism, it was withdrawn and a new Bill was introduced in 2022. These recent developments require a deeper analysis of the new law and its comparison with its global contemporaries.
The General Data Protection Regulation (hereinafter referred to as “GDPR”) can be considered the world’s strongest data protection framework, which enhances how individuals can access information about them and places limits on what organisations can do with personal data.
Article 5 of the GDPR states the key principles for the treatment of personal data, which are as follows:
“Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Thus, these principles can be broadly interpreted as follows:
- Fairness and Transparency;
- Purpose Limitation;
- Data Minimisation;
- Storage Limitation;
- Integrity and Confidentiality (security); and
Additionally, the GDPR grants individuals the Right to be Informed, the Right of Access, the Right to Rectification, the Right to Erasure, the Right to Restrict Processing, the Right to Data Portability, the Right to Object, and also Rights around Automated Decision Making and Profiling.
THE UNITED KINGDOM
Subsequent to its exit from the EU, data protection in the UK is governed by the United Kingdom General Data Protection Regulation (hereinafter referred to as “UK GDPR”) and the Data Protection Act 2018 (hereinafter referred to as “DPA”), which complement and supplement each other.
The DPA is basically an extension of the UK GDPR. The DPA controls how an individual’s personal data is used by organisations, businesses, or the public authority. Under the DPA, individuals have the right to find out every way their data is being used by the public authority and other organisations, and to have the information which is sensitive to them deleted.
THE UNITED STATES
In Olmstead v. United States, [277 U.S. 438 (1928)], the US Supreme Court ruled that the Right to Privacy entails the Right to Solitude. According to Justice Louis D. Brandeis, who presided over the case, these were the most complete rights given by the Drafters of the US Constitution.
However, the US lacks a single primary piece of data protection legislation, just like India. Depending on their significance and usefulness, the data are divided into numerous groups, and each group has received varying levels of security. Consumer privacy and data protection are governed by a number of Federal and State Legislations that are sector-specific.
These Legislations are as follows:
- The Health Insurance Portability and Accountability Act (hereinafter referred to as “HIPAA”), which governs the data in the health insurance sector.
- The Gramm-Leach-Bliley Act for the protection of non-public personal information (hereinafter referred to as “NPI”) and personal data in the banking and finance sector.
- The Children’s Online Privacy Protection Act (hereinafter referred to as “COPPA”), which safeguards the privacy of children under 13 and controls the collection of their personal data, and
- The Driver’s Privacy Protection Act.
A detailed article discussing the draft Indian Personal Data Protection Bill can be accessed here. The Indian regime, as compared to those of the other nations, is at par, with the rights and duties being similar. However, there are some differences. One major difference is that the Digital Data Protection Bill, 2022 (hereinafter referred to as “the Bill”) does not itself provide details; rather, it states “as may be prescribed”, which signifies discretion in the hands of the State and may lead to the violation of the privacy of the citizen.
The Data Protection Board to be constituted under the Bill, similar to the ones in the EU, is however not independent, as its appointments and other matters would be notified by the Government, which again shows higher political interference that is absent in the foreign regimes.
The third major difference is the higher fines and penalties on account of breach of the laws.
In the absence of a central legislation dealing with data protection, the introduction of a Draft Bill is a positive step towards protection of data of the citizens. Because of the large number of citizens and the large potential market, there is a risk that the data stored by an entity will be used by a third party to influence consumer behaviour while also violating citizens’ privacy.
The Bill, though drafted in simple language, leaves a lot of scope for discretion, which can lead to negative usage by the State in interfering in the privacy of the individual as well as acting as a surveillance state.
The GDPR is among the most robust data protection regimes globally, and attempts have been made by India to form a framework similar to that of the EU. However, doing so would involve a lot of complications and efficiency given the Indian scenario and the limited vires of the Constitution. The Draft Bill, though it has numerous fallacies, is a positive step for a digital India.
– Team AMLEGALS assisted by Ms. Niloy Ghosh (Intern)