INTRODUCTION
Privacy is undoubtedly a developing and crucial area in India’s online society. It is vital that India prioritises privacy and puts in place strong safeguards to protect the privacy of both Indian and foreign citizens, whose data resides temporarily or permanently in India.
Because of transnational nature of the data that flows over the Internet makes online privacy more difficult, as each country has a different level of protection for the data of their citizens.
In addition to the conundrum of different levels of protection being provided over data as it flows through different jurisdictions, two other issues arise:
- Law Enforcement’s access to data stored in another jurisdiction; and
- Data from one country accessible to Law Enforcement because it is being processed in their jurisdiction.
NEED FOR CLEAR REGULATIONS
A case may be made that a comprehensive privacy legislation recognizing privacy as a fundamental right is needed on the following fronts:
- There is a need for preventive protection. For instance, an enormous digital footprint is left in the wake of an individual’s activity on the Internet which has a large potential for misuse. There is a grave need to secure, anonymize and protect such data.
- At the same time, cyberspace and navigation of cyber crime continue to be uncharted territory in India, from a legal perspective. There is an absence of regulation and stringent cyber security laws in India, which in turn minimises the scope of penalization of online offences.
As a result, there is an urgent need for existing laws to detect, control, and allow for the quick prosecution of online offenders. In India, the Government’s role in enforcing data privacy and cyber security regulations is that of a policy maker.
To guarantee that businesses manage personal information responsibly and to preserve the privacy and security of people’ data, the Government has passed rules and regulations.
Since 2010, the Government and the general public have been increasingly aware that India needs privacy law, particularly one that covers the gathering, processing, and use of personal data.
The public has expressed increasing concerns that Government projects, like the Aadhar, involved with collecting, processing, and using personal data are currently not adequately regulated.
These projects are collecting and processing data in a way that abuses individual privacy, which has prompted industry and industrial bodies like Data Security Council of India (hereinafter referred to as “DSCI”) to push for adequate data protection standards in India.
DATA PRIVACY AND CYBER SECURITY FRAMEWORK IN INDIA
Instead of adopting the isolationist framework like the Chinese regulation that forbids global players like Facebook and Google from operating within its borders, India has adopted the European Union’s (hereinafter referred to as “EU”), General Data Protection Regulation (hereinafter referred to as “GDPR”), which permits international digital companies to conduct business under certain restrictions. However, in addition to the EU legislation, Indian Draft Privacy Bill has some extra restrictions.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, (hereinafter referred to as “IT Rules”) which are governed by the Information Technology Act, 2000, (hereinafter referred to as the “IT Act”) are the major laws that regulate data privacy in India.
According to the IT Rules, sensitive personal data includes, among other things, information about one’s finances, health, sexual orientation, and biometrics. Additionally, the IT Act mandates that enterprises have appropriate security methods and procedures in place to safeguard sensitive personal data.
The Government has also created the Computer Emergency Response Team (hereinafter referred to as “CERT-In”) in addition to the IT Act in order to respond to cyber security risks and vulnerabilities and work with other authorities.
In order to exchange knowledge and best practices on cyber security, the Government also collaborates with other nations, international organisations, and countries.
In addition, the Government has started several programmes to raise public awareness of data privacy and cyber security, such as the Digital India programme, which aspires to make India into a society and economy that, is enabled by technology.
The Indian Government’s adoption of the Central Monitoring System (hereinafter referred to as “CMS”) is another illustration of how it wants to have more access to communications.
Because of technology, security organisations can bypass service providers and intercept talks directly. Whether the technology will enable for the surveillance of digital communications and internet traffic in addition to telephonic calls is not yet evident. What checks and balances the system has in place is likewise unknown.
The Government removes the service provider from the situation, which not only removes a possible check since service providers might refuse illegitimate demands, but also removes the opportunity for businesses to be open about the interception requests that they accede to.
Moreover, the Government is also making efforts to: monitor personal data and not hamper the rights of an individual by directing any authority or agency to intercept, monitor, and enable surveillance of data or privacy of an individual if the act is done for maintaining peaceful relations with other countries, securing public order and national interest, preventing the commission of cognizable offences, or for a variety of other reasons.
However, in accordance to avoid misuse of such powers, it is now required to document the justifications for doing so in writing. The Government has also used section 69A of the IT Act to prohibit a number of websites that contain illegal content or could be against the interests of the country.
As a result, the Government now acts as a watchdog for both the protection of personal data and the rights of the individuals, enforcing acceptable limitations for the sake of national security.
AMLEGALS REMARKS
The Right to Privacy is not included as a basic right in the Indian Constitution. However, based on the interpretation made by the Supreme Court of India in the historic decision of Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors. [(2017) 10 SCC 1], this privilege is guaranteed to Indian nationals.
In this case, the Honorable Supreme Court interpreted Article 21 of the Constitution of India (hereinafter referred to as “Indian Constitution”) which refers to the Indian citizen’s fundamental right to life, principally as including the right to privacy and, among other things, the right to the protection of their data and informational privacy.
There are many challenges and situations to consider when creating data protection and privacy laws in India, such as the paradoxical problem of preserving personal data anonymity while attempting to identify the real perpetrator of an online crime due to identity theft and spoofing, allowing anyone sitting anywhere in the world to commit crimes to the point where they endanger the security of the country.
The Government needs to play the role of market regulator and gatekeeper when it comes to data privacy and cyber security. It must ensure that the right to privacy as a fundamental right is recognised and balanced with the various other security risks associated with trans-border data transfer.
For any queries or feedback, please feel free to get in touch with aditi.tiwari@amlegals.com or falak.sawlani@amlegals.com.
Leave a Reply