
The facts of data privacy in the 21st century

As we live in the 21st century, a digital world, data is key for any country to become a superpower. It is equally important that each country protect its citizens’ data, respect the privacy of individuals, and provide safeguards against big data giants.
Status of data protection in India
  • Currently, in India, there is no separate law regarding data privacy.
  • The Personal Data Protection (PDP) Bill, 2019 is India’s first attempt at data protection.
    • The PDP Bill was prepared by a committee headed by Justice B.N. Srikrishna.
  • Article 51 of the Constitution of India, which forms part of the Directive Principles of State Policy, requires the state to endeavour to "foster respect for international law and treaty obligations in the dealings of organised people with one another".
  • Under Article 21, the ‘right to privacy’ is a fundamental right.
Key provisions of PDP bill
Applicability: The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
  • Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.
  • The Bill categorises certain personal data as sensitive personal data.
    • This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government.
  • There is also critical personal data, which the government can access at any time when required.
Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations.
  • All data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data), (ii) instituting grievance redressal mechanisms to address complaints of individuals.
Rights of the individual: The Bill sets out certain rights of the individual (or data principal). These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
Social media intermediaries: The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information.
Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill.
Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India.
Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
Purpose of data protection law
  • Creating data localisation and boosting the domestic digital economy:
    • Digital sovereignty is the right of a state to govern its network to serve its national interests, the most important of which are security, privacy, and commerce.
  • Demonstrating preparedness to meet internationally accepted standards of data protection:
    • It becomes inevitable for India to develop a robust and timeless regulation that has the ability to demonstrate compliance warranting the transfer of data from foreign jurisdictions.
  • Preventing privacy harms and exclusion:
    • There exists visible inequality in bargaining power between individuals and entities that process personal data, and it becomes important to mitigate the harms flowing from such imbalance.
  • Remedy and prevent problems of free data flows and data sharing practices:
    • Deficiencies in the regulation of data flow in India are merely a consequence of a simplistic assumption that data flows are an unadulterated good.
Why is there a need for a single legislation on data privacy?
Current problem
  • Impact on government: The majority of personal data protection laws across the globe have different provisions when it comes to activities conducted within/outside a country that can harm national security or public interest.
    • For example: in India, different acts exist to provide safeguards. These include:
      • Information Technology Act, 2000 ("Act")
      • Payment and Settlement Systems Act, 2007,
      • Indian Telegraph Act, 1885
      • SEBI Data Sharing Policy, 2019 and 
      • RBI Guidelines on Cyber Security Framework for Banks and Information Security, 2016
  • Impact on organization: Multinational organizations have to frame new rules to follow with every passing legislation. The differences in legislation distract their focus from their core competencies and thus affect their ability to create value for society.
    • In extreme situations, it may even lead to the withdrawal of companies.
  • Impact on society: Large corporations have a propensity to exploit loopholes arising from the lack of consensus amongst governments. This behaviour prevents a level playing field for emerging ideas, leads to the monopoly of a few, and directly impacts societal growth.
What can a uniform law do?
  • It can remove the discrepancies amongst nations’ enforcement of their laws worldwide.
  • It also allows concerted efforts to combat data terrorism, identity theft, data breach and fraud.
    • This, in turn, sustains cyber security and privacy compliance within the nations.
  • Mutually agreed rules of cross border data flows are essential to share the data for international research in health, agriculture, education, and other fields.
  • It can provide assurances in an environment where it is hard to know what is fake or misinformation and whom to trust.
  • It enforces existing privacy protections and thus enables citizens to exercise their privacy rights.
Global rules regarding data privacy
  • As more and more social and economic activities take place online, the importance of privacy and data protection is increasingly recognized.
    • 128 out of 194 countries had put in place legislation to secure the protection of data and privacy.
  • Africa and Asia show a similar level of adoption, with 55% of countries having adopted such legislation, of which 23 are least developed countries.
Examples
  • The General Data Protection Regulation (GDPR) is a law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
    • It also addresses the transfer of personal data outside the EU and EEA areas.
    • Its primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business.
  • China's Personal Information Protection Law (PIPL) will change the current landscape of scattered provisions on personal data protection.
    • It aims to clarify the rules for processing personal data, the obligations of data handlers and processors, and the rights of data subjects.
Current global efforts
  • Recently, agreements on the protection of privacy and transborder data flows have been devised both between countries, through bilateral agreements, and within multilateral organisations.
    • Example of bilateral agreements - United States-Mexico-Canada Agreement (USMCA)
    • Example of multilateral organisations - Organisation for Economic Co-operation and Development (OECD), the Asia-Pacific Economic Cooperation (APEC), Council of Europe, etc.
Issues in current global efforts
  • Although the decisions are reached by consensus, the commitments are non-binding on the members.
  • The scale of participation is too thin to be genuinely regarded as a global agreement.
  • These frameworks lack the ability to be customised to local needs.
Suggestions
  • Personal sensitive information should not be used without the consent of the individual.
  • As data is the new oil, it should be processed judiciously.
  • There should be no third party between the individual and the data storing agency.
  • Collaboration of Aadhaar and PDP can bring a new revolution in data privacy policy.
  • The ‘Puttaswamy I’ and ‘Puttaswamy II’ judgments also emphasised the ‘Right to Privacy’.
    • The judicial scrutiny through these cases should be implemented.
  • India can also provide the technology and build capacity for other nations.
    • Example: CoWIN, UPI, Aadhaar, EVMs are India’s technological successes in which around 150 nations have shown their interest.
  • India can leverage its technical, economic, and legal wisdom in several other sectors, such as climate change, solar energy, space research.
Summing up
Cross-border data flows become very complicated, with sovereignty, privacy, and security concerns at both ends of each data flow. It is the need of the hour to protect privacy as a matter of fundamental right and to demonstrate preparedness to meet widely accepted standards of data protection in the international community. It is indeed crucial to respect the need for a reasonable timeline for the introduction and enforcement of such regulation because other countries are enforcing these regulations quickly.






POSTED ON 09-12-2021 BY ADMIN