
DATA PROTECTION LAWS IN INDIA



  • 1. What is data protection?

    Data protection is about safeguarding our fundamental right to privacy, which is enshrined in international laws, regional laws and conventions. It is about understanding and protecting the legal and ethical implications of one’s personal data, the risks and rewards of data collection and surveillance, and the need for policy, advocacy and privacy monitoring.

  • 2. Data protection and Data privacy

    In simple terms, data protection is the structural framework that law and technology provide to protect collected data and to restrict access to certain data. Data privacy concerns who has access to the data, consent for its collection, and the way it will be used.

  • 3. Data protection laws in India

    Important data protection laws in India are derived from:
    • Constitution of India
    • Indian Contract Act, 1872
    • Information Technology Act, 2000 and rules made thereunder
    • Indian Penal Code, 1860
    • Copyright Act

    In the recent Supreme Court judgement in the case of “Justice K. Puttaswamy vs. Union of India”, it was held that the “right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 of the Indian Constitution and part of the freedoms guaranteed by Part III of the Constitution”. This shows how the Indian judiciary is keeping pace with data protection law internationally.
    Though the current framework falls short in covering some aspects, such as data collection, storage, data mining, big data, limits on data collection and user consent, the Data Protection Bill, 2019 seeks to give clarity in such grey areas.

    Data Protection Bill, 2019
    The draft, proposed in 2019, is currently being studied by a joint committee of Parliament after many stakeholders, including social media firms, privacy experts and even ministers, opposed some of its provisions.

    Major changes/additions:
    o Understanding and classifying data.
    o Data fiduciary/data processor
    o Data loss prevention.
    o Provisions securing personal data.
    o Banking and Finance.
    o Bureau of Indian Standards on data privacy.
    o Processing of personal data of children.

  • 4. Current data protection laws in India.

    a. The Information Technology Act, 2000 provides certain provisions relating to data protection and data privacy in India. Since the IT Act failed to address certain issues, the Amendment Act, 2008 was passed to facilitate further developments in IT and its security.
    b. The Indian Penal Code also regulates certain aspects of cybercrime.

  • 5. Governing data protection laws internationally.

    To understand data protection laws internationally, we can look at the US and EU laws on data protection.
    In the United States there is no single, comprehensive federal (national) law regulating the collection and use of personal data. The United States has a system of federal and state laws and regulations which at times overlap.
    Governmental agencies and industry groups have self-regulatory guidelines and frameworks that are considered “best practices”.
    US legislation has been criticised largely for lacking a comprehensive data protection law. Recently it has presented a poor picture of data protection: the Cambridge Analytica case, electronic surveillance cases, etc.
    The notable laws in the US include:
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Children’s Online Privacy Protection Act, 2000 (COPPA).
    • Gramm-Leach-Bliley Act
    • Fair Credit Reporting Act (FCRA)
    • California Consumer Privacy Act (CCPA)
    • California Privacy Rights Act (CPRA)

  • 6. Data protection laws in the European Union include:

    Protection of people’s data has been included as one of the fundamental rights of the European Union under Article 8 of the Charter of Fundamental Rights of the European Union.
    India has followed the EU’s General Data Protection Regulation (GDPR) in allowing global digital companies to conduct business under certain conditions. Yet the Indian Data Protection Bill carries additional provisions beyond the EU regulation, such as processing of personal data in the interest of the security of the state; it also permits the processing of personal data for the prevention, detection, investigation and prosecution of any offence or any other contravention of law.
    Laws governing data protection in the EU:

    • General Data Protection Regulation (GDPR)
    The GDPR was officially approved on April 27, 2016 and went into effect on May 25, 2018 across the entirety of the European Union. It regulates all virtual data relevant to individuals, including IP and email addresses, physical device information, home addresses, date of birth, online financial information including transaction histories, and even user-generated data such as social media posts and uploads of personal images. Note that the GDPR does not exempt data stored on cloud-based storage systems either.
    The GDPR is a legal standard that protects the personal data of European Union citizens. Any company that processes and stores personal data of EU citizens, even if it is not physically located in the EU, must comply with the GDPR rules.

    • Businesses and the GDPR:
    The GDPR is not an easy hurdle for corporates, as it extensively scrutinizes the data they collect, giving more emphasis to user rights than to user experience. It follows an “opt-in” approach rather than an “opt-out” approach for consent to procure data and enrol for subscriptions. It is consumer-centric to the point where users have a legal right to question how their personal information is stored and presented in algorithms. Finally, the data that is stored must be pseudonymized and not just anonymized, and according to Recital 26 of the Regulation, pseudonymized data is “data rendered anonymous in such a way that the data subject is not or no longer identifiable.”

    • Complying with GDPR:
    An organization will need to hire a Data Protection Officer to comply with the GDPR when it is a public authority, is engaged in large-scale systematic monitoring of user data, or processes large volumes of personal user data.
    In the event of a data breach, the same must be notified to the users within 72 hours, and the necessary steps for future protection must be ascertained and implemented.
    In case an organization or entity does not comply with the GDPR, it will be fined up to €20 million or 4% of worldwide turnover, whichever is greater.

  • 7. Future of data protection in India.

    Data protection isn’t just about regulatory compliance. Effective data protection also fosters trust between businesses and customers, and between governments and their citizens. The harm of mishandling such sensitive data can be devastating to the reputation of governments, data controllers or data processing companies, not to mention the fines and other legal consequences that can arise.
