The world is witnessing a digital revolution where evolution of technology is at unprecedented pace. Technological innovations like smart phones, big data technology, user experience etc have brought a paradigm shift in the way humans live. Social networking sites like facebook, Twitter, Instagram offer a unique experience of being connected to the world while providing gigantic platform to retain galore of information which is more often than not personally identifiable information. On one side, modern day tools/ techniques help us unearth the intelligible details from data pool but on the other side, this gives a potentially risky leverage in the hands of the people having access to the data pool. Companies like Ola, Uber are developing business models whereby these companies without owning even a single car control a significant part of city transportation only by processing the information that a user has provided over the period of use or otherwise more or less without an informed consent. The digital revolution has become a ubiquitous part of our lives.
With the advent of Big Data (technology), Internet of things (network of physical object that can be accessed via internet) the use of information (data) has taken the centre stage. Data analytics is playing significant role in almost all the spheres of life like in transportation, it is helping in optimizing the public transportation by understanding the city traffic control, people’s preferences, etc, in health care sector, it is playing significant role in staff optimization, studying the patient’s symptom/ patterns etc. The foundation of all these technological advancements is the study of enormous data which is mostly personal data collected without the informed consent of the user.
The users are generally not made aware of all possible uses of their personal information by collecting agencies while obtaining consent, including but not limited to distribution of the information to anonymous third parties. In fact, more than 70 percent of smart phone apps are reporting such personal data to third parties such as Google Analytics, Facebook Graph API which data then are often vulnerable to being subtly diverted to influence the user’s choices/preferences. Consequently, leaving behind a trail which carries with it a risk to the user, who does not have any control over its use or distribution. This sensitive information is used by both public and private sectors at an unprecedented scale and for multifarious purposes.
While data can be put to beneficial use, the unregulated and arbitrary use of data, especially the personal data, has raised concerns regarding the privacy and autonomy of an individual for a long time. The concern about data privacy is impacting both the consumer and the enterprise alike.
The consumer is justifiably concerned about misuse of their personal and sensitive information and organisations are worried about their reputation, brand value, consumer trust as well as revenues while they use the collected information. As such, it remains solemn obligation of the legal fraternity to examine and deal with the issue of data protection and privacy in India. The protection of privacy is not merely the provisioning of legal freedom but it must provide cradle to society endeavouring to provide a wholesome experience to human life.
Introduction
The growth of internet in India has revolutionized every part of the society. New Business models have come up in sectors like e-commerce, social media marketing, cashless economy etc. With over 460 million internet users which are anticipated to be around 635 million by 2021, data privacy laws are no more a matter of theoretical excursion. Now, Indians are spending more than 90 minutes on online activities every day. More often, transactions and visits leave electronic track generally without the knowledge of the user notwithstanding consent. Popular websites install cookies (A cookie is information that a website puts on the hard disk of the user so that it can remember something about the user at a later time) and these cookies are used to grab user’s online behaviour which is further used in creating user’s profile. With an unprecedented growth in the use of internet, enormous amount of data is floating and all these data contain identifiable information which includes but not limited to products purchased, hobbies, health, political affiliation, food habits and lot more. It is believed that by 2020, the global volume of the data we create is expected to reach 44 zettabytes. The analysis of such complex and large data is done by Big Data analytics. Employing such analytics enables Organizations and Governments to build insights from the information and to make better, smarter, real time, fact-based decisions for their own purposes.
This personal data are used for various purposes, the data collected from multifarious sources are used by organisations to understand the trends, patterns and make futuristic predictions so that they can take more informed decisions and provide customers with better opportunities, all this drive a higher level of insights, trends, and other vital issues that can be used to build an effective personalized treatment approach, in banking sector it provides the tools necessary for banks to recognize and act on suspicious patterns, quickly notify customers of fraud incidents. At same time states are using personal data to take informed decisions about implementation of Government Schemes, counter-terrorism operations, social welfares etc.
Concerns
This age of information is regarded as an era of ubiquitous ‘dataveillance’, or the systematic monitoring of citizen’s communications or actions through the use of information technology. In temptation to adapt to new technologies users, without much of the homework, shares personal data. For example, to know how to reduce weight they share all the details about their body on the app, while booking a taxi online they are sharing details about where they go, where they live, otherwise to any stranger, one would never disclose such personal details for the associated risks. With convenience, all these digital apps or tools brings the risk of misuse or non-authorized use of sensitive/ personal information. If such sensitive and personal data is used arbitrarily it causes serious prejudice to one’s freedom/ fundamental rights & present day political & legal systems.
Many a times, the consent is given by the user with the understanding that it will be used for a very limited purpose for which it is given, but in reality such information is processed, transmitted, exploited for unauthorized purposes, sometimes to influence people at the time of elections which in a sense results in rigged elections, it is giving rise to new kind of cybercrimes.
The concern is not limited to individuals but also covers organizations. If data privacy and protection is not managed by the organizations properly on one side it has perils for the users/ customers whereby the unauthorized use may result in violation of fundamental right of the user and there by confronts a greater challenge to democratic systems and processes.
Recent inventions and business models call for attention to the next step which must be taken for the protection of data and for securing the rights of the individual/organizations, what Judge Cooley calls the right “to be let alone”. The right to be alone is a part of the right to live &enjoy human life. The right to enjoy life is in turn, reflects the fundamental right of the individual. The associated primary concern is information privacy and data protection all over the world. The concept of data protection is closely linked to privacy. The basic idea is that the person is entitled to some kind of autonomy and protection with respect to their personal data. This is because every individual has incontrovertible right and independence over his mind, body and data as he is a sovereign.
The basic premise of present day establishment is one’s freedom with reasonable restrictions as in ‘Article 21’ of the ‘Constitution of India’ “No person shall be deprived of his life or personal liberty except according to procedure established by law”. Article 21 clearly refers to the term ‘life’ in holistic terms which includes all those aspects of life which go to make a man’s life meaningful, complete and worth living. Such basic tenants of present day establishment demand higher scrutiny of information sharing & data usage in order to appropriately provide protection to one’s personal information & privacy. As informational privacy is an important facet of privacy it is inevitable to define the term ‘Privacy’ as a wholesome exercise. ‘Privacy’ as a linguistic concept, has been derived from the Latin word ‘Privatus’ meaning belonging to oneself (as opposed to the state). Privacy is an inherent right of an individual. It is a right of the individual to live life with dignity that is freedom from any unwarranted intrusion or interference i.e. right to be let alone.
In Indian Constitution ‘Right to Privacy’ is recognized as an intrinsic part of the fundamental right to life and personal liberty under Article 21 after the pronouncement of judgement in Puttaswamy’s case by the Supreme Court. That leaves us with a conclusion that an attempt which invades privacy of an individual will lead to infringement of a fundamental right guaranteed by the Part III of the Indian Constitution.
The concept of ‘privacy’ has also been recognized by ‘Article 12’ of ‘Universal Declaration of Human Rights’ which says that all individuals have the right to protect themselves from any unwelcome intrusion in their homes, family, and personal data. It also bestows them with the right to be protected if someone tries to unfairly damage their reputation.
Although, Privacy is a complex concept which is difficult to be defined as it may have different meaning in different scenarios. The concept of Privacy is volatile, expandable & yet, modest. The definition of privacy when it comes to security of the state may encroach the privacy of an individual but that is necessary in order to protect against crime, terrorism and national security, the meaning acquired by Privacy swiftly undergoes transformation for larger good. However, many a times, the damage caused by the violations of privacy are intangible therefore it becomes difficult to identify them. The protection of privacy is not merely the provisioning of legal freedom but it must provide cradle to society endeavouring to provide a wholesome experience to human life.
With the advancement in the technology, more information is now easily accessible as everything is connected by internet, and every time one uses it, a data streak is created which raises the risk of misuse of data, danger to privacy of individual. Therefore, it has become important to understand the need of information privacy that is the right of the individual to control dissemination of information i.e right to tell who can get access to his personal information, when they can access the information, what information they can access, for what purpose they can use the information.
There are always two sides of a coin. While technology is empowering, it has also invaded into one’s privacy whether the invasion was desired or not, one cannot be sure whether what one says has been heard by an unintended party & the rights of access & use of such an unintended user. While it remains essential that law should be enacted in such a way that it gives protection from physical dangers such as trespasser’s law that provides secured house, path etc. With the modern day life & the advancement in technology security of the spiritual self as well as of one’s feelings, intellect & of personal data is inevitable. That is the reason the ambit of Right to Life has been expanded and it comprises within its scope the right to be let alone. As of today, there is no specific law that deals with the issue of data protection or violation of privacy of individual end-to-end. Certainly, there are provisions in different laws that deal with data protection.
Section 43A of Information Technology Act, 2000provides for the liability of a body corporate to compensate in case of negligence in maintaining and securing the “sensitive data”, further, Section 72A of the same act imposes a penalty on any person, private or public entity.
However, Any law as a standalone legislature fails to define the word ‘Sensitive Data’, and in order to do complete the patch work, SPDI (Sensitive Personal Data Rules) rules were framed which defines sensitive data as personal data or information of a person means such personal information which consists of information relating to;— (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details ; (iii) physical, physiological and mental health condition; (iv) sexual orientation etc but it excludes from its ambit any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force. With the increase of electronic transactions in the country the act was enacted to provide legal recognition to electronic transactions like transaction done through email, video conferencing etc. Further the act was enacted to deal with cyber-crimes and electronic commerce in India. The act provides for huge penalties on body corporate who does not maintain the data of individual carefully, or any people who share the data of the person without his consent is also liable to be penalized. The act has been successful on setting down a framework for dealing with various electronic crimes at the time when it was enacted but it was not envisaged to deal with the complexity of personal data pools & modern days analytic tools, therefore, it fails to address the issues of data safety raised today. The act does not cover the issue of data privacy, phishing i.e process for acquiring sensitive information of the user like password, username etc, it talks about unauthorized access but it does not talk about maintaining the integrity of customer transactions, identity theft is a growing problem worldwide but IT Act 2000 does not address such issues. There are number of other issues that exist today due to development in technology which the IT Act, 2000 fails to address.
As far as the concept of criminalization is to be understood in this regard (in existing framework), Indian Penal Code is one such piece of legislation. Section 403 of Indian Penal Code (I.P.C) imposes criminal penalty for dishonest misappropriation or conversion of “movable property” for one’s own use. The word ‘movable property’ as defined under Section 22 of I.P.C. includes corporeal property. That leaves us with the conclusion that if ‘data’ is stored in a medium (CD, Floppy etc.) and such medium is stolen, it would be covered under the definition of “movable property” any dishonest appropriation and conversion of such data will be penalized under the act. However, it leaves the situation unattended conceptually if data are not on such physical means.
Further, the Indian Copyright Act also provides for database protection under Section 2(o) of the act which defines “Literary Work. Section 63B of the Act imposes penalty on persons who knowingly makes use on a computer of an infringing copy of computer program. It is pertinent to mention here that the Indian courts recognise copyright in databases. In Burlington Home Shopping Pvt Ltd, vs, Rajnish Chinbber[1995 PTC (15) 278] it was held that compilation of list of clients/customers developed by a person by devoting time, money, labour and skill amounts to “literary work” wherein the author has a copyright under the Copyright Act. However, this right creation does not touch upon the aspect of the rights of the subject of such a data pool/ database.
All these piecemeal legislations stated are not sufficient. Existing legislations do aim to protect the nation from cybercrimes yet are not very effective. The existing Acts do not provide a clear distinction between what can be called as private data and what not, it talks about consent but does not define the informed consent, it does not mandate the liability of the receiver in terms of its usage, there is no concept that the user can ask to delete the data and these Acts are also silent about the jurisdiction whether it will cover only India or will also include within its ambit if data of Indian staying outside are shared.
India being the largest host of outsourced data processing in the world, it could become the epicentre of cyber-crimes. With the advancement in IT and BPO sectors, Indian companies handle and have access to almost all kind of sensitive details of individuals across the world. It includes credit card details, financial information and even medical history. These data are stored in electronic medium and is vulnerable in the hands of their employees. There have been many instances where these data are stolen. These recent trends in the Indian IT sector have raised concerns about data privacy. It is extremely important for us to have a comprehensive framework of law that deals with data protection and privacy of Individual. Law which must provide clarity to the term ‘data privacy’, must create user’s rights & receiver’s obligations in a balanced way, that must introduce measures to ensure integrity, confidentiality of the data, & it must entertain the global concept of jurisdiction unambiguously. The concept of informed consent must be localized & implemented for mapping of data.
Possible Approach
The comprehensive review of global legislations on data privacy & surgical inspection of global attempts made in data privacy laws may help us leverage on existing knowledge & thus, guide the future enactments & implementation of laws. Globally, European Union has made certain significant moves by negotiating & enacting GDPR laws whereas United States has attempted it in a different fashion (due to its superlative federal structure) to deal with data privacy, it is important to leverage on to the existing work in EU and US for enactment of globally relevant & implementable law for data protection & privacy anywhere in the world.
United States
It is protected by laws regulated on both national and state level creating plethora of laws which provides overlapping (and contradictory) protection because of sector specific legislation as US has taken ‘sectoral’ approach to privacy. For instance, in order to ensure easy accessibility of the notice, laws such as California Online Privacy Protection Act, 2003 (CALOPPA) 466 and the GLB Act which requires that websites and financial institution post “clear and conspicuous” privacy notices. Largely, data protection practices carried out in US are based on consent or notices, with an opportunity to opt out of the processing activities, essentially if the user is giving his consent then there is no problem and his data can be used. None of the legislation provides holistic protection from unchecked data collection, misuse or abuse. As US being hub of some of the largest data driven Companies like Face book, Twitter etc, often, the laws present a disintegrated work effort and so, there is a visible need to bring changes in the existing law to stop another “Cambridge Analytica” from happening. Consequently, comprehensive framework to protect data of user to ensure data protection & privacy is the need of the hour.
European Union
Europe has designed most comprehensive framework for data protection, General Data Protection Regulation (GDPR) which was released by European council and Parliament in early 2016. GDPR came into force from 25 May, 2018 and will replace the existing Data Protection Directive. It contains stringent rule and regulation that is required to be followed by all EU member countries and in addition by all those Companies that process personal data of EU resident irrespective of their location. That is not only Companies in Europe but also outside the country dealing with data of EU resident will be required to establish system that will comply with the requirement of GDPR. Such a wide ambit of jurisdiction under GDPR will create impact globally. The new regulation provides stronger right to users over their personal data. These rights include (i) right to be forgotten – where user holds the right to ask the controller to remove his data without any delay, (ii) explicit consent i.e purpose and by whom their data will be used must be well informed to the user, (iii) anonymization of data to protect privacy is required, (iv) mandatory breach notification within 72 hours of being aware is an onus & such other similar rights that furthers one’s privacy. Also, these regulations impose accountability on organizations whereby they are required to put in place stringent procedures for monitoring, reviewing, assessing risk to consumer data and addressing them and at the same time, organizations are required to minimize data processing and retention, appoint data protection officers for monitoring or processing large amounts of sensitive data. The term used again and again ‘Personal Data’ is also defined under Article 4 (1) Personal data are any information which is related to an identified or identifiable natural person. The word used in definition is ‘any information’ which allows interpretation of personal data broadly. Further, the regulations have made special categories of personal data that are subject to additional protections called as ‘Sensitive Data’ defined under Article 8(1) “Sensitive Personal Data” are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life. In general, organisations require stronger grounds to process sensitive personal data than they require to process “regular” personal data. GDPR have left no stone untouched therefore it has also included within
the ambit of personal data, those data which are amended in such a way by hashing or Encryption which cannot be identified by the name of the individual unless you have the key to re -identify the data. It is called as ‘Pseudonymous data’ in this level of protection is lower. GDPR has only excluded those data from its ambit which are amended in such a way by the use of which individual can’t be identified. It is called as ‘Anonymous Data’. GDPR has provided opportunity to organization to build robust mechanism for better data governance.
Conclusion
With the current technology environment, it is inevitable for any country participating in modern economy to defer the enactment of wholesome privacy laws. Comparing India with countries like US, EU clearly India is lagging behind and needs to urgently address the issues involved. A comprehensive law for data protection is the need of the hour in India as it is not immune to global technological revolution rather in many areas, it holds the baton for the same, therefore, a law that will look into every aspect of how data and privacy of individual can be protected must be considered immediately. It has become all the more important to protect privacy of individual after the judgement in Puttaswamy’s case where right to privacy has been declared as fundamental right under article 21 of the constitution.
As economies are marching towards a more digitalized ecosystem, value of data has grown exponentially and if such data are used arbitrarily it can cause immense harm. The law dealing with data protection will increase compliance burden on organizations but if implemented systematically, will give remarkable returns in future to earn a brand value & also the newer ways to monetise the IP created.
Strong legal edifice is needed on which innovations related to data will flourish while having reasonable checks to be monitored by data controller as may be required.
Shaping such a framework based law is a complex process as this requires us to tread the fine line where the balance between privacy concerns of an individual and legitimate state interest, including public benefit arising from scientific and historical research based on data collected and processed must be a struck. The framework needs to be designed in such a way that it ensures an individual the freedom to decide how his personal information be shared and at the same time it must provide opportunity to State to use it for larger good when required.
References
1. Sinha, Smita (May 25, 2018), Annual Consumer Survey on Data Privacy In India, retrieved from: https://www.analyticsindiamag.com/annual-consumer-survey-on-data-privacy-in-india-2018/
2. (February, 2019) Report on number of internet users in India from 2015 to 2023 (in millions), retrieved from: https://www.statista.com/statistics/255146/number-of-internet-users-in-india/
3. IDC (April 2014), The Digital Universe of Opportunities: Rich Data and the Increasing Values of the Internet of Things’, EMC Digital Universe with Research and Analysis by IDC, retrieved from: https://www.emc.com/collateral/analyst-reports/idc-digital-universe-2014.pdf
4. By Ernst & Young (April 2014), ‘Big data: Changing the Way Businesses Operate and Compete’, available
at: http://www.ey.com/Publication/vwLUAssets/EY__Big_data:_changing_the_way_businesses_operate/% 24FILE/EY-Insights-on-GRC-Big-data.pdf
5. Archer Soft, (September 13, 2019)’Why is Data Collection Important in Healthcare’, retrieved from: https://www.archer-soft.com/en/blog/why-data-collection-important-healthcare
6. Big Data Society, (January – June, 2017), Vol: 1- 7, Conceptualising the right to Data protection in an era of Big Data, retrieved from: https://journals.sagepub.com/doi/pdf/10.1177/2053951716686994
7. Data Protection Committee Report of Experts under the Chairmanship of Justice B.N. Srikrishna retrieved from: https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
8. White paper of the Committee of Experts on a Data Protection Framework for India, retrieved from: http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_171127_final_v2.pdf
9. Dr Detlev Gabel, Tim Hickman, (September 13, 2017), ‘Unlocking the EU General Data Protection Regulation’ retrieved from: https://www.whitecase.com/publications/article/chapter-5-key-definitions-unlocking-eu-general-data-protection-regulation
10. Ministry Of Communications And Information Technology (Department of Information Technology) Notification, April 11, 2011 retrieved from : https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf
11. R Lahoti,(October 20, 1995), Judgement of ‘Burlington Home Shopping Pvt. … vs Rajnish Chibber on 20 October, 1995’ https://indiankanoon.org/doc/130087/
12. Lawteacher.net, (February, 02 2018), ‘Data Protection Laws in India’ retrieved from: https://www.lawteacher.net/free-law-essays/business-law/data-protection-laws-in-india-business-law-essay.php
13. Narseo Vallina-Rodriguez, Srikanth Sundaresan, (May 30, 2017), ‘7 in 10 smartphone apps share your data with third-party services’ retrieved from: https://theconversation.com/7-in-10-smartphone-apps-share-your-data-with-third-party-services-72404
14. Dr D Y Chandrachud, J, (August 24,2017) Judgement on Justice K.S.Puttaswamy (RETD.),and Anr. ..Petitioners Versus Union Of India and ORS. ..Respondents retrieved from: https://www.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf