Data Privacy and Security in INDIA

Author : Himanshu Jakhar, BBA LL.B, fourth year student of Army Law College, Pune 

Abstract 

In the digital era, data privacy and security are paramount due to rising cyber threats and data breaches. India has taken significant steps to enhance data protection through legislation and regulatory measures. The Justice B.R. Krishna Committee, established in 2017, played a pivotal role by recommending a comprehensive data privacy framework. Their recommendations included distinguishing between various types of personal data, emphasizing the importance of consent, and suggesting penalties for data breaches.

In 2023, the Indian government introduced the Digital Personal Data Protection Act (DPDP Act), which incorporates many of the committee’s recommendations but has faced criticism for its exemptions and limitations, particularly concerning government obligations and privacy protections. Indian case laws have further shaped data privacy norms, addressing issues of free speech, privacy, and data sharing. While the DPDP Act represents progress in data protection, continued refinement and oversight are necessary to address evolving challenges and ensure robust protection of personal data.

Introduction 

Data privacy and security are the most important in today’s digital world, where there are many cyber-attacks for data breaches, and their data can be used to harm any individual or organization. To prevent this there are many laws in the world.  India also increased its focus on data privacy and security for this India has significant legislation to deal with data privacy and security matters.

What is data?

Data generally means a collection of information there are many ways to gather the information like observations, measurement, research or analysis, etc.

In the digital world, data refers to any information that is stored, processed, or transmitted electronically.

Data type:-

1. Structured data is neatly organized in a fixed format, making it easy to search and find information in databases. Examples Excel spreadsheets and SQL databases
2. Unstructured data this type of data is data lacks any specific organization and comes in various formats, such as Word documents, social media posts, and videos.
3. Semi-structured data falls somewhere in between, having some organization but not as structured data. Examples of semi-structured data include XML files and JSON files.

What is data privacy?

Data privacy also known as “information Privacy”, means handling and protecting personal data to ensure that individuals have full control of how their information is shared.

Information can be a name, location, contact information, or any personal details.

As we know internet is used at a very large scale so it can create the importance of data privacy. Many Websites, applications, and social media platforms collect the personal data of the user. Some platforms and applications collect the data and give proper safeguards to user data but some other platforms and applications also collect data but do not give proper safeguards which results in a data breach that harms the privacy of individuals.   

Important of data privacy

In many countries including India privacy is considered a fundament right, for the protection of this right these countries have some laws. These laws apply to those who correct data for the general public like websites, applications, platforms, and organizations who are involved in the correction of data, these laws stop them from sharing user data with third parties without user consent. 

Personal data can be misused in many ways:-

1. Personal data can be used to defraud or harass users. 
2. Sell personal data to advertisements or third parties without user consent and because of this users receive unwanted advertising or marketing.

So, this organization must protect the data. There are many reasons why organizations protect personal data:-

1. Data privacy helps people control their information which one is to be public and which one is to be private.
2. To provide privacy to their user this can be created and maintain trust, which is beneficial to the organization.
3. Data privacy empowers people to know how, where, and by who their data is used.

What is data security?

Data security means to practice of protecting digital information from unauthorized access, corruption, or theft of data. It involves implementing various measures and technologies to safeguard data.

Importance of data security

As cyber threats grow around the world, protecting data is very important. Organizations need data security to keep their company and customer information safe from attacks. This includes:

1. Personal Information: Names, addresses, phone numbers, social security numbers, and dates of birth.
2. Financial Information: Bank account numbers and credit card details.
3. Intellectual Property: Patents, trade secrets, and copyrighted or trademarked material.
4. Health Information: Medical records, patient data, and prescription information.
5. Business Information: Sales data, pricing information, and strategic plans

Role of Justice B.R. Krishna Committee in Data Protection and Security Laws

In 2017, the Indian government established a committee led by retired Supreme Court judge Justice B.R. Krishna to draft a data privacy law, which submitted its report on July 27, 2018. The committee’s key recommendations included differentiating between personal data, sensitive personal data, and critical personal data, with the latter requiring processing within India only. Personal data identifies an individual, while sensitive personal data includes intimate details like caste, religion, and sexual orientation. The committee emphasized fair and transparent handling of personal data by service providers, who must inform individuals about data collection and adhere to the ‘purpose limitation’ principle, collecting data only for specific, clear purposes. Consent was highlighted as crucial for data processing, with individuals having the right to withdraw it anytime. Special provisions for children’s data protection were also suggested.

The committee proposed four scenarios for non-consensual data processing: state welfare functions, compliance with legal orders, urgent situations, and employment contracts. They also recommended mandatory appointment of data protection officers in organizations collecting personal data and imposing high penalties for violations, ranging from 2-4% of global turnover or ₹5 crore to ₹15 crore. The jurisdiction of the proposed data protection law would cover data used, stored, disclosed, or collected in India, regardless of processing location. An independent data protection authority was suggested to enforce the law, conduct research, and raise awareness, with rights for individuals to access, correct, withdraw consent, object to processing, and be forgotten. Legal amendments to existing laws such as the IT Act, Census Act, Aadhaar Act, and RTI Act were also recommended.

From 2018 to 2022, several drafts and revisions of the bill were made, and in 2023, the Digital Personal Data Protection Bill (DPDP Bill) was introduced, consulted upon, and passed, becoming the DPDP Act. However, there are notable differences between the DPDP Act and the committee’s recommendations. The Act is criticized for favoring the government and businesses over individuals, covering only digital data, and exempting the government from certain obligations, which weakens privacy protections. The government can also exempt certain startups from the Act, and the Data Protection Board operates under government direction, affecting its independence. The government’s power to request any information potentially undermines privacy. A new right to nominate someone to exercise data rights if the data principal dies or is incapacitated was added. Penalties detailed in the Act range from ₹10,000 to ₹200 crore, depending on the severity of the breach. The DPDP Act represents India’s evolving approach to data privacy, balancing various interests but facing criticism for certain exemptions and limitations.

 Case laws

1. Shreya Singhal vs. Union of India (2015):

In this case, the Supreme Court struck down Section 66A of the Information Technology Act, of 2000, which criminalized online speech. The Court ruled that the provision was vague and overly broad, thereby violating the right to free speech and expression. The case also highlighted concerns about data privacy and surveillance.

2. Karmanya Singh Sareen vs. Union of India (2016):

This case involved a challenge to WhatsApp’s privacy policy and data-sharing agreement with Facebook. The petitioners argued that the policy violated users’ right to privacy. The case underscored the need for stringent data protection laws in India.

3.  Ritesh Sinha vs. State of Uttar Pradesh (2019):

The Supreme Court held that the police could compel an individual to provide voice samples for investigation purposes. This case raised important questions about the balance between privacy rights and the needs of law enforcement.

4.  Internet and Mobile Association of India vs. Reserve Bank of India (2020):

The Supreme Court set aside a circular issued by the Reserve Bank of India (RBI) that prohibited banks from providing services related to virtual currencies. The Court emphasized the need for a balanced approach to regulation that protects individual rights while ensuring security and integrity in financial transactions.

5. Internet and Mobile Association of India vs. Reserve Bank of India (2020):

The Supreme Court set aside a circular issued by the Reserve Bank of India (RBI) that prohibited banks from providing services related to virtual currencies. The Court emphasized the need for a balanced approach to regulation that protects individual rights while ensuring security and integrity in financial transactions.

Conclusion 

In today’s digital world, protecting data is crucial due to increasing cyber threats and data breaches. India has made strides in addressing these issues with important laws and regulations. The Justice B.R. Krishna Committee played a key role by recommending clear guidelines for data protection, including the need for consent and transparency.

The new Digital Personal Data Protection Act (DPDP Act) introduced in 2023 is a major step forward. It includes penalties for data breaches and sets up a data protection authority. However, the Act has faced criticism for exempting the government from some obligations and limiting certain privacy protections.

Indian court cases have also influenced data privacy laws, highlighting the need to balance individual rights with regulatory needs. Overall, while the DPDP Act is a positive development, ongoing updates, and scrutiny are needed to ensure it effectively protects personal data.