Right to Privacy & Enforceable Data Protection Law

Aadhaar, India’s de facto compulsory national biometric ID issued by the Unique Identification Authority of India (UIDAI), gathers vast amounts of personal data. It has been made all-encompassing: the Government has issued about 139 notifications calling for Aadhaar to be linked to various aspects of life, so its pervasive use extends well beyond public entitlements and regulated services to sundry private services. Two events are the major legislative and legal turning points in the Aadhaar saga: the Aadhaar Act, enacted in March 2016, and the unanimous judgment of a nine-judge bench of the Supreme Court in August 2017 upholding the right to privacy as a fundamental right. Privacy is the major concern with regard to the Aadhaar project, besides the denial of rights and benefits attributed to Aadhaar. Personal data here means any information relating to a natural person that can be used to identify that person directly or indirectly, including a name, a photo, an email address, bank details, posts on social networking websites, medical information, a computer’s IP address or the person’s biometrics.

Until the August 2017 judgment, India did not have an expressly recognised fundamental right to privacy, and it still does not have a comprehensive, enforceable data protection law, even though digital technology is finely threaded into the fabric of our lives. The Information Technology Act, 2000 does provide limited protections (notably Section 43A and the 2011 rules on sensitive personal data made under it), but these subordinate regulations remain substantially deficient and practically unenforceable.

Amid the outcry over Facebook’s privacy failures, a new legal framework is needed to better identify what information deserves robust protection. The Cambridge Analytica episode has alerted people to the difficulty of protecting data in a hyper-digitised environment. Facebook COO Sheryl Sandberg admitted that the company had known two-and-a-half years earlier that Cambridge Analytica (CA) was mishandling user data, but that when it discovered the problem its executives relied on CA’s assurances that the data had been deleted. Sandberg also said that Facebook would introduce in America privacy standards similar to those that will be enforced in Europe later this year under the European Union’s General Data Protection Regulation (GDPR) and the proposed ePrivacy Regulation. Under GDPR every processing of personal data needs a lawful basis; where that basis is consent, the consent must be freely given, specific, informed and unambiguous, that is, an affirmative opt-in rather than a pre-ticked box or silence. The permission process will come as a shock to Facebook users, because it will force Facebook to tell them exactly what data it holds on them and with whom it shares that data, and it will force users to decide whether they want that level of information sharing to continue.

India has the second highest number of Internet users in the world and is an important market for many global companies that have staked out dominance within distinct silos of digital services. The question of which uses of data by governments, political parties or businesses are legitimate can be settled by formulating a national data protection law for India.

India can craft its own data protection legislation on the basis of the European Union’s General Data Protection Regulation (GDPR), which applies from May 25, 2018 and is the most important change in data privacy regulation in 20 years, designed to protect the personal data of EU residents. It had become necessary because rapid advances in technology and the growth of the digital economy meant individuals were sharing personal data, and companies and governments were using that data, on an unprecedented scale. GDPR applies to organisations outside the EU that offer goods or services to, or monitor, people in the EU, so it is expected to have a significant impact on Indian IT firms and other service providers with an EU clientele:

  • GDPR is a stronger, harmonised instrument that replaces the patchwork of national data protection laws across the 28 EU member states.
  • GDPR reflects a paradigm shift in the understanding of the relationship individuals have with their personal data, granting the individual substantial rights in his or her interaction with data controllers and data processors.
  • Data controllers are those who determine why and how data is collected, such as a government department or a private news website.
  • Data processors are those who process data on behalf of controllers, such as an Indian IT firm to which an EU firm has outsourced its data analytics.
  • GDPR mandates that a data controller’s request for consent be clearly distinguishable from other matters and written in clear and plain language; consent cannot be buried in fine print that is incomprehensible to the layperson.
  • GDPR requires those collecting data to tell individuals the ‘who’ and the ‘how’: who is collecting and processing the data, and how and for what purpose it will be used.
  • Individuals also have the right to have their personal data deleted (the right to erasure) under certain conditions.
  • GDPR makes reporting obligations and enforcement stronger: a personal data breach must normally be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and failure to comply with the new law can result in a fine of up to €20 million or 4% of worldwide annual turnover, whichever is higher.