Manmeet Singh Arora
Regional Director, Internationalism Odisha
India is still at an initial stage of data protection regulation compared to other jurisdictions, in particular the guidelines prescribed by the European Union ("EU") on data protection. The legal regimes compared below offer useful insights into data protection laws.
Information Technology Act, 2000 and SPDI Rules:
The legal principles regarding data protection are contained in the Information Technology Act, 2000 ("IT Act") and the rules framed thereunder, inter alia on matters relating to the collection, storage, disclosure and transfer of electronic data. The IT Act prescribes punishment by imprisonment and/or fine for offences such as illegal downloading, destruction, alteration or deletion of data, creating and injecting viruses into computer systems, illegal access to computer systems, data theft, identity theft, cheating by personation, cyber terrorism, breach of confidentiality and privacy, and disclosure of information in breach of a lawful contract, to name a few. Communication, transfer, storage and use of data (often sensitive, confidential and personal data) have become part and parcel of today's digital transactions. As electronic transactions have become an easier and more efficient way of transacting than traditional offline paperwork, data protection has become a multi-jurisdictional issue in this borderless digital world, and countries around the world have developed regulatory frameworks specifically to address and protect against loss of privacy. (Information Technology Act 2000 and Information Technology, 2011)
Personal data and Information Technology
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") mandate adherence to specified procedures and measures by a body corporate that processes, deals with, stores or handles sensitive personal data or information in a computer resource which it owns, controls or operates. Some of the key compliances under the SPDI Rules are as follows:
• Obtaining prior written consent from the information provider for collecting information, while giving the provider the option not to provide the information sought and to withdraw consent given earlier in this regard.
• Taking steps to ensure that the information provider knows that information is being collected, the purpose for which it will be used, the intended recipients of the information, and the details of the agency collecting it.
• Not retaining personal information longer than is necessary for achieving the corresponding purpose, or as otherwise required under applicable law.
• Non-disclosure of personal information to any third party without prior permission (unless such disclosure is required by law or has been contractually agreed with the information provider).
• Information may be transferred to any other person that maintains the same protection (including up-to-date firewalls) and the same level of data protection as provided under the SPDI Rules, provided that the transfer is necessary for the performance of a lawful contract with the information provider.
US Federal Trade Commission (FTC)
Over the years, organisations have created strong channels to receive information about data practices. The FTC, for instance, receives information from institutions across multiple sectors and analyses its self-managed complaint dataset into intelligible, meaningful data; the authorities use this information to keep themselves updated on new technologies and to enforce the timeless guarantees of data protection. Their qualitative judgment and years of observation and analysis are an integral component of effective supervision of the data protection regime.
The following factors are laid down for better compliance and vigilance:
• Transparency measures: to be open about its approach to enforcement action, the action that it takes and the outcomes it achieves.
• Accountability: it will include information on the use of its enforcement powers in its annual report. It will make sure that those who are subject to enforcement action are aware of their rights to appeal.
• Proportionality: it will put in place systems to ensure that regulatory action taken is in proportion to the harm or potential harm caused. It will resort to escalated enforcement when it is satisfied that the risk cannot be addressed by negotiation or other less formal means.
• Consistency: it will apply its decision-making criteria consistently in the exercise of its regulatory action powers.
• Targeting: it will target regulatory action on those areas where it is the most appropriate tool to achieve the objectives of the proposed legislation.
A New Data Protection Law on the Horizon
The Indian Government is seeking to strengthen and equip its regulatory framework for data protection and privacy. A Committee of Experts under the chairmanship of former Supreme Court Justice Shri B. N. Srikrishna ("Committee") has been formed to study various issues relating to data protection in India, make specific suggestions on principles to be considered for data protection and suggest a draft Data Protection Bill. The Committee accordingly released a white paper on November 27, 2017, on a data protection framework for India, seeking public comments. This white paper came on the heels of the Supreme Court's landmark judgment of August 24, 2017, in Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors., 2017 (10) SCALE 1, where the Court recognized the right to privacy as an intrinsic part of the fundamental right to life and personal liberty under Article 21 of the Constitution of India. The Court observed that 'informational privacy' is a facet of the right to privacy and recognized that dangers to privacy in an age of information can originate not only from the state but from non-state actors as well.
The Court referred to the fact that 'Uber' owns no vehicles, 'Facebook' creates no content, 'Alibaba' has no inventory and 'Airbnb', the world's largest accommodation provider, owns no real estate, yet entities like these, along with other social network providers, search engines, e-mail service providers and messaging applications, are all examples of non-state actors with extensive knowledge of our activities, financial transactions and conversations, including data procured on health, mental state and shopping habits. Such data is obtained by controlling the content and information the user sees and by taking "informed consent" without the user realising that he has consented; the company then uses it to profile each and every individual and to turn the resulting neural network of information into business intelligence that is actionable in every sense. The big data factor and the difficulty of controlling the flow of information lie behind people's growing reliance on internet-based services; deeper and deeper digital footprints are being created, and there is a need for regulation of the extent to which such information can be stored, processed and used by non-state actors, and also by the State for espionage activities, which should likewise be brought under the scanner.
In the white paper, the Committee has suggested that the data protection framework should be based on seven principles: (i) the law should be able to accommodate changing technologies, (ii) the law must apply to both government and private sector entities, (iii) consent should be genuine, informed and meaningful, (iv) processing of data should be minimal and only for the purpose for which it is sought, (v) entities controlling the data should be accountable for any data processing, (vi) enforcement of the data protection framework should be by a high-powered statutory authority, and (vii) penalties should be adequate to discourage any wrongful acts. The Committee has further sought public comments on questions relating to the territorial jurisdiction of data protection laws; the extent to which the law should apply outside India, such as the inclusion of measures to ensure compliance by foreign entities; the definition of personal data; categories of exemptions of entities from certain obligations (e.g., certain actions taken by the state during investigations); conditions of valid consent; the exposure of children to online risks; the purpose of collection; participation rights of the data provider in the processing of its data (such as the right to confirm, access and rectify data); enforcement models and tools to be used for codes of conduct, breaches of personal data and the categorization of different data controllers; and the creation of a separate data protection authority. The white paper has accordingly discussed penalties for offences under the proposed law and adjudicating authorities for complaints, and noted that awarding compensation to an individual who has incurred loss or damage due to the data controller's failure is an important remedy to be specified under the law. (White paper on Data Protection Framework for India)
Regulatory Framework in the EU
The development of the data protection regime in the EU has been marked by the introduction of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC ("General Data Protection Regulation" or "Regulation"). It is worth mentioning that, in accordance with Article 288 of the Treaty on the Functioning of the European Union, the Regulation is binding in its entirety and is directly applicable in all Member States of the EU. Therefore, the Regulation does not require additional implementation through acts of national law, as its provisions are binding from the date of its entry into force. An important feature of the Regulation is also its direct effect, which means that both the Member States and individual persons and entities can rely directly on the measures contained in the Regulation.
The Regulation concerns "the protection of individuals with regard to the processing of personal data and (...) the free movement of such data". Certain fundamental features of the Regulation are specified below:
Article 4(1) of the Regulation defines the concept of "personal data" as "information about an identified or identifiable natural person ('the data subject'); an identifiable person is a person that can be directly or indirectly identified, in particular on the basis of an identifier such as first and last name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person". Article 4(2) defines the concept of "processing" as "an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated way, such as collection, organization, ordering, storage, adaptation or modification, downloading, viewing, using, disclosure by sending, dissemination or another type of sharing, matching or connecting, limiting, deleting or destroying".
It is also worth emphasizing that, as per clause (15), the protection afforded to the processing of personal data should not depend on the techniques used for the processing. Also, the Regulation does not apply to the processing of personal data by the relevant authorities in order to, e.g., protect public or national security under Article 2(d), nor to the processing of anonymous information, including for statistical or research purposes, under clause (26).
Extra-Territorial Application: The territorial application of the Regulation is laid down under Article 3, according to which the Regulation is applicable to:
Fair and Lawful Processing of Data: Personal data must be processed fairly, in accordance with clause (60) of the Regulation, i.e. the administrator should inform the person to whom the data relates about the context, purposes and circumstances of the processing; and lawfully, within the limits of the law, in accordance with clause (40), i.e. on the basis of consent expressed by the person to whom the data relates or on a different legal basis.
No Misleading Information: Any information that is misleading or invalid from the point of view of the purpose of the processing should be corrected or deleted, as laid down under Article 5(1)(d) of the Regulation.
Processing of Special Categories of Personal Data: It is not permitted to process special categories of personal data, including data on sexual orientation, political opinions, religion, racial/ethnic origin or health, as laid down under Article 9.
Processing Not Requiring Identification: When the information held is not sufficient to identify the person, the administrator is not required to obtain further information for the purpose of identifying that natural person if the objectives of the processing do not require it (Article 11(1)).
Purpose of Collection: Personal data should be processed in accordance with the purpose for which they were collected. If the administrator intends to process the data for other purposes, he must inform the person to whom the data relates and provide the necessary information (Clause (50) and Article 14(4)).
Right of Access: The natural person should have access to the information that relates to him. The administrator who receives data from that person should inform the person about the purposes of the processing of such data, about the recipients, and about the right to demand deletion or correction by the administrator, or to object, at any time (Article 15).
Right to be Forgotten: Article 17 establishes the "right to be forgotten", i.e. the natural person to whom the data relates may demand that the administrator delete the data in designated circumstances: where the personal data are no longer needed for the purposes for which they were collected, where they were processed in an unlawful manner, or where the person has withdrawn his consent or objected.
Permitted Profiling: Decision-making on the basis of profiling should be permitted where it is expressly permitted by European Union law or the law of the Member State to which the administrator is subject, including for the purposes of monitoring and preventing fraud and tax evasion (in accordance with the regulations, standards and recommendations of the institutions of the European Union or of national supervisory authorities) and of guaranteeing the safety and reliability of the services provided by the administrator; where it is necessary for the conclusion or performance of a contract between the person the data relates to and the administrator; or where the person the data relates to has explicitly agreed, as laid down under Clause (71).
Imposing Restrictions: Restrictions on individuals' rights to protection with regard to the processing of personal data are justified if they serve the protection of public security, public health or national security, or crime prevention (Article 23).
Safety Measures: The administrator and the processor shall implement appropriate measures to ensure the security of data processing, as laid down under Article 32.
Breach Notification: Under Article 33, the administrator is under a duty to report breaches of personal data protection to the supervisory authority (within 72 hours). The processor is required to inform the administrator of a personal data breach without undue delay.
Data Protection Impact Assessment: Under Article 35, the administrator estimates the effects of the planned data processing and assesses the possible risks associated with the processing of such data.
Data Protection Officer: Under Article 37(1), the administrator and the processor designate a Data Protection Officer (DPO) in the situation when:
Penalties: Article 83 of the Regulation provides for financial penalties for infringement of its provisions. These penalties shall be proportionate but above all effective and dissuasive.
Adequacy Requirements: Transfers of personal data to third countries which have not been recognized by the EU as countries with an adequate level of data protection (such as India) can take place only on one of the following conditions, as specified under Article 49.
Binding Corporate Rules:
Article 47 of the Regulation provides for the concept of "Binding Corporate Rules" (BCR), which can serve as a viable alternative in cases where the requirements for the transfer of data to third countries or organisations outside the EU are not otherwise met. The rules are defined as personal data protection policies adhered to by a controller or processor established on the territory of a Member State for transfers of personal data to a controller or processor in third countries within a group of undertakings or group of enterprises engaged in a joint economic activity. Under Article 47, the competent supervisory authority is required to approve binding corporate rules in accordance with the mechanism set out in the Regulation.
Further, given the rapid development of collaboration between EU and Indian companies, especially in the field of information technology, data protection protocols of a similar level are to be expected between the parties. The Regulation, as noted above, governs the processing of personal data located in the EU by the administrator or the processor. Therefore, in order to be legally secure, without the risk of administrative penalties or civil liability towards the customer, when entrusting personal data to third-country entities providing IT services it will be safest to conclude a data transfer contract with the service provider containing the standard clauses on the protection of personal data approved by the European Commission.
Future Aspects and Improvement in Indian Law
The findings suggest that the EU model is the basis for the Indian regulatory framework on data protection, but that it is not sufficiently adequate to address the concerns arising from the collection and linking of data, including biometrics, by the Government under the Aadhaar Act, and from the exponential advancements in technology and digital transactions, which increase the risk of data violations. The Government of India therefore has to keep working on a more effective legal framework for data protection. Reading between the lines, the main task is to work out in detail more suitable means of addressing the issues that are likely to erupt as more and more technology is brought into use, and to bring the framework on par with global standards. Further, in the meantime, the EU's new General Data Protection Regulation, which comes into effect in May 2018, is expected to have far-reaching implications even in the Indian context, due to its applicability to Indian entities who deal with data of EU nationals (as discussed above).
As on date, India is not recognized by the EU as a country with an adequate level of data protection, which therefore requires additional compliances for the transfer and processing of data by such Indian entities. From an Indian perspective, it therefore becomes imperative for such Indian entities to implement the data protection requirements stipulated in the EU Regulation within their systems, consistent with the technological requirements, and to set up due diligence and standard operating procedures (SOPs) to make them effective, as their EU counterparts do. In future, a Situation Room or National Emergency Response Centre is a necessity for tackling real-time threats from enemies foreign and domestic, so that data theft and espionage can be prevented; this requires joint cooperation between the Government and corporate entities to ensure that a strong barricade can be installed to stop data from going into the wrong hands and being exploited. More technical advancement and up-to-date software are required to incorporate data privacy codes and to make systems more resistant to being entrapped, leaving no room for an educated guess to lead to any such data compromise. There should also be changes in the existing cyber legislation: since cyberspace is the place where the crime is actually committed, the offender should be triable in any place irrespective of jurisdiction, as the restriction on jurisdiction is another hurdle; this can be properly legislated so that the offender and the suspect cannot escape penal provisions.
Information Technology Act, 2000 and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Public consultation on White Paper: Data Protection Framework for India, December 2017.
White Paper on Data Protection Framework for India, Committee of Experts under the chairmanship of Justice B. N. Srikrishna, November 27, 2017.