Encoding Privacy in A Digital World: Introduction and Relevance of The Topic


ENCODING PRIVACY IN A DIGITAL WORLD

Introduction and Relevance of the topic


The rise of the internet and social media has led to privacy concerns, as it encroaches on our
personal space and gives online social providers access to users' personal data. The cost that
users pay for accessing online services is not cash but the voluntary giving up of their personal
data. The flip side is the potential abuse and sharing of that data.

In the case of most online providers, consent to collect data is presumed, and one can opt out
of or disable some of the features that allow the provider to collect and share the data.
The user gives up ownership of their data when signing up for these online services.

While there are justifiable uses of data that are vastly beneficial, the centralization of data,
profiling of individuals and increased surveillance have led to mounting concerns relating to
the erosion of individual privacy, the ability to impact public decision-making processes, and
national security. Information can be used for beneficial purposes, but the arbitrary and
unregulated use of personal information has increased concerns regarding individual freedom and
privacy. These concerns mostly relate to centralized databases, individual profiling and
surveillance, which lead to the erosion of individual freedom.

Data protection refers to the practices, safeguards, and binding rules put in place to protect
users' personal information and ensure that users remain in control of it [i]. The purpose of
personal data protection isn't just to protect a person's data, but to protect the fundamental
rights and freedoms of persons that are related to that data [ii].

Need for Enabling Business


Data protection doesn't mean abandoning intelligent business use of personal data; it means
being responsible and transparent with that use: continuing to pursue company objectives, but
not at the expense of, or even with priority over, the individual data rights of the customer [iii].
One challenge stands out when framing a data protection regime for e-commerce: how to create
a supportive environment for e-commerce that fosters innovation while placing privacy
concerns at the forefront of the approach. Good legislation should complement market forces
in bringing value and welfare to both consumers and organizations [iv].

Legal Research and Analysis


Data Protection and Privacy
Privacy can have various meanings depending on the context, and it is important to understand
the concepts of privacy in their context. Three broad types of privacy have been identified:
spatial privacy (related to physical spaces and things), decisional privacy (related to certain
significant decisions) and informational privacy (related to personal information) [v]. Data
protection relates to informational privacy. Given the ubiquitous nature of technology, data
protection also has an impact on spatial and decisional privacy.

In its judgement in the Puttaswamy vs. Union of India case, in August 2017, the Supreme Court
recognised the fundamental Right to Privacy under the Indian Constitution.

Existing Indian Laws [vi]


Overview
India does not have independent data privacy legislation; however, it does have what can be
inferred as a code of data protection law embedded in the Information Technology
Act, 2000 ("IT Act") and the Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011, notified under Section
43A of the IT Act. These Rules provide privacy law for the protection of data in electronic transactions.

Data as defined in the IT Act is restricted to the collection, possession, handling/dealing or
transfer of "personal" information which relates to a natural person. Thus, the law is restricted
to individuals and does not deal with data between corporate entities. Also, the law makes no
distinction between the obligations of a data collector and a data processor. Some salient
features of the privacy rules:

Personal Information vs. Sensitive Personal Data or Information (SPDI)


Data protection law in India does not protect all personal information but only “sensitive”
personal data. The threshold of what is included as part of “sensitive” data is low. The definition
includes critical financial information such as bank account details, debit and credit card details
and other information related to payment instruments. These are deemed to be included as part
of SPDI.

Collection of Information
Regarding information, the obligation is to inform the data subject (an entity whose data is
being protected under the law) that its information is being collected. In the case of SPDI, the
bar for compliance is higher, since written consent is mandated, which can be revoked by
intimation in writing. Rules 5(2) and 5(4) are laid down in accordance with the global best
practice known as "data minimization". To ensure data subjects do not disclose SPDI, they create
an obligation on data collectors to obtain information only when necessary and to retain it
only for as long as is necessary to achieve the purpose of collection.

Transfer of Information: Consent vs. Necessary for Performance


Consent does not legitimize all data collection; only "necessary" information can be collected
and transferred. As opposed to collection, in the case of transfer, compliance is not restricted
to SPDI but applies to the entire pool of information. Over and above this, information can be
transferred to a third party only when (i) the third party adopts the same level of data
protection as mentioned under the IT Rules; (ii) the transfer is necessary for the performance
of an existing contract; and (iii) the consent of the data provider is obtained.

International Laws
GDPR is an important law that has recently come into force in the European Union (EU), and the
provisions of this regulation have been referred to in the Indian draft Data Protection Policy
and the Justice B N Srikrishna Committee report.

GDPR is a legal framework that provides guidelines for the collection and processing of
personal information. While its jurisdiction is limited to the EU, any state that transacts with
an EU member state and has access to its customers' critical personal data will have to abide by
GDPR guidelines. Non-compliance also attracts a hefty penalty.

While GDPR is not an act but a set of guidelines that member nations can use to draft
legislation, it is fruitful to compare the broad contours of GDPR with the relevant Indian law,
the Data Protection Bill. The major points of difference between the two are [vii]:
• While GDPR mandates that entities share the names and categories of other recipients of
  personal data with citizens whose data is being processed, the Indian draft bill does not
  require this.
• Citizens cannot demand erasure of their data under the Indian draft bill, while GDPR has a
  separate article, 'Data erasure', for this provision.
• GDPR mandates a time frame for which data will be stored by entities, while the Indian draft
  bill does not mention any such time frame.
• GDPR explicitly requires sharing the source from which data about citizens has been acquired
  if it was not directly collected from them, while there is no such requirement in the
  draft Indian bill.
• In the case of a data breach, entities are not required to share this information with the
  citizens whose data is compromised according to the draft Indian bill. Instead, the Data
  Protection Authority determines whether the breach should be reported to the affected
  persons. GDPR provides that all breaches are to be reported to the affected persons.
• GDPR requires that the data being processed about citizens be made available to them,
  while the Indian draft bill mentions the provision of a summary to citizens without
  defining what summary means.

Conclusion

Data privacy is a legal right, and the existing data protection framework in India under the IT
Act is largely inadequate in terms of implementation, protections and remedies; it lacks basic
protections such as provisions for data breach notifications [viii]. Therefore, India urgently
needs to enact a dedicated data protection law.

In framing the data privacy regime, policy makers will have to balance businesses' access to
technological innovations in data analytics with the need to protect customer data.
This would also include the government's requirement to ensure that law enforcement and
regulatory authorities have access to Indian data upon request, and that the government
is able to limit the unwillingness of MNCs to respond to law enforcement requests.

[i] Accessnow.com. (2018). Data protection: why it matters and how to protect it. Retrieved from https://www.accessnow.org/data-protection-matters-protect/
[ii] Njordlaw.com. Three reasons why we need strict data protection regulations. Retrieved from https://www.njordlaw.com/three-reasons-need-strict-data-protection-regulations/
[iii] Information-age.com. Getting Value from your data under GDPR. Retrieved from https://www.information-age.com/data-under-gdpr-123476524/
[iv] Iapp.org. Can we balance data protection with value creation. Retrieved from https://iapp.org/news/a/can-we-balance-data-protection-with-value-creation/
[v] Meity.gov.in. White Paper of the Committee of Experts on a Data Protection Framework for India. Retrieved from http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf
[vi] Bar & Bench. (2018). Understanding Data Protection Laws in India. Retrieved from https://barandbench.com/india-law-connect/legal-briefing/understanding-data-protection-laws-india/
[vii] Cioandleader.com. (2018). 8 differences between Indian data protection bill and GDPR! Retrieved from https://www.cioandleader.com/article/2018/07/30/8-differences-between-indian-data-protection-bill-and-gdpr
[viii] Nipfp.org.in. (2018). Data localisation in India: Questioning the means and ends. Retrieved from https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf
