Professional Documents
Culture Documents
Encoding Privacy in A Digital World: Introduction and Relevance of The Topic
Encoding Privacy in A Digital World: Introduction and Relevance of The Topic
Encoding Privacy in A Digital World: Introduction and Relevance of The Topic
In the case of most online providers, the consent to collect data is presumed and one can opt-
out or disable some of these features that allow the provider to collect as well as share the data.
The user gives up the ownership of his data when signing up for these online services.
While there are justifiable uses of data that are vastly beneficial, such centralization of data,
profiling of individuals and increased surveillance, has led to mounting concerns relating to
erosion of privacy of individuals, ability to impact public decision-making process and national
security. Information could be used for the beneficial purpose; but the arbitrary and unregulated
use of personal information has increased concerns regarding freedom of an individual and the
privacy. The concerns are mostly related to centralized databases, individual profiling,
surveillance leading to erosion of individual’s freedom.
Data protection refers to the practices, safeguards, and binding rules put in place to protect
user’s personal information and ensure that users remain in control of it i. The purpose of
personal data protection isn’t to just protect a person’s data, but to protect the fundamental
rights and freedoms of persons that are related to that dataii.
In its judgement in the Puttaswamy vs. Union of India case, in August 2017, the Supreme Court
recognised the fundamental Right to Privacy under the Indian Constitution.
Collection of Information
Regarding information, the obligation is to inform the data subject (an entity whose data is
being protected under the law) that its information is being collected. In case of SPDI, the bar
for compliance is higher since a written consent is mandated which can be revoked by
intimation in writing. Rules 5(2) and 5(4) are laid down in accordance with global best practices
that are known as “data minimization”. To ensure data subjects do not disclose SPDI, it creates
an obligation on data collectors to obtain information only when necessary and must be retained
only for as long as it is necessary to achieve the purpose of collection.
International Laws
GDPR is an important law that has recently been in force in European Union (EU) and the
provisions of this regulation have been referred in the Indian draft Data Protection Policy and
Justice B N Srikrishna Committee report.
GDPR is a legal framework that provides guidelines for the collection and processing of
personal information. While its jurisdiction is limited to EU, any state that transacts with EU
member state and has access to its customer’s critical personal data will have to abide by GDPR
guidelines. Non-compliances also attract a hefty penalty.
While GDPR is not an act but guidelines that can be used to draft legislation by member
nations, yet it is fruitful to compare the broad contours of GDPR with the relevant Indian law
– Data Protection Bill. The major points of difference between the two arevii –
While GDPR mandates entities to share names and categories of other recipients of
personal data with citizens whose data is being processed, the Indian draft bill does not
require this rule
Citizens in Indian draft bill cannot demand erasure of their data while there is a separate
article ‘Data reassure’ in GDPR for this provision
GDPR mandates time frame for which data will be stored by entities while the Indian draft
bill does not mention any such time frame
GDPR explicitly mentions sharing of the source from which data has been acquired about
citizens if it was not directly collected from him/her while there is no such requirement in
a draft Indian bill
In the case of a data breach, the entities are not required to share this information with the
citizens whose data is compromised according to draft Indian bill. Instead, the Data
Protection Authority determines whether the breach should be reported to the affected
persons. GDPR provides for such provision where all breaches are to be reported to the
affected persons
GDPR requires that the data which is being processed about the citizens shall be made
available to him/her while the Indian draft bill mentions the provision of the summary to
the citizens without defining what summary means
Conclusion
Data privacy is a legal right and existing data protection framework in India under the IT Act
is largely inadequate, in terms of implementation, protections and remedies and it lacks basic
protections such as provisions for data breach notificationsviii. Therefore, India urgently needs
to enact a dedicated data protection law.
In framing the data privacy regime, the policy makers will have to balance the access of
businesses to technological innovations in data analytics with the need to protect customer data.
This would also include the requirement of the government to ensure law enforcement and
regulatory authorities would have access to Indian data upon requests and that the government
would be able to limit the unwillingness of MNCs to respond to law enforcement requests.
i
Accessnow.com. Data protection: why it matters and now to protect it. (2018). Retrieved from
https://www.accessnow.org/data-protection-matters-protect/
ii
Njordlaw.com. Three reasons why we need strict data protection regulations. Retrieved from
https://www.njordlaw.com/three-reasons-need-strict-data-protection-regulations/
iii
Information-age.com. Getting Value from your data under GDPR. Retrieved from https://www.information-
age.com/data-under-gdpr-123476524/
iv
Iapp.org. Can we balance data protection with value creation. Retrieved from https://iapp.org/news/a/can-we-
balance-data-protection-with-value-creation/
v
Meity.gov.in. White Paper of the Committee of Experts on a Data Protection Framework for India. Retrieved
from
http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf
vi
Bar & Bench. (2018). Understanding Data Protection Laws in India. Retrieved from
https://barandbench.com/india-law-connect/legal-briefing/understanding-data-protection-laws-india/
vii
Cioandleader.com. (2018). 8 differences between Indian data protection bill and GDPR! Retrieved from
https://www.cioandleader.com/article/2018/07/30/8-differences-between-indian-data-protection-bill-and-gdpr
viii
Nipfp.org.in Data localisation in India: Questioning the means and ends. (2018). Retrieved from
https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf