Data Protection
The challenge of data privacy is to use data while protecting an individual's privacy
preferences and their personally identifiable information. The fields of computer
security, data security, and information security design and use software, hardware, and
human resources to address this issue.
Legality
The legal protection of the right to privacy in general – and of data privacy in particular –
varies greatly around the world.[2]
Laws and regulations related to privacy and data protection are constantly changing, so it is
seen as important to keep abreast of any changes in the law and to continually reassess
compliance with data privacy and security regulations.[3] Within academia, Institutional Review
Boards function to assure that adequate measures are taken to ensure both the privacy and
confidentiality of human subjects in research.
Privacy concerns exist wherever personally identifiable information or other sensitive
information is collected, stored, used, and finally destroyed or deleted – in digital form or
otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues.
Data privacy issues may arise in response to information from a wide range of sources, such
as:[4]
Healthcare records
Criminal justice investigations and proceedings
Financial institutions and transactions
Biological traits, such as genetic material
Residence and geographic records
Privacy breach
Location-based service and geolocation
Web surfing behaviour or user preferences using persistent cookies
Academic research
[1] Michael, M. G.; Michael, Katina (1976-). Uberveillance and the Social Implications of Microchip Implants: Emerging Technologies. Hershey, PA. ISBN 978-1466645820. OCLC 843857020.
[2] Rakower, Lauren (2011). "Blurred Line: Zooming in on Google Street View and the Global Right to Privacy". brooklynworks.brooklaw.edu. Archived from the original on 11-11-2019.
[3] Robert Hasty, Dr Trevor W. Nagel and Mariam Subjally, Data Protection Law in the USA (Advocates for International Development, August 2013). "Archived copy" (PDF). Archived from the original (PDF) on 09-11-19. Retrieved 11-11-19.
[4] Mittal, Prashant. Programme Management: Managing Multiple Projects Successfully. Global India Pubns. 2009. ISBN 978-9380228204. OCLC 464584332.
[5] "List of OECD Member countries – Ratification of the Convention on the OECD". OECD. Retrieved 11 November 2019.
[6] "World Economic Outlook Database". International Monetary Fund. 11 November 2019.
[7] "Soviet Union rejects Marshall Plan assistance This Day in History — 7/2/1947". History.com. Retrieved 11 November 2019.
contributions from member countries at varying rates and had a total budget of €374 million
in 2017.
Openness Principle
There should be a general policy of openness about developments, practices and policies with
respect to personal data. Means should be readily available of establishing the existence and
nature of personal data, and the main purposes of their use, as well as the identity and usual
residence of the data controller.
Accountability Principle
A data controller should be accountable for complying with measures which give effect to the
principles stated above.
Member countries should take all reasonable and appropriate steps to ensure that trans-border
flows of personal data, including transit through a Member country, are uninterrupted and
secure.
A Member country should refrain from restricting trans-border flows of personal data between
itself and another Member country except where the latter does not yet substantially observe
these Guidelines or where the re-export of such data would circumvent its domestic privacy
legislation. A Member country may also impose restrictions in respect of certain categories of
personal data for which its domestic privacy legislation includes specific regulations in view
of the nature of those data and for which the other Member country provides no equivalent
protection.
Member countries should avoid developing laws, policies and practices in the name of the
protection of privacy and individual liberties, which would create obstacles to transborder
flows of personal data that would exceed requirements for such protection.
NATIONAL IMPLEMENTATION
In implementing domestically the principles set forth in Parts Two and Three, Member
countries should establish legal, administrative or other procedures or institutions for the
protection of privacy and individual liberties in respect of personal data. Member countries
should in particular endeavour to:
a) adopt appropriate domestic legislation;
b) encourage and support self-regulation, whether in the form of codes of conduct or
otherwise;
c) provide for reasonable means for individuals to exercise their rights;
d) provide for adequate sanctions and remedies in case of failures to comply with
measures which implement the principles set forth in Parts Two and Three; and
e) ensure that there is no unfair discrimination against data subjects.
INTERNATIONAL CO-OPERATION
Member countries should, where requested, make known to other Member countries details
of the observance of the principles set forth in these Guidelines. Member countries should also
ensure that procedures for transborder flows of personal data and for the protection of privacy
and individual liberties are simple and compatible with those of other Member countries which
comply with these Guidelines.
Member countries should establish procedures to facilitate:
information exchange related to these Guidelines, and
mutual assistance in the procedural and investigative matters involved.
Member countries should work towards the development of principles, domestic and
international, to govern the applicable law in the case of transborder flows of personal data.
Data privacy: India
Article 21: Article 21 of the Constitution of India provides that “No person shall be deprived
of his life or personal liberty except according to procedure established by law”. However, the
Constitution of India does not specifically recognize ‘right to privacy’ as a fundamental right.
ii. Whether the ‘right to privacy’ is a fundamental right was first considered by the Hon’ble
Supreme Court in the case of M. P. Sharma and Ors. v Satish Chandra, District Magistrate,
Delhi and Ors.,[8] wherein the warrant issued for search and seizure under Sections 94 and 96
(1) of the Code of Criminal Procedure was challenged. The Hon’ble Supreme Court held
that the power of search and seizure was not in contravention of any constitutional provision.
Further, the Hon’ble Supreme Court refrained from giving recognition to the right to privacy as
a fundamental right guaranteed by the Constitution of India, observing as under:
“17. A power of search and seizure is in any system of jurisprudence an overriding power of
the State for the protection of social security and that power is necessarily regulated by law.
When the constitution makers have thought fit not to subject such regulation to constitutional
limitations by recognition of a fundamental right to privacy, analogous to the Fourth
Amendment, we have no justification to import it, into a totally different fundamental right,
by some process of strained construction. Nor is it legitimate to assume that the constitutional
protection under Article 20(3) would be defeated by the statutory provisions for searches.”
[8] (1997) 1 SCC 301.
(c) the means which are adopted by the legislature must be proportional to the object and
needs sought to be fulfilled by the law.[9] Therefore, going forward, any law which seeks to
encroach upon the right to privacy of an individual would need to meet the test of
proportionality and reasonableness. It will take a few years before jurisprudence around what
constitutes reasonable and proportionate State interference settles, even temporarily. The
validity of the Aadhaar Scheme will now be tested on the basis of this judgment.
It is often argued that India should adopt a ‘rights based’ data protection model as opposed to
today’s ‘consent based’ model. Under the consent based model, the data controller is free to
use, process and share the data with any third parties once the consent of the user is obtained.
However, not many users are aware of the actual consequences of indiscreet data sharing at the
time of providing consent. On the other hand, the ‘rights based’ model allows users to have
greater rights over their data while requiring the data controller to ensure that such rights
of the users are not breached. This leads to greater autonomy of the users over their personal
data.
The decision of the Hon’ble Supreme Court empowers the citizens of India to seek judicial
relief in case of a breach of their data privacy rights. This could have an impact on the privacy
and protection policies implemented by tech companies in India. Users can not only raise
tort-based claims but can also invoke their fundamental right to privacy.
[9] Mohd. Arif v Registrar, Supreme Court of India, (2014) 9 SCC 714.
c) steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter,
any computer source code used for a computer resource with an intention to cause damage,
shall be liable to pay damages by way of compensation not exceeding the sum of
INR 1,00,00,000 (Rupees One Crore) to the person so affected.
ii. Section 43A – This section is the bedrock of data protection and provides that where a body
corporate possessing, dealing or handling any sensitive personal data or information in a
computer resource which it owns, controls or operates, is negligent in implementing and
maintaining reasonable security practices and procedures and thereby causes wrongful loss or
wrongful gain to any person, such body corporate shall be liable to pay damages by way of
compensation, which shall not exceed a sum of INR 5,00,00,000 (Rupees Five Crore).
iii. Section 66C – This section deals with identity theft and provides that whoever,
fraudulently or dishonestly makes use of the electronic signature, password or any other
unique identification feature of any other person, shall be punished with imprisonment for a
term which may extend up to three years and shall also be liable to pay a fine of up to
INR 1,00,000 (Rupees One Lakh).
iv. Section 66E – This section provides that whoever, intentionally or knowingly captures,
publishes or transmits the image of a private area of any person without his or her consent,
under circumstances violating the privacy of that person, shall be punished with imprisonment
which may extend up to three years, or with a fine not exceeding INR 200,000/- (Indian Rupees
Two Lakh), or with both.
v. Section 72 – This section provides that any person who has secured access to any electronic
record, book, register, correspondence, information, document or other material without the
consent of the person concerned and thereafter discloses such electronic record, book,
register, correspondence, information, document or other material to any other person shall be
punished with imprisonment for a term which may extend to two years, or with a fine which
may extend to INR 1,00,000 (Rupees One Lakh), or with both.
vi. Section 72A – This section provides that any person, including an intermediary,[28] who,
while providing services under the terms of a lawful contract, has secured access to any
material containing personal information about another person, and with the intent to cause or
knowing that he is likely to cause wrongful loss or wrongful gain discloses such material to any
other person, without the consent of the person concerned or in breach of a lawful contract,
shall be punished with imprisonment for a term which may extend up to three years,
or with a fine which may extend up to INR 5,00,000 (Rupees Five Lakh), or with both.
The GDPR establishes a set of rules for the protection of personal data throughout the EU. It
seeks to strengthen individual fundamental rights and facilitate business by ensuring more
consistent implementation of data protection rules EU-wide. The EU hopes the GDPR will
further develop the EU Digital Single Market (DSM), aimed at increasing harmonization
across the bloc on digital policies. The GDPR identifies what is a legitimate basis for data
processing and sets out common rules for data retention, storage limitation, and record
keeping. The GDPR applies to (1) all businesses and organizations with an EU establishment
that process (perform operations on) personal data of individuals (or “data subjects”) in the
EU, regardless of where the actual processing of the data takes place; and (2) entities outside
the EU that offer goods or services (for payment or for free) to individuals in the EU or monitor
the behaviour of individuals in the EU. Processing certain sensitive personal data is generally
prohibited. Stronger and new data protection requirements in the GDPR grant individuals the
right to:
Receive clear and understandable information about who is processing one’s personal data
and why;
Consent affirmatively to any data processing;
Access any personal data collected;
Rectify inaccurate personal data;
Erase one’s personal data, cease further dissemination of the data, and potentially have third
parties halt processing of the data (the “right to be forgotten”);
Restrict or object to certain processing of one’s data;
Be notified without “undue delay” of a data breach if there is a high risk of harm to the data
subject; and
Require the transmission of one’s data to another controller (data portability).
The potential high penalties for noncompliance have attracted significant attention, since a
company or organization can be fined up to 4% of its annual global turnover or €20 million
(whichever is greater). Fines are assessed by the national supervisory authority (a Data
Protection Authority, or DPA) in each member state and subject to appeal in national courts.
The GDPR also requires some companies to hire data protection officers.
Many U.S. firms have made changes to comply with the GDPR, such as revising and
clarifying user terms of agreement and asking for explicit consent. While it creates more
requirements on companies that collect or process data, some experts contend that the GDPR
may simplify compliance for U.S. firms because the same set of data protection rules apply
across the EU. Also, companies established in the EU that engage in cross-border data
processing primarily only have to liaise with the supervisory authority of the EU country
where the firm is based (the “lead” authority), possibly decreasing administrative costs.
However, a firm is still subject to oversight and enforcement by the supervisory authority of
every country where it does business.
U.S. firms have voiced several concerns about the GDPR, including the need to construct a
compliance bureaucracy and possible high costs for adhering to the GDPR’s requirements.
While large firms have the resources to hire consultants and lawyers, it may be harder and
costlier for small and mid-sized enterprises (SMEs) to comply, possibly deterring them from
entering the EU market and creating a de facto trade barrier. Some U.S. businesses, including
several newspaper websites and digital advertising firms, opted to exit the EU market rather
than confront the complexities of GDPR. Some industry surveys show that GDPR’s
restrictions on the use and sharing of data may be limiting the development of new
technologies and deterring potential mergers and acquisitions. Although the GDPR is directly
applicable in EU member states, implementing legislation is required to enact certain parts of
the GDPR (e.g., appointment of a supervisory authority; ability to levy penalties). Critics note
that the GDPR permits diverging national legislation in specified areas (e.g., employment
data) and contend that this could lead to uneven implementation or enforcement. They also
note the potential for localization trade barriers in areas where divergence is allowed. The EU
reports that GDPR has increased European citizens’ awareness of their rights. Since taking
effect, European DPAs have received almost 145,000 GDPR complaints and have initiated a
range of enforcement actions, including issuing fines. In January 2019, France’s DPA (or
CNIL) imposed a €50 million fine on Google for a “lack of transparency, inadequate
information and lack of valid consent regarding the ads personalization.” In July 2019, the
United Kingdom’s DPA (the ICO) issued the largest penalty to date, imposing a €230 million
fine on British Airways for a data breach that affected half a million passenger records,
including users’ name, address, login, payment card, and travel booking details.
CONCLUSION
If we compare the present state of data processing laws in India with those of the countries of
Europe and the USA, we find that these countries are far ahead of India in this respect. Those
countries have specific and comprehensive laws relating to data protection and privacy.
Another point to be noted is that different types of data should be divided into different
categories according to the utility and importance of the data. So, we are required to frame
a scheme based on the categorical division of data, as in the USA; even in the UK, although
there is no such categorical division, some types of data are defined as sensitive data, with
separate treatment of the disclosure of this sensitive data. The provisions of the IT Act
basically address the destruction or extraction of data; there is a great lack of comprehensive
guidelines in this regard, and companies are required to rely on their private contracts, a
process which is in itself complex and lengthy. There are no special provisions related to the
privacy of an individual; only section 72 deals with the violation of privacy, and that is
confined only to those persons on whom the power is conferred by this Act.
There is one proposed Data Protection Bill, 2013, which deals with the collection, use and
disclosure of personal data. Some of its provisions are taken from the European Directive on
Data Protection. In the Act no category-wise division of data was made; in this regard we have
to take inspiration from US laws.
So, a comprehensive data protection law is the need of the hour in India, although to follow
the foreign law of either the UK or the USA in totality would not be a good option. We have to
divide different types of data into different categories, and then different degrees of protection
should be provided to the different types of data. But that should be contained in one Act, not
in different scattered pieces of legislation. We are also required to prepare practical guidelines
on what type of personal data can be provided to others in specific circumstances, and what
should not, so that there may not be complexities as in the case of the UK. If we go for the
enactment of a comprehensive data protection law, then it would reduce the instances of data
theft, and more and more foreign companies and firms would be interested in growing their
business in India; it would work like a boon to the Information Technology sector in India.