Data Privacy and Data Protection

Data play a huge role in everyday life. It is present in lots of obvious ways from shopping online
we have to type our name and address. But data collection can also be less divisible for example
data brokers you probably never heard of them but this businesses specializing in creating in
debt profile of individuals for advertises as single profile may drawn out of 1500 data points .
This can include person sexuality, browsing history and even medical records.

In the digital age data plays a huge role in everyday life’s it present in lots of obvious ways when
we shopping online for example and have to type your name and address but data collection also
be less visible, take data broker for example you probably never heard of them but there
business specializing creating in-depth profile for individuals advertises a single profile might
draw 1500 data points this can include a person sexuality browsing history politically affliction
and even medical records. One US based data broker axiom claimed to have files to have 10% of
the world population, it’s not just business of course.

Privacy and Data Protection

Article 12 of the universal declaration of Human Rights treats privacy as distinct human rights. It
says that, No one shall be subjected to arbitrary interference with his privacy, family, home or
correspondence.1

Everyone has the right to the protection of the law against such interference or attacks. This is
simple enough giving a more privacy actually means has proved harder.2

Depending on the context it can be in the right of freedom of four in the right to be learned, the
right controlled one’s own body, the right protects your reputation, the right of your family life
or the right of sexuality on your own definition, there are other ambiguities also.

In Lego terms, privacy isn’t an absolute right .This means it can be restricted for a certain
reasons, for examples to protect national security or public safety or if it conflicts with other
rights like the right to feel expression. An example could be a public figure in working privacy to
avoid disclosing the financial record. Contrary to popular believes data protection is not the same
thing as privacy. Privacy is a broad concept preferring to the condition which label a basic
foundation of human dignity and autonomy. Data protection is more specific. It’s concerned with
the ways the third party is handles the information they hold about us. How it is collected,
1
https://www.indiatoday.in › India

2
https://www.humanrights.com/what-are-human-rights/videos/right-to-privacy.html
processed shares, stored and used. In other words privacy is a big picture and data protection is
one corner of it. Like privacy data protection is also subjected to limits. For example when
warrant is obtained allowing no enforcement excess the phone record of the suspect. A more data
protection is someway more clearly than privacy. How it is applied legally can still vary greatly
depending on which country you are in. The digital age has created a new ways to collect,
access, analyze and use data. Often across more multiple boards jurisdiction and surprisingly this
posses challenge for human rights. One challenge related to huge companies about data .The
internet business is not depend on people who sharing the personal data in exchange to access to
content, services and social media platform. While you not pay anything out front to go on face
book they still make money from you by selling your personal information to the advertises. By
clicking agree to terms and service uses technically concerned in this motto. But in practice no
one actually read the terms. This is a problem beginning because no one knows what they are
really signing up to, which creates an opportunities for misuse. Challenge realties to the
collection of personal data by governments. Technological developments now enable
governments to monitor our conversations transactions and the locations we visit. In some
countries including Russia, Brazil, Australia and South Korea companies are legally required to
store this data locally for long periods of time. Making it easier for governments to get
information on their citizens. These measures are often introduced in the name of fighting cyber
crime and terrorism. But without adequate protections this data can easily be abused to target
dissidents and activists, undermining freedom of expression and the rights to association and
assembly. And these are just the technologies we have now. Emerging technologies like the
internet of things wearable’s and artificial intelligence are likely to pose new challenges to
human rights. As human rights defenders we need to be prepared for these. There are many
bodies and forums where privacy and data protection issues are discussed and defined. National
and regional courts have a crucial role here. The European court of human rights for example has
imposed limits on stop and search practices by the police and on the amount of time data can be
legally retained. At the national level it’s common to find a specific public body responsible for
privacy and data protection. This can be a specialist post or an ombudsman. But the extent to
which privacy is defined and protected varies greatly between different jurisdictions. For
example there is no clear right to privacy in African Charter on Human and People’s Rights.
However there are mechanisms at the international level following a UN resolution on the right
privacy in the digital age. The human rights council has established a new special rapporteur for
privacy and various internet policies forums like the internet governance forum, the council of
Europe, the organization for economic cooperation and development and conferences like hope
and sci-fi also contribute to shaping the scope of privacy in the digital age. And finally we have
companies; the decisions of companies can also have a huge impact on data protection and
privacy rights. For example by building end-to-end encryption into their software as whatsapp
did in early 2016. Let’s look at two examples of privacy and data protection in the real world,
first let’s look at the Apple vs. FBI case. After the 2016 terrorist attacks in US city of San
Bernardino. The FBI asked apple for the information stored on the iphone of one of the suspects.
However apple’s operating system is encrypted and only accessible through a pin code. The FBI
asked Apple to modify the system to let them in. Apple refused, opening a lively debate on the
right to privacy versus security needs. The case was almost taken to court but in the end the FBI
found a vulnerability to crack the phone. In privacy terms this was a legal setback. If the case had
gone to court it could have helped popularize the risks of weakening encryption for society and
establish what constitutes a legitimate limitation on privacy by the state .Next let’s look at
surveillance in Kenya. In Kenya a combination of invasive surveillance measure and a lack of
adequate data protection facilitated a crackdown on civil society in 2013, which was documented
by peace brigades international. Many human rights defenders had their officers raided
computers hacked and phones tapped by the government. One of the ways human rights
defenders have been fighting back is by pushing for the ratification of Kenya’s first data
protection law long stalled in parliament. If implemented properly this could limit the worst
excesses of state surveillance. Kenya is by no means the only country to bring in surveillance
legislation justified by security concerns. But this example is a good demonstration of how
seemingly abstract restrictions on online privacy can have physical consequences in the offline
world.

So human rights defenders in order to protect and strengthen privacy and data protection should
take an easy step such as taking digital security measures yourself. This can be simple as using
encryption and anonymity tools and encouraging your friends to do the same. Human rights
defenders can also advocate for alternative digital business models which aren’t based on the
extraction and sale of data. Economic pressure on the existing model is already growing. For
example over the last few years the number of users using ad block software globally has
exploded. There is evidence that this already pushing companies to less invasive advertising
practices. Engagement in debates at the national and regional level is of course crucial. Where
privacy protections are weak, human right defenders need to actively advocate for stronger ones.
And even where they are stronger we need to make sure legislation is keeping up with new
technological developments like the internet of things. Ultimately if we want things to change
human rights defenders need to make these issues accessible and relatable. By being more
creative about the way we talk about them. When people see how data protection and privacy
affects them on a day to day basis they may be more inclined to engage with these concepts.

Draft Personal Data Protection Bill

The government has invited feedback from the public on the Draft Personal Data Protection Bill.
If it is enacted as law the draft bill will govern the use of data of Indian citizen by both the
government and private entities incorporated in India and abroad. The bills come in the aftermath
the privacy declared in India as fundamental right under the constitution of India. The bill has 3
broad sects of provision it defines personal data, it has guideline on use of personal data and it
creates a system for regulating personal data. Firstly, the personal data of an Indian citizen could
be any data which could make a person identifiable such as their names, government issues
identifiers like pan card and aadhar card, their gender and the caste, their location and even their
spending habits and movie preferences. Some data is identified as sensitive by the bill this
include financial transaction, genetic information, sexual orientation their caste, religious and
political belief. Personal and sensitive data is collected from an individual when they do any
task. For instance transacting online, getting a new phone connection and even enrolling under a
government welfare scheme requires individual to disclose their personal data to the organization
whose services they wish to access. Secondly, the obligations of data fiduciaries in the bill who
collects and uses the data. At the time of collection the individual gives consent to the
organization to use the data for specific purpose and also to share with other organizations if
needed. The organization may collect only as much data is needed and the data will be stored till
the purposes are fulfilled. Further a copy of data must be stored within the territory of India.
However the draft bill allows certain situations in which personal data may be collected and used
without following these restrictions. For example a law may authorize the government to use
personal data in the interest of national security or for research and journalistic purposes is also
permitted without being subjected to these restrictions. Thirdly the usage of personal data can be
regulated or monitored by setting a data protection authority by the bill to act as a regulator of all
the data fiduciaries. This authority will frame regulations about the usage of personal data,
monitor data fiduciaries to make sure that they processing data lawfully and also investigate and
penalize the fiduciaries for breaking the law. Anyone contravening to the provision of laws will
pay fine to the authority as well as compensation to the individual. Further jail time is also
providing for certain violations. The report of the Justice B.N.Krishan Committee provides the
detail background of the provisions of the bill.

When the Supreme Court has given the judgment on privacy we accord the highest sanctity and
we would like India’s Data Protection Law to become some kind of model for the global world
also which is also a blend of security, safety, privacy and innovation.

GDPR on 27 April 2016, the EU General Data Protection Regulation (GDPR) was adopted and
on 25 May 2018, it came into full effect, thereby marking a milestone in data protection laws
across the EU. The nucleus of the GDPR is to unify and strengthen data protection for
individuals within the EU as well as address the export of personal data outside the European
Union (EU), which implies it protects the misuse of personal identifiable information (PII) of
any kind of EU citizens.

The development will not solely change the business landscape in the EU will additionally
influence global markets and multinationals. Organizations had two years to understand,
comprehend and implement the regulation in spirit and, as a consequence, demonstrate
compliance.
The challenges

Weak data protection law in India: India’s outsourcing industry, which is calculable to be worth
over 150 billion USD, contributes nearly 9.3% of the GDP. 2The EU has been one of the biggest
markets for the Indian outsourcing sector and India’s relatively weak data protection laws make
us less competitive than other outsourcing markets in this space.

Cross-border restrictions: mostly inflexible, the GDPR reduces the extent to that businesses will
assess risks and build selections once it involves transferring information outside the EU. Indian
firms would want to implement sufficient safeguards, as required under the GDPR, in order to
transfer personal data outside the EU, thereby further increasing compliance costs.

Greater risk of penalties and litigation: Article 3(Territorial scope) of the GDPR makes it clear
that the regulation are going to be applicable despite whether or not or not the process takes
place in the EU. This means no business for Indian firms that don't accommodates the GDPR or
increased compliance cost for those that do and therefore the risk of giant penalties on failing to
do so.

The opportunities

Business opportunity instead of compliance burden: Indian IT companies serving the EU market,
their second largest after the US, would be needed to adjust to the GDPR. However, instead of
seeing this as a further burden in terms of compliance, Indian companies ought to see it as a
colossal business chance sound at their doors.

Opportunity to square out: Over the years, Republic of India has become a technology hub
equipped with deep experience and a proficient resource pool. The GDPR may be a chance for
Indian corporations to square out as leaders in providing privacy compliant services and
solutions.

Developments in India’s privacy landscape: The ‘adequacy requirements’ beneath the GDPR
enable the European Commission to contemplate whether or not the legal framework prevailing
within the country to that the private knowledge is wanted to be transferred affords adequate
protection to knowledge subjects in respect of privacy and protection of their knowledge. In the
wake of recent developments and therefore the Supreme Court finding of fact, a knowledge
protection framework has been planned by the Sri Krishna Committee. It will be appealing to see
how the forthcoming legislation shapes up and whether or not it'll satisfy the standards arranged
down beneath the GDPR.

For the IT, BPO and pharmaceutical industry in India, Europe is a substantial marketplace. The
volume of the IT industry in the top two EU member states (i.e. Germany and France) is
estimated to be around 155–220 billion USD.1 Thus, for the Indian IT industry to keep
continuing to do business in Europe, it needs to reckon with the GDPR.

Conclusion

Data privacy and data protection laws by their very nature required to be dynamic, perpetually
increasing and up to touch upon new impediments and hindrances. One such hindrance was the
recent WannaCry ransomware cyber-attack which affected many globally. At an equivalent time,
domestically, one such encouraging step towards data protection is the Supreme Court case
ruling on ‘right to privacy’.

It is imperative for foreign companies establishing business in India to ensure that their local
Indian entity adheres to Indian data privacy and data protection law requirements even if the
local entity has been following international best practices in this regard. Further, the privacy
policies and other related policies of a body corporate should be in line with the Rules so as to
protect the SPDI of the information provider.