Current Indian Legal Position on Data Protection & Privacy with respect to Websites & Mobile Applications
Unlike the European Union, India does not have specific legislation governing data privacy. Even when the Information Technology (IT) Act, 2000 was enacted, it lacked provisions concerning data privacy. However, the 2008 amendment to the Information Technology (IT) Act inserted Section 43A, which deals with the liability of body corporates that fail to protect sensitive personal data collected from individuals. The compensation prescribed under the provision could extend up to five crore rupees. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, framed under Section 43A of the Information Technology Act, include a list of items under the expression “sensitive personal data.” It includes all data which is not freely available or accessible in the public sphere, such as passwords, financial information (debit card number, bank account number etc.), sexual orientation, bodily condition, biometric data, etc. The body corporate is required to provide a privacy policy indicating the data it seeks to collect, coupled with its purpose. Collection has to be carried out for a lawful purpose, and only if it is considered necessary for that purpose. Further, body corporates are not permitted to retain sensitive personal data for longer than is necessary.
Under the latest cyber laws and their rules, all websites are required to have a dedicated “Privacy Policy” for their visitors and registered users. Further, websites and web portals are personally responsible for the protection and safe upkeep of the data collected.
Though Section 43A and the 2011 Rules contain elements of the European Union Global Data Protection Regulation (the “EU GDPR”), they are not as strict as the GDPR. Further, with the nine-judge bench judgment of the Hon’ble Supreme Court in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., Writ Petition (Civil) No. 494 of 2012, the right to privacy and the protection of data have become a vital issue.
In this light, the Personal Data Protection Bill, 2018 (“the Bill”), which is pending in Parliament, seeks to bring an EU GDPR-style model to India, making an individual’s consent mandatory for processing his or her data. Though this is not the first time that a Bill on privacy has been introduced in Parliament, it is perhaps the most user-driven.
Under the Bill, the definition of “sensitive personal data” has been extended to include genetic data, sexual orientation, sex life, intersex status, caste or tribe, and religious and political beliefs or affiliation. The data principal, i.e. the user, has been vested with certain rights concerning his/her data, such as seeking access to it or seeking corrections. The fiduciary, i.e. the one who collects the data, has been extended to mean the State, body corporates in India and the citizens of India. In certain circumstances, the term may extend to data fiduciaries incorporated outside India. The fiduciary is bound to disclose certain information to the data principal, such as the purpose and nature of data processing, the right of the data principal to withdraw consent, the procedure for withdrawing such consent, etc. Similar to the Information Technology Act, 2008, the Bill also imposes a limitation period on the fiduciary, which may keep the information of the data principal only as long as may be reasonably required. The Bill lays down the grounds on which “personal data” and “explicit personal data” may be processed, such as –
- Based on consent;
- For functions of the State;
- In compliance with the law or any order of any court or tribunal;
- Necessary for prompt action;
- For purposes related to employment;
- For reasonable purposes.
The Bill permits certain exemptions for data processing, such as security of the State, journalistic purposes, legal proceedings etc. Further, the Bill imposes restrictions on the cross-border exchange of personal data by ensuring that the data fiduciary has at least one copy of personal data.
Data protection and data privacy are the two most important domains that have drawn the attention of legislators, with a definite and direct responsibility being fixed upon the person collecting data. This covers not only websites and web portals but also mobile applications.
Possible Implications of GDPR on India –
The GDPR is considered groundbreaking legislation when it comes to privacy and data regulation. It is non-territorial legislation, which applies to the EU as well as other countries, including India. Since India at present does not have legislation that focuses solely on data protection, the EU GDPR encourages social media giants and other MNCs to improve their cyber security measures to limit any potential data theft. The Bill and the GDPR have fundamental differences. The relationship between the data principal and the data fiduciaries, under the Bill, is that of trust, something that has not been seen in any legislation thus far. Another difference is the heavy fine that may arise from violations of the Bill. The GDPR mandates a penalty of up to 20 million euros or 4% of the worldwide annual revenue of the last financial year, whichever is higher, which is a major concern for MNCs in India.
Data reveals that GDPR has been user-friendly in its one year of enforcement. Fines over 50,000,000 Euros have been imposed on social media websites, including Google. The most common complaints were the method of processing personal data, lack of transparency in the same and the right of the individuals to access it.
A major feature of the GDPR is the inclusion of “adequacy requirements”, which limit the exchange of personal data with any international organization or third country that does not provide an “adequate level of protection.” Since this will directly impact business in India, there are concerns that have to be dealt with.
Firstly, if the GDPR or the proposed Personal Data Protection Bill, 2019 is intended to protect the right to privacy, the specific mechanisms included in such legislation must be analyzed carefully. For example, the Indian Data Protection Commission’s Report did not mention the economic impact of the Bill, unlike the EU. Informational privacy is a fundamental right in the EU, yet the EU IA estimated the benefits and costs of the proposed GDPR, which has formed the basis of the study of the usefulness of GDPR.
Secondly, as per a study, job growth in India is in a very poor position and many individuals are leaving the job market. In such a situation, it is important to study the impact of cross-sectoral privacy law on the economy. Data privacy is no doubt important and provides citizens with safeguards against misuse of their data. However, considering that India already has a data protection law (IT Act) and that privacy has been declared a fundamental right through a judicial pronouncement, the GDPR might not be ideal. Due to high compliance costs and heavy fines, it could potentially negate the growth of MSMEs in the next few years, which the Government of India has been constantly trying to build. However, due to the absence of any concrete data or study on the subject, there is not much that can be said about the same.
Authored By: Adv. Anant Sharma & Mayank Barman