Data Protection legislation– Ensuring Privacy and Security in a data driven world

The recent years have seen a remarkable shift in the way people communicate, learn and do business. Most of the transactions have moved from the analogue (remember the old landline phones) to digital modes. This transformation has resulted in a large amount of data being collected and processed. Data is often described to be the “new oil” with many new businesses thriving on the data that they own.

The new sharing economy has seen software applications and mobile apps being built to use data in a big way, whether it is Facebook or Google or Uber. The Government departments and agencies are no exceptions to this trend and there is a lot of focus on moving citizen services to digital platforms. Although delivering government services through digital means provides convenience, it has its own risks with respect to the security of data and privacy of citizens.

With the explosive growth of new technology including artificial intelligence, data analytics and Internet of Things, the use and abuse of data is often unimaginable. Seemingly anonymous information can easily be correlated by data analytics to link the data to real persons. Research has shown that with the help of big data analytics it is possible, and often very easy, to identify individuals from anonymized data. Researchers from the University of Texas, used anonymized data set released by Netflix and showed that it is possible to re-identify a Netflix user from the data set¹.

Big Data analytics could be used by Governments to predict behaviour of citizens, often raising issues of privacy and transparency.² These technologies are also used by corporations to target their products and services to users by data mining and analysing their data, with marketers learning when a customer is pregnant even before their near and dear ones³.

Right to Privacy and the need for data protection

The 9 judge bench of the Hon’ble Supreme Court has held that right to privacy is indeed a fundamental right in K. S. Puttaswamy & Ors. v. Union of India & Ors. [W.P.(C) 494/2012]. The Apex Court held that “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”

Justice D.Y.Chandrachud has dealt with in detail the aspects of data protection and informational privacy in this judgment. He has held, “177. The sphere of privacy stretches at one end to those intimate matters to which a reasonable expectation of privacy may attach. It expresses a right to be left alone. A broader connotation which has emerged in academic literature of a comparatively recent origin is related to the protection of one’s identity. Data protection relates closely with the latter sphere. Data such as medical information would be a category to which a reasonable expectation of privacy attaches. There may be other data which falls outside the reasonable expectation paradigm. Apart from safeguarding privacy, data protection regimes seek to protect the autonomy of the individual. This is evident from the emphasis in the European data protection regime on the centrality of consent.

178 Another aspect which data protection regimes seek to safeguard is the principle of non-discrimination which ensures that the collection of data should be carried out in a manner which does not discriminate on the basis of racial or ethnic origin, political or religious beliefs, genetic or health status or sexual orientation.

179 Formulation of a regime for data protection is a complex exercise which needs to be undertaken by the State after a careful balancing of the requirements of privacy coupled with other values which the protection of data sub-serves together with the legitimate concerns of the State.”

The Apex Court recommended “the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. ” There is an urgent need for a law to govern the collection and processing of data by private enterprises and the Government.

The state of the current law

Section 43A of the Information Technology Act, 2000 along with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 provide the current legal framework for handling of sensitive personal data. However, the framework provides for limited recourse options for a person aggrieved by misuse of his data. Under Section 43 A of the above Act, the body corporate is liable to pay compensation by way of damages only in the event of a wrongful loss or wrongful gain caused due to negligence in  in implementing and maintaining reasonable security practices and procedures.

The current legal framework is woefully inadequate to meet the challenges posed by the massive data collection done by both corporates as well as the Government.

Data Protection legislation– The Challenges and the way ahead

India has often leapfrogged in the technology domain, especially in the field of telecommunications, to embrace the latest technologies. The data protection regime should also do a leapfrogging act so that the legislation is future ready to meet the challenges posed by Artificial intelligence and big data.

The Central Government has constituted a committee under the Chairmanship of Justice B.N.Srikrishna to make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and to suggest a draft data protection bill. The Committee has come up with a white paper on Data Protection Framework for India and has sought public comments on it.

India can learn from the experiences of jurisdictions like the European Union to formulate its data protection legislation, while taking care to avoid the pitfalls. Eben Moglen, Professor of law and legal history at Columbia Law School has in an article published shortly after the Puttaswamy judgment focused on the need to use “environmental law” with its strict liability provisions instead of transactional law to govern transactions affecting privacy of citizens⁴.

Consent obtained from an individual to collect and process data should be an informed and explicit content. Recent incidents have shown how telecom companies have exploited the Aadhaar authentication drive to get people enrolled for their payment banks without their informed consent. The proposed legislation should have clear deterrents against such acts.

The Report of the Group of Experts on Privacy under the Chairmanship of Justice A.P.Shah recommended nine national privacy principles, viz, Notice, Choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. These principles could form a good starting point for the drafting of a data protection legislation.

The General Data Protection Regulation, which will be enforced in the European Union from May 2018 gives some guidance for a good data protection law that takes care of individual rights, accountability and security among other aspects. The legislation should provide users options to seek information about the usage and processing of their data, the right to rectify data, the right to restrict processing, right to data portability to obtain and reuse their data and the right to object their data being used for profiling. Citizens should have a right to ensure that their data is used securely. They should also have a right to be informed in the event of a breach. Children should also be offered sufficient protection so that there is no misuse of their data.

The proposed data protection legislation should thus ensure rights of data subjects along with an effective redressal mechanism offering fast and efficient recourse to citizens in the event of misuse of data by entities collecting or processing data.