
“People have entrusted us with their most personal information. We owe them nothing less than the best protections that we can possibly provide.”
- Tim Cook
With the global expansion of technology-driven industries, data privacy is an essential issue that must be addressed. Governments all across the world have enacted legislation to protect the interests of data principals (the individuals to whom personal data belongs) and the liabilities of data fiduciaries (entities that control storage and decide the means and purpose of the processing of data).
The General Data Protection Regulation (GDPR) of the European Union is the dominating framework, with extensive measures to protect data privacy. The GDPR has affected numerous countries in crafting their respective data privacy legislations. GDPR has an impact on Thailand’s Personal Data Protection Act (PDPA) and Brazil’s General Personal Data Protection Law (LGPD).
In India, the issue of data privacy is quite different. Privacy protection has generally been implemented in the corporate sector through contractual agreements or regulatory obligations that apply to data originating in nations with privacy or data protection legislation. Organizations are increasingly focused on information and cyber security to preserve sensitive data as digitization accelerates. While the Indian government has been working on a data privacy bill since 2006, the majority of Indian customers are still unaware of the need to preserve their privacy or of the potential implications of indiscriminate personal data processing.
As a result, legal efforts by the government and data protection measures implemented by businesses are prompted by the rapid use of new technologies in consumer profiling such as artificial intelligence, data analytics, and process automation. This poses two critical questions: are consumer interests effectively protected, and is the data obtained used responsibly and solely for its intended purpose?
Personal data has become a valuable commodity in today’s digital age, and companies are gathering and keeping massive amounts of information about their customers. While this information can be utilised to improve consumer services and experiences, it also poses substantial concerns to their privacy rights. Data breaches and other privacy infractions have become more widespread in recent years, raising concerns about data privacy. This article will look at the importance of data privacy, how organisations violate privacy rights, and what efforts can be taken to prevent these violations.
What is Data Privacy?
The protection of personal information from unlawful access, use, disclosure, or destruction is referred to as data privacy. Individuals have the right to control how their personal information is collected, used, and shared. Personal information might include a variety of data, such as a person’s name, address, phone number, email address, social security number, financial information, and other details. The amount of personal data gathered and held by organisations has grown tremendously with the increased use of technology and the internet, making data privacy a vital problem for people and society as a whole.
What Is The Need Of Data Privacy In Companies?
Data privacy is essential to companies that gather, store, and use personal information. Companies must emphasise data privacy for a variety of reasons, including legal compliance, personal information protection, consumer trust, competitive advantage, and ethical duties. Companies must follow data privacy rules and regulations, and failure to do so may result in legal and financial fines. To prevent identity theft, fraud, and other nefarious objectives, personal information such as names, addresses, phone numbers, email addresses, social security numbers, financial information, and other sensitive data should be protected. Consumers trust companies with their personal information, and it is up to companies to keep this confidence by safeguarding their data. Furthermore, companies that emphasise data privacy can gain a competitive advantage by demonstrating their dedication to preserving consumer data, which can result in greater customer loyalty and brand reputation. Finally, companies have an ethical obligation to safeguard their customers’ and employees’ personal information. This includes taking all essential precautions to prevent data breaches and responding swiftly and effectively if a breach occurs. As a result, data privacy is essential for companies to maintain their reputation while also protecting their customers’ and employees’ personal information.
How Companies Are Breaching Privacy Rights?
Companies are now collecting and storing large amounts of personal data from their customers through the use of the internet. While this information can be utilised to improve consumer services and experiences, it also poses substantial concerns to their privacy rights. Unfortunately, many businesses are violating their customers’ privacy rights, either purposefully or unwittingly, by failing to take necessary efforts to protect their personal information.
Data breaches are a common technique for businesses to violate privacy rights. Hackers and cybercriminals can break into company databases and steal personal information such as names, addresses, and financial information. Individuals might suffer greatly as a result of this type of breach, which can result in identity theft, financial fraud, and other types of cybercrime.
Another way for companies to violate privacy rights is through the sale or misuse of personal data. Many businesses acquire personal information for marketing purposes; however, some may sell this information to third parties without the customer’s knowledge or consent. This can result in unwanted marketing calls, emails, or text messages, which can be both annoying and intrusive. Personal data can be exploited for more sinister objectives, such as identity theft or stalking, in extreme circumstances.
Furthermore, some companies may exploit personal information to discriminate against specific categories of individuals. A company, for example, may utilise data to target certain individuals with increased prices for goods or services. This form of prejudice can be difficult to identify and can have serious consequences for individuals.
The Law of Privacy In India
The Constitution of India does not expressly grant a fundamental right to privacy. However, the courts have read the right to privacy into other existing fundamental rights, i.e., the freedom of speech and expression under Art 19(1)(a) and the right to life and personal liberty under Art 21 of the Constitution of India. These fundamental rights are subject to the reasonable restrictions under Art 19(2) of the Constitution that may be imposed by the State. Recently, in the landmark case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and Ors., a constitution bench of the Hon’ble Supreme Court held the Right to Privacy to be a fundamental right, subject to certain reasonable restrictions.
The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data.
Section 45 of the IT Act clearly states:
“Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty-five thousand rupees to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees.”
Under section 43A of the (Indian) Information Technology Act, 2000, where a body corporate possessing, dealing with or handling any sensitive personal data or information is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, that body corporate may be held liable to pay damages to the person so affected. It is important to note that no upper limit is specified for the compensation that can be claimed by the affected party in such circumstances.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules deal only with the protection of “sensitive personal data or information of a person”, which covers personal information relating to:
- Passwords;
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information.
The Rules set out the reasonable security practices and procedures that a body corporate, or any person who collects, receives, possesses, stores, deals in or handles information on its behalf, is required to follow while dealing with “sensitive personal data or information”. In case of any breach by the body corporate or by any other person acting on its behalf, the body corporate may be held liable to pay damages to the person so affected.
The Data Protection Bill, 2022
On November 18, 2022, the Ministry of Electronics and Information Technology (“MeitY”) released a new version of India’s data protection bill. Titled the Digital Personal Data Protection Bill, 2022 (“DPDPB”), the document is the fourth iteration in a long series of draft laws. After considerable debate and apprehension over the last few versions, the DPDPB adopts a more business-friendly and simpler approach, while largely upholding the spirit of its predecessors. We provide a short summary of some of the standout provisions of the draft law.
Given below are the highlights of the act:
- Application of the Act
The provisions of the Act do not apply to personal data, which is offline, of an individual in record for over 100 years and whose processing is non-automated and done for domestic purposes.[1]
- Consent withdrawal
Data fiduciaries are required to provide the terms of data collection in clear and plain language to the user[2], with an option to withdraw consent at any time, without affecting the lawfulness of processing carried out before such consent was withdrawn[3].
The individual has the option to appoint a person to give, manage, review, or withdraw consent on her behalf.[4]
Earlier, access to the platform was given only upon acceptance of the terms and conditions of such data.
- Reduced compliance burden
By limiting the scope of the bill to data protection, transfer, storage, and detraction of personal data, in contrast to what previously was data management, data governance and cybersecurity, the compliances have been reduced tremendously.
- Amendment to the IT Act
This removes the overriding effect that the IT Act had and thus reduces the penalties for negligence by companies handling sensitive personal data.[5]
- Exemptions to transfer personal data outside India
Some exemptions have been provided for reasons such as arbitration, research purposes, the interest of the government, and enforcement of legal rights or claims, among others. It also provides that the Central Government will notify territories outside the country to which personal data may be transferred per specified terms and conditions.[6]
- Penalties
The earlier provision providing for penalties of Rs. 15 crores or 4% of the total worldwide turnover of any data collection or processing entity has now been replaced.
The new bill provides for the setting up of a new regulatory body with the power to impose penalties of up to Rs. 250 crore for failure to take reasonable security safeguards, up to Rs. 200 crore for failure to notify the Board and affected individuals of a personal data breach and for non-fulfilment of additional obligations relating to children, up to Rs. 150 crore for non-fulfilment of additional obligations relating to the person determining the purpose and means of processing personal data, up to Rs. 10,000 for breach of the duties of an individual, and up to Rs. 50 crore for non-compliance with other provisions of the Act.[7]
However, the 2019 data privacy Bill was withdrawn due to opposition from digital business majors, civil society, and also from the Government’s own expert committee. There was also a growing realisation that a new data privacy legislation cannot be a ‘net loss’ to Indian businesses, especially start-ups. Data-driven businesses in India were alarmed by restrictions on the use and export of Indian persons’ data. At the same time, Indian civil society groups and think tanks decried portions of the Bill that added to the Indian Government’s surveillance powers and exempted its activities from scrutiny.
The Bill went through a series of public consultations and was then referred to the Indian Parliament’s joint parliamentary committee (JPC) for its views. The JPC undertook more stakeholder consultations, and in late 2021 recommended an overhaul of the draft Bill. It has been noted that the JPC ended up recommending 81 changes in a total of 99 provisions of the Bill.
What is the Future for Data Privacy In India?
Faced with rising unemployment and inflation, and fiscal tightening all around, the Indian Government is keen to push laws that will lead directly and immediately to wealth creation and (importantly) job creation. A standalone data privacy law is crucial to driving India’s digital economy, as well as ensuring smooth data flows to companies and customers in the big US and EU markets. There is a keen sense in the Government that the new data bill should not harm businesses, particularly start-ups. In this context, a ‘rather safe than sorry’ approach is predicated on the notion of avoiding any harm to India’s own start-up and IT industry sectors.
There are indications that, after the 2019 bill’s withdrawal, two separate sets of laws are now on the anvil. One is a new privacy bill with an emphasis on data localisation, targeted more at digital business majors holding vast volumes of Indian data (such as social media companies and phone manufacturers). The other is a related overhaul of India’s 20-year-old Information Technology Act, 2000, which may be replaced by a new Digital India Act.
How To Prevent Breach Of Privacy?
There are several steps that a company can take to prevent data privacy breaches:
- Strengthen security measures: The first and most critical step in preventing data privacy breaches is to implement strong security measures such as encryption, access limits, and firewalls. Encryption is the process of transforming sensitive data into a coded language that only authorised people or systems can read. Firewalls operate as a barrier between a company’s internal network and external networks or the internet, while access controls limit who can access specific data. Companies can lessen the risk of data breaches and protect sensitive information by implementing these measures.
- Employees must be trained on data privacy: Employees play a crucial role in preventing data breaches. Employees ought to receive training on data privacy best practices, such as handling sensitive data, detecting phishing attempts, and reporting security problems. Using strong passwords, avoiding public Wi-Fi, and not disclosing personal information online are all examples. Employees might also benefit from training in recognising suspicious behaviour and reporting it to the appropriate authorities.
- Perform regular security audits: Companies should undertake regular security audits to discover potential weaknesses in their systems and processes. Audits might highlight areas that need to be improved, such as outdated software, weak passwords, or unprotected data storage. Frequent audits assist businesses in staying ahead of emerging threats and ensuring that they are utilising the most up-to-date security procedures.
- Limit data access: Companies should restrict access to personal data to only those employees who require it to execute their job tasks. Companies can lessen the risk of accidental or purposeful data breaches by restricting access. Employees should only have access to the data that is absolutely necessary to accomplish their job.
- Monitor systems for suspicious activity: Companies should put in place monitoring systems to detect and respond to suspicious activities, such as unauthorised data access attempts or odd data usage trends. This can include real-time network traffic monitoring, activity records, and alerts for suspicious activity. Companies can respond swiftly to suspected breaches and prevent data loss by monitoring for unusual activities.
- Update software and systems: To address known vulnerabilities, companies should constantly update their software and systems with the most recent security patches. This includes updating staff operating systems, web browsers, and other software. To limit the danger of exploitation by hackers, updates should be adopted as quickly as feasible when they are available.
- Have a breach response plan in place: Companies should have a breach response plan in place that explains what steps to take in the case of a data breach, such as contacting affected persons and regulatory agencies. A breach response plan should include a list of key employees who will be in charge of dealing with the breach, a communication plan for alerting impacted parties, and a process for determining the cause of the breach.
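The “limit data access” and “monitor systems for suspicious activity” steps above can be combined into one check keyed to the SPDI categories listed in the 2011 Rules. The following is an added example, not code from the article: the roles, the need-to-know policy, the log format and the log lines are all constructed for illustration.

```python
# Added example (not from the article): need-to-know checks and anomaly
# flags over SPDI access. Roles, policy and log lines are constructed.
from collections import Counter

# Categories of "sensitive personal data or information" under the 2011 Rules.
SPDI_CATEGORIES = {"password", "financial", "health", "sexual_orientation",
                   "medical_records", "biometric"}

# Constructed need-to-know policy: which SPDI categories each role may read.
ROLE_POLICY = {
    "billing_clerk": {"financial"},
    "clinic_staff": {"health", "medical_records"},
    "support_agent": set(),                 # no SPDI access at all
    "security_admin": {"password", "biometric"},
}

def is_authorised(role, category):
    """Least-privilege check: SPDI is readable only if the role's policy lists it."""
    if category not in SPDI_CATEGORIES:
        return True  # ordinary fields are outside the Rules' SPDI scope
    return category in ROLE_POLICY.get(role, set())

def parse_line(line):
    """Parse a constructed log line: '<ts> <user> <role> <category> <record>'."""
    ts, user, role, category, record = line.split()
    return {"ts": ts, "user": user, "role": role,
            "category": category, "record": record}

def review_access_log(lines, volume_threshold=3):
    """Return (denied, bulk): unauthorised SPDI reads, and users whose
    authorised reads of one SPDI category exceed volume_threshold."""
    denied, per_user = [], Counter()
    for line in lines:
        e = parse_line(line)
        if not is_authorised(e["role"], e["category"]):
            denied.append((e["user"], e["category"], e["record"]))
        elif e["category"] in SPDI_CATEGORIES:
            per_user[(e["user"], e["category"])] += 1
    bulk = sorted(k for k, n in per_user.items() if n > volume_threshold)
    return denied, bulk

# Constructed sample log: one unauthorised read and one bulk reader.
SAMPLE_LOG = [
    "2023-01-05T09:00:01 asha billing_clerk financial r101",
    "2023-01-05T09:00:07 asha billing_clerk financial r102",
    "2023-01-05T09:01:10 ravi support_agent medical_records r205",
    "2023-01-05T09:02:00 meena clinic_staff health r300",
    "2023-01-05T09:02:01 meena clinic_staff health r301",
    "2023-01-05T09:02:02 meena clinic_staff health r302",
    "2023-01-05T09:02:03 meena clinic_staff health r303",
    "2023-01-05T09:03:00 ravi support_agent name r400",
]
if __name__ == "__main__":
    print(review_access_log(SAMPLE_LOG))
```

The denied list is what an access-control layer would block, and the bulk list is what a monitoring rule would raise for review; in production the threshold would be a per-role baseline rather than a fixed count.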
Conclusion
In the digital era, companies that collect, store, and use personal data have a responsibility to prioritise data privacy. Personal information protection is critical for legal compliance, preserving customer confidence, achieving a competitive advantage, and meeting ethical commitments. A data breach can have serious implications, such as legal and financial penalties, loss of customer trust, and damage to a company’s brand. As a result, companies need to take all necessary precautions to prevent data breaches, such as establishing data security processes, training staff on data privacy, and periodically evaluating and updating data privacy policies. Companies that prioritise data privacy can not only protect their customers and staff, but also earn a competitive advantage and a strong reputation in the marketplace.