ABSTRACT
From the digitization of education to the procedure of opening a bank account, the wave continues to spread throughout the public and private fields across the world. The Internet, no doubt, has made our lives easy and much more hassle free. Social media giants and e-commerce are at their peak, all thanks to the pandemic. The presence of the internet is ever growing. With its development, a new type of crime, known as cybercrime, has also emerged. The world in unison has recognised cybercrimes as a real threat to humanity. One of the aspects when considering cybercrimes is data. As we embark on the digital era, several concerns, especially relating to ‘data protection and regulation’, have crept up. In this paper we are going to understand the linkage between privacy and data protection & regulation and hence the need for a legal framework in this regard. Firstly, we will look into the Indian approach towards the matter with the help of legislation on point and related judicial pronouncements. Secondly, we will also peer through the global outlook on the matter by looking at laws, if any, concerning data protection and regulation in the world’s leading economies like the European Union, USA and China.
KEYWORDS: Privacy, Data, Digitisation, Data Protection
INTRODUCTION
Cyber crimes are, at some point, inherently connected with a breach of the privacy of a person or of people at large. This connection lies in the nature of how technologies have evolved and how so-called digitization works.
The simplest illustration in our country’s scenario is the Aadhaar card. Today, while applying for a passport, the concerned authority asks for our consent to access our Aadhaar card, and upon approval the details therein are automatically incorporated in our respective applications. UIDAI basically is a storage of data relating to the identity of Aadhaar card holders. By virtue of the Aadhaar card, most governmental agencies, corporates, banks and other public institutions have cut short the long form-filling procedures. Another related example is DigiLocker, which again is a governmental personal storage cloud. It has all our identity-related and, in most cases, educational documents too. Digitization therefore skips the conventional paperwork and stores/records information in electronic form by virtue of internet-facilitated platforms. In a similar manner, social media allows us to share pictures and messages with our friends or the world at large.
The commonest cyber crime is the leakage of an individual’s personal pictures or messages to public platforms without his or her consent. This is nothing but a breach of the privacy of an individual.
The discussion herein is concerned with how the data we share online by virtue of social media or e-commerce or any governmental agency needs to be protected.
Apart from the illustrations mentioned above, data can also be used to incite violence by targeting vulnerable groups. It can also be used to the prejudice of the economic and commercial interests of the country. A notable case study in this regard is the “Facebook–Cambridge Analytica data breach scandal”. In 2018, the Facebook–Cambridge Analytica data scandal was a major disgrace, with Cambridge Analytica collecting the private data of millions of people’s Facebook profiles without their permission and using it for political advertising. It was described as a watershed moment in the country’s understanding of private data, prompting a seventeen (17) per cent drop in Facebook’s cut-rate and calls for stricter laws governing tech companies’ usage of private data.[1]
Another debate on the issue is between the government and the corporations which possess the data. In an ongoing case between the Government and WhatsApp, the Government is asking for access to encrypted WhatsApp chats. While the Government cites national interest for the access, the corporation resists the claim, citing breach of its privacy policy and consumer interest.
Why is data even collected?
Simply put, corporations or governmental agencies collect data in huge volumes, store it and analyse it to draw inferences regarding consumers’ choices so as to provide better services. Data analytics has advanced so much that whatever content we see online has been curated according to our preferences deduced from the data collected. Our indulgence in different forms of media gives corporations an idea of what consumers like. The data analysed in the health sector shows the government the areas of concern looming over the public at large. The psychological behaviour of an individual can also be deduced from what he/she indulges in on online platforms. Such psychological inferences can be widely used in criminology.
Such significance of data is the reason for its vulnerability.
Position in India
In the light of the above background, it will now be useful to look into the Indian legal framework with respect to the right to privacy and data regulation. However, at the outset it must be noted that the Supreme Court in the KS Puttaswamy case[2] held that the right to privacy is a fundamental right enshrined in Article 21 of the Constitution of India. As per Statista, as of February 2021, 76% of Indian Internet users are proactively looking for better ways to protect their privacy.
The Information Technology Act, 2000
The Act was enacted in compliance with UN resolution A/RES/51/162, dated 30th January, 1997, which adopted the Model Law on Electronic Commerce. The Act gave legal recognition to transactions carried out by means of electronic data exchanges.
Sec 2(o) – “Data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
Sec 43A – provides for compensation to individuals by a body corporate upon its failure to protect data, where that failure has caused wrongful loss to such individuals or wrongful gain to any person.
Chapter XI exclusively deals with the acts considered as offences. Therein –
Sec 66E deals with violation of privacy only with respect to bodily privacy. It makes the sharing of pictures of an individual’s private area without consent punishable.
Sec 66F provides for cyber terrorism. Any person who, with the requisite intent, commits the act of unauthorised access to or denial of a computer resource, and thereby causes disruption to property or injuries/death of individuals or adversely affects any critical information structure, will be guilty of cyber terrorism.
The Act also gives power to the Government to direct any agency of the appropriate Government to intercept, monitor or decrypt, or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in any computer resource when it is expedient to do so in the interest of the country, and the reasons must be recorded in writing.[3]
The abovesaid provisions were enacted when the digitization of processes was very new and social media had not penetrated much in the country. Therefore, they do not deal with data privacy very exhaustively. However, in the current scenario, given the tools available for generating and storing data of the public and the pervasive presence of digital media, it becomes necessary to have an exhaustive law which deals with data and its regulation by the concerned entities under the supervision of the Government. It is notable that in the KS Puttaswamy case the SC held that data privacy is an equally important part of the right to privacy. The SC categorically stated – “the balance between data regulation and individual privacy raises complex issues requiring delicate balances to be drawn between the legitimate concerns of the State on one hand and individual interest in the protection of privacy on the other.”[4]
Therefore, the Central Government has put forward the Digital Personal Data Protection Bill, 2022, which will be discussed in 2023 in the monsoon session of the Parliament. The bill proposes to establish a comprehensive code for personal data protection and regulation. If approved, the bill will establish a separate board for taking up grievances relating to data privacy breaches. It gives utmost priority to the consent of the individual whose data is being stored, while laying down explicit obligations for the data fiduciary. Corporations all around the world have appreciated India’s initiative in the said direction. The bill is a step towards bringing the Indian legislative system on par with global standards and needs.
Position in Europe
In 2016 the EU adopted General Data Protection Regulation (GDPR). It is the most exhaustive piece of legislation existing in the world with respect to data protection. Its foundation again rests on basic human right of privacy. It is divided into 11 chapters with 99 articles. It not only regulates data protection within the EU but also imposes obligations on any data holder outside the union handling data of any country of the union to which GDPR is applicable. GDPR places the individual’s right to privacy in the centre of the legislation and thus is one of the stringent laws in the world. The individual is entitled to know the purpose behind any collection of data only after which he/she can consent to it or not. It is notable that the individual can withdraw his or her consent too. It also focuses on data minimisation i.e. only absolutely necessary personal data with respect to the objective of the collector must be collected. GDPR is known for its stringent penalties for breaches.
The GDPR has served and continues to serve as a template for data protection laws for all the countries, despite its prima facie stance towards the public and its stringent position with respect to data collectors and processors.
Position in the USA
Privacy protection is modelled on the protection of liberty. Unlike the EU, the USA lacks a federal law on data protection and regulation. However, it has certain federal laws imposing obligations on different institutions relating to:
Federal Agencies – Privacy Act of 1974
Health – Health Insurance Portability and Accountability Act (HIPAA)
Financial services – The Gramm-Leach-Bliley Act
and other corporations with respect to data collection and its access by third parties. There is another piece of legislation, the Children’s Online Protection Act, focussing on the privacy of children under the age of 13 and the protection of any related data which any corporation collects. California has a notable piece of legislation called the California Privacy Rights Act, which deals with consumers’ data protection and regulation comprehensively and stringently.
Position in China
There are 2 recent pieces of legislation which China enacted to protect its citizens’ data. It has been said that they are modelled on Europe’s GDPR. The first is the Personal Information Protection Law (PIPL), a comprehensive code having 8 chapters dealing with the right to privacy of an individual and the obligations of institutions & corporations. It gives individuals the right to delete or alter their data. The second is the Data Security Law, which provides for the categorisation of data according to its importance and thus imposes restrictions on its transfer.
REVIEW OF LITERATURE
Yashraj Bais[5], while drawing up a detailed analysis of privacy and data protection, strongly emphasises how ensuring privacy or condemning its breach is a segment of public duty. He further adds that as a nation we have upheld the right to privacy, and now that we have entered the “Cyber Era”, data protection has emerged as a vital segment of privacy.
U. Alafaa[6] stresses the responsibility of companies and corporations to maintain a system for the protection of their consumers’ data. Not only should it be backed up by an exclusive law, but it is also a necessity to ensure the trust of the public in the institutions and the government. There are sure challenges in maintaining data privacy, given the rate at which data is increasing and the frequent conflict of laws in cases of cross-border transfers. However, the effort in this direction must continue.
In ‘An Overview of the Changing Data Privacy Landscape in India with Regard to the Role of Data Controllers’[7] the authors pitch for the necessity of an exclusive data protection law and articulately point out the characteristics around which it should be built, like – Technology agnosticism, Holistic application, Data minimisation, Controller accountability, Structured enforcement, and Deterrent Penalties.
In ‘Big data privacy: a technological perspective and review’[8] the authors have highlighted how most of the avenues that have eased our lifestyle are dependent on data analytics. Institutions are relying on ‘big data’ to make advancements. There are definitely moral concerns with respect to the collection and processing of such data, but there are several technological hindrances too. In such a scenario, a global intent of cooperation is required. The possible solutions lie in maintaining anonymity, data minimisation and having the informed consent of the public.
Ibrahim Khatri[9] suggests the development of cyber security programs to manage third-party attacks. He further adds that upcoming corporations must prioritize data protection and privacy from the start rather than approaching it after some binding compliance requirement or a cyber-attack. He concludes that data in modern times is no less than an asset for corporations and therefore the security regime for it cannot be compromised.
The authors of “Privacy and Data Protection in Cyberspace in Indian Environment”[10] propose that data privacy can be developed only when it is holistically taken care of at every step, i.e. data collection, data processing, data storage and data access. In India the regime around data protection can only be built by integrating legal, technological and political issues.
RESEARCH METHODOLOGY
The paper aims at providing the reader with the general scenario regarding the legislative position of data protection in India and other leading countries. The right to privacy has been recognised as a human right, and this paper delves into emerging concerns relating to it in the current digital era. The study firstly illustrates how data collection comes into the picture and how both public and private sector institutions are using it. Further, the Indian legal framework has undergone huge change and is moving further ahead, with our policies adapting to new norms while keeping citizens’ interests safe. While a comparison cannot be drawn, the approach of first world countries has been well taken into account. This paper is written after considering the latest research studies on the issue and newspaper articles. The cited literature gives rounded concerns and possible solutions with respect to the topic of the paper.
SUGGESTIONS
It cannot be stressed enough that Artificial Intelligence is more or less part of our lives now. The working mechanism of Artificial Intelligence rests on the generation and collection of big data. AI has definitely made our lives smarter. However, the right to privacy is also at risk of breach. Therefore, an exhaustive code to define the limits of operation relating to digital data must be in place. Data minimisation proposes to be a balanced approach, and this must be crystallised in the form of legislation only after a thorough decision with all the stakeholders. Corporations must not put their consumers’ interests at risk for commercial gains. A self-regulation mechanism must also be devised as part of any corporation’s policy. Anonymised data is again a great step towards keeping commercial and consumer interests in place. The right to privacy must necessarily incorporate the right to be forgotten, and thus the facility of deleting personal data completely from the online segment should be provided. The transparency of the data collection mechanism is again a vital part of the whole process of forming the informed consent of the individual. Further, the exemption to the Government in the name of national interest and security is justifiable, but it cannot be based on mere apprehensions. The possibility of abuse of the privilege is always there, and hence strong limits must also be defined for governmental exemptions. Lastly, awareness programs regarding a healthy online experience, with the aim of imparting knowledge of privacy regulations and commonly used deceptive techniques, must be conducted by the government as well as commercial organisations.
CONCLUSION
Technological advancements should always be accompanied by legal development. The Information Technology Act 2000 was enacted as a recognition of the digital era and a stepping stone towards Internet law. A data protection and regulation law is a further step in the said direction. It has been rightly said that privacy cannot exist without security. Informational privacy, as observed in the KS Puttaswamy case, must be built upon a threefold requirement, which is: procedure/legislation in place, followed by rational reasons for breach, if required, holding a reasonable nexus with the purpose, and lastly, any necessary exemption must be granted after thorough perusal of the requirement and the interests at stake. A data protection regime must not be built in ignorance of the right against discrimination. UNCITRAL again speaks for a global approach and has time and again reiterated the need for data protection laws and their regulation based on trans-border cooperation between nations. A new strategy behind terror activities is based on hacking into data clouds; therefore international law in this regard is surely called for.
India by virtue of its draft bill becomes a part of global discussion which will surely lead us to a better and safe future.
Aditi Singh Pal
LL.B. 3rd Year
Law Centre-I, Faculty of Law, University of Delhi
[1] Facebook–Cambridge Analytica data breach scandal, Fotis Law - Lawtify (July 11 2023, 8:59 PM), https://fotislaw.com/lawtify/case-study-on-facebooks-data-breach/
[2] KS Puttaswamy v Union of India, (2017) 10 SCC 1
[3] Information Technology Act, 2000, Section 69, Acts of Parliament (India)
[4] KS Puttaswamy v Union of India, (2017) 10 SCC 1
[5] Yashraj Bais, Privacy and Data Protection in India: An Analysis, Volume 4, International Journal of Law Management & Humanities (2021), Pg 1793
[6] Alafaa, Princess, Data Privacy and Data Protection: The Right of User’s and the Responsibility of Companies in the Digital World (January 7, 2022). Available at SSRN: https://ssrn.com/abstract=4005750 or http://dx.doi.org/10.2139/ssrn.4005750
[7] S. Sandesh Saravanan and M. Kannappan, An Overview of the Changing Data Privacy Landscape in India with Regard to the Role of Data Controllers, Volume 119, International Journal of Pure and Applied Mathematics (2018), 920
[8] Priyank Jain, Manasi Gyanchandani and Nilay Khare, Big data privacy: a technological perspective and review, Journal of Big Data (2016)
[9] Ibrahim Khatri, The significance of cybersecurity and data privacy in the era of digital transformation, TOI, 10th July 2023
[10] Shrikant Ardhapurkar et al., International Journal of Engineering Science and Technology, Vol. 2(5), 2010
