DIGITAL PROTECTION OF PERSONAL INFORMATION LAWS AND ITS DEVELOPMENT IN INDIA.

ABSTRACT:

Lately, data protection has become a pressing topic, with growing advocacy for the protection of personal information and individuals’ privacy. With the development of technology and the availability of social media and digital means, every kind of work and service is now rendered online. While this has been a boon to netizens, it has also become a threat to those who fall victim to various types of cyber crime. As cyberspace expands its wings, so do cyber crimes. Hence the Indian Government has focused on making stringent laws, rules and regulations to control cyberspace and cyber crimes. India’s first legislation to give an exhaustive framework for data protection is THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (DPDP ACT). Even though it is not the first framework made with a view to regulating digital data and its protection, it is a primary legislation concentrated solely on the right to privacy, the protection of personal data and data processing. Apart from this piece of legislation, there was previously the Information Technology Act, 2000, which was made to regulate the electronic platform and its atrocities. It is also notable that in the recent case of Puttaswamy vs. The Union of India the right to privacy was declared a fundamental right, and this laid the basis for the enactment of the new Data Protection Act of 2023. The present research paper traces the evolution and development of digital data protection laws in India.

KEYWORDS: DATA PROTECTION LAW, DIGITAL PERSONAL DATA PROTECTION LAW, 2023, DEVELOPMENT OF DIGITAL DATA PRIVACY, DATA FIDUCIARIES, DATA PROCESSING, CONSENT, DATA PRINCIPAL, DATA PROTECTION BOARDS.

INTRODUCTION:

With emerging technology, it is important to have laws that focus on protecting netizens from the atrocities that may arise in this process of evolution. Having Artificial Intelligence work for us is much more convenient than slow manual processes, but at the same time the technology is becoming dangerous as AI advances: with the help of AI, many entities and individuals are exploiting the freedom of access to others’ personal information and to data that is supposed to be confidential. To overcome these atrocities, the Indian legislature started taking steps to counter the evil and regulate the technology, first by enacting the Information Technology Act of 2000, when electronic media was becoming prominent, and arriving at the present Digital Protection of Personal Information Act, 2023. This research paper provides an elaborate view of this development, from the initial legislative framework, which covered data protection and the scope of the entities accessing personal information, to the stringent laws restricting and regulating the parties to the data. The recent enactment was a result of the landmark case of Puttaswamy vs. Union of India, where the right to privacy was declared a fundamental right that falls under the ambit of the Right to Life. It is notable that between these enactments the Indian legislature also tried to regulate digital personal information through various rules and regulations, such as the RSP Rules in 2011, and that financial institutions like RBI and IRDAI issued various directions in the year 2023 to protect the outsourced information of these entities. Thus, the present research paper covers the evolution and development of the digital data and personal information protection laws of India.

RESEARCH METHODOLOGY:

The present research paper is based on secondary sources and is descriptive in nature. It is written to provide an overview of the concept of digital protection of personal information and its development in India. Secondary sources such as journals, articles, blogs, and newspapers were used for this research.

REVIEW OF LITERATURE:

The roots of the DPDP Act, 2023 lie in the case of Puttaswamy vs. Union of India[1], where the importance of privacy was put in the spotlight for the first time and the Supreme Court upheld that the Right to Privacy falls under the ambit of the Right to Life and declared it a fundamental right of every citizen. The importance of privacy was analysed by J. Chandrachud under the head of Essential Nature of Privacy as “the idea of privacy as being based on autonomy and as an important side of dignity”: “Dignity cannot exist without privacy. Both reside within the inalienable values of life, liberty and freedom which the Constitution has recognised. Privacy is the ultimate expression of the sanctity of the individual. It is a constitutional value which straddles across the spectrum of fundamental rights and protects for the individual a zone of choice and self-determination.”[2] This judgement highlighted the importance of privacy for living a dignified life. After this verdict, the Government of India constituted a committee for the drafting of a data protection law, headed by J. B.N. Srikrishna, in the year 2018. The Personal Data Protection Bill was first drafted in 2018 and was put to public opinion. The revised 2019 version was approved by the cabinet ministry and presented in Lok Sabha. A standing committee reported on the 2019 Bill in December 2021. However, on August 3, 2022, it was withdrawn from Parliament. A new draft, the Digital Personal Data Protection Bill, 2022, was released for public consultation in November, receiving over 20,000 suggestions.
The revised Digital Personal Data Protection Bill, 2023, was approved and passed in Lok Sabha on August 7 and in Rajya Sabha on August 9.[3] On 11th August, Droupadi Murmu, the President of India, gave assent to the Bill of 2023, which thereby became the Digital Personal Data Protection Act, 2023.[4] The current legislation bears resemblance to the data protection laws of the European Union and Singapore. It shares similarities with the General Data Protection Regulation Act passed in 2016, effective from 2018, though the DPDP Act of 2023 differs slightly.[5] Some argue that the legislation aligns more closely with Singapore’s Personal Data Protection Act of 2012.[6] This indicates that India, as the 5th largest economy, has focused on implementing stringent laws, akin to other economies, to safeguard citizens’ data and facilitate international businesses under safer norms.

LAWS RELATING TO DATA PROTECTION:

Ever since the development of technology began, the legislature has been trying to monitor it and to enact new laws relating to technology regulation and data breaches. Before the recent development of the Digital Personal Data Protection Act, 2023, there were some privacy laws concerned with atrocities such as data infringement and the intrusion into sensitive data collected through entities.

The foremost privacy law is the Information Technology Act, 2000. This piece of legislation provided for the legal recognition of electronic transactions, contracts, and data transfers, which are completely paperless communications commonly called e-commerce. Under this legislation, data protection provisions such as penalties for data breaches, the powers granted to the government in situations where it can access information, and the liability of intermediaries were broadly discussed for the first time. Section 43A of the IT Act, 2000 states that “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected”[7]. This shows the importance of privacy protection, for which compensation was prescribed. It is also notable that no upper limit for the compensation was provided, which shows the seriousness of the punishment. “Section 72A of the IT Act,2000 talks about the Punishment for the disclosure of the information in breach of lawful contract. And this section prescribes punishment with imprisonment of one year which may extend to three years or with a fine which may extend to 5 lakhs or with both”[8]. Under Section 69 of the IT Act, 2000, an exception to the general rule of maintaining privacy was provided to the government when it satisfies prescribed conditions necessary in the interest of the sovereignty or integrity of the state, the defence of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, or for the investigation of any offence.
In such cases the government may issue directions or give authorisation to intercept, monitor or decrypt data in any computer resource, even if that data is personal in nature. Section 72 provides a safe harbour for intermediaries: a social media platform or an internet server is not liable when it acts as an intermediary for third-party data.[9]

Subsequent laws on Digital Information Monitoring in India:

One of the subsequent developments in privacy and data protection law is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘RSP Rules’), which deal with the sensitive information of a person. Information consisting of matters relating to the following is considered sensitive information:

  • Passwords
  • Financial information like bank details, credit card, debit card or other payment instruments
  • Physical, psychological and mental health conditions
  • Sexual orientation
  • Medical records and history
  • Biometric records etc.

The Rules also state that information relating to the above clauses, when given to a body corporate for security purposes, or received by a body corporate for processing or storing, is considered sensitive information and shall not be disclosed. Section 5 of the RSP Rules, 2011 deals with the collection of data and makes the consent of the owner of such sensitive information necessary for the use of that information. Notably, the entire set of rules addresses sensitive information and data and the norms that are to be followed when a body corporate transfers such information to other entities or the public.[10]

Another set of rules and regulations made for protection from cyber crimes and to provide security to information is the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘CERT-In Rules’).[11] CERT-In is the national nodal agency for responding to computer security incidents as and when they occur, and it performs various functions in the areas of cyber security, cyber incidents, information security practices, etc. The directions also impose a 6-hour timeline within which cyber security incidents must be reported to CERT-In, and they have widened the types of issues that are to be reported to CERT-In. In the financial sector, too, there are many regulations relating to data outsourcing, where there is a higher possibility of data breach and misuse by outsiders when information is outsourced. Regulatory bodies such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) are also moving to pass rules and regulations to protect and preserve their data from the growing cyberspace. To mention some of these regulations, the IRDAI (Insurance Web Aggregators) Regulations, 2017 regulate ‘insurance web aggregators’ or insurance intermediaries, who ‘maintain a website for providing an interface to the insurance prospects for price comparison and information of products of different insurers and other related matters.’
Further, the IRDAI has recently issued the IRDAI Information and Cyber Security Guidelines, 2023 (as of April 24, 2023) for insurance intermediaries.[12] Another such regulation in the financial sector is the RBI (Outsourcing of Information Technology Services) Directions, 2023, which was issued on 10th April 2023 and comes into force from 1st October 2023. It regulates outsourcing agreements and policies, which need protection because the main function of banks is to deal with the personal data of individuals.[13] These regulations apply to RBI entitled entities such as urban banks, commercial banks, and non-banking financial companies.

Recent Development of Data Protection Law:

The latest development in privacy law is the Digital Personal Data Protection Act, 2023. This Act introduced systematic regulations concentrating solely on data privacy. To understand the Act, we first have to understand the terms that explain how it works. They are defined under Section 2[14] of the DPDP Act, 2023:

“(g) “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;

(i) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;

(j) “Data Principal” means the individual to whom the personal data relates and where such individual is—

(i) a child, includes the parents or lawful guardian of such a child;

(ii) a person with disability, includes her lawful guardian, acting on her behalf;

(k) “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;

(u) “personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data;

(x) “processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;”

These terms help us understand the working of the Act. To put them more simply: the Consent Manager is the one who acts as a mediator between the individual who provides information and the corporate entity; the Data Fiduciary is the corporate entity, or any other entity, that deals with the personal information; the Data Principal is the individual who provides his own information to a Data Fiduciary; processing is the act for which the Data Fiduciary collected the digital data, whether that is storage, use, collection, adaptation, etc.; and the Data Processor is the person who performs the processing on behalf of the Data Fiduciary.

Consent Plays an Important Role:

The present Act stresses the point of ‘consent’, which is provided for under Section 6(1): “The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose”[15]

This provision states that every act of processing should be done with the consent of the Data Principal. Section 6(4) also provides that the Data Principal may withdraw the consent given at any time.

Legitimate Use:

Section 7[16] of the DPDP Act, 2023 clearly states that processing by a Data Fiduciary must be for a legitimate use only, such as:

  • When the information was provided voluntarily by the Data Principal.
  • When it is provided for the state or for any of its instrumentalities for obtaining any kind of benefit or subsidy or service or certification.
  • For state or its instrumentalities of any function under Law in force in the interest of Sovereignty and integrity of the state or for security purposes.
  • To fulfil any obligation under any law in force on a person to disclose the information to the state or any of its instrumentalities.
  • For compliance to any judgement or order or decree issued under any law for the time being.
  • For responding to medical emergencies involving a life threat.
  • For taking measures to provide medical services to a person in the time of outbreak of epidemic or any harm to public health.
  • For taking measures to ensure safety or to provide assistance or services to any individual during any disaster.

General Obligations of Data Fiduciaries and Data Principals:

A total of eleven obligations are prescribed for the Data Fiduciary under Section 8[17] of the DPDP Act, 2023, and under Section 15[18] of the DPDP Act, 2023 five obligations are to be followed by the Data Principal, such as:

  • Comply with the law in force
  • Shall not impersonate another person while providing their personal information
  • Shall not suppress any material facts or information
  • Shall not make any false or frivolous grievances or complaints.
  • To furnish only such information which is verifiably authentic.

Exceptions:

Section 17[19] of the DPDP Act, 2023 provides exceptions, prescribing the situations in which the Government can process personal data without consent:

  • When such processing of personal data is necessary for the enforcement of a legal right or claim.
  • When the processing of such data is done by a court or tribunal or any other authority entrusted by law, where such processing is necessary under law.
  • When such processing is necessary in the interest of the prosecution, detection or prevention of any offence.
  • When personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.
  • When such processing is necessary for the merger or amalgamation of two or more companies or demerger of two or more companies authorised by the court or tribunal.
  • When the processing of information is necessary for ascertaining the financial status or the assets and liabilities of a person who has defaulted on the payment of loans or of any financial instruments, subject to the processing prescribed under the law relating to data disclosure.

Breaches of the said provisions and their penalties are provided for under Section 33[20] of the DPDP Act, 2023, with the penalties prescribed under the Schedules from one to six.

SUGGESTIONS / CONCLUSION:

Due to the Digital Personal Data Protection Act, 2023, every sector has gone through some changes, which have had a positive impact and, at the same time, a negative impact as well. The main advantage is that the Act brought a layer of protection over the entities that work especially with data related to individuals, such as banks, corporate businesses with shareholders, and many more entities of that kind, which saw a very good impact. As the statute provides protection while also imposing obligations not only on the Data Fiduciary but also on the Data Principal, it created a perfect balance between the parties. Notably, this piece of legislation has also had a great impact on financial institutions, as it added another layer of protection to the regulations they already had concerning customer protection, data privacy, outsourcing, etc. However, the amendment brought by this Act to the Right to Information Act, 2005, especially to section 8(1)(j), might be a point of deterioration: taking away the ambit of seeking information in the larger interest of the public makes no sense. Apart from this, the other concepts and provisions of the Act can lead to greater changes in the cyber world. Hence the digital protection of personal information laws and their development in India can be seen as a process in which, at every stage, the Indian legislature tries to build stronger regulations to protect the privacy of individuals.

Karedla Vinya Sai Suguna,

JC College of Law, Guntur, Andhra Pradesh.


[1] Puttaswamy vs. Union of India, AIR 2017 SC 4161, (2017) 10 SCC 1

[2]Ashami Raj Trivedi, Legal Service India, https://www.legalserviceindia.com/legal/article-7891-case-study-the-case-justice-k-s-puttaswammy-v-s-union-of-india.html

[3] Digital Personal Data Protection Act, 2023, Available at Wikipedia, https://en.wikipedia.org/wiki/Digital_Personal_Data_Protection_Act,_2023#cite_note-:8-6

[4] Digital Personal Data Protection Bill gets President Assent, Available at ET Online, https://economictimes.indiatimes.com/news/india/digital-personal-data-protection-bill-gets-nod-from-president/articleshow/102660125.cms ( Last Updated on 12th, August, 2023 at 01:56 A.M).

[5] Arun Prabhu, Arpita Sengupta & Anoushka Soni, India’s New Data Protection Law: How Does it Differ from GDPR and What Does that Mean for International Businesses?, Cyril Amarchand blogs, October 10, 2023, https://corporate.cyrilamarchandblogs.com/2023/10/indias-new-data-protection-law-how-does-it-differ-from-gdpr-and-what-does-that-mean-for-international-businesses/#more-7395

[6] Common Concepts In The Data Protection Laws Of India And Singapore, 7th September, 2023, https://hsfnotes.com/data/2023/09/07/common-concepts-in-the-data-protection-laws-of-india-and-singapore/

[7] Section 43A of IT Act,2000, https://www.indiacode.nic.in/show-data?actid=AC_CEN_45_76_00001_200021_1517807324077&orderno=49

[8] Section 72A of IT Act,2000, https://indiankanoon.org/doc/69360334/

[9] Vijay Pal Dalmia, Data Protection Laws in India, 13th December 2017, Available at, https://www.mondaq.com/india/data-protection/655034/data-protection-laws-in-india—everything-you-must-know

[10] RSP Rules, 2011, https://upload.indiacode.nic.in/showfile?actid=AC_CEN_45_76_00001_200021_1517807324077&type=rule&filename=GSR313E_10511(1)_0.pdf

[11] Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘CERT-In Rules’), https://www.cert-in.org.in/PDF/G.S.R_20(E).pdf

[12] Technology Laws, Available at, https://www.ahlawatassociates.com/area-of-practice/technology-laws/#:~:text=The%20primary%20legislations%20governing%20the,Information%20Technology%20(Reasonable%20Security%20Practices

[13] RBI Release Master Directions to Outsourcing of IT Services, 15th May, 2023, https://www.khaitanco.com/thought-leaderships/RBI-Releases-Master-Direction-To-Regulate-Outsourcing-of-IT-Services#:~:text=The%20Direction%20 will%20come%20 into force%20before%20the%20Effective%20Date.

[14] DPDP Act,2023, Section 2 https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[15] Section 6 of DPDP Act,2023

[16] Section 7 of DPDP Act, 2023

[17] Section 8 of DPDP Act, 2023

[18] Section 15 of DPDP Act, 2023

[19] Section 17 of DPDP Act, 2023

[20] Section 33 of DPDP Act, 2023.