Abstract
In the digital era, rapid technological progress has revolutionized the landscape of data gathering, processing, and storage, prompting substantial worries about data privacy. This abstract investigates the changing legal requirements for data privacy, analysing how different jurisdictions are altering their regulatory frameworks to handle the complexity brought on by current technology. Traditional privacy rules, largely based on pre-digital values, have struggled to keep up with the volume and scope of modern data operations. In response, new regulatory methods have emerged, with a greater emphasis on openness, user permission, and data protection. To address the issues of cross-border data transfers, there is an increasing movement towards synchronizing global privacy standards. The interaction of national privacy legislation and international accords emphasises the importance of a coordinated approach to ensuring that privacy safeguards are effective across countries. Legal norms for data privacy will need to adjust as technology evolves, particularly with advances in artificial intelligence and blockchain. The future of data privacy law will be shaped by emerging ideas such as privacy by design, ethical data usage, and increased enforcement tools. This abstract emphasises the changing nature of data privacy law, as well as ongoing efforts to strike a balance between innovation and the need to preserve individual privacy rights. It emphasises the significance of ongoing legislative adaptation and international collaboration in protecting data privacy in an increasingly interconnected world.
Keywords
Artificial Intelligence, Data Privacy Laws, Cross-Border Data Transfer, General Data Protection Regulation, Digital Personal Data Protection Act.
Introduction
In today’s digital age, our personal information is more valuable than ever before, and with the rise of social media, e-commerce and online banking, we share more of it online than we used to. These technological advancements have made our lives easier but also bring various risks to our privacy and security. Data privacy concerns when, how and to what extent an individual’s personal information can be shared with others; personal information can be a name, address, phone number, etc. Data protection, by contrast, is the legal safeguarding of that information against any misuse, abuse or damage.
Why does data privacy matter? Websites use our personal information, and advertisers use it to target us with personalized ads. Social media companies and e-commerce sites use the information to analyse our behaviour and preferences and show us similar and engaging trends. But when our data falls into the wrong hands, it can be misused in various ways. Hackers tend to use personal information to commit identity theft, access our bank accounts, etc. Data privacy refers to protecting personal and sensitive information and securing it from unauthorized misuse, including by hackers.
Data privacy laws are crucial for protecting individuals and organizations in the context of rapid technological progress. They provide protection for personal and non-personal information and aim to build stronger trust and confidence. They prevent data breaches and identity theft and also aim to safeguard and preserve the right to privacy[1], which is inherently protected under Article 21 of the Constitution of India. A nine-judge Constitution bench headed by Chief Justice J.S. Khehar on 24th August, 2017 gave a landmark decision on the Right to Privacy. The Supreme Court ruled that the Right to Privacy is “intrinsic to life and personal liberty” and is inherently protected under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.[2]
Historical Evolution of Data Privacy Laws
Data privacy is not a new concept. The concept of privacy has evolved over time and was repeatedly brought to attention. In the year 1984, privacy was given recognition statutorily through the Universal Declaration of Human Rights (UDHR) by virtue of Article 12(4). In the year 1980 came the Organisation for Economic Cooperation and Development (OECD) guidelines on the protection of privacy and cross-border data flow of personal information. Meanwhile, various countries had started framing and drafting their own data privacy laws, Germany as early as 1970. The landmark General Data Protection Regulation (GDPR) came into effect on May 25, 2018, restructuring data privacy and protection laws.
In the Indian context, privacy has been a matter of debate in the courts, with some treating data privacy as a fundamental right and others not acknowledging it as a fundamental right under Article 21 of the Constitution of India. After a long wait, finally, in 2017, the case of K.S. Puttaswamy v. Union of India (2017)[3] pronounced the right to privacy a fundamental right which is safeguarded under Article 21 of the Indian Constitution. Various statutes that governed the right to privacy already existed, i.e., the Information Technology Act (2000), the Indian Penal Code (1860), etc. But there was no comprehensive law on the subject. Eventually, after a long wait of 7 years and after several attempts to implement the privacy laws, India finally adopted a full-fledged data protection and privacy law on August 9, 2023. The India Digital Personal Data Protection Act (DPDPA), 2023, aims to establish a comprehensive framework for the protection and privacy of personal data.
Digital Personal Data Protection Act (DPDPA), 2023
This landmark act, implemented after several attempts, aims to safeguard the privacy of individuals in the digital age. This act came into effect on September 1, 2023, and it applies to all individuals and organizations that process personal data of individuals across the national territory. The DPDPA protects the personal information that is collected and processed in India, regardless of the place from where the data was collected. It also applies to processing of personal information of Indian citizens, even if the information is processed and collected from outside of the national territory. This act doesn’t apply to any form of personal information that is:
- Processed for law enforcement or for national security purposes
- Processed for the purpose of journalism or artistic works
- Processed for personal or family purpose
The DPDPA is a notable piece of legislation that will have an acute impact on the method by which the organizations collect, use and share the personal information across the country. The act provides the individuals with greater control over their personal data and imposes strict responsibility upon the organizations that process such information.
Technological Advancements and their Impact
Big Data Analytics is the process of uncovering trends or patterns in large amounts of data to help make data-informed decisions. These processes use familiar techniques like clustering and regression and apply them to more extensive data with newer tools. They help organizations collect data, process it, improve its quality and analyse the processed information through data mining, predictive analytics and deep learning. The capacity to analyse more data at a quicker rate may greatly benefit an organisation by allowing it to use data more efficiently to answer crucial questions. It is cost efficient, focuses on product development and tracks market trends. Along with the benefits come challenges, and in order to overcome them, organizations must make the big data accessible, maintain the quality of the data, keep the processed information secure and find the right tools and techniques to work with.
The technology of Artificial Intelligence that we are witnessing today has not always been like this. Most of the AI that we’re experiencing today is narrow, which means that it has been consciously programmed to be competent in one specific area. It is at times referred to as augmented intelligence to focus on its ability to enhance human intelligence. AI and big data have a reciprocal interaction. While big data analytics procedures exist, most of the true value of big data can only be exploited via the use of AI approaches. In the other direction, big data provides AI with an enormous and diverse set of input data from which to develop and learn. In this regard, AI and big data are inextricably linked. AI relies on this personal user data to create intelligent functioning. However, this also affects data privacy – our capacity to govern how firms acquire, share, and utilise our personal information. As AI grows and changes, so will the regulations governing data privacy. It’s critical to grasp this link so that we can create a future in which everyone benefits from AI while maintaining control over their personal data. AI data collection techniques include:
- Web scraping, accumulating user information from websites automatically and without user consent;
- Biometric data, using face recognition, fingerprints, and other biometric tools to intrude into a person’s privacy and gather sensitive information;
- Social media monitoring, by analysing social media activities and preferences without explicit user consent or awareness;
- IoT devices, where devices connected to the Internet of Things (IoT) provide AI systems with real-time data from our homes, businesses, and public locations. This data can expose personal details about our everyday lives, resulting in a continual flow of information about our habits and behaviours.
The regulation of AI is one of the most important topics in privacy law. AI introduces the possibility of algorithmic bias, in which AI systems’ judgements disproportionately influence specific persons or groups. It is critical that privacy legislation address this issue and provide standards to reduce the likelihood of biassed outcomes. Furthermore, privacy regulation should focus on AI data processing procedures, assuring openness and responsibility in the collection, use, and storage of personal data.
Data privacy regulations and standards
To make AI development safe and to secure the data, various data regulatory frameworks exist. A few of these frameworks include:
- The General Data Protection Regulation (GDPR)
It is a European Union (EU) law which protects the personal data of an individual. It aims at protecting the rights of individuals and giving them control over their data. It consists of 99 articles which are categorised into 11 chapters. Its sole purpose is to safeguard individuals’ fundamental rights and freedoms, particularly their right to protect their personal data. GDPR improves data rights for citizens and consumers. Rights include: individuals must provide express consent to have their personal data gathered, and access to any personal data held by an organisation will be made easier. It is amongst the world’s strictest data privacy and security laws.
- The California Consumer Privacy Act (CCPA), 2018
Following the data privacy laws in the European Union (EU), California too came up with its own law for data privacy, i.e., the Consumer Privacy Act (CCPA). It, like the GDPR, allows Californians to quickly access company data files. However, it goes one step further by allowing citizens to opt out of having their precious data profiles sold to dodgy third-party brokers and advertisers without their knowledge. There will be no more backdoor profiting from our digital lives. Its sole purpose is to protect, promote and enforce the rights of consumers as a class, and to prevent any violation of the rights of consumers under this act. It includes various rights, such as the Right to know, Right to delete, Right to opt-out, Right to correct and Right to limit use.
- Children’s Online Privacy Protection Act (COPPA), 1998
It is a US federal law which gives parents control over what information websites can collect and gather from their kids. It guards the privacy of children under 13 years of age. Websites and online services are required to obtain parental consent before collecting personal information about children and to safeguard any information they collect about children. The information gathered must be revealed to the parents. Websites must implement technical and administrative safeguards to protect the information. The parents have the right to withdraw their consent and request the deletion of their child’s data. The websites must communicate to the parents that the information collected shall not be used for any other purpose and that it was collected to protect the child’s safety. Violating COPPA can result in a penalty of minimum $46,517 per violation, and the Federal Trade Commission often levies average fines of up to $400,000[4].
Cross-Border Data Transfers
Cross-border data transfer refers to the transfer of personal information across international borders; detecting credit card fraud at the point of sale is one example of a cross-border data flow. It involves the movement of personal information, financial credentials, or digital content across international borders. It raises challenges related to privacy, security and compliance with different regulations. Cross-border data transfers must follow established compliance standards and protocols to ensure the security of personal data. Data protection laws often require controllers to meet specific requirements when transferring personal data across borders. For example, the General Data Protection Regulation (GDPR) requires organizations to meet certain conditions when transferring personal data to a country outside the EEA. Detecting credit card fraud is one example of the benefits of cross-border data flows. When you swipe your credit card, your bank’s computer can analyse your purchase and location in seconds. Non-compliance with such laws can result in penalties.
Emerging trends and Future directions
These laws aim to impose stricter enforcement of the privacy regulations, along with penalties in cases of non-compliance. They focus greatly on the privacy of children and the sites they surf. They intend to raise awareness about privacy rights amongst individuals as legal enforcement increases. Artificial Intelligence (AI) and Machine Learning (ML) can help organizations as well as individuals inspect data while protecting privacy rights. Organizations tend to invest more in privacy technology to handle the data of individuals in a more secure manner. India’s updated privacy laws established a Data Protection Board wherein Data protection officers supervise and impose penalties, determine non-compliance, etc. The future of data protection in India is set to witness significant advancements with the planned amendments and updates to the Digital Personal Data Protection Act (DPDPA) and the Information Technology (IT) Rules. These updates aim to address emerging challenges such as misinformation and deep fakes linked to artificial intelligence. The amendments will also refine the rules relating to AI and privacy, with a focus on cybersecurity and other relevant areas. Anticipated impacts of the upcoming legislation include a more robust framework to manage the complexities introduced by new technologies such as AI, machine learning and the Internet of Things (IoT). The legislation is likely to expand its scope to cover the vast data generated by interconnected devices, thereby improving the protection of personal information from breaches and unauthorized access. Additionally, technology and innovation play a crucial role in data protection. Advances in AI and machine learning will improve data security by enabling real-time threat detection and response.
Case Studies
Data privacy compliance has a significant impact on reputation and trust as well as on the rights and interests of data subjects.
In the healthcare industry, the case study concerns the patient data breach at XYZ Hospital. XYZ Hospital experienced a data breach wherein sensitive information about patients, including medical records and personal details, was compromised. The breach took place due to a vulnerability in their electronic health records system, which granted unauthorised access.
In the financial sector, the case study is the Monzo data privacy incident. Monzo is a digital bank in the UK, and it reported a data breach in 2019 that affected approximately 480,000 customers. The incident was caused by a bug in the bank’s software that allowed certain employees to access customers’ PINs, which are normally encrypted and stored securely. The bank discovered the issue during a routine check and fixed it within hours. The bank also notified its customers and advised them to change their PINs as a precaution. The bank said there was no evidence of unauthorized access or fraud and that no external parties were involved in the incident. The bank apologized for the incident and assured its customers that their money and accounts were safe. The incident also prompted the bank to review its data security and privacy policies and procedures.
Among e-commerce companies, the data privacy case study is Amazon, which is one of the largest e-commerce platforms in the world, with millions of sellers and active customers. Amazon collects and uses personal data from its customers and sellers, such as their names, addresses, payment credentials, purchase history, reviews, browsing history, and more. In 2018, Amazon disclosed that it had accidentally exposed the names and other information of some of its customers due to a technical glitch. Amazon did not reveal how many customers were affected or the amount of data that was exposed. Amazon did not provide any compensation to any of the affected customers.
Conclusion
Data privacy and protection regulations in India mirror the worldwide panorama of data’s rising supremacy in a digitally enhanced era. The introduction of the DPDP Act is a step forward in protecting personal data, giving Data Principals more sovereignty over their data, and establishing responsibility for data protection agencies. The Act highlights essential concepts such as data minimisation, accuracy, accountability, purpose restriction, and so on, as well as introducing Data Principal rights. It monitors Data Fiduciaries’ performance of their responsibilities and levies penalties for noncompliance with the requirements. On the whole, the DPDP Act serves the reasons for which it was enacted, although it is not without criticism. criticise and defend the Supreme Court’s decision on privacy. The clauses dealing with sensitive personal data were removed from the original bill when it was converted into an Act. Many argue that the DPDP Act is vague about how consent is acquired and data is processed, and that it contains broad exemptions for the government, making it essentially a squandered opportunity. The Act is intended to strike the appropriate balance between its accomplishments and criticisms, as well as uphold the Supreme Court’s decision on privacy. Looking ahead, the projected enhancements and adjustments to India’s legislative framework for data security demonstrate a forward-thinking attitude to resolving the complications posed by cutting-edge technology such as artificial intelligence and the Internet of Things. The combination of improved security technology and comprehensive regulation paves the way for the preservation of individual privacy rights while promoting the expansion of the digital economy. As I conclude, it is obvious that data protection regulations in India are always evolving, reflecting the dynamic interplay of technology, legislation, and societal demands.
RUHANI DUHAN
UILS, CHANDIGARH UNIVERSITY
[1] AIR 2017 SC 4161
[2] In 2012, Justice K.S. Puttaswamy (Retd.) filed a petition in the Supreme Court challenging the constitutionality of Aadhaar on the grounds that it violates the Right to Privacy.
[3] (2017) 10 SCC 641
[4] Federal Register / Vol. 78, No. 12
