DATA PROTECTION REGIME IN INDIA: An analysis in light of EU’s GDPR

By Aarushi Sahu | July 12, 2018

As India moves towards the goal of a digital economy, it needs an adequate law to protect data and the rights of citizens whose personal data is held. This article analyses whether the digital developments in India are in consonance with the data protection regime in India and in the wider world, where privacy is acknowledged as a fundamental right, and whether India can build on data protection laws such as the EU’s GDPR (General Data Protection Regulation).

The country has recently seen many developments that demonstrate the pressing need for data protection regulation in India. Aadhaar, a government scheme for a unique identification system and the targeted delivery of services, is one of them.

EXISTING LAWS GOVERNING THE DATA PROTECTION REGIME

Data protection refers to the set of privacy laws, policies and procedures that aim to minimise intrusion into one’s privacy caused by the collection, storage and dissemination of personal data. The 2011 Rules under the IT Act and the recent ‘Guidelines for securing Identity Information and Sensitive Personal Data or Information (SPDI) in compliance to VDR Act, 2012 and the IT Act, 2000’ attempt to ensure that the right to privacy of citizens is not violated.

The SPDI Rules mandate certain requirements for the collection of information,[1] and insist that it be done only for a lawful purpose connected with the function of the organisation.[2] In addition, every organisation is required to have a detailed privacy policy.[3] The SPDI Rules also set out instructions on the period for which information may be retained,[4] and give individuals the right to correct their information.[5] Disclosure is not permitted without the consent of the provider of the information, unless such disclosure is contractually permitted or necessary for legal compliance.[6] When information is shared with government agencies, the consent of the provider is not required, and such information can be shared for purposes such as verification of identity, and the prevention, detection and investigation (including of cyber incidents), prosecution and punishment of offences.[7]

The SPDI Rules apply only to corporate entities[8] and leave the government and government bodies outside their ambit; the rules are restricted to ‘sensitive personal data’, which includes attributes such as sexual orientation, medical records and history, biometric information etc.,[9] and not to the larger category of personal data.

Further, the Cyber Appellate Tribunal (CyAT), which hears appeals under the IT Act, issued its last order in 2011. The absence of effective enforcement machinery therefore raises concerns about the implementation of the SPDI Rules. It is thus necessary to enact a comprehensive law that adequately protects personal data in all its dimensions and ensures effective enforcement machinery for the same.[10]

COMPATIBILITY OF EXISTING LAWS

Data protection entails (1) a privacy policy, (2) consent and notification, (3) use, retention and withdrawal, (4) disclosure and (5) transfer. Of these essentials, only the privacy policy and consent elements are addressed by the IT Act and Rules. A complete framework also recognises the right to confirm whether data about oneself is being collected, the right to access data, the right to rectification of data, the right to data portability, the right to restrict processing, the right to erasure and the right to object to processing. There is therefore a need for data protection laws that hold stakeholders accountable, penalise any breach and guarantee the security and confidentiality of information.

IMPLICATIONS AND NEED

The data protected by the current legislation in India can be compared with the data covered by the EU GDPR. The EU GDPR categorises ‘special category data’, which includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, or data relating to the health, sex life and sexual orientation of an individual. By contrast, ‘personal data’ as per the SPDI Rules is defined as passwords, financial information such as bank account or credit card or debit card or other payment instrument details, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information. The scope of data protected under the IT Act is therefore very narrow in comparison with the data protected under the EU’s GDPR.

Other major differences between the GDPR and the existing framework in India are set out below.

1. Principles of processing and collection of data (data transfer for electronic commerce)

GDPR (Art. 5 of GDPR)

  • The GDPR specifically confers protection on natural persons and their rights and freedoms in relation to data processing. This is not expressed in the IT Act.
  • The principles given in the GDPR apply to data processing.

IT ACT AND RULES (Rule 5 of IT Rules, 2011)

  • The principles under the IT Act apply to the collection and use of information; processing is not mentioned.
  • Principles listed in the GDPR but not mentioned in the IT Act are data integrity, protection from unlawful processing, accountability, fairness and transparency.

2. Lawfulness of processing

GDPR (Art. 6 of GDPR)

  • The GDPR lists five additional conditions on the necessity of processing: (a) performance of a contract to which the data subject is party; (b) compliance with a legal obligation to which the controller is subject; (c) protecting the vital interests of the data subject or another natural person; (d) protecting the public interest or exercising official authority vested in the controller; (e) fulfilling the legitimate interests of the controller or a third party.
  • The GDPR also confers on the Member States the power to introduce specific requirements for processing.
  • Similar conditions are not mandated under the IT Act.

IT ACT AND RULES (Rule 5 of IT Rules, 2011)

  • Unlike the GDPR, the IT Act does not have a provision that specifically deals with the “lawfulness” of processing.

3. Sensitive personal data

GDPR (Art. 9 of GDPR)

  • The EU GDPR categorises ‘special category data’, which includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, or data relating to the health, sex life and sexual orientation of an individual.

IT ACT AND RULES (Sec. 43A of the IT Act, 2000 and Rule 3 of IT Rules, 2011)

  • Personal data as per the SPDI Rules is defined as passwords, financial information such as bank account or credit card or debit card or other payment instrument details, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information.

4. Rights

GDPR (Art. 14–18, Art. 20–22 and Art. 7(3) of GDPR)

  • The IT Act excludes some important rights given in the GDPR: the right of access, the right to restrict processing, the right to data portability, the right to object, the right to erasure, and rights in relation to automated decision making and profiling.

IT ACT AND RULES (Rule 5(6), Rule 5(3) and Rule 5(7) of IT Rules, 2011)

  • Unlike the GDPR, the IT Act does not use the word “right”.
  • The rights recognised are the right to rectification, the right to be informed and the right to withdraw consent.

5. Punishment for disclosure of information

GDPR (Art. 83 of GDPR)

  • The GDPR imposes civil liability only: it does not impose criminal penalties, but provides for high administrative fines for infringement of its provisions. A data breach similar to the one covered by Sec. 72A of the IT Act can attract administrative fines of up to 10,000,000 EUR under the GDPR.

IT ACT AND RULES (Sec. 72A of IT Act, 2000)

  • The IT Act also imposes criminal liability. Sec. 72A applies when there is disclosure of personal data by a service provider in breach of contract. As with Sec. 43A, it has to be proved that the disclosure was made with the intention of causing wrongful loss or gain to the person concerned, and without the consent of the person concerned or in breach of contract. The section imposes penal liability on the offender, punishable with imprisonment of up to 3 years, a fine of up to 5 lakh rupees, or both.

One area to consider is the electronic consent architecture in India, which is world-class to begin with; however, it should be extended further. For example, Indian residents ought to be able to claim penalties if organisations fail to obtain clear consent to use their personal data. Likewise, there is the question of what constitutes personal and sensitive data. Freely available data such as a person’s name and email ID could be classified as personal data, while data about a person’s net worth or investment decisions ought to be treated as sensitive data, which requires stronger governance and compliance measures. Digital marketers ought to be able to use technology to define data categories on the basis of such guidelines.

They also need to understand the rules for portability of customer data: what can and cannot be shared, with or without the customer’s consent, with competitors or with the industry at large. Indian enterprises handling customer data also need to store, organise and control access to the customer data in their possession in accordance with global standards. This will prepare them for any data protection regime and compliance standards that the Government may implement, which is likely to happen soon. India Inc. could therefore learn from the GDPR and leapfrog the curve, as it has done before with technology solutions in sectors such as banking and telecom.

Hence, the GDPR has affected many international organisations, as it aims to protect the data of European citizens by every means; this implies that even data used by organisations for marketing is covered under it, and all companies that interact directly or indirectly with European organisations have to be GDPR compliant. Measured against the GDPR, the IT Act and Rules fall short in the rights they recognise and protect. India needs such a framework, and there is a need to re-evaluate the definition of ‘Sensitive Personal Data’ in India and widen its ambit in order to cater to current needs and protect citizens in the face of technology and government schemes such as Aadhaar, DigiLocker etc.

By – Aarushi Sahu

Symbiosis Law School, Pune

Sources

[1] Rule 5(1), SPDI Rules.

[2] Rule 5(2), SPDI Rules.

[3] Rule 4, SPDI Rules.

[4] Rule 5(4), SPDI Rules.

[5] Rule 5(6), SPDI Rules.

[6] Rule 6, SPDI Rules.

[7] Rule 6(1), SPDI Rules.

[8] Section 43-A, IT Act.

[9] Rule 3, SPDI Rules.

[10] White Paper, MeitY.

