It is almost impossible for any person today to live without digital and technological aid, it will be very hard to refrain from using social media apps, shopping apps, transaction apps today as we are heavily dependent on them. Thinking about our life without these aids is almost unimaginable. Along with the great ease and facility that this digital era provides us, there is a word of caution which each of us should be aware of. The data which we provide for anything has a great chance to be altered or misused against the individual to invade our privacy or harm us in any possible way. The incidents of cybercrime are very common making India among the top 5 countries to be affected by cybercrime.
To address this very main issue, data protection acts come into play to protect the interests, rights, and privacy of the people. These legislations govern the collection, use, transmission, and dissemination of that data, regulates the compilation, recording, organization, storage, updating or alteration, consultation, retrieval, usage, consolidation, blocking, erasure, or destruction of personal data while maintaining the free flow of information to facilitate creativity and growth.
Data can be divided into two categories: public data and personal data. Public data is information that is available to the general public, such as court records, birth records, death records, and basic business information. Private data, on the other hand, is confidential to an entity or agency and cannot be publicly disseminated by others without the subject's consent. Financial data, family information, browsing details, interests, psychological traits, locations and travel experience, attitudes, skills, photos, aptitudes, and similar information are all included. It may be a mixture of these characteristics or even inferences based on the distilled results.
HISTORY AND EVOLUTION
In 1970, the German state of Hessia passed the world's first data protection law. The term "informational self-determination" was first used in Germany in the course of a constitutional decision concerning personal data gathered during the 1983 census.
However, a significant shift in privacy legislation occurred in 1995, when the European Union (EU) passed Directive 95/46/EC for the first time. This directive established an organized framework for EU member countries for inter-country personal data transfer/flow, protection against unlawful processing of personal data, data processing regulation, and classification and protection of sensitive data, but it was recently superseded by the all-new EU Act — General Data Protection Regulation (GDPR), which took effect on May 25, 2018.
Thereafter, many countries came up with legislation for regulating and protecting the data. The Philippines passed The Data Privacy Act of 2012, Canada passed the Personal Information Protection and Electronic Documents Act (PIPEDA), 2001 Brazil's General Personal Data Protection Law (LGPD) became law on September 18, 2020, India came up with The Data Protection Bill, 2019 which is still to be passed by parliament.
DATA PROTECTION LAWS AROUND THE WORLD
There is no international law to regulate data protection currently. The United Nation Conference on Trade and Development (UNCTAD) is a UN body which partially looks upon this issue by way of surveys and providing data of the legislation across the world. UNCTAD’s Cyberlaw Tracker, launched in 2015, provides a repository of relevant laws in four legal areas essential for building trust in e-commerce: e-transactions, cybercrime, consumer protection, as well as data and privacy protection.
According to the data of the United Nations Conference On Trade And Development(UNCTAD), 66% of total countries have legislation on data protection, 10% have draft legislation, and 19% of countries with no legislation.
European Union’s, General Data Protection Regulation (GDPR) can be considered as legislation that is followed by a large number of countries. It is strictly followed by 27 members of the Union and has inspired the rest of the countries around the world to model their legislation on these lines.
In Justice K S Puttaswamy and Anr. Vs. Union of India and Ors., the Hon'ble Supreme Court of India ruled that the right to privacy is a constitutional right protected by Article 21 of the Constitution. Following that, a committee led by Justice B.N. Srikrishna was formed to investigate the problems around data security in India. The act aims to modernize India's existing data security legislation, which is regulated by the Information Technology Act of 2000. It proposes to regulate the collection of personal data of individuals by the Indian government, Indian companies, and foreign companies. The Personal Data Protection bill (PDPB), 2019 is broadly modeled after EU General Data Protection Regulation (GDPR).
The bill divides data into three classifications: Critical, Sensitive, and General. Sensitive personal data includes financial data, health data, sex life, sexual orientation, biometric data, transgender status, caste or tribe, religious and political affiliations, etc. With the user's express permission, sensitive data can be stored outside of India. Critical personal data will be notified by the government every once in a while and must be stored and handled only in India. Every non-critical and non-sensitive data is classified as general data, which has no restrictions on where it can be processed or handled.
The bill provides its subject certain rights, which are:
The right to request confirmation from the fiduciary as to whether or not their sensitive data has been processed.
The right to seek correction of inaccurate, incomplete, or out-of-date personal data.
The right to have personal data transferred to any other data fiduciary in certain circumstances
The right to limit a fiduciary's continued disclosure of their personal details if it is no longer required or consent has been revoked.
The bill describes social media intermediaries as services that enable two or more users to share, distribute, upload, disseminate, or generate content. This would allow the government to designate them as data fiduciaries, requiring them to abide by the provisions of the Bill.
DATA PROTECTION AUTHORITY AND EXEMPTIONS
The bill calls for the creation of a Data Protection Authority to safeguard data subjects' interests, discourage abuse of personal data, ensure compliance, and raise data protection awareness. The authority will have the power to keep a database on its website with the names of important data fiduciaries and a ranking in the form of a data trust score that will show whether or not they are complying with the bill's provisions.
Every legislation has some exemptions’ because the blanket protection of an individual’s right is not possible, and these exceptions are required for the smooth running of the administration. The bill consists of the regulatory sandbox, under which some authorities and entities are exempted from complying with the provisions of the act. A sandbox is mandated by the data protection authority to support and facilitate artificial intelligence, machine learning, and other emerging technologies.
FINE AND PENALTY:
The bill carries stiff penalties. For collecting or transferring personal data in breach of the Act, a fine of INR 15 crores or 4% of the data fiduciary's annual revenue, whichever is greater, will be levied. In the event that the data fiduciary fails to perform a data audit, a fine of INR 5 crores or 2% of the data fiduciary's annual revenue, whichever is greater, will be levied.
The government has the right to access personal information for a variety of purposes, including national security, sovereignty, and dignity. This might lead to the state intruding into citizens' lives, defeating the bill's intent. The process for appointing members is still a source of contention.
The General Data Protection Regulation (GDPR) went into effect in 2018 and is the world's most comprehensive privacy statute to date. It has since inspired the revision of existing legislation and the development of new ones all over the world. Countries like Brazil, Australia, Japan, South Korea, India, the USA, Thailand, Chile, New Zealand, South Africa, and Canada have revisited their existing law and created data protection laws inspired by GDPR.
Article 17 of the General Data Protection Regulations (“GDPR”), as well as Recitals 65 and 66, guarantee the Right to be forgotten. It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”. The non-compliance to the rules will attract punitive punishments and hefty penalties for the companies, businesses, or whoever violates the law.
SOME KEY DIFFERENCES BETWEEN PDPB AND GDPR
The GDPR does not apply to non-personal or anonymized data, but under clause 91 of the bill, the government is allowed to request non-personal data from data fiduciaries and data principals in order to make policy decisions.
Financial information is not included in the GDPR definition of sensitive personal data, although it is included in clause 2(36) of the bill's definition of sensitive personal data. As a result, the bill's concept of sensitive personal data is broader than GDPR.
There is no similar clause in the GDPR for the classification of 'critical personal data.' Under Indian law, the central government will be able to classify what constitutes "critical personal data."
The GDPR requires that data be stored in a recognizable form, with an allowance for extending the storage period. If data needs to be kept for a longer period of time, the bill includes express "consent" from the data principal.
THE UNITED STATES
In the United States, there is no comprehensive set of privacy rights or standards that cover the use, storage, and dissemination of data. Instead, there is just a small amount of sector oversight. Second, the approach towards data protection varies for the public and private sectors. The government's actions and powers in relation to personal information are clearly established and addressed by large, sweeping legislation such as the Privacy Act and the Electronic Communications Privacy Act, among others. Certain industry-specific norms exist for the private sector, such as The Federal Trade Commission Act (FTC) protects consumers from unfair business practices.
The US model allows the collection of personal information as long as the individual is informed of such collection and use. However, it has been viewed as inadequate in key respects of regulation.
Privacy law, in the United States, is often a messy combination of public regulation, private self-regulation, and regulations that vary by state. Also, the duty of enforcement of these regulations is under several different government organizations Federal Communications Commissions (FCC) and Health Insurance Portability and Accountability Act (HIPAA). There is no uniform law or rule to decide the storing period of data, companies can keep the data indefinitely depending upon their own terms and conditions.
The recent California Consumer Privacy Act (CCPA), has many provisions that overlap with GDPR. California may be only one state out of fifty, but it has inspired legislators on both sides of the spectrum to launch a slew of parallel data protection bills and legislation in other states and at the federal level.
ICELAND:- Iceland has often been referred to as ‘Switzerland of data’. The Data Protection Act of 2000 in the Nordic Island nation is stringent about obtaining ‘unambiguous and informed consent' before harvesting personal data.
IRELAND:- The Data Protection Act of 1988 gave the island nation a head start on data privacy legislation, and the ePrivacy Regulations of 2011 built on the foundation.
AUSTRALIA:- The Australian Privacy Principles (APP) is a compilation of 13 principles that regulate the gathering of personal information, and it is backed by the powerful Office of the Australian Information Commissioner, which will hear public complaints and undertake free inquiries.
DENMARK:- Denmark's citizens' privacy is protected by a federal body called the Danish Data Protection Agency, which is based on the Personal Data Processing Act of 2000. Personal data should only be obtained with the user's express permission, and it can't be revealed to third parties for commercial purposes without their consent, according to this rule.