Privacy law refers to the laws that deal with the regulation, storage, and use of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organizations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information.
Privacy laws are considered within the context of an individual's privacy rights or within the reasonable expectation of privacy. The Universal Declaration of Human Rights states that everyone has the right to privacy. The interpretation of these rights varies by country and is not always harmonious.
Privacy law in India:-
Article 21 of the Indian Constitution is a fundamental right that guarantees the protection of life and personal liberty. On August 24th, 2017, the Supreme Court in the decision of Justice K.S. Puttaswamy (retd.) & Anr. vs. Union of India and Ors. held that privacy is a constitutionally protected right that arises out of Article 21 of the Indian Constitution. The protection under Article 21 is not absolute and is subject to certain restrictions. For instance, the right could be restricted if there is a law created by the legislature to restrict the same (such law should promote a legitimate state interest, should not be arbitrary, and should be proportionate to the object of the law). A draft Personal Data Protection Bill is presently under consideration. As of date, the current framework for data protection is set out in the Information Technology Act, 2000 ("IT Act") and the rules issued thereunder, most importantly the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Recent developments and decisions regarding data privacy by the government:-
On 2nd September 2020, the Ministry of Electronics and Information Technology (MEITY), Government of India, invoking its power under section 69A of the Information Technology Act read with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009, and because of the emergent nature of threats, blocked 118 mobile apps. As per the notification issued by MEITY, these apps were engaged in activities that are prejudicial to sovereignty and integrity of India, defense of India, security of State, and public order. Further, MEITY had received many complaints from various sources, including several reports about the misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users' data in an unauthorized manner to servers that have locations outside India. The compilation of this data, its mining, and profiling by elements hostile to the national security and defense of India, which ultimately impinges upon the sovereignty and integrity of India, is a matter of very deep and immediate concern which required emergency measures. This move by MEITY was to safeguard the interests of crores of Indian mobile and internet users. This decision is a targeted move to ensure the safety, security, and sovereignty of Indian cyberspace.
Current Laws in India:-
India does not have a stand-alone personal data protection law to protect personal data and information shared or received in a verbal or written or electronic form. Though protections are available, they are contained in a mix of statutes, rules, and guidelines.
The most prominent provisions are contained in the Information Technology Act, 2000 (as amended by the Information Technology Amendment Act, 2008) read with the Information Technology [Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information] Rules, 2011 (SPDI Rules). It is the primary law in India dealing with cybercrime and electronic commerce. SPDI Rules, as the name suggests, only cover data and information which is exchanged in an electronic form and not those received through non-electronic communication.
When the IT Act, 2000 came into force on October 17, 2000, the laws and procedures under the Act lacked the protections and provisions required to protect an individual's sensitive personal information provided electronically. This eventually led to the introduction of the Information Technology Bill, 2006 in the Indian Parliament, which then led to the Information Technology (Amendment) Act, 2008, whose provisions came into force on October 27, 2009. It inserted Section 43A in the Information Technology Act, according to which, if:
A corporate body possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s) so affected.
It also inserted Section 72A, which provides the punishment for disclosure of information in breach of a lawful contract: any person may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both, where the information is disclosed in breach of a lawful contract.
Penalty for the same is mentioned in Section 72 of the IT Act. The Section provides that any person who, in pursuance of any of the powers conferred under the IT Act, Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, and discloses such electronic record, book, register, correspondence, information, document or other material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with a fine which may extend to Rs 1,00,000 (approx. US$ 3,000), or with both.
Section 75 mandates that provisions of this Act shall also apply to an offense/contravention committed outside India by any person if the conduct constituting an offense involves a computer/computer network located in India.
However, the scope and coverage of the IT Act and Rules are limited. The majority of the provisions only apply to 'sensitive personal data and information' collected through a 'computer resource'. The provisions are restricted to corporate entities undertaking the automated processing of data, and consumers are only able to take enforcement action in relation to a small subset of the provisions. There is no provision on data localization, which was the major concern and reason for the ban of the Chinese apps in India.
The Personal Data Protection Bill, 2019:-
After the Supreme Court's landmark judgment in the Justice KS Puttaswamy case, which held that privacy is a constitutional right, the MEITY formed a 10-member committee led by retired Supreme Court judge B.N. Srikrishna for making recommendations for a draft Bill on the protection of personal data. After working on it for a year, the committee submitted its report titled "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians" along with the draft bill on personal data protection. The revised Personal Data Protection Bill, 2019 (Bill), was introduced by Mr. Ravi Shankar Prasad, Minister for Electronics and Information Technology, in the Lok Sabha on December 11, 2019. Currently, the Bill is being examined by a 30-member team of the Joint Parliamentary Committee (JPC), which has been asked to present its report in the winter session of the Parliament in December 2020.
Salient Features of the act:-
Application of the act:- The Bill governs the processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India by:
i. Government, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law;
ii. Data fiduciaries or data processors not present within the territory of India, if such processing is:
a. in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
b. in connection with any activity which involves profiling of data principals within the territory of India.
iii. However, it will not apply to anonymized data. "Anonymisation", in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority. "Anonymised data" means data that has undergone the process of anonymization.
Kinds of personal data:-
The Bill has categorized data under three broad heads– Personal Data, Sensitive Personal Data, and Critical Personal Data.
i. Personal data includes data that pertains to characteristics, traits or attributes of identity, which can be used to identify an individual, collected online or offline.
ii. Sensitive Personal data includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
iii. Critical Personal Data means such personal data as may be notified by the Central Government to be the critical personal data.
Restriction on transfer of personal data outside India:-
i. Personal Data can be processed and stored outside India.
ii. Sensitive Personal Data should be stored in India and may be transferred outside India for processing if explicitly consented to by the data principal for such transfer and subject to certain additional conditions such as:
a. the transfer is made pursuant to a contract or intra-group scheme approved by the Authority and it has made provisions for effective protection of the rights of the data principal under this Act, including in relation to further transfer to any other person;
b. the Central Government, after consultation with the Authority, has allowed the transfer to a country or such entity or class of entity in a country or an international organization on the basis of its finding that:
(i) such sensitive personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements; and
(ii) such transfer shall not prejudicially affect the enforcement of relevant laws by authorities with appropriate jurisdiction; and
c. Critical personal data can