The term ‘personal data’ means any information relating to an individual through which such individual is directly or indirectly identifiable. This information can thus be related to a person’s physical, psychological, economic, cultural, or any other identity through which the person can be identified in the social world. Technological advancement has seen an unprecedented and constant upward spike since the advent of the internet age. Many of these technologies need to be fed with real data to function properly. Therefore, there has been an increase in the need and thereby, demand for data in the market. This has led companies and other stakeholders to collect, store, transfer, share, and use large amounts of data in recent times. This gave rise to what we today know as big data. This only increases every day with the increase in new users joining the internet regime and availing of web services in various forms.
Although the internet age seems utopian due to the convenience it provides to the human race, we have now realized that there are also darker parts to it. This realization is what has sparked human interest in the concept of ‘data privacy’. As humans realize the numerous shortcomings and security concerns associated with sharing of data, especially when done through an online medium (as it can be said to be more dangerous than the offline data collection endeavors due to its spontaneity, lesser awareness in public and unregulated nature), the collective need of individuals, organizations, and nations, for ensuring privacy and security of personal data has gained momentum.
Preserving Personal Data
One outcome of this realization could be seen in the Indian government’s recent decision to ban hundreds of computer or mobile phone applications that it found to be collecting, sharing, and using consumer data in a manner that could prove to be a threat to citizens’ and national security of India. This move of the Indian government can be seen as a practical extension of the Indian Supreme Court’s decision in the case of Justice K.S. Puttaswamy vs Union of India, recognizing and affirming a person’s ‘right to privacy’ as a fundamental right guaranteed under Article 21 of the Constitution of India.
The Right to Privacy encompasses within itself the privacy regarding one’s personal information shared across any media or platform. This decision as well as a general realization on part of Indian scholars and government that the existing legal regime [Information Technology Act, 2000, Indian Penal Code, 1860, etc.] is doing little to prevent data breaches and thus, secure and ensure data privacy to its citizens, led to the formulation and tabling of the Personal Data Protection Bill (PGPB), 2019 in the Indian Parliament by the Ministry of Electronics and Information Technology. This PGPB was then handed over to a Joint Parliamentary Committee for analysis by experts and stakeholders. On 16 December 2021, the Committee report and finalized Data Protection Bill, 2021 was published. The Bill is still pending before the Parliament of India.
Data Privacy Laws in India
At present, the Information Technology Act, 2000 (as amended by the Information Technology Amendment Act, 2008) read with the Information Technology Rules are at the forefront of what can be pursued as India’s data privacy or security regime as they primarily deal with electronic commerce and cybercrime in India. Therefore, it does not cover offline data transactions. The 2008 Amendment was significant as it introduced Section 43A to the Act and attempted to fill the gap in protection and provisions required for the protection of an individual’s electronically provided sensitive personal information. The section makes any corporate body dealing with sensitive personal data or information responsible for its protection of it. It holds the corporate body liable to pay damages to the affected person(s) in cases of negligence in maintaining reasonable security to protect concerned data resulting in wrongful loss or wrongful gain to any person.
Therefore, it is a provision aimed at increasing personal data security. Further, Sections 72 and 72A strengthen this position by providing “the punishment for any person who has secured access to mentioned data or information in pursuance of any of the powers conferred under the IT Act Rules or Regulations and discloses it to any other person without the consent of the person concerned” and “the punishment for disclosure of information in breach of lawful contract”, respectively. The punishments constitute heavy fines and imprisonment for up to three years. It can be seen through these provisions that the Act is limited in its scope as it only applies to corporate entities involved in collecting automated processing of ‘sensitive personal data and information’ through ‘computer resource’ and the victim consumers of data breaches can take action in relation to limited provisions.
Nonetheless, the Act broadens its scope as it is made extraterritorial in its application by Section 75 makes its provisions applicable to “an offense/ contravention committed outside India by any person if the conduct constituting an offense involves a computer/ computer network located in India.” However, the effectiveness of the Act at the extraterritorial level cannot be said to be high due to jurisdictional restrictions. The present data privacy scenario in India is, therefore, clearly non-exhaustible and limited in its coverage. The new-age Data Protection Bill, 2021 seeks to strengthen India’s position on this front by introducing a consumer-oriented data privacy law. India is further focusing on restricting cross-border data transfers and on formulating a data localization policy.
Laws in the Western World
The situation in the European Union (EU) and the USA differ from that in India. The EU has the most comprehensive data privacy and security law in the world in the form of the General Data Protection Regulation (GDPR). It is the EU’s central law that emerged after a need for uniformity and updating of outdated provisions was felt under the previously existing regime, namely, the Data Protection Directive (DPD). The GDPR is consumer-oriented and finds its basis in the “Privacy by Design” school of thought as enshrined by it under Article 25. It brought all the members of the EU at par and in agreement with each other regarding data privacy and security requirements to protect their citizen’s data and is well-drafted. It is seen as a basic framework by most nations in order to build their own data laws. The data privacy regime in the USA is different from this as it lacks a central federal data privacy and security law. The data privacy front at the federal level in the US is currently held by different industry or age-focused vertical legislations namely, the US Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), 1996, the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), etc. These legislations lack the proper coverage and update in provisions required for ensuring complete data privacy in the internet era.
Although the US has no federal legislation to regulate internet-based operations, attempts are being made in the US at state-level to bring into force state level, new-generation consumer-oriented data privacy, and security laws. One such example is the California Consumer Privacy Act (CCPA) focusing on ensuring the consumers’ data privacy on the internet. The states of Maine and Nevada have also implemented state-level data privacy legislation along with California.
Other states have followed suit by introducing bills regarding data privacy. These are the Massachusetts Data Privacy Law, New York Privacy Act, Hawaii Consumer Privacy Protection Act, Maryland Online Consumer Protection Act, and North Dakota’s HB 1485. Efforts are also being made to introduce a federal data privacy law in the US. This is evident from recent proposals in this regard- Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (S.2499), Consumer Data Privacy and Security Act of 2021 (S.1494), and the Online Privacy Act of 2019 proposed by Congresswoman Eshoo.
Comparison of Data Privacy Laws of India with the Western World
All three countries- India, the EU, and the USA are moving towards consumer-oriented data privacy and security regime. India’s Data Protection Bill, 2021 is primarily based on the European Union’s General Data Protection Regulation (GDPR) framework, which in turn is in line with the “Privacy by Design” school of thought prevalent in the USA. The Indian Bill goes a step further by trying to create unique legislation tailored to India’s growing need for data privacy and security as one of the largest consumer markets in the world. It encompasses not just personal but also non-public personal information (NPI) within its scope, as updated till 2021. This approach can be first observed in USA’s Gramm-Leach-Bliley Act (GLBA) which protects any “information collected about an individual in connection with providing a financial product or service unless that information is otherwise publicly available”. Such information is what is generally referred to as non-public personal information (NPI).
In the US, a consumer can opt out of their NPI being shared with a “non-affiliated” third party. The GDPR too, in its general approach, takes a similar view. However, the consumer flexibility and choice provided by these legislations may vary. For example, under GLBA, the consumers cannot control or restrict the sharing of their NPI with companies that are affiliated with the banking or insurance company that they are sharing their NPI. This may put the consumers in a tight spot regarding sharing their NPI with the concerned company as they are left with only two options- either to avail of the services of the concerned company or not. In today’s era of consumer-friendly markets and consumer-oriented privacy laws, GLBA’s lack of flexibility and space for consumer choice can be said to be losing on this front. Indian and the EU, both legal regimes protect non-anonymized data.
The CCPA, California state law in the US embodies several unique features such as the ‘data subject access request (DSAR)’, the ‘right to delete’, ‘right to sue’ to victims of a data breach (limited right), etc. The GDPR and the upcoming Indian regime, both provide for legal remedy for any concerned person to directly sue a processor for damages. By virtue of these, any covered business (under CCPA) cannot sell personal data without prior web notice regarding such sale and sufficient opportunity to opt-out of the data subject(s). A similar provision has been seen in the proposed Indian Data Protection Bill, 2021. The Indian Bill has taken a preventive approach and defines in detail the information that needs to be displayed at the commencement of data collection to obtain consent, before sharing data with other parties and in event of a data breach.
The concept of notification of data breach to the concerned customer or data subject or data principal can be found in all three regions. The CCPA further provides a very broad definition of personal information and therefore, takes a similarly expansive view as that of the EU’s GDPR. The CCPA also provides a long list of identifiers that it considers as a data subject’s personal information. This too is similar to GDPR’s perspective as GDPR has specifically mentioned several such identifiers to reduce confusion in the EU market. The Indian Data Protection Bill, 2021 also seems to follow this line.
However, the ‘probabilistic identifiers’ (or quasi-PII) are a unique feature introduced by the CCPA. The CCPA also provides a data security clause, although vague, by asking companies to “implement and maintain reasonable security procedures”. There is hope for development in this regard by keeping the Center of Internet Security’s Top 20 controls and the NIST Critical Infrastructure Security (CIS) Framework at the base of such development. Another feature in the US proposed state bills is consumers’ right to sue for any violation of law without suffering a loss of money or property as a result of the violation, something missing from the current Indian law as being liable under Indian law currently requires a wrongful loss or wrongful gain to take place from an alleged data breach.
The US proposed state laws also talk about completely restricting websites from non-consensual passing on of any customer’s information to third parties, and imposing the role of data fiduciary on all businesses and thereby, holding them to be legally responsible for all consumer data that they hold. Similar provisions can be seen in India’s Data Protection Bill, 2021. Even under GDPR, the data controller is held ultimately responsible for the security and processing of the data. The liability is also placed on the cloud provider under Article 5 of GDPR to protect the security of data given to it by the data controller. This leads to another similarity between the Indian and US law as they use the terms ‘data fiduciary’ and ‘consumers’ or ‘data principals’ which are similar to the EU’s ‘data controller’ and ‘data subject’. The US Bill and laws, EU’s GDPR, and the Indian Data Protection Bill, 2021 also all provide for the right of confirmation and access to information, the right of correction and erasure, and the right to be forgotten. However, the intensity and scope of their application may differ from region to region. The same is the case with grievance redressal and penalties across these jurisdictions.
The comparison of data privacy laws of the three regions- India, the EU, and the USA has led to the following observations. One, the general trend of implemented and upcoming data privacy regimes in these areas are similar to one another and have the ‘Privacy by Design’ principle at its base with its advocacy for consumer-oriented data laws and collection of the minimum required and necessary data from data subjects and deletion of such on completion of the purpose for which it was collected for.
The major dissimilarity in the general scenario of the three regions can be seen in their present scenario, that is, in the laws in force at the present day in these regions. While the EU has implemented a central full-fledged data privacy legislation, India lacks behind with its central legislation with limited data privacy provisions with limited scope. The US falls further behind as regards the implementation of data privacy legislation providing for the protection of personal data as regards the internet of things. However, it can be said that India and USA are at par in their efforts of creating a strong and effective data privacy regime with the introduction of related bills in their parliament. But at present, only the EU can be said to have a data privacy law in full strength and capable of protecting the citizens’ interests. The regimes also differ in the applicability of their laws. While the EU and Indian laws, presently in force, are extraterritorial in their application, US law lacks this feature.
Finally, it can be safely assumed that the upcoming data privacy law regime in all three regions will be similar in the sense that they will promote principles and provisions such as Privacy by design, transparency, security safeguards, corporate responsibility, notification of data breaches within a reasonable time as soon as possible, appointment of Data Protection Officers to advise firms, Data Protection Impact Assessments, data audits, etc.
With this said, we have high hopes for the Indian Data Protection Bill, 2021 as it improves highly on the previously suggested Personal Data Protection Bill, 2019, and is still undergoing debates in the parliament. It also goes a step further by trying to be unique legislation tailored to India’s growing need for data privacy and security as one of the largest consumer markets in the world.