Blog authored by Jessica Mariam Vinod, law student of Government Law College, Thrissur.
India is going through an era where cyber crimes are rising at an alarming rate. The situation seems to be out of control. Looking at the list of cybercrimes in the recent past including cyberstalking, bullying, phishing, identity theft, hacking, online harassments, etc, clearly shows that the IT Laws haven’t given the expected results despite all the endless efforts to bring the crime rate under control. One of the most discussed and prevalent cyber crimes include privacy issues. This is a grievous and serious matter to be given due focus as it is a clear intrusion to the privacy of citizens. Men and women are equally victims of cybercrimes. However, most reported cyber crimes are those against women.
Data Protection Law in India
India has no specific legislation on data protection. India is not a party to any International Convention on the protection of personal data, equivalent to the GDPR or the Data Protection Directive. But the legislature did amend the IT Act to include Section 43A and Section 72A, which gives the right to compensation for improper disclosure of personal information. The amendments came to force from 27th October 2009.
Later, the Central Government issued Information Technology Rules, 2011(The Rules), under Section 43A of IT Act (11th April 2011). Clarification to ‘The Rules’ was issued on 24th August 2011, ‘The Clarification’.
Issues, Case laws and Judgements
Controversies regarding the privacy issues of citizens concerning Aadhaar Act,2016 is still prevalent and citizens are anticipating new legislation to come into force for personal data protection. Financial and Telecom sector are subject to obligations of confidentiality under sectoral laws. In the landmark case of JUSTICE K S PUTTUSWAMI v. UNION OF INDIA, the right to privacy was challenged and the honourable Supreme Court recognised right to privacy as a fundamental right under Art.21 of Constitution as an element of the right to life and personal liberty. Court held that any information about a person and the right to its access needs to be given the protection of Privacy. Thus pronounced was the Privacy Judgement on 24th August 2017. The court stated that individuals should be vested with the rights to control the commercial use of their identity. It’s the first time the Supreme Court expressly recognised the right of the individual over their data. In the same judgement, it was held that to enforce the right to privacy against Private entities may require legal intervention. The Supreme Court in the final judgement on Aadhar upheld its validity and held that Aadhaar Act does not violate the right to privacy when a person agrees to share his/her biometric data. Yet, the Supreme Court barred private firms from making use of Aadhar card for KYC Authentication purposes. But Aadhar will continue to be in use for various other purposes like PAN Card & ITR filing.
Personal Data Protection Bill (PDP Bill)
India couldn’t put it’s citizens’ Protection & Privacy at stake. Thus the Government of India formed a committee to propose a draft statute on Data Protection. The Committee proposed draft law and Government of India has issued the Personal Data Protection Bill, 2019 (PDP Bill). It will be India’s first law on Protection of Personal Data and will lead to the repeal of Section 43A of IT Act. It has not yet been implemented and is still under discussion. Joint Parliamentary Committee is considering the Bill. Along with it, the revised draft is expected to be issued this year. Yet the implementation will occur in a phased manner.
Comparison of PDP with existing provisions
Rules under Section 43A of IT Act applies only to Corporate Bodies or any person located within India or to any offence committed by a person outside India using a system or network in India. However, the PDP Act applies also to people outside India in connection with a business run in India, providing service or goods to individuals in India or profiling of Individuals in India.
The Bill has brought in the concept of ‘Data Fiduciary’ & ‘Data Processor’.This is equivalent to the concept of Controller and Processor under GDPR.
The Rules applies only to electronic records, Aadhar Act applies to Manual and Electronic records and PDP applies to both electronic and manual records.
Right to be Forgotten
It is a great concept which can be included in Right to Privacy and even to PDP Bill. It is well known that the browsing history even if erased is visible. In such a case, if a person wants to come out of his/her once existed negative thoughts or bad habits, the eternal existence of his/her history shouldn’t become a social stigma. A system should be introduced where the activities’ history of a person on the Internet gets completely erased after a specific period. When a person’s internet history is visible to another, that should also be considered as an intrusion to the privacy of that person.
One of the main cyber-risks is to believe they don’t exist. That’s what happens most of the time. People believe they won’t fall victims to cyber crimes and fail to be alert. Have in mind, that being victims to cyber crimes can happen to anyone. The best way is to keep eyes and ears open to detect spams. Never blindly trust messages and don’t act without checking the authenticity of the messages or sites. Terms and conditions of various sites should be read and understood well. These are the simplest way to keep ourselves & thereby our country safe.