The right to privacy was deemed a basic right under the umbrella of life and liberty in Article 21 of our Constitution by India's Supreme Court in 2017. The data protection act was introduced in 2019 and is pending approval.
The actions a company takes to guarantee that data is secure and private are called data protection. Data privacy is one aspect of keeping data protected, while data security is the umbrella that encompasses what data is collected and how it is being secured. Data protection refers to a collection of privacy laws, rules, and practices that minimise the privacy invasions caused by gathering, storing, and sharing personal data. Personal data is any information that can be used to identify a specific individual, whether it is collected by a government agency, a private company, or another entity.
Legislators and regulators increasingly recognise data’s significance for advancing technology and the economy. As a result, 2021 saw significant changes in several industries related to personal data and data privacy protection.
The Joint Parliamentary Committee’s report on the planned data protection law changed the tone and scope of the Data Protection Bill in 2021. While the Bureau of Indian Regulations created data privacy guidelines as an assurance framework for businesses, the Reserve Bank of India created limits for lending services and payment aggregators. Additionally, the central government issued due diligence guidelines for internet gateways to follow.
What is the Data Protection Act in India?
The right to privacy was deemed a basic right under the umbrella of life and liberty in Article 21 of our Constitution by India’s Supreme Court in a landmark decision issued in 2017. The data protection act was introduced in 2019 and is currently pending in parliament. Its main objective was to accord a set of rights to individuals, i.e., Data Principals, and to impose a set of responsibilities on Data Fiduciaries (any organisation or private company collecting data). The right to privacy is a fundamental right, and the bill focuses on the intersection of the digital economy with personal data security and localisation. Global data privacy and protection legislation was made possible by the EU’s GDPR, and one of the newest examples is the Personal Data Protection Bill, which is now being developed in India.
Regulations Relating to Data Protection in India
Time is of the essence, according to advocates of data privacy. The bill still has not been passed and may even be replaced by a completely new one that, in the opinion of critics, must better address the needs of data protection in a developing technology ecosystem that has produced dozens of profitable start-ups in recent years. The absence of a regulatory framework puts data at high risk everywhere. Ransomware attacks are thought to have increased by 120 per cent in India in 2021, although they still represented only a small percentage of the 1.15 million registered cyberattacks across all industries.
The Bill of Data Protection, 2021
The main principles of the bill are individual consent, notification of data breach, transparency (privacy policies and prior notices outlining data processing practices), purpose-based processing, technical security, and the rights of people who provide sensitive personal data, like a social security number, or personal data with a high level of sensitivity, like name and email address. With these rights, people could more easily access, remove, and correct their data, giving them more control over how it is processed.
The law governing the management of privacy rights was established in August 2021. The High Court of Madras denied a petitioner’s request for the erasure of his court and criminal records after the petitioner was found not guilty in the case. The court dismissed the case because it was in the public interest to complete its task. The court added that these rights would be more effectively implemented once India established legislation protecting personal data. It is worthwhile to consider a few of the requirements outlined in the JPC’s report and the updated DPB. Consider the data localisation standards that apply to sensitive and important personal data: the transmission of information from India to a foreign nation would be constrained.
The Information Technology Rules, 2011
The Information Technology Rules, 2011, have been published by the government. The Rules solely address the safeguarding of “Sensitive Personal Information or data of a Person,” which covers personal data about:
- Finances, such as bank account, credit card, debit card, or other payment details
- Physiological, physical, and mental health condition
- Biometric profiles
- Medical history and records
The regulations outline the acceptable security policies and procedures that the body corporate, or any individual acting on the body corporate’s behalf, is obligated to adhere to when handling “Personal Sensitive Information or data.” In the event of a breach, the body corporate or any person acting on its behalf may be held responsible for compensating the individual harmed. Under section 72A of the Information Technology Act, 2000, disclosing information knowingly and wilfully without the subject’s consent and in violation of a valid contract is punishable by up to three years in prison and a fine of Rs 5 lakhs.
Regulators, lawmakers, the judiciary, and businesses can anticipate a busy year in 2022. Despite rumours of a potential re-draft of the bill, India is about to follow the EU’s example and streamline its data protection laws, more than three years after the General Data Protection Regulation entered into effect. A universal data protection law and sector-specific rules working together could lead to discussions and measures on various privacy issues. Furthermore, given the quick uptake of cutting-edge technologies like blockchain and AI, it would be worthwhile to watch and research how the current legislation would be applied to strategies based on decentralisation and anonymisation.
To better understand the different types of data they collect, how it moves throughout the organisation, and where it is stored, organisations should consider conducting periodic assessments and audits of their privacy procedures. Then, they should start taking corrective action to close any gaps they find.