Data Protection in India

India’s rapid growth in terms of technology, economy and other factors has brought out the issue of Data Privacy and Protection. India so far has lacked any substantive legislative framework focusing primarily on Data Privacy and Protection. The need for this Legislature prompted the government to form a committee of experts to draft a data protection Bill and the first bill in the year 2006 was based on European framework of European data privacy directive 1996.

Existing legislative safeguards

Data protection safeguards in India are mainly provided by the Information Technology (IT) Act, 2000. IT Act, 2000 and IT Rules (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), 2011, together provide the basic legislative safeguards for data security, privacy and protection in India. The sections 43A and 72A were added by the amendment of IT Act, 2008.  Section 43 and 43A of IT Act deals with unauthorized access of information and leakage of sensitive personal information along with the compensation to be paid to the victims in case of such breach of data. Cyber Appellate Tribunals have been set up to deal with such cases and various other breaches under the IT Act under Section 48. Section 72 of the IT Act deals with disclosure of information which is in breach of a contract and punishment for it, which may be imprisonment for a term which may extend to 3 years or with fine upto 5 lakh rupees or both. 

Judicial Safeguard following the AADHAR Judgement

Data protection was first recognized by the Supreme Court in the year 2017 in the case of Justice KS Puttaswamy v. Union of India, widely known as the Aadhar Judgement. The court felt the need for a strong data protection law and demanded the government to enact the same, as the existing safeguards were not sufficient enough. The court further recognized the various principles of data protection which are data retention, data minimization, purpose limitation and data security for the purpose of enactment of a proper legislation on data protection which should conform with the right to privacy of the individual. The Judgement had made a remarkable impact on the Indian Data Protection systems from where the Personal Data Protection Bill, 2018 was carved out. 

Data Protection Bills 2018 and 2019

The government appointed the committee of experts headed by retired Chief Justice BN Srikrishna in the year 2017 for Data Protection Bill. The committee submitted the draft of the Personal Data Protection Bill in the year 2018. The said bill was presented in the Lok Sabha recently in December 2019 for discussion and approval. The bill has been criticized by many on various grounds. The bill has been termed as a regressive bill which is giving personal data of people in the government. The bill characterizes data on the basis of three categories which are:

• Personal Data: includes characteristics, attributes, traits, features, etc. of an individual
• Sensitive Data: includes financial data, biometric data, sexual orientation and related data, religious beliefs, political beliefs, etc.
• Critical Data: includes Anything that the government at any time can deem critical, such as military or national security data
• The bill doesn’t describe what all data falls under critical data and provides for data to go outside of Indian soil, both of which are controversial topics.

The following sections of the clause makes the PDP, 2019 proposal open ended wherein the government can have access to certain data:

• 91 (1) Nothing in this Act shall prevent the Central Government from framing any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse, insofar as such policy do not govern personal data. 
• 91 (2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

The 2018 draft remained silent on what considerations the government will factor for classifying critical data.

A Concluding Note

According to the Supreme Court in the Puttaswamy judgement (2017), the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy, whereas the growth of the digital economy is also essential to open new junctures of socio-economic growth. In this context, the government policy on data protection must not dissuade framing any policy for the growth of the digital economy, to the extent that it doesn’t infringe on personal data privacy.