Personal Data Protection Bill | Right To Privacy UPSC | IAS Target IAS Target

Personal Data Protection Bill

02 Apr 2022

Category : Science and Technology

Topic: Personal Data Protection Bill

Introduction

We live in the 21st century where we no longer have to wait in large lines in front of banks for financial services, & we can get any item delivered to our home after placing an online order. That is the benefit of information technology. With the advent of the internet and its expansion in accessibility, we are witnessing a new world in which communication, accessibility, information exchange, & transparency are improved. But, as the saying goes, there will be some drawbacks for every gain. As technology advances, so does its misuse, which is virtually unavoidable given the rising usage of the internet for the interchange of sensitive, private, & commercial information. Several questions are raised, including who owns this information. Who will have access to it? What, if any, restrictions apply to the use of this information? As with all things technological, the law pays for a catch-up. Jurists all across the world are struggling to reconcile conventional legal concepts with the excessively intrusive times we live in. Several countries requesting and wanting access to information from their citizens and companies further complicates this stance. What, on the other hand, are the privacy constraints? Can information be asked for basic services, travel, or even government benefits? Is national security more important than privacy?
At all times, privacy was an important aspect of human life. However, as more data is digitized and information is exchanged online, data privacy is becoming more important. Data privacy relates to how data is managed based on its perceived importance. It's not simply a business problem; people have a lot at risk when it comes to the privacy of their information.

Data Privacy

Data surrounds and produces us in almost everything we do. The first type is information that we freely provide, & the 2nd type is information that is created every time we do something whether it's traveling, ordering a meal, or utilizing transportation. There is little question that this information is extremely valuable, and that multiple firms are willing to pay for access to it. Indeed, in this era of global and nearly free internet access, information is the new money. What's more exciting is that you don't know the full scope of the information possibilities. As technology progresses, new applications increase the value of information.
The amount of information created by the usage of different technological devices and applications has expanded significantly in recent years. Today's businesses receive enormous value from reviewing vast amounts of data and frequently base their business plans on such evaluation. While the importance of corporate efficiency cannot be overstated, the burning question is whether people have control over how other people access and analyze data on them.
Several questions are raised, including who owns this information. Who will have access to it? What, if any, restrictions apply to the use of this information? As with all things technological, the law pays for a catch-up. Jurists all across the world are struggling to reconcile conventional legal concepts with the excessively intrusive times we live in. Several countries requesting and wanting access to information from their citizens and companies further complicates this stance. What, on the other hand, are the privacy constraints? Can information be asked for basic services, travel, or even government benefits? Is national security more important than privacy?
Privacy is the right to be alone or to be free of character assault or mistreatment. The right to privacy is the right to be free of unwelcome advertisement, to live a quiet existence, and to be free of unwarranted public intrusion on topics that are not necessarily of public importance.
There is no new constitutional right to privacy. It was a common law concept, and a breach of privacy gives the individual the right to sue for tort damages. Tremayne's Case was one of the earliest on the subject (1604). The case included the London Sheriff entering a residence to carry out a legal writ. While respecting a man's right to solitude, Sir Edward Coke stated that "the house of everyone belongs to him as his castle and stronghold, as well for his defense against damage and violence, as for his relaxation”. The concept of privacy continued to evolve in England during the nineteenth century and is now firmly entrenched around the world. In the case of Campbell v. MGN3, the court found that "where there is an intrusion in a circumstance where a person might reasonably expect his privacy to be respected, such intrusion will be susceptible of giving rise to liability unless the intrusion can be justified".
Indian Law on the Right to Privacy according to Article 21 of the Indian Constitution,” No individual shall be deprived of his life or personal liberty unless under the method provided by Law”. On August 24, 2017, the Supreme Court held that the right to privacy is a basic right guaranteed by the Part III of the Indian Constitution. This Law and Regulation choice will have far-reaching consequences. New rules will now be evaluated using the same criteria that laws that infringe personal freedom are evaluated under Article 21 of the Indian Constitution. The right to privacy is now indisputably accessible-the question that remains unusual is its contours and limitations.
There is no comprehensive data protection and privacy regulation in India. The present laws and policies are primarily sectoral. As of today, the necessary provisions of the Information Technology Act, 2000 and its regulations regulate the collecting, processing, & use of private information & sensitive private data or information by a corporate entity in India, in addition to other sectoral legislation.
In the case of M. P. Sharma & Ors. v Satish Chandra, District Magistrate, Delhi, & Ors., where the warrant granted for search and seizure was challenged under Sections 94 and 96(1) of the Criminal Code of Procedure (CrPC), the Supreme Court (SC) 1st considered whether the "right to privacy" is a fundamental right. The Supreme Court (SC) concluded that the right to search and seize did not violate any constitutional provisions. In addition, the Court failed to acknowledge the right to privacy as a fundamental right protected by India's Constitution.
Following that, in the case of Gobind v State of M.P., the police's right to housekeeping was deemed incompatible with the right to privacy guaranteed by Article 21 of the Indian Constitution. The Supreme Court decided that police legislation violated the idea of private liberty, and it also perceived the right to privacy as a basic and fundamental right protected by the Indian Constitution, but it supported the growth of the right to privacy on a case-by-case basis and denied it as an absolute right.
As a result, the fundamental right to privacy may give birth to two interconnected safeguards:
  1. Against the world at large, and to be respected by everyone, including the State: the right to determine what personal information is disclosed into the public domain.
  2. Against the State: as a logical corollary of democratic principles, limited governance, and state power limitations.
As a result of this decision, the right to privacy has become more than merely common law, and it is now more solid and sacred than any legislative right. As a result, such invasion of privacy must now be justified in the framework of Article 21 of the Constitution by legislation requiring a fair, just, and reasonable method.

Current Concerns

The Supreme Court established a three-part requirement for the state to interfere with basic rights. While the State may intervene to protect the State's lawful interests:
  1. There must be a law in place to justify a violation of privacy and sensitive information, which is an express requirement of Article 21 of the Indian Constitution;
  2. The nature & content of the law imposing the limitation must fall within the reasonableness area prescribed by Article 14; and
  3. The means used by the legislatures.
As a result, any rules targeted at violating an individual's right to privacy must meet the proportionality and reasonableness standard. It will take some time for the law to definitively define what constitutes reasonable and appropriate state intrusion. In contrast to the current consent-based paradigm, it is frequently argued that India should embrace rights-based information privacy frameworks. Once the user's consent has been obtained, the information controller is free to handle, use, and share the information with any third party under the consent-based model. However, most people are aware of the true consequences of indiscreet data sharing at the time of acceptance. The rights-based paradigm, on the other hand, allows consumers to have greater control over their information while requiring the information controller to ensure that users' rights are not violated. As a consequence, clients have more control over their personal information.
The Supreme Court's determination in the previous judgments allows Indians to seek legal redress if their data privacy rights are violated. This might influence India's internet enterprises' privacy and security practices. Consumers can not only file torture claims, but they can also assert their fundamental right to privacy.

Concerns and difficulties

The nature of data is protected by Indian laws.

Because India lacks a comprehensive data protection structure, the main legislation dealing with data protection is the IT Act & the Information Technology (Reasonable Security Practices & Procedures & Sensitive Personal Information) Rules, 2011. Under the Information Technology Act and the IT Rules, personal data and sensitive personal data or information, such as password-related information, financial information such as bank account or credit card or debit card or other payment tool details, physical, physiological, & mental health conditions, sexual orientation, medical records, and history, are primarily intended to be protected.
Material and information that is freely available in the public domain, on the other hand, is not considered sensitive personal data or information. Furthermore, the limits only apply to a business organization collecting and disseminating data.

Who has the power to get personal information?

According to Rule 5 of the IT Rules, no corporate entity or individual acting on its behalf shall gather sensitive or private information and data unless:
  1. The data is acquired for a justifiable reason about the corporate body's function or process, or
  2. The information is obtained for a justifiable reason related to the corporate body's function or activity.
  3. Obtaining such knowledge for that purpose is deemed appropriate.
Furthermore, the person providing the information must be told that the information is being collected, the purpose of the collection, the intended receivers of the information, the name and address of the agency collecting the information, & the agency holding the information.

Timetable for retaining personal data.

Any company or individual who holds sensitive personal data or information on their behalf cannot keep it for any way too long than is compulsory for the reasons for which the information or data may be legally used or is otherwise needed for the time being under any law, and such knowledge may be used only for the purpose for which it was gathered.
Furthermore, before collecting information, the body corporate or any person acting on its behalf must offer the source of the information with the option of not providing the data or information sought to be gathered. The data supplier has the option of withdrawing its previously granted consent at any time, whether the services are accessible or not.
In contrast to the current consent-based paradigm, it is frequently argued that India should embrace rights-based information privacy frameworks. Once the user's consent has been obtained, the information controller is free to handle, use, & share the information with any 3rd party under the consent-based model. However, most people are aware of the true consequences of indiscreet data sharing at the time of acceptance. The rights-based paradigm, on the other hand, allows consumers to have greater control over their information while requiring the information controller to ensure that users' rights are not violated. As a consequence, clients have more control over their personal information.
The Supreme Court's determination in the previous judgments allows Indians to seek legal redress if their data privacy rights are violated. This might influence India's internet enterprises' privacy and security practices. Consumers can not only file torture claims, but they can also assert their fundamental right to privacy.

Extend the scope of personal data sharing with 3rd parties

The corporate entity receiving the information may disclose sensitive personal data or information to any 3rd party if prior authorization is obtained from the provider of such information, such disclosure is agreed upon in the contract between the recipient & the information provider, or disclosure is required to comply with a legal obligation.
However, if the information is shared with government organizations mandated by legislation to acquire information, including sensitive private data or information for identity authentication purposes, or to prevent, detect, investigate, including cyber incidences, prosecute, and punish offenses, no such approval from the information supplier is required.

Employers' obligations concerning employee personal data collection

Employers often collect sensitive private data from their workers, such as health information, economic data, and so on. If the employer or company stores such personal information on a personal computer, such employer, if a corporate body, is required to have in place a comprehensive documented information security program and information security policies that include managerial, technical, operational, and physical security control measures commensurate with the protected information assets. Employers can also follow 'the international Standard IS/ISO/IEC 27001 on Information Technology (IT) – Security Techniques – Information Security Management System (ISMS) – Requirements’.
Furthermore, under Rule 4 of the IT Rules, the employer, as a corporate body that gathers, receives, has, shops, and employee data is required to have a privacy policy in place to manage or disseminate such private data. The firm must also offer employees a copy of the privacy policy for review and post it on their website.

Conclusion and Analysis

From the above discussion, it is clear that a comprehensive legislative framework controlling the acquisition and transmission of private information is urgently required. There are no comprehensive regulations governing the processing of private data that is not private data or information that is not sensitive in and of itself. After being acquired by Facebook Inc., WhatsApp Inc. changed its privacy policy, and users were notified that their WhatsApp account data would be shared with Facebook to improve Facebook ads and product experiences, and users were asked to agree to the updated terms for continued use of WhatsApp on or before September 25, 2016.
In light of this expansion, Karmanya Singh Sareen and others filed a written suit with the Delhi High Court, saying that eliminating the privacy of WhatsApp users' information and sharing it with Facebook violated the users' fundamental freedoms protected by Article 21 of the Indian Constitution.
While deciding on the sensitive matter like privacy, the Delhi High Court (HC) ordered that if users choose to delete their WhatsApp account entirely, WhatsApp will delete user data entirely from its servers & refrain from exchanging user data with Facebook and that users who choose to stay on WhatsApp will not be communicated with their current information/data/details until September 25, 2016. The court also directed the government of India to explore if putting messaging apps like WhatsApp within a statutory regulatory framework is a possible option.
Personal information protection is intimately linked to privacy, which is every person's right to live his or her life & freedom without arbitrary interference with his or her private life, family, home, or communication, among other things. The phrase private, as opposed to public, must be understood. As a result, in today's intrusive era of information technology (IT), the right to be left alone and its security is critical. Because no one legislation in India covers data protection fully, the legal clauses governing the same must be derived from numerous legislative acts.