Data Protection In India

Srishti Saxena

15 May 2017 1:02 PM GMT

    People are increasingly making their personal information available publicly. Today there is an unprecedented amount of personal data available with Government and private sector players. The Digital India, Aadhaar and Demonetization drives have added to the already growing pool of personal data held by various public and private players to pursue their activities. Indian law does not define personal data. It has been defined by the EU's General Data Protection Regulation [REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL] as any information relating to an identified or identifiable natural person. From this definition it is clear that personal information includes biometric and economic information as well.

    Publicly available personal information poses a greater risk for Indians because the majority of the population is illiterate and there is no law mandating data protection. Individuals repeatedly transmit their personal information for various activities. Aspects such as the purpose for collecting personal information, how this information will be used, the security mechanisms put in place for protecting it, for how long it will be stored and what the procedure for destroying it will be are not known to the individual, nor have these aspects been defined uniformly in any law. India has no specific legislation focusing on data protection. A few principles of data protection are scattered through the IT Act and guidelines issued by the RBI, TRAI etc.

    Any kind of processing of personal data should be fair and transparent. Providers of personal information should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data and of how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data is processed should be explicit and legitimate and determined at the time of collection of the personal data. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including preventing unauthorised access to or use of personal data and the equipment used for the processing. The basic principles guiding the processing of personal data are as follows:

    • Lawfulness, fairness and transparency. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available for establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.

    • Personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

    • Collection of personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This is also known as the principle of data minimisation. There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

    • The agency collecting personal data should ensure the accuracy of the data and delete or rectify inaccurate data. The data quality principle entails that personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up to date.

    • Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

    • Personal data should be processed in a manner that ensures appropriate security of such data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This principle of integrity and confidentiality entails that personal data should not be disclosed, made available or otherwise used for purposes other than those specified except: (a) with the consent of the data subject; or (b) by the authority of law. As per the Security Safeguards Principle, personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

    • A data controller should be accountable for complying with measures which give effect to the principles stated above.

    • Data protection rules should be applicable to all entities and persons handling personal data – both private and public sector bodies. There is no rationale as to why principles such as openness, purpose limitation, use limitation, etc. should not be applicable to public bodies generally. Certain specialised functions such as those related to crime and investigation, national security, taxation should be exempted from the general obligations and should be subject to specific rules.


    It can be seen from above that protection of personal data and Right to privacy are intrinsically linked. Only a strong emphasis on the right to privacy can ensure that personal data is not shared or leaked incessantly without any checks. It is duty of the State to ensure individual autonomy. However, in recent times the very concept of the individual autonomy is also at risk. Right to privacy has its roots in the law of tort under which any unlawful invasion of privacy gave a cause of action for damages. The right to privacy has two aspects involved (1) unlawful invasion to privacy affords a tort action for damages resulting from an unlawful invasion of privacy and (2) the constitutional recognition given to the right to privacy which protects personal privacy against unlawful governmental invasion. The first aspect of this right must be said to have been violated where, for example, a person's name or likeness is used, without his consent, for advertising or non-advertising purposes or for that matter, his life story is written whether laudatory or otherwise and published without his consent as explained hereinafter. In recent times, however, this right has acquired a constitutional status.  It is not enumerated as a fundamental right but has been read into Article 21.  The Indian courts have to be thanked for the right to privacy’s development and evolution through the years. The first decision on right to privacy was Kharak Singh v. State of U.P. Since then the concept has evolved with every invasion to privacy.

    One of the most important pieces of legislation protecting our data at present is the Information Technology Act (hereinafter IT Act). The IT Act makes hacking and tampering with computer source code an offence and penalises unlawful access to data. However, it does not prescribe any minimum security standards with which the entities having control of data should comply, except in the case of sensitive personal information. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 define sensitive personal data or information of a person as such personal information which consists of information relating to: (i) password; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to a body corporate for providing service; and (viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise; provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules [Rule 3 of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011]. These rules list out the obligations of a body corporate while dealing with sensitive personal information and, in some cases, personal information.

    Body corporate has been defined under section 43A of the IT Act as any company, and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The law requires that where personal or sensitive information is disclosed in pursuance of a lawful contract, it is incumbent upon the body corporate to disclose its privacy policy. The privacy policy should contain the policy for handling such data, the body corporate's policies and procedures, the type of personal data that is being collected, the purpose and usage of such information, details about its disclosure and the reasonable security practices put in place. However, the reality is very different. The collectors of personal information simply draft a standard privacy policy and put it up on their website without following these guidelines. The provider of personal information is rarely aware of these policies or of the fact that he has to give his consent for use of such personal information. The holders of personal information then treat this lack of awareness as consent and use the information for any purpose they see fit. The consent of the provider of personal information has been reduced to a mere formality. Rule 5 seeks to address this very problem and states that the body corporate, or any person on its behalf, shall obtain consent in writing through letter, fax or email from the provider of the sensitive personal data or information regarding the purpose of usage before collection of such information. The provider of sensitive information shall have the option not to provide the data or to withdraw consent given earlier.

    While collecting information directly from the person concerned, the body corporate has to ensure that the person concerned has knowledge of the fact that information is being collected, the purpose for which the information is collected, the intended recipients of the information, and the name and address of the agency that is collecting the information and of the agency that will retain it. The body corporate can collect sensitive personal data or information only for a lawful purpose connected with its function, and only where collection of the information is considered necessary for that purpose. Sensitive information can be retained only for such time as is required for the purpose for which it was collected or as is required by any law. The collected information can be used only for the purpose for which it was collected.

    Personal data cannot be disclosed to a third party without the consent of the provider except in the following cases:

    1. Information is shared with Government agencies mandated under the law to obtain information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution and punishment of offences. The Government agency in such cases cannot share or publish the information received with any other person.

    2. Sensitive personal information is required to be disclosed by an order under the law.

    Bodies corporate handling sensitive personal information should have reasonable security practices in place [Rule 8, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011]. The international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard. Bodies corporate that have implemented the IS/ISO/IEC 27001 standard or other best practices are deemed to comply with reasonable security standards.

    Apart from these generic rules, the Aadhaar Act [The Aadhaar (Targeted delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016] provides for specific protection of the biometric data given by an individual to obtain an Aadhaar number. The Aadhaar Act mandates that the Unique Identification Authority of India (hereinafter Authority) shall ensure the security and confidentiality of identity information and authentication records of individuals. Sharing of core biometric information, and its use for any purpose other than generation of Aadhaar numbers and authentication, is prohibited. Identity information available with a requesting entity cannot be used for any purpose other than that specified to the individual at the time of submitting the identity information for authentication. Such identity information cannot be disclosed further, except with the prior consent of the individual. However, these restrictions regarding confidentiality do not apply to any disclosure of information made pursuant to an order of a court not inferior to that of a District Judge, or in case disclosure is required in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India [Section 33, The Aadhaar (Targeted delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016]. Rule 22 of the Aadhaar (Enrolment and Update) Regulations, 2016 provides the following measures for ensuring data security. Requesting entities and Authentication Service Agencies (ASAs) must locate the servers used for forming Aadhaar authentication requests and routing them to the CIDR (Central Identities Data Repository) within data centres located in India. Authentication Service Agencies are required to establish dual redundant, secured leased lines or MPLS connectivity with the data centres of the Authority. Requesting entities shall use appropriate licence keys to access the authentication facility provided by the Authority only through an ASA over a secure network.

    Both the IT Act and the Aadhaar Act impose a penalty for default; however, the penalty imposed is very small compared to the importance of the information. The penalty is supposed to deter unauthorised action; however, at this level it will have little or no deterrent effect. The Vidhi Centre for Legal Policy has also highlighted that these data protection laws are inadequate. On the international front, several countries such as Canada, the U.K. and Australia have enacted data protection laws. One comprehensive piece of legislation on data protection is the EU's General Data Protection Regulation. It regards protection of personal data as a fundamental right. This right is, however, not an absolute right. It must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This concept of proportionality has also been recognised in Indian law in the Aadhaar Act, wherein national security is carved out as an exception to the rule of non-disclosure of identity information. The IT Act also allows similar disclosures to Government agencies mandated under the law to obtain information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution and punishment of offences. The Government agency in such cases cannot share or publish the information received with any other person.

    The IT Act and the Aadhaar Act leave certain issues open: what can be termed personal data, the treatment of personal information of a deceased person, the right to be forgotten, and the differentiation between data controller and data processor and their respective obligations towards data subjects have not been provided for. It is for this reason that there is a need for a uniform, stringent law protecting personal data. Data protection laws have gained greater significance today, especially when India is marching towards complete digitisation.

    The data protection law should be equally applicable to the public and the private sector. Today, personal information is not only being held by the Government. It is increasingly being held by private players such as telecom companies, banks etc. This law should be applicable to natural persons irrespective of their nationality and residence. Similarly, it should apply equally to processors/controllers of personal data of Indian citizens, whether situated in India or abroad. The protection afforded should be applicable to both manual and automated methods of data processing. Specific exceptions should be carved out where data is being shared solely for personal reasons, such as social networking, or is needed for purposes of national security and integrity. At the same time, the law should ensure that service providers providing a medium for the exchange of data for personal reasons are bound not to disclose or use such information. It should be ensured that the data provider's consent for disclosure is in all cases an affirmative and informed act. Silence, inactivity or consent obtained through an overload of information should not constitute consent. There is a need for standards for the maintenance of records with respect to the processing of data, the method of notification of a data breach and a standard operating procedure in case of such breaches. Complaint mechanisms need to be defined wherever personal data is involved. In order to ensure that personal data is not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data is secure, and the data controller/processor should be held accountable for every breach.

    Srishti Saxena is working as an Assistant Manager (Legal) in Goods and Services Tax Network.
