Data is a big thing. No, I’m not talking about “big data”, which is something related but different. I am referring to data of all sorts; from your dental bills to databases of the IRS.
As information technology has evolved (and is evolving) to unprecedented levels and the discourse of data and information has become widespread due to the proliferation of websites; data protection and privacy is the hot topic of debate today.
The web is expanding as you are reading this article. The web has become entangled with apps, networks, information and data. Posting information on the web has been never been easier. From birthday wishes to death threats; from school reports to medical diagnosis; the web accounts almost every dimension of human life. But much easier is it, to copy and circulate information than to create it in the web.
This calls for stringent data protection laws across all services of the internet.
Most jurisdictions have evoked data protection and privacy laws. No one has done it better than the European Union, from whom India has a lot to learn. The European Data Protection Directive (Directive 95/46/EC) of the European Parliament and of the Council set the standard on data protection. The Directive has been adopted into the national laws of the members of the European Union. Immediately, India should learn these three aspects from EU Data Law:
India should have a data privacy law in the first place.
Before we start comparing data privacy laws with the EU or the any other jurisdiction, India should bring out its own data privacy legislation. Whether the legislation would be comprehensive or porous, having on in the first place would show that India is serious about Data Protection.
Currently Data Privacy is regulated by the Information Technology Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
A sui generis legislation for Data Protection for the Union had been on the boil for almost a decade. A Personal Data Protection Bill was introduced in 2006, however, it was never passed by the Parliament; nor was it re-introduced.
Recently the European Court’s decision on the “right to be forgotten” stirred up quite a controversy and debate. The court ordered Google to delete old and irrelevant information of users and to omit websites from its search results which provided such information.
The EU Court was imposing the data quality and relevancy principle embedded in the EU Data Law, which required data to be processed as are “adequate, relevant and not excessive in relation to the purpose for which they are collected and/or further processed.” Let’s not debate on how saucy the judgement is; but let us admit the fact that the EU was strict in imposing liability on data controllers. As a result, Google has started deleting such information from its results.
The Right to Data Privacy and Data Protection
EU Law treats data protection and privacy as a right rather than a privilege. The Council of Europe Convention 108 explicitly recognises the right to privacy; which the proposed Indian data protection bill has omitted to do so. Yes, one could derive the right to stem from Article 21 and 19 of the Constitution of India; but it makes a difference when it is expressed through statute.
The EU Laws concords the rights as enshrined in the Universal Declaration of Human Rights and the European Convention on Human Rights. Failing to recognise the right to data privacy and protection as fundamental rights through statute prevents them from being regarded as cavalier.
Image from here
Basil Ajith is a lawyer, a former student of the Kerala Law Academy Law College and currently working as General Manager (Operations) at the legal academic services firm Law Pundits LLP. His primary areas of interest are International Law, Internet Law and Intellectual Property Law. He runs a blog-site on international law named International Law Made Easy. Apart from law he has varied interests including music, writing, arts, technology and the Bible.