We need data protection and privacy law

Protecting individual’s right to privacy is a fundamental right

Privacy is an entitlement of every free man and woman. Article 21 of the Constitution, as interpreted by the Supreme Court, is the heart of the fundamental rights. It states that, no person shall be deprived of his or her life or personal liberty except according to the procedure established by law. Right to privacy, i.e. safeguarding of personal information from public domain to avoid unwarranted interference, is an integral component of Article 21 of the Constitution.

In the era of internet induced information explosion, right to privacy extends to protection of personal data on the web domain. On the one hand, science and technology is revolutionalising our lives and on the other, privacy has become a luxury in this digital era. The recent revelation that Facebook has been allowed by WhatsApp to use the personal data of users for commercial purpose has once again revived the demand for a stringent privacy law in India.

Facebook has been given access to the names, phone numbers and other personal data of millions of WhatsApp users for advertising purpose. Sharing this kind of metadata may give Facebook a better view of users’ online communication activities, affiliations and habits, but it runs the risk of making private WhatsApp contacts into more public Facebook connections.

In India, over 70 million people are using WhatsApp. Facebook has more than 142 million active users in India out of which at least 133 million users are accessing the site through mobile phones. Therefore, the access would have implications for millions of users of the social networking sites.

Besides risks relating to individual privacy, lack of data protection has serious security implications also. With the advent of technology and e-commerce, the problems related to the same are also increasing day by day. India itself has faced a tremendous increase in cyber crimes and data stealing.

The cyber protection cells have witnessed various instances of data theft recently. Some recent press reports have indicated that 2014-15 saw the largest number of incursions and hacks into government websites. It’s obvious that this lack of accountability to individual data poses a significant risk to the individuals and agencies concerned. In 2015 itself, the websites of TRAI, the Indian Army, JNU, ISRO and CBI websites were hacked.

India presently does not have any express legislation governing data protection or privacy. Unlike the EU, India does not have any separate law which is designed exclusively for the data protection. As of now, the issue of data protection is generally governed by the contractual relationship between the parties and the parties are free to enter into contracts to determine their relationship defining the terms personal data, personal sensitive data, data which may not be transferred out of or to India and mode of handling of the same.

Prior to 2011 the situation of the laws related to data protection was very vague and ambiguous. The relevant laws in India dealing with data protection were the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. However, both these Acts were not fully equipped to deal with data protection and privacy. The concept of “personal data” is not even defined in the IT Act.

In 2011, India felt the need for a strict and stringent data protection law. Thus, a new set of rules named the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 came into picture. A draft was prepared in 2011 with the objective to protect individuals against misuse of their personal data by government and private agencies, including unauthorised sharing of Aadhar data of Indian citizens. The scope of the bill was later expanded in 2014 to include all residents of India, citizen or otherwise.

There is an imperative on the part of the government to expedite formulation of a legislation that will guarantee protection to individuals against breach of their privacy through unlawful means.

India, being the host and the biggest platform of data outsourcing needs an effective and well formulated mechanism for dealing with these crimes. In the absence of a specific legislation, the Indian software and outsourcing industry has been taking initiatives on its own that would provide comfort to the foreign clients and vendors.

The National Association of Service & Software Companies (NASSCOM) has been the driving force behind many private sector efforts to improve data security. For sustaining and encouraging the BPO boom, India needs to have a legal framework that meets with the expectations, both legal and of a public nature, as prevail in the jurisdictions from which data is being shipped to India.

In practical terms the biggest hurdle for India is to have its framework of domestic data protection laws officially adjudged and publicly perceived as “adequate”. A dedicated data protection law would give further impetus to not only the outsourcing industry but to the foreign direct investment policy at large.

Undoubtedly, the concept of data privacy and protection is at a nascent stage in India. But, the lack of a comprehensive legislation pertaining to privacy and data protection has been a matter of concern. A new legislation dealing specifically with the protection of data and information present on the web is the dire need of the day. At the same time, the new legislation should maintain a balance between individual privacy and tightening its grip on the increasing rate of cyber crimes.

The minister of state for Personnel, Jitendra Singh, had informed Rajya Sabha in August, 2015 that the Centre was in the process of drafting a legislation that will guarantee protection to individuals against breach of their privacy through unlawful means. It has been more than a year since Digital India was launched.

The need for a robust and comprehensive privacy legislation to protect the rights of citizens is imminent at this stage. India is a signatory to the TRIPS and is, therefore, bound to have its domestic laws conform to the requirements of its Article 39, which deals with protection of undisclosed information.

With the passage of time, India has seen the emergence of various legal challenges pertaining to preservation and protection of sensitive personal data and information. Keeping an eye on its recent data misuse scams and also to protect individual’s right to privacy which is treated as part of fundamental right to life, the government should come up with a comprehensive data protection policy.

No legislation is effective without making sure it can be implemented. Therefore, a specialised agency should be created under the act with enforcement powers to regulate, monitor, set standards and investigate complaints.

Srouce – http://www.mydigitalfc.com/op-ed/we-need-data-protection-privacy-law-896