With the advancement in technology, personal data created and stored in hard disk cloud, database, memory disk, internet, computer, etc., continues to grow at limitless rates, thereby leading the data to enter the Public Domain. This data is then subjected to maxim threats, which are classified into two categories - external threats to information security such as threats from hackers, network security threats, denial-of- service attacks, software threats, etc. and internal threats which are often associated with misuse or misrepresentation of information, data breaches and leaks.

The term Data Protection means legal control over access to and use of data stored. In other words, it refers to a series of continuous and repetitive processes, sound policies and privacy laws to reduce intrusion in one's privacy.

On August 24, 2017, a nine-judgebenchof the Supreme Court, in the landmark case of Justice K.S. Puttaswamy and Anr. v. Union of India and Ors22, has ruled "Privacy" as a Fundamental Right essential to life and liberty, and thereby, it has been put under the ambit of Article 21 of the Indian Constitution. The bench comprised Chief Justice Khehar and Justices J. Chelameswar, S.A. Bobde, R.K. Agrawal, Rohinton Nariman, A.M. Sapre, D.Y. Chandrachud, Sanjay Kishan Kaul and S. Abdul Nazeer.

The Judgement was delivered by Justice D.Y. Chandrachud, wherein he stated "Ours is an age of information. Information is knowledge. The old adage that 'knowledge is power' has stark implications for the position of the individual where data is ubiquitous, an all- encompassing presence. The internet has become all pervasive as individuals spend more and more time online each day of their lives... the internet is used to carry on business and to buy goods and services."

It was further stated, "Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state."

In order to have an effective and efficient data protection mechanism in India, Justice BN Srikrishna Committee was formed, which has submitted the draft bill on personal data protection to the Ministry of Electronic and Information Technology on July 27, 2018. As per the draft bill, "Personal Data" means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.

Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state." In order to have an effective and efficient data protection mechanism in India, Justice BN Srikrishna Committee was formed, which has submitted the draft bill on personal data protection to the Ministry of Electronic and Information Technology on July 27, 2018. As per the draft bill, "Personal Data" means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.

1. The draft bill aims to establish the following :

  • Fiduciary relationship and obligations on the part of the fiduciaries
  • The manner in which personal and sensitive data is to be processed
  • Establish safeguards for transparency and accountability
  • Establishment of Data Protection Authority Imposition of penalties

2. The draft bill has introduced concepts which are the essence of data protection , such as:

  • Data fiduciary: Any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
  • Data principal: Refers to the natural person, such as an individual, a Hindu undivided family, a company, a firm, the state, an association of persons or a body of individuals and every artificial judicial person.
  • Data processor: Means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary.

3. The key aspects of the Personal Data Protection Bill are:

Data protection obligations

  • The bill imposes duty on the person processing the personal data of data principal to process such personal data in a fair and reasonable manner that respects the privacy of the data principal. Collection of personal data to be limited to the purpose of processing. The data fiduciary shall be responsible for complying with the obligations in respect of any processing undertaken by it or on its behalf.

Grounds for processing personal data

The Bill makes consent an essential part of processing data. No data shall be processed without the consent of the data principal. However, the data shall be processed without consent only on certain grounds specified in the draft bill, such as:

  • If processing is necessary for any function of Parliament or any State Legislature or for any service or benefit to the data principal.
  • For compliance with any order or judgement of any Court or Tribunal in India.
  • To respond to any medical emergency involving a threat to the life, a severe threat to the health or outbreak of disease.
  • Recruitment or termination of employment of a data principal by data fiduciary.
  • Prevention and detection of any unlawful activity, mergers and acquisition, credit scoring, recovery of debt and whistle blowing.

Grounds for processing sensitive personal Data

The term 'Sensitive Personal Data' includes passwords, financial data, health data, biometric data, genetic data, and data on caste or tribe or religious and political beliefs. The sensitive personal data may be processed on the basis of explicit consent for:

  • Any function of Parliament or any State Legislature,
  • For any service or benefit to the data principal.
  • For compliance with any order or judgement of any Court or Tribunal in India.
  • To respond to any medical emergency involving a threat to the life, a severe threat to the health or outbreak of disease.

Rights of Data Principal

The Data Principal are granted certain rights such as:

  • Right to confirmation whether the data fiduciary is processing or has processed the personal data and access to the data.
  • Right to correction of inaccurate, misleading or incomplete personal data.
  • Right to data portability.
  • Right to be forgotten, i.e., the right to restrict or prevent continuing disclosure of personal data by a data fiduciary.

Transfer of personal data outside India

Personal data other than those categorized as sensitive personal data may be transferred outside the territory of India under the following conditions:

  • Transfer is made subject to standard contractual clauses or inter-group schemes that have been approved by the Authority.
  • The Central Government has prescribed that transfers to a particular country or sector within a country is permissible.
  • The Authority approves a particular transfer or set of transfers as permissible.
  • In furtherance to the above, the data principal has consented to such transfer of personal data.

Exemptions

Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law be permitted, provided it is authorized by a law made by Parliament and State Legislature.

Conclusion

The Ministry of Electronics and Information Technology has announced that before the Draft Bill is passed by the Parliament, it will undergo intensive parliamentary consultation. The Ministry solicits comments from General Public on the Draft Bill in order to ensure that it is indeed the need of the hour and beneficial to the interests of the individuals. The Draft Bill, when enacted will give way to new data privacy regime, which is based on trust and efficient mechanism between the Data Fiduciary and Data Principal. The Draft Bill imposes series of obligations on the State and makes it accountable for processing the personal data of an individual, thereby protecting both - the personal data and the constitutionally guaranteed right to privacy.

Footnote

22 WRIT PETITION (CIVIL) NO 494 OF 2012

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.