INTRODUCTION
What is online privacy? How is it defined? Is it the presence of a choice, a sense of control over who can access someone’s personal information? Is it secrecy and obscurity to avoid exploitation? Privacy has no widely accepted and recognized definition. The most intuitive notion in regard to privacy is that it protects the things that we intentionally want to shield from exposure. Except, this control provided by tech companies is largely an illusion. Everyone’s online activity is monitored freely, not in an outright attempt to harm but to make internet experience better and easier. It is done to provide suggestions based on past interests and targeted advertising. This is why there is a need for a solid data protection law in every country. The absence of such an important feature can only be attributed to the fact that previously, the internet was fairly new, and rapidly developing— at a speed that was difficult to comprehend and adapt by lawmakers. Countries are finally coming around to developing privacy laws for the protection of personal data.
At the moment, India doesn’t specifically have any legislation relating to data protection, but it ascertains regulatory mechanisms for data protection and privacy through amendment under the Information Technology Act, 2000.[i]The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha for this very purpose, and it proposes to supersede the current provisions being used. So, let's discuss the key feature of this bill and how can it help protect the personal information of individuals.
RIGHTS OF THE INDIVIDUAL
The bill protects the rights of the individual so that their personal information cannot be used without their consent. The individual can obtain confirmation from the fiduciary on whether their data is being processed. They can seek to correct or update data, and the personal data referred to any other data fiduciary in certain circumstances.
The personal data that is retained for processing shall be deleted after processing is done. The individual also has the right to be forgotten, given that the order is given by an adjudicating officer. There is an emphasis laid on the rights of the children. Data Fiduciary must verify the age and obtain parental consent while processing sensitive data of children.
WHAT THE ACT WILL DO TO PROTECT YOUR RIGHTS?
The personal data obtained has to be used with the consent of the owner. There are only a few essential exceptions to this rule. These include data accessed to provide benefit to the individual by the state, legal procedures, medical emergencies, concerning the employment of the individual, or rational purposes like prevention of fraud, debt recovery, etc.
The Act also puts restrictions on the transfer of data outside India. The data can be transferred outside the country only with the explicit consent of the individual. The Act also seeks to strengthen the data protection framework enabled by the data fiduciaries. Failure to full such obligations can result in the punishment with a penalty that can extend to 5 crores or 2% of their total worldwide turnover, whichever is higher.
Companies no longer have the right to process personal data just because it is in their legitimate interest without notifying users. Previously, companies were allowed to collect information which they used freely and the rules that applied to them were wholly self-regulated. Now, the sensitive data that is obtained needs to be processed with strict regulations in place. The violation of the Act in terms of data processing is punishable with a fine of 15 crores or 4% of their total worldwide turnover, whichever is higher.
WHAT TO DO IF THE RIGHT HAS BEEN INFRINGED?
The data protection system would not be secure without an independent authority and way to deal with the grievances. The Act wants to establish a new position of the Data Protection Authority of India that will protect the interests of the individual and prevent the misuse of personal data. It will also be responsible for spreading awareness about data protection, ensure compliance with the bill.
The authorities would have the power to launch independent investigations into cases. Any person aggrieved with an order made by the authorities can still appeal in the
Appellate Tribunal.
CONCERNS OF THE ACT
It is perfectly normal for the government to add a few exceptions to Act that can access sensitive information for the benefit of the individual, safety, and security of the nation and prevention of incitement to offenses. But here, the center has the power to exempt any agency of the government from this act in the interest of sovereignty and integrity of India. The language here is purposely vague which dilutes the essence of the law. The government must not seek any exceptions or discounts to data protection and privacy rights when it comes to government use.
It must be a bigger obligation for the government to ensure data protection as it could be potentially a security risk as well. A cybersecurity incident in the U.S. resulted in records of millions of federal employees and family members being stolen.[ii] These limitations being proposed by the government should be prevented and exceptions must be clearly defined. This section of the legislation was heavily criticized.[iii]
The Act levies heavy fines on violation of the obligation of data protection, these fines should be applied on a limited basis, especially in small and medium enterprises, that aren’t aware of the obligation of data protection or simply do not understand it. If in case they don’t engage in significant data processing then we can look towards a more gradual approach to sanctions that do not involve imposing hefty fines, like implementing higher fines in cases of relapse— so that smaller businesses do not suffer.[iv]
Finally, the consent of the user or the individual is prominently discussed in this Act. No information can be used without the permission of the individual. This sort of control can be overwhelming. There is the implication that if we do not exercise this control, we are putting ourselves at risk. A complete and custom control over our privacy comes with the practical obligation of exercising this right, the inability to do which will result in our tactical failure. The consent-based mechanisms for personal data protection might not be very effective.[v]
CONCLUSION
The Personal Data Protection Bill, 2019 is a progressive reform of personal data protection legislation in India. It must be an efficient, user-centric, comprehensive, and clear set of rules which can be understood and followed by private and public entities.
REFERENCES
[i] Riya Jain, Privacy Concerns in the Wake of Technological Advancements in India. THE LEGAL JOURNAL ON TECHNOLOGY (Jul 27, 2020) https://www.thelegaljournalontechnology.com/post/privacy-concerns-in-the-wake-of-technological-advancements-in-india (last visited on Jul 31, 2020). [ii] Patricia Zengerle, Megan Cassella, Millions more Americans hit by government personnel data hack, REUTERS, 2015. https://www.reuters.com/article/us-cybersecurity-usa/millions-more-americans-hit-by-government-personnel-data-hack-idUSKCN0PJ2M420150709(last visited on Jul 31, 2020). [iii]Sobhana K. Nair, BJP, Opposition MPs oppose exemptions under Data Protection Law, THE HINDU, 2020. https://www.thehindu.com/news/national/bjp-opposition-mps-oppose-exemptions-under-data-protection-law/article32206621.ece (last visited on Jul 31, 2020). [iv] Creating a data protection framework: A Do’s and Don’t’s Guide for lawmakers, ACCESS NOW, 2018.https://www.accessnow.org/cms/assets/uploads/2019/11/Data-Protection-Guide-for-Lawmakers-Access-Now.pdf(last visited on Jul 31, 2020). [v]Anirudh Barman, Will India’s Proposed Data Protection Law Protect Privacy and Promote Growth?, CARNEGIE INDIA, Mar 9, 2020. https://carnegieindia.org/2020/03/09/will-india-s-proposed-data-protection-law-protect-privacy-and-promote-growth-pub-81217 (last visited on Jul 31, 2020).
Comments