This article was written by Stuti Shreya during her internship with LeDroit India.
Data is the new oil.
The term data mining has gained much relevance in the recent past. In the past decade we
have witnessed an increment in the user generated data as well as an increment in the
industrial value of data. The way this data is collected, transferred and used; it creates an
immense responsibility on the Government to protect data related rights of the citizens. When
it comes to personal data, it is a valuable source. It acts as a building block for creating new
business model. It creates an effective marketing strategy to develop effective consumer
goods and services. But here is the main issue; in the past recent years there have been cases
of data breach scandals and that too from big companies like Facebook, Uber, Ebay etc.
Where millions of individual data were compromised and these data were as personal as
credit card scores. In circumstances like these there is a much need of data regulation. A kind
of regulation that not only signifies that individual data belongs to the individual but any
organisation that beaches such data will be heavily fined as well. It acts like a guard for a
reasonable disclosure of data. It is possible through data protection that there is a remedy to
an unreasonable access of individual data and its harmful processing. Let’s shed a light on
General Data Protection Regulation to understand how data processing is regulated and what
steps have been taken in India for ethical processing of data.
WHAT IS GDPR?
The General Data Protection popularly called as GDPR is a European Law. The GDPR was
embraced on 14 April 2016, and became enforceable starting 25 May 2018. It’s a European
belief that in order to pursue sustainable democracy there must be a privacy of individual
data. The entire purpose of GDPR is to meet these requirements and to improve the quality of
past EU data protection command. It sets compulsory rules for the companies and
organisations to use individual’s personal data in an ethical way. A data that directly or
indirectly identifies a living person is a personal data. Examples of such data could be name,
phone number, information with regard to past purchases, contact list, health, online
presence, online behaviour etc. This data is processed in ways like collecting, storing,
structuring, organising, disclosing and even destructing data. Any organisation that collects
these data must have to abide by the GDPR rules and requirements. The application of GDPR is extra territorial; this means there should be compliance of GDPR by even those entities which are situated outside EU and are using the personal data of EU citizens.
General Principles of GDPR:
1.The data processing has to be done in a lawful way. It should be fair and transparent.
The prime most requirements is consent of the Data Subject, the consent can be
obtained in the circumstances like; a) Data Subject is a party to a contract and his
consent is necessary for the performance of contract. b) Data processing is necessary
for the performance of a certain task that is carried out for public interest or in the
exercise of official authority.
2.The processing of these data is to be done for a specific purpose only. The purpose
has to be legitimate and processing should not be done any further specifically when
the purpose is incompatible with initial one. There can be an exceptional circumstance
under which an incompatible purpose can be permitted but that has to be approved by
the GDPR rules only.
3. The data which is being processed should be adequate i.e nothing less or nothing
more than the purpose for which it is being used. In other words the data should be
related to that purpose and has to be used in that proportionate way.
4. There has to be a timeline for which this data is being used and it should not be used
in a way that it permits the identity of data subject for longer than necessary.
5. The consent should be obtained to process data; the consent should be apparent, well-founded and unambiguous. If there are multiple purpose of processing then consent
has to be obtained for all of them. If the assent is given with regards to a composed
affirmation concerning different issues, the assent solicitation should be unmistakably
discernable from different issues, in a comprehensible and effectively open structure,
utilizing clear and plain language.
PROTECTION OF DATA IN THE INDIAN CONTEXT
The Indian Government took a step to protect data through its legislation of Personal Data
Protection Bill (PDBP). The Personal Data Protection Bill, 2019 (“PDPB”) was presented
in Lok Sabha by the Minister of Electronics and Information Technology, on December
11, 2019. The bill is yet to become an act to attain enforceability. This act focuses to
control the Data Processing of the personal data of the Indian residents. Digitalisation is
the need for an economy to grow at a fast pace, with numerous global players attracted as
investors; it becomes necessary for these players to comply with PDPB. Following the
footsteps of EU’s GDPR, it also allows global companies to conduct business in the
Indian market adhering to the requirement of ethical processing of data. Considering
citizen data as a nation asset, India carries a bit more provisions than GDPR. The approach is to localise data, that is; store and protect the data within the boundaries of the nation and to safeguard it, in such a way that it can only be used in its defence and strategic interests. It may also require companies to change their business strategies and approach in order to provide their products and services. Off course this will increase the complexities to conduct a business but understanding these issues will help the business
houses to plan in furtherance, consider future regulations. Ultimately it leads to the
decision making of whether to continue, enter or exit.
To understand its impact on the conduct of companies and organisations it is imperative
to know the features of this bill, these are discussed as under:-
- The processing of data is very similar to GDPR.
- It is the duty of data fiduciary to verify the age and obtain parental consent when they
are processing the personal data of children. The measures they can take are
safeguard the data, d) educate the Authority by notice break regarding any close to
home information e) review its approaches and lead of strategies each year, f) attempt
information appraisal where huge information fiduciary embraces information
handling that includes new advancements or delicate individual information g) huge
information fiduciary will delegate an information insurance official to instruct and
observing the exercises with respect to the information trustee, and h) foundation
complaint redress systems to address grievances of people.
- The data cannot be obtained without consent except in certain cases, these exceptions
are a) if State requires it for the good of the individual b) in case of suits c) if there is
a medical emergency to respond d) the data is related to employment e) data required
to figure out fraud or its prevention f) mergers, acquisitions and recovery of debt.
- The individual have rights such as a) to confirm the fact from the fiduciary that their
personal data is being used b) look for rectification of erroneous, fragmented, or
update individual information, c) information transportability have individual
information alluded to some other information guardian in specific conditions, and d)
option to be failed to remember: limit proceeding with revelation of their own
information by a trustee, on the off chance that it is not, at this point important or
assent is removed.
- The bill also proposes a Data Protection Authority which will look into ensuring the
compliance of the bill. The authority will also take preventive steps to protect the data
of individuals and will raise awareness about data protection. The orders of the
authority can be appealed to an Appellate Tribunal. Any further appeals can be filed
to the Supreme Court.
- Any agency of the government will be exempted from the applicability of the act if
data was processed for a) security and sovereignty of the state, friendly relations with
other nations, b) with regard to these matters, to prevent a cognisable offence, c)
statistical data research, d) journalism, e) prosecution, investigation or prevention of
- If the data is sensitive and personal it can be transferred outside India only if there is
an explicit consent with storage of it in India. In case of a critical data, its processing
will only be done in India.
- In case of non-compliance with Personal Data Protection Bill; there will be two tier of
penalties and compensation a) Upon the failure of the information trustee to satisfy its
commitments for information assurance might be culpable with a punishment whichmay degree to Rs.5 crores or 2% of its all overall turnover of the former monetaryyear, whichever is higher. b) Handling information infringing upon the arrangementsof the PDPB is culpable with a fine of Rs.15 crores or 4% of the yearly turnover ofthe information trustee, whichever is higher.
- Re-recognizable proof and handling of de-distinguished individual informationwithout assent is culpable with detainment of as long as three years, or fine, or both.
”Privacy is not an option, and it shouldn’t be the price we accept for just getting on the
internet.” – Gary Kovacs
Before, almost no consideration has been paid in India to individual information and
protection. It’s normal for buyers here to impart their own data to various organizations and
substances – PAN card, Aadhaar card, versatile number, email id, address, telephone
numbers – are effectively given out. Individual information is continually abused by various
organizations or specialist co-ops. Information burglary or selling information is extremely
normal however it needs to stop. At the point when an information break occurs, the business,
element or individual liable for the penetrate should be punished. Today, organizations pay
almost no notice to the protection of the Indian buyer. Whenever got continually calling or
utilizing clients’ very own information to request business without their authorization or
assent, they ought to likewise be pulled up and punished. Information classification and
protection is an essential right. Indian clients need to figure out how to practice this privilege
as the economy turns out to be carefully determined.
Of course there are going to be flaws in the proposed bill but at this point of time it is
necessary to have a bill as a first step to combat data breach. The proposed bill has well
defined laws and regulations which can be amended as per suitability. At the point when
PDPB becomes viable, the standards of information insurance guidelines would be
comparable across the EU, California, Canada, and India. An organization that figures out
how to follow the guidelines of one locale can undoubtedly agree to the guidelines of another.
Uniform principles, like ISO 9000, would advance worldwide trade. A systematic
computerized market would be a mutual benefit for residents, countries, and worldwide
”Without privacy, there was no point in being an individual.” – Jonathan Franzen
As per the PDPB being authorized into an Act, there are a few compliances to be trailed by
associations handling individual information to guarantee insurance of protection of people
identifying with their Personal Data. Information security and insurance is a crucial
establishment for an arising information driven economy like India. Consent promoting will
be the following landmark brands or advertisers should take cognisance of, as India changes
from an information helpless economy to an information rich economy. The number of cell
phone clients in India is crawling more than 750 million shoppers with smart phone clients
expected to arrive at 490 million by 2022. This will prompt a ton of portable information use
and, subsequently, individual information and data opening up in the public area. These days,
a ton of information is mentioned by various organizations or elements in the enlistment or buy structure, solicitations and installments or when while enrolling for online membership.
Be that as it may, its motivation isn’t characterized. Accordingly, the measure of individual
information that will be impacting everything – individual, conduct, attitudinal and monetary
– so information security will be of principal significance to ensure the I-age and residents.