Right to Privacy as Fundamental Right

The Supreme Court of India, in the case of Justice K.S. Puttaswamy vs. Union of India (2017), declared the Right to Privacy a Fundamental Right under the Constitution of India.

DATA PROTECTION: Digital Personal Data Protection Act (DPDP Act 2023)

Data protection is the process of safeguarding important information from corruption, compromise or loss. Data is the large collection of information that is stored in a computer or on a network. The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates.

The DPDP Act sets nationwide standards for the handling of all types of Personal Data, defined as “any data about an individual who is identifiable by or in relation to such data”. This includes data like an individual’s name, phone number and Aadhaar details.

It is part of a worldwide trend of governments regulating the handling of personal data. However, India’s privacy laws do not expressly define Sensitive Data. The DPDP Act applies to all places within the territory of India, and also where the processing of Digital Personal Data takes place overseas but goods and services are offered in India.

Some of the key factors which need introspection are as follows:

· Protection of Personal Data to prevent data breaches, using techniques like data isolation, encryption and access control.

· Restricting the use of customer data to its stated purpose.

· Forbidding the retention of Personal Data when it is no longer needed.

· Impact on individuals in case of a data breach.

· Granting certain rights to individuals over their Personal Data.

The law aims to strike a balance between the rights of the user and the need for the processing of Personal Data.

DATA PRINCIPAL – The person to whom the personal data relates; in the case of children and persons with disabilities, their parents or legal guardian.

DATA FIDUCIARY – A person who controls the purpose and means of handling personal data, like a small business, a startup or a bank.

DATA PROCESSOR – A person who processes data on behalf of the data fiduciary.

SIGNIFICANT DATA FIDUCIARY – These may be designated by the Central Government, taking into consideration factors like the volume and sensitivity of the data processed or the risk to national security and electoral democracy.

LIST OF ENTITIES:

1. Individual

2. Hindu Joint Family

3. Company

4. Firm

5. Association of persons, whether registered or not

6. The State as defined under Article 12 of the Indian Constitution

7. Other Legal Person

The Act defines personal data as any data about an individual who is identifiable by or in relation to such data.

Data Fiduciaries must implement the necessary safety measures to prevent any data breach. These may include technical and organizational measures to comply with this obligation and the other provisions. If the Government of India has issued any notification restricting the transfer of data to any other country or business, it must be complied with.

Rights of the Data Principal:

1. Right to Access – They can request details, including the details of all data fiduciaries and data processors with whom their personal data is shared.

2. Right to Correction

· Correct any inaccuracies

· Update their personal data

· Complete their personal data

Requests have to be fulfilled within a reasonable time.

3. Right to Erase- The personal data can be deleted.

4. Right to Grievance Redressal – They can seek resolution of any issues regarding an act or commission of Data Fiduciaries, their obligations, or the enforcement of rights. If the data principal fails to get their grievance redressed through this mechanism, they can approach the Data Protection Board.

5. Right to Nominate- In the event of Death, Unsoundness of Mind or infirmity of Body.

6. Right to Revoke Consent – Consent can be revoked at any time, though they should bear any consequences arising from such revocation.

| Nature of violation/breach | Penalty |
|---|---|
| Failure to implement security safeguards | Up to INR 250 crores (~ $30.213 million) |
| Failure to notify a breach to the board | Up to INR 200 crores (~ $24.17 million) |
| Non-compliance with the special provisions regarding children | Up to INR 200 crores (~ $24.17 million) |
| Non-compliance with the obligations of SDF | Up to INR 150 crores (~ $18.127 million) |
| Non-compliance with obligations by the data principals | Up to INR 10,000 (~ $120) |
| Violation of any voluntary undertaking, if any | Up to the extent applicable to that breach |
| Violation of any provision other than those mentioned | Up to INR 50 crore (~ $6 million) |

POWER AND OBLIGATION OF CENTRAL GOVERNMENT:

1. Processing without consent: Where processing is necessary for the performance of any function of the State authorized by law, like providing any service or benefit, or the issuance of permits and licenses.

2. Data Portability: The State has been exempted from the requirement to convert automated data into structured, commonly used, machine-readable formats where processing is necessary.

3. Transfer of Sensitive & Critical Personal Data: Cross-border transfer of sensitive personal data is possible when the Central Government allows the transfer of data to a country or an international organization.

4. Power of the Government to exempt any Agency of Government: The Central Government can exempt any Govt. agency in respect of the processing of specified personal data in the interest of the Sovereignty and Integrity of India, security of the State, friendly relations with foreign states and public order. In addition, exemption can be granted on the grounds of preventing incitement to commit any cognizable offence.

5. Exemption from certain provisions: In the interest of the prevention, detection, investigation and prosecution of any offence or any other contravention of any law.

6. Exemption of certain Data Processors: The Central Govt. has the power to exempt the processing of personal data of data principals not within the territory of India.

7. Issue Directions: The Central Government may issue directions in the interest of the Sovereignty and Integrity of India, security of the State, friendly relations with foreign states and public order.

KEY FEATURES:

Applicability to Non-Citizens: The Act applies to Indian residents and to businesses collecting the data of Indian residents, and to non-citizens living in India whose data processing “In connection with any activity related to offering of goods and services happens outside India”. Example: a U.S. citizen residing in India being provided digital goods or services in India by a provider based outside India.

Purpose of Data Collection and Processing: The Act allows personal data to be processed for any lawful purpose. The consent of the concerned individual is taken: consent which is free, specific, informed, unconditional and unambiguous, given with a clear affirmative action and for a specific purpose. The individual has a right to withdraw their consent.

Legitimate Uses are:

(a) Individual has voluntarily provided personal data for a specific purpose.

(b) It enables different Govt. agencies providing these services to access personal data stored with other agencies of the government.

(c) Sovereignty or Security

(d) Fulfilling a Legal Obligation to disclose Information to the State.

(e) Compliance with Judgments, Decrees or Orders

(f) Medical Emergency or threat to life or epidemics or threat to public health.

(g) Disaster or Breakdown of Public Order.

Rights of Users/Consumers:

The right to get a summary of all the data collected and to know the identities of all other data fiduciaries/processors with whom the data has been shared.

Obligations on Data Fiduciaries: These include:

(a) Maintaining security safeguards.

(b) Ensuring the completeness, accuracy and consistency of Personal Data.

(c) Intimation of a data breach, in a prescribed manner, to the Data Protection Board of India.

(d) Data erasure on withdrawal of consent or on expiry of the specific purpose.

(e) Appointing a Data Protection Officer and setting up a Grievance Redress Mechanism.

(f) Consent of the parent/guardian being mandatory in the case of Children/Minors (under 18 years of age).

The law prohibits tracking, behavioral monitoring and targeted advertising directed at children. The Govt. can prescribe exemptions from these requirements for specified purposes.

Additional obligations include:

(a) Appointing a Data Protection Officer based in India who will be answerable to the board of directors or the governing body of the Significant Data Fiduciary (SDF) and will also serve as the point of contact for Grievance Redressal.

(b) Conducting data protection impact assessments and audits. SDFs may not necessarily be registered in India.

Restriction by Govt.: The Govt. may restrict flow of data to certain countries by notification. This may be due to National Security Purposes.

Exemption from Obligations under the Law: In certain cases:

(a) Where processing is necessary for enforcing any legal right or claim.

(b) Where personal data has to be processed by Courts or Tribunals, or for the prevention, detection, investigation or prosecution of any offences.

(c) Where the personal data of an NRI is being processed within India.

In addition, these include:

1. Processing in the interest of Security and Integrity

2. Processing necessary for Research, Archiving or Statistics

3. The Govt. can exempt certain classes, including start-ups, from the Notice, Completeness, Accuracy, Consistency and Erasure requirements.

4. One Provision allows the Govt. to, “Before Expiry of Five Years from the date of commencement of this Act,” declare that any provision of this Law shall not apply to such Data Fiduciaries for such period as may be specified in the notification.

Regulating Data Privacy: The DPB is not a regulatory entity. The board has a very limited mandate: to oversee the prevention of data breaches, to direct remedial action, and to conduct enquiries and issue penalties for noncompliance. The board does not have any power to frame regulations or codes of conduct, or to call for information to supervise the working of businesses; it can only do so during the process of conducting enquiries.

The members of the board will be appointed by the Govt., and the terms and conditions of service will be prescribed by the Govt.

For the first time, India has a statutory framework for Data Protection:

1. The exception carved out for consent empowers the State significantly and places State imperatives at a different level. This provision would mean that Govt. agencies would have to be exempted from purpose limitations that require personal data to be deleted after the purpose of the data is met.

2. Providing a blanket exemption from the whole law in the interest of Sovereignty, Security, Integrity, Public Order and preventing incitement. This ensures complete non-application of the data protection law to State agencies.

3. Provisions like these create a separate category that is beyond the purview of data privacy requirements.

4. The Govt. has the power to declare that any provision of this law will not apply to any business or class of businesses within five years of commencement of the law. There is no time frame for the operation of this exemption or any guidance on how this provision is to be used.

5. The Govt. has some unguided rule-making power for exempting businesses from certain requirements regarding the processing of children’s data.

6. When judged against the tenets of Indian administrative law, which require that laws should not confer unguided and excessive discretion on the implementing authority, these provisions are potentially in violation of the Indian Constitution.

7. The DPB is an independent agency with a limited mandate, and the Govt. will create the mechanism for the selection and appointment of its members. The law sets out qualifications for members, but it does not state how many members shall be on the board and requires only one of them to be a legal expert. This is a problem, as the board’s main function is to issue penalties and directions for noncompliance.

8. The design of the DPB fails to maintain internal separation of functions between the members conducting enquiries and the Chairperson. Since the Chairperson appoints the members who conduct enquiries, they may potentially not discharge this function impartially in all cases.

Conclusion:

The regulatory developments and institutional arrangements that take shape over the next few years will decide how well personal data privacy is protected. The new law provides the necessary scaffolding, but it is not sufficient for de facto data privacy to materialize. The fact that a significant degree of discretionary power on substantive issues is vested with the Central Govt. means that a lot will depend on how well the Govt. is committed to protecting privacy.

– MAMTA SINGH SHUKLA

(ADVOCATE DELHI HIGH COURT)

MOBILE – 9560044035

Email id – adv.mamtasinghshukla@gmail.com