Data ProtectionFundamentals of IT LawIT ComplianceTechnology Law / Cyber Law
General Data Protection Regulation: Indian perspective
As the world moves towards digitization and our dependency on computers and similar gadgets increases, security concerns about the data are also on the rise. Many people have now started questioning the data that is collected by various apps and service providers. People have started fearing misuse of their data. The recent controversy regarding data leak about Facebook has only strengthened this fear.[1]
In 2011 in an agreement with the Federal Trade Commission (FTC), Facebook stated that the company cannot share user data “without explicit permission.” In further developments, a 280-pages internal document and interviews of 50 former employees of Facebook and other corporate partners have revealed that Facebook allowed access to user data despite these protections.[2]
In 2013 early June, a cyber strategist of CIA, who had previously worked with Dell and later with cybersecurity consultant Booz Allen Hamilton, revealed some thousand documents that caused much upheaval around the world. Edward Snowden is believed to have leaked thousands of highly classified NSA documents to The Guardian and The Washington Post.
After the leaks many earlier unknown facts came to light, NSA along with the Five Eyes Alliance[3][4] had placed virtually the entire world under their surveillance.[5]
Barack Obama in his speech on the NSA surveillance and the leaks, dated June 7th, 2013 had said, ”You can’t have 100% security then also have 100% privacy and zero inconveniences.”[6]
The leaks, or rather the revelations by Snowden forced various governments to revamp their security. The USA government was widely criticized, but the surveillance continues.[7]
In a bid to secure data of its citizens and put a stop on its misuse, the European Union brought in General Data Protection Regulations[8] which replaced the obsolete Data Protection Directives[9].
The General Data Protection Regulation is the regulations that require businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. It covers nearly all companies that deal with the data of EU citizens whether be banks, insurance companies, social media platforms, financial companies, or even search engines.
GDPR was enacted in April 2016, replaced the Directives of 1995. Unlike the Directives, which have just persuasive value and require the various states to formulate their own policy, the Regulations are binding and hence, mandatory for all the 28 member states to comply with.
GDPR comprises of 99 articles, and make it mandatory for all businesses which directly or indirectly use, process and/or store data of EU citizens, to comply with the regulations. As explained in the EU’s GDPR website, the legislation has been so designed as to “harmonize” data privacy laws across Europe, providing greater protection and rights to individuals.
In his treatise on EU data protection law, Kuner advises organizations to seek paths other than consent to justify their processing of personal data.[10] He recommends that companies “reduce their reliance on consent as a legal basis for data processing to situations where it is absolutely necessary.” Kuner’s recommendation from 2007 was based on his reading of the Directive and similar advice regarding the limited use of this doctrine is merited under the GDPR as well.
India, in an attempt to make Data Protection stringent, brought Data Protection Bill 2014, which was feeble at data management strategy.
Data protection law in India is currently facing many problems and resentments due to the absence of a proper legislative framework. There is an ongoing explosion of cyber crimes on a global scale. The theft and sale of stolen data are happening across continents where physical boundaries pose no restriction or seem non-existent in this technological era. In this age, when India is the largest host of outsourced data processing [11], it could be an easy target of cyber sabotages and could become an epicenter of cybercrimes.
The Data Security Council of India (DSCI)[12] is a not for profit, premier industry body on Data Protection in India. Its objectives include making the cyberspace safe, secure and trusted by establishing best practices and initiatives in cybersecurity and privacy. DSCI also engages with governments and their agencies, associations and think tanks for policy advisory.
In India, the various BPOs and other IT companies handle all kinds of sensitive data of customers, privacy, therefore is of paramount importance. The Data Protection Bill 2014 is one such attempt at making such companies that do not make efforts at maintaining people’s privacy. Section 7 of the bill talks about the obligation on part of the organization collecting personal data. “Organization” as defined is any, government or private.
Hon’ble Justice Srikrishna in his report on Data Protection, presented before the GoI explained the need for a Data Protection Authority: a group of cyber experts and other high ranking officials for Controller Accountability. In the seven key principles, Justice Srikrishna laid down for Data Protection Law, he also mentions deterrent penalties.
Section 9 and 10 of the Data Protection Bill 2014 talks about the penalty to be imposed and offense by the company respectively. The penalty imposed under section 9 is “three-year jail or fine up to ten lakhs.”[13] Whereas in GDPR, the penalty imposed is up to €20 million, or 4% annual global turnover – whichever is higher.[14]
The Aadhaar Amendment Bill passed by the government on January 2, 2019, deals, inter alia with disclosure of personal data after seeking permission from a judicial officer not below the rank of a district judge. The Srikrishna committee report explains the need for a DPA along similar lines of GDPR.
One of the main issues of DPA is that many times the Internal Reporting System fails, as was in the case of Snowden, as it was later reported, Snowden could not trust the internal reporting mechanism, one of the main reasons he decided to go public with the data. He feared that if he reported this to the Internal Committee, his voice shall be muted and the facts buried.[15]
[1]https://www.bbc.com/news/topics/c81zyn0888lt/facebook-cambridge-analytica-data-breach, last accessed Feb 5, 2019
[2]https://timesofindia.indiatimes.com/business/international-business/facebook-reportedly-gave-tech-giants-access-to-users-private-messages/articleshow/67160156.cms, last accessed Feb 5, 2019
[3]https://www.omicsonline.org/open-access/the-intelligence-club-a-comparative-look-at-five-eyes-2332-0761-1000261.php?aid=89994, last accessed Feb 5, 2019
[4]https://www.theguardian.com/world/2013/dec/02/history-of-5-eyes-explainer, last accessed Feb 5, 2019
[5]https://en.wikipedia.org/wiki/List_of_people_under_Five_Eyes_surveillance, last accessed Feb 5, 2019
[6]https://obamawhitehouse.archives.gov/the-press-office/2013/06/07/statement-president, last accessed Feb 5, 2019
[7]https://thehill.com/policy/technology/310457-spying-after-snowden-whats-changed-and-what-hasnt , last accessed Feb 5, 2019
[8]https://eugdpr.org/ , last accessed Feb 5, 2019
[9]https://epic.org/privacy/intl/eu_data_protection_directive.html, last accessed Feb 5, 2019
[10]KUNER, supra note 173, at 68.
[11]https://www.outsource2india.com/services/data_entry_india.asp, last accessed Feb 5, 2019
[12]https://www.dsci.in/, last accessed Feb 5, 2019
[13]u/s 9 of the Personal Data Protection Bill 2014 (23 0f 2014)
[14]https://www.itgovernance.co.uk/dpa-and-gdpr-penalties, last accessed Feb 5, 2019
[15]https://www.theguardian.com/world/2013/oct/18/edward-snowden-us-would-have-buried-nsa-warnings-forever, last accessed Feb 5, 2019