Happy Data Protection Day! 28th January is celebrated since 2007, globally, the Data Protection or privacy day. On this date in year 1981 “Convention 108”, first legally binding international instrument in the area of data protection, was opened for signature. International jurisprudence of data protection and privacy is almost 40 years old now. 130 countries around the globe have their data protection laws and regulations. But the personal data of 130 crore Indians (equivalent to 17.7% of world’s population) is still fragile and unprotected due to lack of a sound and robust law of data protection and privacy. Data breaches and scandals like Cambridge Analytica and Pegasus made headlines in Indian media but no significant actions were taken because we do not have effective laws to implicate the actions of wrongdoers.
Let’s go back in time
Right to Privacy was declared as a fundamental right under the purview of Indian constitution for the first time in the case of PUCL v. Union of India. It was unanimously reaffirmed by a nine-judges-constitutional-bench in the famous AADHAR Case (Justice K.S. Puttaswamy v/s Union of India, 2017). In this judgement, Justice Chandrachud mentioned “Informational Privacy”, or the privacy of personal data and facts, is an essential facet of the right to privacy. Under this judgement apex court of India directed the Legislative body to frame a law to safeguard the right of Indian residents in their personal data. Since then several bills and frameworks related to data protection were tabled viz. Data protection bill, 2018 and Data Protection bill, 2019, Non-Personal Data Governance Framework, Digital Information Security in Healthcare Bill (‘DISHA’) etc.
The contemporary privacy law in India
The only law to safeguard the sensitive personal data in India is Sec. 43A of Information Technology Act, 2000. This provision abides a body corporate, possessing, dealing or handling sensitive personal data to implement and maintain reasonable security practices. It puts a civil liability on body corporate in case of negligence and wrongful loss to any person arising out of mishandling of data. In year 2011, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 came into existence under the 43A of IT Act. This provides some safeguard to sensitive personal data including passwords, financial information, physical, psychological and mental health conditions, sexual orientation, medical records and biometric information, etc. But these obligations are incompetent to safeguard the personal data of Indian residents effectively. I am hopeful in the coming Parliamentary session the bills pending will be discussed and Indian residents will be protected against excessing processing of personal data by private organizations and surveillance by government bodies.
I congratulate all my friends across the globe who enjoy a Right to Data Protection (Right to access, information, forgotten, object, erasure, rectification, and data portability), as facilitated by domestic laws and are celebrating the privacy day. We Indians hope to join you soon.