The Advocate-General of India, Mr. Mukul Rohatgi, has recently stated in his submissions to the honorable Supreme Court that the Government is working on a Data Protection & Privacy Law. The AG also said that TRAI has already started drafting this framework. The Government is expecting to enact it by Diwali.
Privacy and protection of data are two of the most sensitive topics in cyberspace. Although the Indian Law is set to deal with them specifically as per the earlier report, the Information Technology Act has only helped LEAs and the courts to an extent. The present condition could have become even worse if we did not have detailed criminal laws like the Indian Penal Code.
When we talk about data protection and privacy laws in recent times, one name that stands out is GDPR. The European General Data Protection Rights, 2016 is due to come into effect on May 25, 2018. It is being touted as the most stringent data privacy law around the world.
GDPR has introduced penalties on data controllers and processors for not complying with reasonable cyber security practices. The prescribed penalties are as high as ₹ 140 crores. It is also applicable to companies which are not established in the Union. In short, any company that deals with the data of any person residing in the European Union comes under the ambit of GDPR.
Apart from the penalties and reasonable cyber security practices, GDPR also gives a number of rights to a data subject. For the purpose of this legislation, a data subject is a natural person residing in the European Union. You can read more about GDPR here.
Applicability of GDPR in Indian Context
The Information Technology Act, 2000 has been the only law dealing specifically with cyber crimes in India. Considering the dynamic nature of cyber crimes and the ever-evolving nature of technology, the effectiveness of the IT Act has been criticized even after the amendments made over the last 17 years.
Coming back to what the AG said, there are a few rights (as prescribed by GDPR) that the Indian Data Protection & Privacy law should have as well.
The Right to Information
A data subject has an exclusive right to ask for any information related to the collection of his personal data. Under Article 12, one can ask for the following details when he has given his consent for the collection of data:
- Purpose & Interest behind the collection of his personal data,
- The list of recipients receiving his data,
- The period for which the company will store his data,
- Identity and contact details of the company, and
- Details of the Data Protection Officer (DPO).
When a company has collected personal data without the consent of the person concerned, the company must:
- Give all the details as mentioned above,
- Inform the person concerned about the collection of his personal data, and
- Expressly mention the categories of collected personal data.
The Right to Access
Article 15 gives the data subjects of the Union a right of access. Adding this right to the Indian Data Protection & Privacy law will ensure that an Indian citizen has the right to access the following information:
- Different types of the details as mentioned above, and
- Details of the third party (or an international organization) to which data is being transferred.
Also, a data subject can get a copy of his personal data from the concerned company or organization.
The Right to Rectification
Inclusion of this right will give a legal remedy to the citizens in getting their data rectified. This will substantially reduce the number of cases of misrepresentation due to the inaccuracy of the data collected. Article 16 of GDPR deals with this right.
The Right to Erasure (Commonly known as the Right to be Forgotten)
Under Article 17 of GDPR, a data subject can ask for the removal of his personal data without any delay under the following conditions:
- Purpose behind the data collection has been achieved,
- The data subject has withdrawn his consent and there is no legal ground for further processing of his personal data,
- The data subject objects to processing of his personal data under Article 21,
- The organization has done unlawful processing of data,
- There is a legal obligation for erasure of data.
In India, there is no specific legal provision dealing with this right. Recently, Kerala HC allowed an appeal to remove the name of petitioner from the copy of judgment available online. (You can read more about this judgement here.) Moreover, the Right to be Forgotten will also help the victims in cases of Revenge Pornography & Hate Crimes.
The Right to Object
Under Article 21, a data subject can object to the use of his personal data. He can also restrict a data processor or a data controller under Article 22. With the help of this right, a data subject can opt out of becoming a part of the automated decision-making process. The automated decision-making process includes advertisements, customer behaviors, etc.
The only data protection law in India is the set of supplementary IT Rules to the Act, which do somewhat lay down guidelines for companies collecting sensitive data of users. In some ways, they do touch upon some of the provisions of the GDPR as well, yet there are some flaws in the backdrop.