Data has replaced oil to become the number one service of the 21st century. The importance of data in this era is evident from the fact that the leading companies like Google, Microsoft, Amazon, Apple and Facebook belong to the data sector. This data, however, needs to be safeguarded. Data protection is the process by which data is protected from being misused by a third party. Data protection establishes a relationship between collecting and distributing data, the impression and the need for privacy, and the legal bearings surrounding it. It is the branch of security that engages in proper management of data. The need for data protection in today’s dynamic world has been acknowledged by the courts of law as well as in common parlance. This research is a comparative study of the data protection laws in India and the data protection laws in the European Union.
DATA PROTECTION AND RIGHT TO PRIVACY
Data can be classified into public data and private data. Public data is information which can be easily accessed by the public. A few examples of public data are court judgements, policies of the government, public assets of a company, etc. Personal data, on the other hand, is information which is private to a particular individual or organization, and accessing it requires the permission of the individuals concerned. Some examples of personal data are financial details, information about family, sexual preferences, browsing history, etc. While anyone can access public data freely, accessing personal data without permission can lead to severe legal consequences.
For example, in 2013, Google Inc. was charged with publicly sniffing Wi-Fi using its Google Street View vehicles, which roamed the roads of the US, by the US Court of Appeals for the Ninth Circuit in Joffe v. Google. The Court held that the company was guilty of accessing personal data of individuals by hacking into their Wi-Fi.
The meaning of privacy in the field of law dates back to 1890, when Samuel D. Warren and Louis D. Brandeis, in their paper titled ‘The Right to Privacy’, said that a legal injury does not only mean a physical injury but also an injury to the feelings. Every physical injury had a remedy, but humans needed a remedy for their mental injury and right to privacy. That is where the concept of data protection comes in.
It can be said that data protection is the legal process to ensure the right to privacy. In simple words, privacy can be understood as the right of any individual to decide what kind of their data can be accessed by others and how. Data protection and privacy are co-dependent. One cannot exist without the other. If there is a right to privacy, then there is a need for data protection, and vice versa.
ORIGIN OF THE RIGHT TO PRIVACY IN INDIA
Fundamental Rights are guaranteed in Part III of the Constitution of India. The Constitution guarantees the right to life and personal liberty under Article 21. The Article guarantees not only the right to life but a life with ‘dignity’, making the Article constitutionally multi-dimensional. Privacy and data protection go hand in hand. The sole purpose of data protection is to safeguard the privacy of an individual.
The term privacy, however, is dynamic and its application changes with changing times. Privacy is recognized by the Law of Torts and the Law of Contracts, and even the property laws acknowledge privacy. This privacy, however, was recognized by the judiciary as a part of the fundamental rights only recently, in 2017, in the landmark case of Justice K. S. Puttaswamy v Union of India & Ors.
In the cases of M.P. Sharma & Ors. vs. Satish Chandra, DM, Delhi & Ors. in 1954 and Kharak Singh vs. The State of U.P & Ors. in 1963, the Supreme Court had held that the right to privacy is not a fundamental right and is not guaranteed by the Indian Constitution. Since the concept of the right to privacy was relatively new at that time, the court dismissed the idea of it being a fundamental right. However, in the Justice K. S. Puttaswamy case, the court overruled its decision in the aforementioned cases and declared the ‘right to privacy’ a fundamental right under the purview of Article 21.
It was also held that although “right to privacy is a fundamental right”, it is not absolute and is subject to restrictions regarding legality, proportionality and the need for a proportionate aim.
DATA PROTECTION LAWS IN INDIA
At present, India does not have any Act or legislation specifically for protection of data but the regulatory mechanism in the country for data protection and privacy is the “Information Technology Act, 2000” and “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011”. Besides this, data is also protected under Article 21 of the Indian Constitution.
SOME IMPORTANT SECTIONS OF THE IT ACT
- Section 43 A: Section 43 A of the IT Act creates a liability on any organisation which deals with handling personal data, directly or indirectly, to pay compensation to any person who suffers a wrongful loss due to data leaked by the acts of the organisation.
- Section 72 A: Section 72 A fines any person or intermediary who, having secured some personal data, discloses the private information to a third party knowing that this would likely cause a wrongful loss or wrongful gain. Such an individual is liable to three years' imprisonment or a fine of Rupees five lakh, or both.
THE PERSONAL DATA PROTECTION BILL, 2019
The Bill was introduced in the Lok Sabha in December 2019. It aims at protecting people’s personal data from entities which collect and use data. It gives certain rights to individuals to protect their data. The Bill aims to provide protection to personal data from
(i) the government,
(ii) foreign companies and
(iii) companies incorporated in India.
The Bill protects an individual’s privacy by allowing the data fiduciary to access personal data by consent only, with the exception of
(i) medical emergency,
(ii) legal proceedings and
(iii) when required by the state to benefit the individual.
The Bill also seeks to set up a Data Protection Authority. If the government is the sole provider of a service, such as a driver’s license, then the question of data protection does not arise. But if we take health insurance as an example, where the government can provide a service alongside private actors, this raises the question of why a public insurer should be given an exemption from taking consent when private insurance companies are required to under the Bill.
OFFENCES UNDER THE BILL
- Publishing data in violation of the Bill would attract a fine of Rs. 15 crore or 4% of the yearly turnover of the organization, whichever is higher.
- Failure to conduct a re-audit would result in a fine of Rs. 5 crore or 2% of the yearly turnover of the organization, whichever is higher.
- Re-identification and processing of unidentified personal data without consent would result in a fine or imprisonment of up to 3 years, or both.
Data fiduciaries can be exempted from the provisions of data processing if data is processed for prevention, investigation or prosecution of any offence. In such cases the entities only have to ensure that the processed data is for a clear and lawful purpose.
The Bill was passed in the Parliament and was then referred to a Joint Committee which would give its report before the coming financial budget as to whether the Bill would become an Act. Once implemented, the Bill would amend section 43 of the “Information Technology Act, 2000” and the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011”.
DATA PROTECTION LAWS IN THE EU
Peter Semayne v Richard Gresham, one of the first privacy cases, dates back to 1601 in the UK. The regulatory mechanism for data protection in the European Union is called the GDPR. The General Data Protection Regulation, which came into effect in May 2018, is said to be the toughest in the world. The GDPR covers things that could identify people, like name, contact details, sexuality, location, etc. Companies need your consent before they process your personal data. The penalties for the offences are massive. The GDPR was implemented in the UK too, despite the Brexit deal.
The GDPR ensures that citizens are notified within three days when their data has been hacked, so that they can take proper measures to solve the issue. The GDPR also brings a ‘Right to be forgotten’, which applies to data that users wish to have deleted or no longer be associated with. If an individual believes that a dodgy company is holding information on them, then they can demand that it hand over everything that it has. The right to be forgotten means an individual can erase himself completely from the system, but with some exceptions. Hospitals, government agencies and even journalists are exempted from that rule.
If you process the personal data of or to the EU citizens, the GDPR applies to you irrespective of your nationality. Millions of people outside the EU will be affected by the GDPR because companies that have access in European countries all have to sign up to the rules, along with organizations based outside of Europe that store data of EU citizens. So the GDPR is something that would affect the way the whole world thinks about data.
- Failure to comply with the GDPR guidelines can result in a fine of €10 million or 4% of the global turnover, whichever is higher.
So that would mean that if a Silicon Valley multi-giant commits a serious breach, it would get slapped with a multi-billion fine.
- If an organization breaches an individual’s privacy rights or ignores data access requests, it is fined €20 million or 4% of global turnover.
- A fine of €10 million or 2% of worldwide turnover will be applied to organizations who breach privacy in some other ways.
HOW DID GOOGLE FAIL TO MEET THE REQUIREMENTS OF THE GDPR?
The GDPR guidelines require any data fiduciary to be transparent about its usage and storage of individuals’ data. Google, however, failed to do that, and as a result a complaint was brought against it. The biggest GDPR fine issued as of May 2019 is €50 million to Google. Google was the 5th company to receive a fine for violating the GDPR guidelines. The previous fines were not as huge as the fine of 50 Million Euros on Google.
The complaints brought against the multi-billion dollar company were “for not properly disclosing to users how data is collected across its services — including its search engine, Google Maps and YouTube — to present personalized advertisements”.
In the 21st century, the era of advancing technology where everything is available at our fingertips, it is the need of the hour to create safe spaces and boundaries to protect our personal data from being misused either by the government or any other individual.
While the European Union has the strictest laws for data protection and privacy, India is yet to have a regulatory mechanism on the same. The proposed PDP Bill, 2019, if passed, would be the legislating statute for data protection in India. If we compare the GDPR of the EU to the PDP Bill 2019 of India, the GDPR has extraterritorial applicability, while the PDP Bill aims at extraterritorial application in a few cases only. Companies will have to follow stricter rules under the PDP Bill guidelines as compared to the GDPR guidelines. The PDP Bill offers a clear and strict legal consequence for the breach of its guidelines as compared to the GDPR.
Joffe v. Google, 746 F. 3d 920, 926 (9th Cir. 2013).
Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harvard Law Review 193, 192-220 (1890).
K.S. Puttaswamy v Union of India & Ors., (2017) 10 SCC 1 (India).
M.P. Sharma & Ors. vs. Satish Chandra, DM, Delhi & Ors., (1954) AIR 300 (India).
Peter Semayne v Richard Gresham, 77 ER 194 (UK).
Symbiosis Law School, Hyderabad