“The goal is to turn data into information and information into insights”- Carly Fiorina
Data has replaced all essential items to become the most valuable commodity in the 21st century. Over the last few of years, there has been a considerate increase in the amount of data that is generated and processed with the usage of different devices and applications.
Section 2(1)(o) of the Information Technology Act, 2000 defines "data" to mean “a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form like computer printouts magnetic or optical storage media, punched cards, tapes or stored internally in the memory of the computer.”
Companies and businesses these days derive a significant value by analysing the ‘big data’ and regulate their working strategies based on such research models. While the fact that such analyses bring efficiency into the business cannot be denied, however, the burning question thus arises is ‘whether people have an idea or control over the manner in which the data concerning them is accessed and used by others?’
Data can be categorised differently into personal data and public data. Public data may include court records, birth records which can be made available to the general public. On the other hand, sensitive private data means personal information consisting of either security passwords, financial information like bank account or credit/debit card details or other payment instrument information, any physical, physiological and mental health records and history, sexual orientation of a person, biometric date etc. Sensitive private data or information cannot be made available freely in the public domain or given under the access to Information technology act 2005 because every person has the right to be left alone from unwarranted publicity or to be free from misuse or abuse of one’s individual identity.
The right to privacy is not a new concept. It has been a subject of common law wherein privacy of an individual has been considered as a person’s birth right. Article 21 of our Constitution provides that “No one shall be deprived of his life or personal liberty except according to procedure established by law”. In various judgements the courts have upheld the right to privacy as an essential one. In the case of R. Rajagopal and Anr. v State of Tamil Nadu  the Hon’ble Supreme Court opined that, “the right to privacy is implicit in the right to life and liberty which the constitution guarantees to its citizens under Article 21 and it means the right to be let alone”. Also, in the K.S Puttaswamy & anr vs Union of India , the Supreme Court recognised the right to privacy as a constitutional right and even accepted “Informative privacy” as a facet of the right to privacy.
Bill PERSONAL DATA PROTECTION
The Personal Data Protection Bill, 2019 seeks to provide for protection of personal data of people, and even establishes an Authority for Data Protection. The Bill regulates the processing of personal data by government, companies incorporated in India, and foreign entities dealing with personal data of people in India. The Bill mentions rights of the individual which include the right to obtain confirmation from the concerned fiduciary on whether their personal data has been processed, seek correction of inaccurate or incomplete personal information, have personal data transferred to any other data fiduciary in some circumstances, and restrict disclosure of their private sensitive data by a fiduciary, if it is not necessary or consent is taken back. The Bill also sets up a Data Protection Authority which will take measures to protect interests of individuals, prevent misuse and ensure compliance with the Bill.
DATA PROTECTION LAWS IN INDIA
INFORMATION TECHNOLOGY ACT 2000 (as amended 2008): The Information Technology Act 2000 is the most significant legislation with a potential effect on data privacy, although it mostly deals with electronic transactions and digital signatures. Section 43 of the IT Act, imposes a penalty without prescribing any upper limit, for doing acts like illegally securing access to someone’s computer, intentionally introducing any computer contaminant or computer virus into a system, destroying, deleting or altering any information residing in a computer. Section 65 of the IT Act penalises anyone who Tampers with Computer Source Documents. Section 66 provides punishment for offences committed under section 43. On the other hand, section 72 provides Penalty for Breach of Confidentiality and Privacy and section 10A in the IT Act deals with the validity of contracts formed through electronic means.
However, even after the extensive amendments made to the 2000 Act by the Information Technology Act 2008 it only covers a small part of what is normally dealt with by information privacy legislation. Therefore, in spite of such legislations, the impact of the IT Act on the public sector is minimal and the misuse continues to invade people’s privacy.
CREDIT INFORMATION COMPANIES (Regulation) Act 2005: The Credit Information Companies Act 2005 is the only Indian legislation to contain a comprehensive set of data protection standards. RBI is the regulatory body under the Act. This Act provides one model for a more general data protection law for India, but there is no evidence that it is being enforced or adhered to. The Act provides compulsory involvement of the Indian finance industry in a pervasive information surveillance system so as to comply with this data protection law. No company can carry on with its credit information business without registering itself under the Act as a credit information company.
THE RIGHT TO INFORMATION ACT 2005 (RTI ACT): The ‘right to information’ provided by the 2005 national legislation has a wider scope, it covers ‘information held by or under the control of any public authority’. ‘Public authority’ means ‘any institution of self-government established or constituted under the Constitution, any law of the Centre Parliament, of a State Legislature, or under delegated legislation, and includes bodies owned or controlled by government or directly or indirectly substantially financed by government.’
In the Supreme Court case of People's Union for Civil Liberties v Union of India  the court decisively interpreted Article 19(1)(a) of the Constitution of India to include by implication the right to information in the constitutional guarantees of freedom of speech and expression. Thus, the reach of the legislation is broader to all tiers of government and substantially beyond that.
THE PROTECTION OF HUMAN RIGHTS ACT 1993: The Protection of Human Rights Act 1993 defines ‘human rights’ as the rights concerning one’s life, liberty, equality and dignity as guaranteed by the Constitution. NHRC which has the power to investigate, on the basis of a complaint or its own motion, a human rights violation, or negligence in preventing such violations by a government servant. If an investigation hints at such a violation, the Commission can suggest that government or authority pay compensation for damages, commence any prosecutions that are open, and go to courts for directions, orders, or writs However, it lacks independent powers to take any remedial actions.
THE NATIONAL CONSUMER DISPUTES REDRESSAL COMMISSION: The National Consumer Disputes Redressal Commission was established under the Consumer Protection Act 1986 to promote and protect the consumers’ rights, and to enable a secure, less expensive and speedy mechanism for redressal of their grievances. The Act allows complaints to be made by consumers in relation to an ‘unfair trade practice’ which is defined widely enough to include different types of complaints about misuse of personal data as well. The CDRC system in the Nivedita Sharma Case has resulted in a vital data protection advances, relating to the large-scale disclosures of personal information.
CONCERNS AND DIFFICULITIES
India’s data privacy and protection laws are presently facing various problems and resentment due to the lack of an appropriate legislative framework. Since India does not have a comprehensive information privacy & protection mechanism, the primary enactment that deals with protecting personal data is the IT Act. However, it does not serve all the purpose because of the continuing explosion of cybercrimes globally. The theft and sale of the stolen data occur across all Indian companies. The IT and BPO sectors, in the absence of stringent laws manage to have access over confidential and personal data of individuals throughout the world, including their credit/debit card details, medical records, financial history etc. Such data stored electronically might even get exposed in the hands of malicious people who often misuse it. Thus, security vulnerabilities and data leakages are very common these days and need immediate attention.
India is still at an initial stage of developing regulations for data privacy and personal data protection. It needs a strong legislative structure that serves both legal and public standards to exist in the jurisdictions from which data is mailed to our country. At present, India does not have significant protection to personal data with regards to all or most of the privacy principles, in any industry, to satisfy the international standards. Some of the rules and principles are promising but the most significant legislative protections are not functioning as yet.
The rules which have been given the most substantive legal implementation are the right of access in relation to public authorities, the security principle concerning the private sector, the right to quit from direct marketing such as telemarketing, and data protection principles regarding credit reporting. Thus, in reality, the greatest obstacle and requirement for India, today, is to have its own national data protection law system which can-not only be adjudicated in accordance to the established standards but is also viewed as highly suitable for its citizens.