By- Mahima Agrawal
Privacy is an integral right and continuous to be a much-debated issue in this digital era. Modern world is increasingly recognising the need and importance of keepingpersonal information private and safe. The legal world is also acknowledging this significant change in the way of life and is increasingly recognising the need of effective safeguards for keeping such data protected.
The Indian Judiciary included the Right of a person to its own Personal Information in the Right to Privacy and included it as an integral part of Article 21 of the Indian Constitution. This was held by the Apex Court in the famous 2017 judgment in the case Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India And Ors.[1] This paved way for protection of personal information in a much effective manner, since any breach or misuse of such information in the future, would be considered as a violation of a Fundamental Right.
Before this case the claim of inclusion of Right to Privacy as a Fundamental Right, was rejected by the Apex Court in significant past judgments like M.P. Sharma v Satish Chandra DM Delhi[2]andin Kharak Singh v State of Uttar Pradesh[3]. The personal data collected for varied uses digitally and manually, was protected in a constricted manner with insufficient capacity within the Information Technology Act, 2000. Later owing to the judiciary’s take on this matter of significant importance, that the Parliament addressed this issueset up Justice Srikrishna Committee for creating a law on Privacy Protection and further introduced the Personal Data Protection Bill, 2019 (“Data Law”).
This is a legislative milestone and a step forward for data protection norms in India since such a bill is important for comprehensively addressing this complex issue. This Data law addresses the debated issue of storing, using and accessing relevant data in form of personal information. This Bill will substantially affect all the sectors of economy since using personal information for identification purposes is a general norm in all the industries.
The bill also attracts significant attention due to its similarities, in the penalty prescriptions, with its counterpart European law- GDPR. GDPR is an advanced law that majorly affects the IT world, owing to its strict norms for administrative lapses in compliance services. Learning from this experience the Indian industries and concerned sectors are increasingly learning, debating and discussing the ambit and reach of this law. There is therefore an urgent need for disseminating the data law in India. Moreover, in light of these stringent data protection laws that India is likely to witness in the near future it is advisable that concerned organisations, industries and bodies reassess their process and mechanism of handling personal data so that they do not face harsh punishments under the new law.
Data collected of Minors
We are living in times where our personal records define our identity and we are often known by the serial no. or roll no. of those huge recorded information. Even as a kid or child it is mandatory for us to provide different data in form of personal information to our schools. This data is collected in different forms and is stored and used for various activities by the schools. All essential educational records like progress and disciplinary reports are processed through this data. Therefore, educational institutions especially schools share a greater burden of protecting personal data since they are maintaining records of personal information for minors which is highly sensitive in nature and repercussions are aplenty and dangerous.
Minors under Personal Data Protection Bill, 2019
Any natural person to whom the data containing personal information relates to is referred to as a Data Principal under this Data Law and hence is protected especially there are stricter provisions for data relating to minors. Also, certain major rights like right to have their data erased is also provided to the Data principals which includes the demands made by a minor. Whereas one who processes the data or determines the purpose for processing it is known as a Data Fiduciary.
The Bill also ensures that the minors are protected from any harm therefore makes it mandatory that the process and mechanism of collection and storing data is transparent and schools are accountable. Additionally, profiling or behavioural monitoring of children is restricted since it can cause a loss of reputation or grave humiliation to the young and sensitive.
Key Provisions
The complex issue of informed consent is dealt with Section 11, 12,13 and 14 of the Bill. It is emphasised that consent plays an important role in retaining and processing of personal information. Section 3(2) of the billdefines Anonymization and sets a specific standard for it. Additionally an expanded right is provided to data principal in the form of a right to demand the summaries of their data along with the compilation of the identities of all the fiduciaries who can access their data.
A new concept ‘consent managers’ have been introduced. These bodies or entities will serve the principals and assist them in managing their consents across the various platforms. Increasing e-commerce also introduced complications with social media intermediaries. Section 26 of the law helps regulate these intermediaries.
Criticism
People perceived this as a progressive law for data privacy as well as user rights however large sections of the society viewed this as a mere façade since it sought to protect the data of the citizens in a sleight of hand manner since the government allowed a lot of exemptions for itself. The breadth of relief provided to the government for processing, collecting and storing is substantially more than what was rhetorically hoped.
The omnipresent digital media structures the background against which these discussions unfurl. Prominently our society established the relation of complementary rights between right to information and right to privacy, thus permitting citizens to approach choices taken by the legislature concerning their own and even non-individual information. Data onslaught by foreign corporations like Facebook and Google are questioned vehemently however the government is made the protector of data sovereignty and is allowed access almost fully. It is allowed to access non-personal data even though technically they should not be granted such access since it is a clear breach of privacy and is a disturbingly huge surveillance and control granted to the state in a democracy.
Creating a mandatory position for establishing Data Protection Authority (DPA) is revolutionary and necessary only on superficial basis.They appear to be established for safeguarding rights and interests however the huge powers vested in this body right to explain ability allows the DPA to ensure that the data fiduciaries are protected and the challenge by the data principals can be refuted with an explanation that they themselves deem fit rather than much accountable methods like RTIs. The constitution of DPA seems arbitrary since no member from the judiciary is a part of it. Due to which it appears that the citizen’s rights can be compromised in spite of the new data law.
Moreover, the data principal is provided a statutory right to revoke his consent from continuous disclosure at his own will and time. However, when dealing with such irrevocable consent the process of obtaining consent for specific purpose and then subsequently removing it after use is possible only in certain case. Technologies like blockchain which store data in a collection of nodes cannot possibly erase data and require consent that allows to restore data even when they have exhausted the purpose. It is possible for them to ensure that they would not access data but erasing it is not a possibility. Therefore, right to erasure and right to forgotten need to be further defined.
Likewise, section 2 manages the issue how the law will apply to processors or fiduciaries when they are not inside the Indian domain and territory. The Data Protection Bill will apply to those situations where it identifies with profiling of information standards of the data principals inside the Indian territory. Subject to Section 33(1) of the Data Protection Bill, the sensitive individual information might be moved outside India, only when it is stored within Indian territory.
However, much the same as the web sources and Internet,blockchain is a worldwide framework, the admittance to which is permitted to everybody anyplace and the information stored is effectively available to everybody. Further, it requires that so as to handle individual information outside India, an unequivocal consent must be acquired whereas any information put away on a blockchain may likewise be gotten to outside India, and henceforth an express consent for the equivalent may not be a default.
Therefore, the Bill needs to be further sought out with taking due advice from specific industries regarding the possibility of protecting personal information while using it.
Reference
[1]Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors, WRIT PETITION (CIVIL) NO 494 OF 2012 [2]M.P. Sharma v Satish Chandra, District Magistrate, Delhi 1954,1954 AIR300:1954 SCR 1077 [3]Kharak Singh v State of Uttar Pradesh (1962), 1963 AIR 1295: 1964 SCR (1)332
Note- Views and opinions as expressed in this article are solely of the author and Indian Legal Wing is not liable for the same. The information contained in this article is for general information purposes only. We endeavour to keep all the information up to date and try our level best to avoid any misinformation or any kind of objectionable content. If you found any misinformation or objectionable contents in this website please report us at indianlegalwing@gmail.com