DATA PROTECTION: AN ENCUMBRANCE OF A REALITY

Ayush Nigam & Soumya Singh*

INTRODUCTION

The idea of the right to privacy is multi-faceted. The right to privacy has been acknowledged in contemporary culture,
both legally and in everyday speech. Article 21 safeguards the right to privacy and promotes individual dignity. In recent
years, there has been a rising concern about the vast quantity of personal information stored in computer systems.
The right to privacy refers to an individual's ability to regulate how personal information is collected, used, and
disclosed. Personal information can include, but is not limited to, personal interests, habits, and activities, family and
educational records, communications (including mail and telephone records), medical data, and financial records.

An individual might be readily damaged by the availability of incorrect or deceptive computerised data about him or
her that could be transmitted to an unauthorised third party at rapid speed and for a low cost. This increase in the
usage of personal data offers a lot of advantages, but it also has a lot of drawbacks. Furthermore, the convergence
of technology has created a new set of privacy and data protection concerns. Personal data is easily accessible and
communicative because to cutting-edge technology. The right to privacy and data protection are inherently at odds.
The primary goal of data protection should be to balance these competing informational interests.

CONCEPT OF PRIVACY

The concepts privacy and right to privacy are difficult to grasp. It's been used in a variety of ways in various contexts.
“Zero contact between two or more individuals in the sense that there is no interaction or communication between
them, if they so choose,” according to Edward Shils. Privacy has been acknowledged in contemporary culture, both
legally and in everyday speech. However, various legal systems stress different things, thus it differs. Privacy is a
neutral relationship between persons or groups or between groups and person. Privacy is a value, a cultural state or
condition directed towards individual on collective self-realization varying from society to society. Every citizen has a
right to safeguard his own privacy. The said right of privacy is the right to be let alone1. Personal choices governing a
way of life are intrinsic to privacy. It enables individuals to preserve their beliefs, thoughts, expressions, ideas,
ideologies, preferences and choices against societal demands of homogeneity
To exercise one’s right to privacy is to choose and specify. It is to choose which of the various activities that are taken
in by the general residue of liberty available to her that she would like to perform2. Privacy is the constitutional core of
human dignity. Privacy has both a normative and descriptive function. At a normative level privacy sub-serves those
eternal values upon which the guarantees of life, liberty and freedom are founded. At a descriptive level, privacy
postulates a bundle of entitlements and interests which lie at the foundation of ordered liberty. A person has autonomy
over his own personal choices. The right to privacy is protected as an intrinsic part of the right to life and personal
liberty under Art. 21. Right to privacy is a natural, primordial, basic, inherent and inalienable right3.

THE EXISITING REGIME OF LAWS

INFORMATIONAL PRIVACY
Informational privacy is an emerging phenomenon. Privacy means the right to control the communication of personally
identifiable information about any person. It requires a balancing attitude; a balancing interest. Thus, it ultimately

* Ayush Nigam is a student of 2nd year, B.A LL.B(hons), Symbiosis Law school, Pune and Soumya Singh is Student of 2nd Year, B.A LL.B, Lloyd law
College [Authored on 30th June, 2021]
1
R. Rajagopal v. State of Tamil Nadu, MANU/SC/0056/1995.
2
Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors, MANU/SC/1044/2017.
3
Ajay Hasia and Ors. vs. Khalid Mujib Sehravardi and Ors, MANU/SC/0498/1980.
Published in Article section of www.manupatra.com
requires a healthy and congenial inter-relationship between the social good and the individual liberty. With the advent
of technology and internet, new dimensions are being added to the traditional notion of right to privacy like informational
privacy or data privacy. Technology allows an individual to generate both personal and non-personal information about
him in the cyberspace knowingly or unknowingly. According to Westin, “the complete authority on the disposal of
personal information lies with the individual as a part of his privacy right. He further says, Privacy as the claim of
individuals, groups or institutions to determine for themselves when, how and to what extent Information about them
is communicated to others”4. In toto information privacy or data privacy is the relationship between collection and
dissemination of data technology with the public expectation of privacy, and the legal and political issues surrounding
them.

“We are in an information age. With the growth and development of technology, more information is now easily
available. The information explosion has manifold advantages but also some disadvantages. The right to privacy is
claimed qua the State and non-State actors.”5.Thence “a careful and sensitive balance between individual interests
and legitimate concerns of the state needs to be maintained. It is only upon the matters concerning legitimate aims of
the state would the state be allowed to encroach upon the aspect of informational privacy of an individual. The
legitimate aims of the state would include for instance protecting national security, preventing and investigating crime,
encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These
are matters of policy to be considered by the Union government whilst designing a carefully structured regime for the
protection of the data”.

PERSONAL DATA PROTECTION BILL 2019

Introduction of personal data protection bill back in 2019, was seen as a legislative endeavour perceived as light at the
end of a dark tunnel of regulatory flux concerning data protection and privacy in India, however it may be too little
coming too late. The future remains uncertain, with an unprecedented delay being noticed in the working of the joint
parliamentary committee the Indian rules surrounding data protection are still a legal quagmire.

To complicate matters further with numerous terms and concepts still left undefined and recent regulatory initiatives
introducing new sectoral policies/ draft regulations around different types of data and how it is handled, processed and
protected put in the public domain by different Government departments is creating more confusion and unnecessary
complications. While the stated object of the Bill was to provide for protection of personal data of individuals, and
establish a Data Protection Authority to implement the same, - the very purpose of the Bill stands a high chance of
being jeopardized with the Bill providing the government with unregulated and broad powers to exempt its agencies
from the provisions of the Bill for certain circumstances. Besides, discretionary powers to the executive branch of the
government must be accompanied by clear and specific guidelines for the executive to exercise the power. This
cardinal rule is ignored by the Bill where in the procedure, safeguards and oversight mechanism to be followed for
surveillance the same is said to be prescribed in the rules made by the Government itself.

The Bill lacks many necessary safeguards that are needed to protect the right to privacy and also significantly, dilutes
right to privacy and increases State power to surveillance without creating adequate checks and balances and this is
a big concern since the proposed framework is unlikely to protect privacy adequately. This is likely to have disastrous
consequences for the stated objective of protecting individual's personal information and privacy. It is perhaps this lack
of clarity of vision that is much need to enable policymakers in resolving the competing interests of the ability of
individuals to exercise their right to privacy and the need for community data to facilitate bottom-up innovation, the
private sector's ever increasing appetite for personal data, and the State's function and surveillance agendas.

st
4
Raymond T. Nimmer, Information Law (West Law, Minnesota, 1 edn. 2002).
5
Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors, MANU/SC/1044/2017.
Published in Article section of www.manupatra.com
In a sense we can already see the early signs acknowledging that the current proposed personal data protection bill
seems to be suffering from various crippling effect, and while back in 2019 there was some hope for reforms, we by
choice or by compliance need to stick to the old redressal system which is being still followed

JUSTIFIABLE CONCEPT OF DATA PROTECTION

The Information Technology act (2000) complemented by the Information Technology (Amendment) Act, 2008
(defining data, civil and criminal liability) and Information Technology (Reasonable Security Practices and Procedures
and Sensitive Personal Data or Information) Rules, 2011 (Dealing with protection of ‘Sensitive personal data or
information of a person’, which includes such personal information which consists of information relating to; Passwords;
Financial information such as bank account or credit card or debit card or other payment instrument details; Physical,
physiological and mental health condition; Sexual orientation; Medical records and history and Biometric information)
are currently the only legislation to date which covers the key issues of data protection in the Indian context.

According to section 2(1)(o) of the Act, the Information Technology (Amendment) Act, 2008 “ ‘Data’ means a
representation of information, knowledge, facts, concepts or instructions which are being prepared or have been
prepared in a formalised manner, and is intended to be processed or is being processed or has been processed in a
computer system or computer network, and may be in any form (including computer printouts magnetic or optical
storage media, punched cards, punched tapes) or stored internally in the memory of the computer”.

The IT Act defines certain key terms with respect to data protection, like access, “Computer, Computer network,
Computer resource, Computer system, Computer database, Data, Electronic form, Electronic record, Information, &
Intermediary, Secure system, and Security procedure albeit it doesn't provide for any definition of personal data. The
idea behind the aforesaid section is that the person who has secured access to any such information shall not take
unfair advantage of it by disclosing it to the third party without obtaining the consent of the concerned party.
Furthermore, in the legislation, “Third party information is defined to mean ‘any information dealt with by an intermediary
in his capacity as an intermediary’. However, as a matter of undeniable fact, the IT Act doesn't provide any definition
of personal data. Furthermore, the definition of "data" would be more relevant in the field of cyber-crime. Data-
protection consists of a technical framework of security measures designed to guarantee that data are handled in such
a manner as to ensure that they are safe from unforeseen, unintended, unwanted or malevolent use.

CIVIL LIABILITY AND DATA PROTECTION

The Above enumerated laws provide for civil liability in case of computer database theft, trespass & unauthorized
extraction of data. This complemented by section 43 further strengthens crimes of cyber contraventions such as those
related and needed related to: -

i) Unauthorised access to computer system/s, computer network or resources,

The legislation though not intended for this specific purpose of data protection does a fabulous work by not just
providing the definitive schematic theme of crimes, but also as a deterrent measure also includes compensation for
those who are affected. This kind of thought process is not generally seen and is always a welcome step. Section 43A
provides for ‘compensation for failure to protect data’ because ‘Where a body corporate, possessing, dealing or
Published in Article section of www.manupatra.com
handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is
negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful
loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to
the person so affected ”. There is no limitation imposed on the compensation that can be awarded. Section 43A which
provides for civil action for security breaches is based on the concept of ‘sensitive personal information'. Other than
that, there is no special protection in Indian law for sensitive personal information. Section 43A provides for
compensation to an aggrieved person whose personal data including sensitive personal data may be compromised by
a company, during the time it was under processing with the company, for failure to protect such data whether because
of negligence in implementing or maintaining reasonable security practices.

This provision, therefore, provides a right of compensation against anyone other than the person in charge of the
computer facilities concerned, effectively giving a person a right not to have their personal information disclosed to
third parties, or damaged or changed by those third parties. The section is equally able to be used by data controllers
or the subjects of personal information against third parties. It is only that they will be ‘affected in different ways which
justify compensation. It also provides that accessing data in an unauthorized way is a civil liability.

CRIMINAL LIABILITY AND DATA PROTECTION

The above stated legislation furthermore, provides for criminal liability in case of computer database theft, privacy
violation etc. The Act also makes wide ranging amendments in chapter XI enfacing sections 65-74 covering a wide
range of cyber offences, including offences related to:-
i) Unauthorised tempering with computer source documents,
ii) Sending offensive messages through communication service etc,
iii) Dishonestly receiving stolen computer resource or communication device,
iv) Identity theft,
v) Cheating by personation by using computer resource,
vi) Violation of privacy, transmitting of material containing sexually explicit act, etc., in electronic form,
vii) Knowingly failing to comply with any order of controller, interception or monitoring or decryption of any information
through any computer resource,
viii) Securing access or attempting to secure access to any computer resource which directly or indirectly affects the
facility of Critical Information Infrastructure, any misrepresentation to or suppressing any material fact from the
Controller or the Certifying Authority.

India does not have specific data protection legislation, other than the IT Act, which may give the authorities sweeping
power to monitor and collect traffic data, and possibly other data. The IT Act does not impose data quality obligations
in relation to personal information and does not impose obligations on private sector organizations to disclose details
of the practices in handling personal information.

VIOLATION OF CONFIDENTIALITY AND PRIVACY

The terms violation of confidentiality and privacy are described under the IT Act. Section 66-E very eloquently explains
violation of privacy as 'whoever, intentionally or knowingly captures, publishes or transmits the image of a private area
of any person without his or her consent, under circumstances violating the privacy of that person. Section 66-E
explanation (e) has also explained violation of privacy as ‘circumstances in which a person can have a reasonable
expectation that
(i) he or she could disrobe in privacy, without being concerned that an image of his private area was being
captured, or
(ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a
Published in Article section of www.manupatra.com
 public or private place.
Section 72 further provides for penalty for breach of confidentiality and privacy, as meaning any person securing
access to any electronic record, book, register, correspondence, information, document or other material without the
consent of the person concerned discloses such electronic record book, register, correspondence, information,
document or other material to any other person. Section 72 A then goes on to explain the law of privacy and asserts
that disclosure of information in breach of lawful contract ‘save as otherwise provided in IT act or any other IT law for
the time being in force, any person, while providing services under the terms of lawful contract, has secured access to
any material containing personal information about another person, with the intent to cause or knowing that he is likely
to cause wrongful loss or wrongful gain discloses and without the consent of the person concerned, or in breach of a
lawful contract, such material to any other person' amounts to breach of privacy and provides for punishment for the
same.

Sections 66 E, 72, and 72A require the consent of the concerned persons but, within limited scope as it would be
difficult to consider that it could provide a sufficient level of personal data protection. Indeed, these sections confine
themselves to the acts and omissions of those persons, who have been conferred powers under the Act. These
sections provide for monitoring violation of privacy, breach of confidentiality and privacy, and disclosure of information
in breach of lawful contract. Breach of confidentiality and privacy is aimed at public and private authorities, which have
been granted power under the Act.

CONCLUSION

Privacy is a basic human right and computer systems contain large amounts of data that may be sensitive. Chapters
IX and XI of the Information Technology Act define liabilities for violation of data confidentiality and privacy related to
unauthorized access to computer system, network or resources, unauthorized alteration. Data protection may include
financial details, health information, business proposals, intellectual property and sensitive data.

However, today's technology allows anybody to access any information on anyone from anywhere at any time, posing
a new danger to private and sensitive data. Technology has gained worldwide acceptability as a result of globalisation.
Different nations have established different legal frameworks from time to time, such as the DPA (Data Protection Act)
1998 in the United Kingdom, the ECPA (Electronic Communications Privacy Act of 1986) in the United States, and so
on. Special privacy laws exist in the United States to safeguard student education data, children's internet privacy,
medical records, and private financial information. Self-regulatory initiatives in both nations are assisting in the
definition of enhanced privacy. Although the right to privacy is protected by the Constitution, its growth and
development is fully at the discretion of the government, which must adopt proactive measures. It is exceedingly difficult
to keep information from leaking into the public domain in today's linked world if someone is motivated to do so without
resorting to extremely oppressive tactics. The Information Technology (Amendment) Act, 2008 deals with data
protection and privacy, although not in a comprehensive way. To sum up, the IT Act has an issue with data protection,
and separate legislation is desperately needed to strike an appropriate balance between personal liberty and data
protection.

Published in Article section of www.manupatra.com