Digital Age and Data Protection Laws in India

by Anshuman Pandey

Supreme Courtin KS Puttaswamy v. Union of India[I] held privacy as the fundamental right under Article
21 of the Constitution, later in the Internet and Mobile Association of India v. RBI[II]upheld the
cryptocurrency business, debate for data protection is on the floor. As India is pushing for Digital Age
including health, identity, etc., it is now necessary to reshape the relationship between the users and
those entrusted with our personal data by forming a comprehensive data protection law for the country.

Various approaches are taken to form the data protection laws, for example, USA follows the laissez-
faire approach. The amendments to the US Constitution reflect the right to privacy, i.e. First, Fourth,
Fifth and Fourteenth Amendment of the Constitution. Their approach is based upon the understanding
of constitutional liberty as freedom from state control.

European Union has enacted the General Data Protection Regulation (GDPR) in May 2018, this has
replaced the existing Data Protection Directive of 1995. It is a comprehensive framework dealing with all
kinds of processing personal data, providing rights and obligations of the parties in detail.

China has adopted a consent-based framework for the strict control on cross-border sharing of the
personal data, its basis is primarily on averting national security risks. Its cybersecurity law came into
force in 2017[III], containing principles to handle personal data.

There is no universal legislation to govern data privacy at a global level and is dependent upon the
jurisdiction’s own understanding and the relationship between the citizens and the state.

India’s scenario is different, being a diversified country, understanding of the citizen-state relation is not
clear. Therefore, In India the conceptualization of the state in the constitution is based upon two planks:

The state is the facilitator of human progress commanded by the Constitution i.e. Directive Principles of
the State Policy (DPSP) inscribed in part IV of our Constitution to serve the common good.
State is prone to excess so it is checked by effectuating both a vertical (federal structure) and horizontal
(three organs of the government) separation of power, as well as by investing every individual with the
fundamental rights that can be enforced against the state.

These two planks are the base of the evolution of data privacy laws in India, as per Directive Principles of
the State Policy, the state should thrive and in particular, direct its policy towards securing that the
ownership and control of the material resources of the community are so distributed as best to subserve
the common good[IV]. In addition to the DPSP, right to privacy in Justice Puttaswamy case has been
recognized as an integral component of fundamental right under Article 21 of the Constitution

The debate of privacy laws in India is not new and can be traced back to the cases of M.P. Sharma v.
Satish Chandra, District Magistrate[V]and Kharak Singh[VI]which held that the right to privacy is not
protected by the Constitution of India; constituent assembly also made a proposal to guarantee every
citizen the right to secrecy of correspondence in clause 9(d) and the protection to be secure against
unreasonable search and seizures in their persons, houses, papers and assets. Since the law relating to
search and seizure was already provided under Cr.P.C., this provision was not incorporated in our
constitution.

The right to privacy which is now guaranteed under Part III of the Constitution is not an absolute one
and is subject to the satisfaction of certain tests and as agreed by most of the judges of the bench, the
European standard of the Proportionality has to be applied to test the privacy infringement in the
future. The test conducted will be based upon the principle of just, fair and reasonable standard
evolved under Article 21 of the Constitution.

After the judgment, although the right to privacy was added to Part III of the Constitution, the ruling has
not defined what privacy is and it is left upon the adjudicators to give interpretations to understand the
term.

The current position of India in terms of the Data Privacy Laws

India has moved closer to building a proper data protection legal structure as it has drafted an extensive
data privacy bill and has submitted it to the government in 2018. It is the need of the hour to implement
such data protection laws in India as it would be a base for the government’s ‘Digital India’ Campaign.
The bill proposed shall apply to both the government and the private entities. Another challenge to put
sanctions upon the entities not present within the territories of India but use personal data in
connection to any business carried in India will be solved as the proposed bill extends to such data
controllers also. The Data Protection Bill, 2019 makes four major distinctions between data and the
restrictions vary as per their level. They are first is the non-personal data, second is the personal data,
from which an individual can be identified easily, third is the Sensitive Personal Data (SPD) which
includes information that is likely to cause greater harm, or harm of graver nature (caste, religious and
political belief, sexual orientation, financial data, health data, biometric data, etc.), the fourth category
of data is Critical Personal Data (CPD), which has not been defined and just found mention in the bill and
leaving it open to the government to define as per future need[VII].

Privacy Threats from Outside India

Various entities try to keep data outside of the country of business in order to escape the jurisdiction
and sanctions. Data Protection Bill, 2019 identifies circumstances under which data has to be
mandatorily stored in India.

The privacy threats can be classified into three categories:

That which involves invasion by a state into a person’s physical body;

Information privacy which captures unauthorized uses of personal information;

Privacy of choice, or “individual autonomy over fundamental personal choices”.

There are instances where tech giants have used deceptive means to gain access to the personal data of
individuals. Even if India wants to take stringent legal action against the companies, it is not possible
because that would be an empty threat, given that existing legal recourse in India under the Information
Technology Act, 2000 is inadequate. So, there is an urgent need to call for data sovereignty and it can be
seen through Indian action that it is thriving for the same.

Therefore “localization” of data under the Data Protection Bill, 2019 is going to play a key role in data
protection and this goes beyond GDPR, whose restrictions are limited to countries with an inadequate
level of data protection rather than a blanket requirement to store data within the country[VIII].

The approach that India should adhere to:

Since India is pressing for the Digital India campaign and has the potential to lead the world into a digital
economy, it should make use of the existing strengths in information technology, demographic dividend
and ensure overall empowerment based on data-driven access to services and benefits.

Approachability, Comprehensibility, Legibility and Readability are some of the factors legislators have to
take into consideration while drafting the privacy policy. Although it would be a hectic task to ensure the
jurisdiction because of the borderless nature of the internet which needs to have some sort of
extraterritorial jurisdiction.

Conclusion:

Recent developments in privacy laws in India have led to significant progress towards a comprehensive
data privacy regime, one increasingly urgent in India, either it is the inclusion of privacy under Part III of
the constitution or the draft of the Data Protection Bill, 2019. Law introduces a series of rights and
obligations modeled on global standards. Personal data being the lifeblood for both modern economy
and politics, national storage of data is need of the hour to reflect the ambition of both Indian business
and the government to stake their claim. Although accountability has been discussed for the misuse of
data by the entities in the Data Protection Bill, 2019, there is not enough clarification regarding the
misuse of data by the government itself and its accountability.

the author is in his 4th year of B.A. LL.B. (Hons.) course at National Law University and Judicial Academy,
Assam

[I]Writ Petition (Civil) No.494of2012

[II]Writ Petition (Civil) No.528 of 2018

[IV]Article 39(b) of the Indian Constitution

[V]1954 AIR 300, 1954 SCR 1077

[VI]1963 AIR 1295, 1964 SCR (1) 332

[VII]https://caravanmagazine.in/government-policy/srikrishna-committee-data-protection-government-
accountable

[VIII]Amba Kak, The Emergence of the Personal Data Protection Bill, 2018 A Critique, Economic &
Political Weekly Vol LII No 35.