Data have replaced oil as the most valuable commodity of the 21st century. The result is that five of the world's most powerful companies, namely Amazon, Google, Apple, Microsoft, and Facebook, are in the data business. When we look at both goods closely, the resemblance between data and oil becomes clear. Crude oil is unusable as extracted and must be refined and purified through many processes to produce petroleum, diesel, kerosene, gasoline, and so on. Raw data must likewise be processed or analyzed before it becomes usable information, for example, by combining health information with geolocation.
History
Data may broadly be divided into public data and personal data. Public data, such as court records and birth records, is accessible to the general public. At present there are no clear guidelines regulating the processing of personal data.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, however, require a body corporate, or any person processing personal information on its behalf, to publish a privacy policy.
The Personal Data Protection Bill introduced in Parliament in 2006 proposes seven principles with which the processing of personal data must comply, namely:
(i) the processing of personal data must be fair and reasonable;
(ii) it should be for a specific purpose;
(iii) only the personal data necessary for that purpose should be collected;
(iv) it should be lawful;
(v) the individual should be given adequate notice of the processing;
(vi) processed personal data should be complete, accurate, and not misleading; and
(vii) personal data may only be stored for as long as reasonably necessary to fulfill the purpose for which it is processed.
Sensitive personal data is a narrower category within personal data, defined in the legislation as personal information consisting of:
(i) passwords;
(ii) financial details such as bank account or credit card or debit card or some other payment instrument;
(iii) physical, physiological, and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) biometric information.
Information that is freely available in the public domain, or that is furnished under the Right to Information Act, 2005 or any other law in force, is not treated as sensitive personal data or information. In addition to treating financial status, caste, race, religion, and political affiliation as sensitive personal data, the PDP Bill introduces a vaguely defined further category of individually sensitive data.
Private data, on the other hand, is confidential to a person or organization and therefore cannot be publicly revealed without the express consent of that person or organization. It covers financial information, family details, psychological characteristics, locations and travel history, activities, talents, images, abilities, and the like.
India has adopted a unique biometric identification number for residents, named 'Aadhaar'. Aadhaar is governed by the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the rules and regulations made under it. Entities in regulated sectors such as financial services and telecommunications are subject to confidentiality obligations under sectoral laws, which require them to keep customers' personal information confidential and to use it only for specified purposes or in the manner agreed with the customer.
Lastly, personal data is protected through indirect safeguards developed by common law courts, equitable principles, and the law of breach of confidence. In Justice K.S. Puttaswamy (Retd.) & Another vs. Union of India, delivered in August 2017, a nine-judge bench of the Supreme Court recognized the right to privacy as a fundamental right under Article 21 of the Constitution (the "Privacy Judgment"). Informational privacy was accepted as a facet of the right to privacy, and the court held that privacy protection also extends to a person's information and to control over access to that information. The court declared that every individual should have the right to control the commercial use of his or her identity, and that from this right emanates the "right of individuals to use their identity and personal information exclusively for commercial purposes, to control the information available on the Internet about them and to distribute such personal information for restricted purposes only."
Fundamental rights can generally be enforced only against the state and its instrumentalities, and the Supreme Court accepted in the same judgment that protecting the right to privacy against private parties may require legislative intervention. Consequently, the Government of India formed a committee to propose a draft data protection statute. The committee proposed draft legislation, and on that basis the Indian government issued the Personal Data Protection Bill, 2019 ("PDP Bill"). If enacted, it will be India's first dedicated personal data protection law, and it will omit Section 43A of the IT Act.
Personal Data Protection Bill
The Ministry of Electronics and Information Technology formed a committee in July 2017 to examine data protection issues. The Committee was chaired by Justice B. N. Srikrishna, a retired judge of the Supreme Court. In July 2018, the Committee submitted its report together with a draft Personal Data Protection Bill. The Union Cabinet approved the Personal Data Protection Bill, 2019 on 4 December 2019, and after further deliberation it was tabled in the Lok Sabha on 11 December 2019. The PDP Bill was then referred to a Joint Parliamentary Committee, which was tasked with examining it and producing a revised draft.
The PDP Bill must therefore be approved by both houses of Parliament and published in the official gazette before it becomes law. After its introduction on 11 December 2019, the bill was referred to the Joint Parliamentary Committee (JPC), which has consulted various organizations. The bill sets out personal data protection measures and provides for the creation of a Data Protection Authority of India for that purpose. The 2019 Bill contains some significant provisions not found in the 2018 draft, notably a power for the Central Government to exempt any government agency from the Act; it also retains the right to be forgotten. After adoption, the bill will be brought into force in phases. No details of this transition timetable are currently available.
Justice B. N. Srikrishna criticized the revised Bill for turning India into an "Orwellian state." Justice Srikrishna said, "Government can access private data or data from government agencies on the grounds of sovereignty or public order at any time. That has dangerous implications." A think tank shares this view in its comment. Apar Gupta of the Internet Freedom Foundation notes that "Privacy is mentioned only once in this voluminous document — 49 references to 'security' and 56 references to 'technology'", implying that the Bill does not do enough to protect the privacy of an individual. Internationally, fresh criticism has come from an advisor to a group proposing an alternative text, and a reasonably critical review is available from a scholar in India working with an American co-author. On several fronts, the role of social media intermediaries is being more tightly regulated.
Data protection laws in India
Data protection refers to the set of privacy rules, regulations, and procedures intended to minimize interference with a person's privacy through the collection, transmission, and distribution of sensitive data. Personal data generally means data belonging to or associated with an identifiable individual, whether held by a government or by a private entity or corporation. The Constitution of India does not expressly confer a right to privacy. The courts, however, have read it into other established constitutional rights, namely the freedom of speech and expression under Article 19(1)(a) and the right to life and personal liberty under Article 21.
These Fundamental Rights are, however, subject to the reasonable restrictions laid down in Article 19(2) of the Constitution, which the State may impose. In the landmark case Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and Ors., a constitution bench of the Supreme Court held the right to privacy to be a fundamental right, subject to certain reasonable restrictions.
India has no dedicated data protection or privacy statute. Data privacy is instead addressed piecemeal by laws such as the Information Technology Act, 2000 and the Indian Contract Act, 1872, and codified data privacy legislation is badly needed. The IT Act, 2000 deals with civil liability for compensation and with criminal penalties for the misuse or misappropriation of personal data. Under Section 43A of the IT Act, 2000, a body corporate that possesses, deals with, or handles sensitive personal data or information in a computer resource it owns, controls, or operates, and that is negligent in implementing and maintaining reasonable security practices and procedures, thereby causing wrongful loss or wrongful gain to any person, is liable to pay damages by way of compensation to the person affected.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules deal only with the protection of "sensitive personal data or information" of a person, which comprises personal information relating to:
Passwords;
Financial information such as bank account or credit card or debit card or other payment instrument details;
Physical, physiological, and mental health condition;
Sexual orientation;
Medical records and history;
Biometric information.
The Rules prescribe the reasonable security practices and procedures to be followed by a body corporate, or by any person who collects, receives, possesses, stores, deals with, or handles information on its behalf. In the event of a breach, the body corporate (or the person acting on its behalf) may be held liable to pay damages to the person affected. A body corporate, or a person acting on its behalf, is deemed to have implemented reasonable security practices and procedures if it has a comprehensively documented information security programme and information security policies containing managerial, technical, operational, and physical security control measures commensurate with the information assets being protected. The Rules name the IS/ISO/IEC 27001 standard on "Information Technology - Security Techniques - Information Security Management System - Requirements" as one such standard. A body corporate that follows a different code of best practice must have it duly approved and notified by the Central Government. In either case, the security practices and procedures must be certified or audited by an independent auditor approved by the Central Government at least once a year, or whenever the body corporate's computer resources or processes are significantly upgraded.
Under Section 72A of the IT Act, 2000, any person who, while providing services under a lawful contract, discloses personal information about another person without that person's consent, or in breach of the lawful contract, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, is punishable with imprisonment for up to three years, or a fine of up to Rs 5,00,000, or both. It should also be noted that Section 69 of the IT Act, which constitutes an exception to the general rule of privacy and confidentiality of records, provides that the Government, if satisfied that it is necessary or expedient in the interest of:
the sovereignty or integrity of India,
defense of India,
security of the State,
friendly relations with foreign States,
public order,
for preventing incitement to the commission of any cognizable offense relating to the above,
for investigation of any offense, or
may, by order, direct any agency of the appropriate Government to intercept, monitor, or decrypt, or cause to be intercepted, monitored, or decrypted, any information generated, transmitted, received, or stored in any computer resource.
Where information is of a kind that ought to be disclosed in the public interest, the government may also require its disclosure. Information concerning anti-national activities, threats to national security, breaches of the law or of statutory obligations, or fraud falls within this category.
Lack of jurisprudence
India's data protection law currently faces many problems and much criticism because of the lack of a proper legislative framework. Globally, cybercrime continues to explode, and the theft and sale of stolen data take place across continents; in this technological era, physical boundaries impose no restrictions and appear non-existent. As the world's largest host of outsourced data processing, India could become an epicenter of cybercrime, primarily because of the lack of appropriate legislation. India's Data Security Council (DSCI) and the Department of Information Technology (DIT) also need to renew their efforts in this regard. The best approach, however, will come from sound statutory requirements combined with adequate awareness among the public and employees. It is high time that India paid attention to data security. Cybersecurity in India is lacking and needs to be revitalized; if even the cybersecurity of the PMO can be compromised for many months, we must wake up now, at the latest. Data breaches and cybercrime in India cannot be minimized until strict cyber laws are implemented, and we cannot achieve that by simply declaring a cat to be a tiger. India's cyber law also needs sound cybersecurity and effective cyber forensics to support it.
Indian IT and BPO companies manage, and have access to, private and sensitive data of all kinds belonging to people worldwide, including credit card numbers, financial records, and even medical records. These companies store confidential information and data online, where it may be exposed through the hands of their staff, and unscrupulous elements among them frequently misuse it. Security vulnerabilities and data leakage have occurred at high-profile Indian businesses, and recent cases of data leakage in the BPO industry have raised questions about data protection.
India has no specific data protection legislation. Although a Personal Data Protection Bill was introduced in Parliament in 2006, it has yet to see the light of day. The bill appears to be modelled on the European Union's Data Protection Directive of 1995 (Directive 95/46/EC). It follows a comprehensive model, aiming to govern the collection, processing, and distribution of personal data. It is important to note that the bill's applicability is restricted to personal data as defined in clause 2 of the bill.
The Bill covers the data processing activities of both government and private entities. It provides for the appointment of data controllers with overall authority and expertise over the matters covered by the Bill. It also provides that, in addition to compensation for claimants' losses, criminal penalties will be imposed on offenders. The Bill is a step in the right direction, but it has stalled on procedural grounds. While the IT Act contains India's rules on cyber and IT law and seeks to determine the extent to which a party may access data stored on a computer, it does not meet the need for stringent data privacy regulation.
The IT Act, 2000 was amended to address cybercrime, and the Information Technology (Amendment) Act, 2008 introduced two provisions that bear heavily on the legal framework for data protection: Sections 43A and 72A. Even so, the provisions on data protection and confidentiality remain significantly inadequate. Cases of data theft at BPOs have in recent years raised questions abroad, in the media, and in the legal community about the protection of foreign data in Indian hands. The reforms are thus more a government response to recent privacy abuses and similar incidents than a considered approach to data protection, and they have more to do with cybercrime and e-commerce concerns than with privacy.
Recent amendments to the IT Act
Section 43A provides that where a body corporate possessing, dealing with, or handling any sensitive personal data or information in a computer resource that it owns, controls, or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person affected. The term "body corporate" is broad enough to include a company, a firm, a sole proprietorship, or any other association of individuals engaged in commercial or professional activities. "Reasonable security practices and procedures" means security practices and procedures designed to protect information from unauthorized access, damage, use, modification, disclosure, or impairment, as may be specified either:
(i) in an agreement; or
(ii) in any law for the time being in force; and, in the absence of such an agreement or law, such practices and procedures as the Central Government may prescribe.
In particular, this means that parties may specify in their contract the level of protection they expect from the party receiving the data, and a party in breach is liable to pay damages under that contract. However, the Amendment Act did not itself define sensitive personal data or information; it merely provided that it means such personal information as the Central Government may prescribe, in consultation with such professional bodies or associations as it deems fit.
Section 72 is limited to information obtained by virtue of a power granted under the IT Act. Section 72A, by contrast, is wider: it applies to the disclosure, without consent, of a person's personal information obtained while providing services under a lawful contract, and not merely to the disclosure of information obtained under powers conferred by the IT Act. Section 72A also covers an "intermediary", defined by the amended Act as any person who, on behalf of another person, receives, stores, or transmits a particular electronic record or provides any service with respect to that record, including telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, and online auction sites.
What Indian law requires can be seen by comparing it with the law of developed countries. The U.K. enacted the Data Protection Act 1998 (DPA) to protect the privacy of individuals' personal data (it has since been superseded by the Data Protection Act 2018 and the UK GDPR, which retain the same core principles). Under the DPA, persons and organizations holding personal data had to notify the Information Commissioner, the official appointed to oversee the Act. The Act places limits on data collection: personal data may be collected only for one or more specified and lawful purposes, and may not be further processed in any manner incompatible with those purposes.
Both the U.S. and the European Union are focused on enhancing the protection of their citizens' privacy, but the U.S. takes a different approach from the EU. The United States has adopted a sectoral approach based on a mix of legislation, regulation, and self-regulation: data is grouped into several classes according to its use and sensitivity, and each class is granted a different degree of protection. The IT Act's provisions, by contrast, deal essentially with data extraction, data destruction, and the like. Organizations therefore cannot achieve full data protection under it and are ultimately forced to sign separate private contracts to keep their data protected, and those arrangements are only as enforceable as any other contract.
The European Union has implemented a detailed Directive on personal data protection in all its member states. The US complied with the EU Directive through the Safe Harbor arrangement so that EU businesses could transfer data to it (Safe Harbor was invalidated by the Court of Justice of the EU in 2015, and its successor, Privacy Shield, in 2020). It would be prudent for India too to comply with the EU Directive, as there is a great deal at stake. Despite the attempt to provide a law on data protection as a separate discipline, our legislature left several gaps in the 2006 bill. The bill was drafted entirely on the structure of the UK Data Protection Act, whereas what is required today is a comprehensive law, so it can be suggested that drafting informed by US data protection laws would better suit today's requirements. Under such laws, unauthorized use or transmission of credit data attracts prohibitive fines: credit information may be used only to assess a prospective customer's creditworthiness and may not be used for, or transferred to unauthorized persons for, any other purpose. The IT Act, again, protects only credit data, which is just one aspect of personal data.
Piecemeal legislation is insufficient; we require comprehensive data protection legislation that protects data subjects' rights and firmly prohibits the use of collected data for any purpose other than that for which it was collected. The Information Technology Act, 2000 is not a substantive law on data protection or privacy and lays down no specific principles on either. It is a general law covering a range of subjects, such as digital signatures, public key infrastructure, e-governance, cyber contraventions, cyber offences, and privacy: a single Act trying to do everything. Its provisions do not bear comparison with the European Data Protection Directive (95/46/EC), the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980, or the US Safe Harbor Principles.
The Information Technology Act, 2000 thus takes a piecemeal approach to data protection and privacy. It lacks any real legal framework of the kind found in the EU Directive, the OECD Guidelines, or the Safe Harbor Principles, such as a data protection authority or data quality principles, that adequately addresses data protection. The absence of data protection legislation is a serious blow to India's outsourcing industry. Consumers in the United States and the European Union are protected by comprehensive privacy regimes, and part of that protection is the obligation on companies not to transfer personal data to countries that do not provide adequate protection. European trade unions have accordingly cited data protection as an issue to be considered in many international outsourcing deals. This restricts the flow of personal data, which has a severe impact on our outsourcing industry.
Conclusion
India requires a legislative framework that sustains and encourages the BPO boom by meeting both the legal and the public standards of the jurisdictions from which data is transmitted to India. Practically speaking, India's biggest challenge is to formalize its domestic data protection regime and have it widely recognized as adequate. Under its 1995 Data Protection Directive, the EU formally designates the countries it regards as providing adequate protection. To date, only a handful of countries, such as Argentina, Canada, and Switzerland, have been placed on this list. If India were also included, by implementing appropriate legislation, EU member states could export data to India without the obligatory, complicated, and lengthy procedures that otherwise apply. India sees itself not merely as a service provider to corporate America and Europe but as a place where corporations are created, and a strong data protection law would let it expand far beyond being a mere service provider to multinational companies worldwide.
Tanmay Gujarathi