Reading time : 10 minutes
This article is prepared for the purposes of understanding and documenting the Cyber Laws currently in India in the context of Data Privacy and Cyber Security as well as the upcoming new laws on Data Privacy;
The word “data protection” has become synonymous with other state-guaranteed citizen rights in recent years. The development of technology has accelerated dramatically since the turn of the century, and it has now become a vital element of human life. Today, these technologies have become so intertwined with a human’s day-to-day life that they now save vital information on the user. That is why data protection has become so important in protecting an individual’s interests.
Importance of Data Protection in cyber Law-
With the advancement of Artificial Intelligence (AI), several software apps such as Facebook, Google, and others have emerged that can not only gather and retain a user’s personal data but also process it for any other purpose. In 2018, the Cambridge Analytica case drew the attention of numerous governments to the protection of their citizens’ personal data. Around 80 countries around the world have implemented various privacy policies to protect their citizens’ personal data, such as GDPR (General Data Protection Regulation) in the European Council, Brazil Internet Act, 2014 in Brazil, Personal Information Protection and Electronic Data Act (PIPEDA) in Canada, and so on.
This large number of countries appears to indicate many governments’ concerns about the security of their citizens’ personal information. As a result, data protection is included as one of the branches of cyber law in the implementation of many legislations around the world.
- Data Protection Under Indian Law–
In India, there are no particular regulations for data protection; instead, the IT Act “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011” governs data privacy and protection. The Indian courts have, from time to time, interlaced the concept of privacy with the interpretation of the right to life and personal liberty under Article 21 of the Constitution.
Currently, India lacks a comprehensive data privacy law.The Justice BN Srikrishna Committee, established by the Ministry of Electronics and Information Technology (MeitY), introduced the Draft Personal Data Protection Bill, 2019 (the “PDP Bill”).
The PDP Bill attempts to make India’s data protection laws more broad. The PDP Bill is intended to apply to the government, Indian enterprises, and international organisations dealing with personal data of Indian citizens.
On December 11, 2019, the PDP Bill was tabled in the Lok Sabha and was promptly referred to a Joint Parliamentary Committee for further consideration. The administration had given the Parliamentary Committee till February 2020 to present its findings to the Lok Sabha. This deadline has been pushed back until February 2021. The Parliamentary Committee, on the other hand, has yet to submit its report to the Lok Sabha.
It is critical to remember that basic rights are only enforceable against the state, and that privacy is not enforceable against non-state actors (apart from few exceptions). This raises the question of which laws apply to privacy breaches involving non-state actors. To address the issue, Information Technology Act, 2000 (“IT Act”) was amended in the year 2008 to bring in new provisions such as Section 43-A and Section 72-A.
Section 43-A of the IT Act primarily deals with the compensation for negligence in implementing and maintaining ‘reasonable security practices and procedures’ in relation to ‘sensitive personal data or information’ (“SPDI”) while Section 72-A of the IT Act mandates punishment for disclosure of ‘personal information’ in breach of lawful contract or without the information provider’s consent.
Under section (2) of section 87 read with section 43-A of the IT Act, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) were released on April 13, 2011. The SPDI Rules only apply to Indian corporations and individuals, and in a few circumstances, the rules only apply to relationships between individuals and corporations.
The Data is broadly divided into 2 categories:
- Personal Data
- Sensitive Personal Data
The Privacy Rules define “personal information” and “sensitive personal data or information” as follows:
Personal information is any information about a natural person that, when combined with additional information available or anticipated to be available with a body corporate, is capable of identifying that person, either directly or indirectly.
Sensitive personal data is defined in the Rules as “sensitive personal data or information.” The following sorts of data or information are deemed personal and sensitive, according to Rule 3:
- Bank Account details
- Credit/debit card details
- Present and past health records
- Sexual orientation
- Biometric data
A body corporate must get prior consent from the information source for the purpose of using the SPDI under Rule 5. Such information should only be gathered if it is necessary and required for a valid reason related to the body corporate’s operation.
The body corporate must also take reasonable steps to ensure that the information provider is aware of the data collection, the purpose of the data collection, the intended recipients, and the name and address of the data collection and retention agency. The information should be used only for the purpose for which it is collected and should not be retained for a period longer than what is required.
In the Supreme court judgment of Kharak Singh vs The State Of U. P. & Others it as stated by majority that right to privacy is a fundamental right but there are certain restrictions on the basis of compelling public interest.
And the most recent judgment of by the Supreme Court on Privacy is Justice K. S. Puttaswamy v Union of India this case was decided by the majority judges. The constitutional bench held that right to privacy is a fundamental right but having some restrictions.
In this case it was asked whether the Indian Constitution even has a fundamental right to privacy, since it is not explicitly stated. The nine-judge bench said that Indians do have this fundamental right, and that Aadhaar would have to be tested against it.
The Indian government has formed a committee to examine data protection issues in India and has proposed a draft data protection act. The above Supreme Court’s decision represents a significant step forward in India’s debate over privacy and data protection.
The body corporate must give the information source the right to examine and update the SPDI, as well as the ability to withdraw consent at any time in connection to the information that has been submitted. If the consent is revoked, the body corporate has the option of refusing to deliver the products or services for which the information was requested.
A body corporate may transfer SPDI to other body corporates outside India under rule 7, if the transferee ensures the same or equal degree of data security as the body corporate as defined by the Rules. However, the transfer may be allowed only if it is required to carry out a legal contract between the body corporate and the information provider.
Collection and Disclosure:
Disclosure to Third Party:
The body corporate shall obtain permission from the information supplier before sending the information to a third party other than government entities. The body corporate can only give them information if it is specifically stated in the contract.
Under section 72A of the (Indian) Information Technology Act, 2000, knowingly and intentionally disclosing information without the consent of the person concerned and in violation of a lawful contract is punishable by imprisonment for up to three years and a fine of up to Rs 5,00,000 (approximately US$ 8,000).
It’s worth noting that section 69 of the Act, which is an exemption to the general rule of maintaining information privacy and secrecy, states that if the Government is persuaded that it’s essential in the interest of:
- the sovereignty or integrity of India,
- defence of India,
- security of the State,
- friendly relations with foreign States or
- public order or
- for preventing incitement to the commission of any cognizable offence relating to above or
- for investigation of any offence,
It may direct any relevant government agency to intercept, monitor, or decrypt, or cause to be intercepted, monitored, or decrypted, any information generated, transmitted, received, or stored in any computer resource, by an order. This section gives the government the authority to intercept, monitor, or decrypt any information in any computer resource, including personal information.
The government may demand disclosure of information when it is in the public interest to do so. This category may include information about anti-national acts that are against national security, law or statutory obligation violations, or fraud.
The key principles that apply to the processing of personal data:
The processing of personal data is based on six data protection principles, all of which are fundamental. This processing must adhere to the standards outlined in Article 5(1) of the GDPR.
The first premise is about legality, justice, and transparency. In regards to data subjects, it mandates that personal data be treated in a legitimate, fair, and transparent manner. Transparency requires that all information and communications relating to the processing of personal data be readily available and understandable. In addition, clear and simple terminology must be employed in this regard.
The purpose limitation principle is the second principle. It means that personal data should only be acquired for specific, explicit, and legal purposes, and that they should not be processed in any way that is incompatible with those goals. However, keep in mind that subsequent processing for public interest, scientific or historical research, or statistical purposes is not regarded incompatible with the original aims and is thus permitted.
Data minimization is the third principle. Personal data must be appropriate, relevant, and limited to what is necessary in relation to the purposes for which they are processed, according to this principle. In practise, this means that data cannot be processed unless it is absolutely necessary to meet the aforementioned goals.
The fourth principle is accuracy, which means that it is vital to ensure that personal data is correct and up to date where necessary. Personal data that is erroneous, in light of the reasons for which it is processed, must be erased or corrected as soon as possible.
Storage Limitation is the sixth principle. It means that personal data must be maintained in a form that allows data subjects to be identified for no longer than is necessary for the processing’s purposes. When these data are processed for public-interest purposes, scientific or historical research purposes, or statistical purposes, they can be kept for longer periods of time. However, data subjects’ rights and freedoms must be protected in these situations as well.
Integrity and Confidentiality:
Finally, the sixth principle of integrity and confidentiality mandates that proper security of personal data be provided during the processing of personal data. Protection against unauthorised or unlawful processing, destruction, and damage should be included. To comply with this criterion, appropriate technological or organisational steps must be taken: such data security measures can include the use of encryption, authentication, and authorisation procedures.
- Summary of Personal Data Protection Bill (PDP), 2019
The Personal Data Protection Bill, 2019 released on 10 December 2019 introduced key changes from its draft version which was released last year on 27 July 2018 (PDPB 2018). Post approval by the Union cabinet, the India Personal Protection Bill, 2019 (PDPB 2019) was introduced in the Lok Sabha (Parliament) by the minister of electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019.
The bill governs the processing of personal data by:
2. Companies incorporated in India
3. Foreign companies dealing with personal data of individuals in India
The Bill seeks to provide for protection of personal data of individuals and established a Data Protection Authority for the same. It was decided to refer the Bill to a Parliamentary Select Committee for review. Post this review the India PDPB 2019 will be introduced in the Budget session (tentatively in first week of Feb 2020).
Protection of Personal data of data principal is at the core of draft Personal Data Protection Bill, 2019 (hereafter referred to as “PDPB” or “BILL”). This means once the bill is enacted and enforced, privacy will no longer be an option and cannot be ignored. Among many significant provisions, the PDPB proposes substantial penalty for violation of the stated requirement. Such Provisions, along with heightened focus on collection and use of personal data, will require organizations (referred in the Bill as Data Fiduciary and Data processor) to revisit their risk acceptance criteria and establish a robust privacy and data protection framework.
Key Provisions of the Bill
The bill aims to modernise India’s present data protection legislation, which is governed by the Information Technology Act of 2000. It aims to control the processing of personal data of persons by the Indian government, Indian companies, and foreign companies. Individuals’ personal data is governed by certain provisions. The following are some of the bill’s most important provisions:
- Definition of Personal Data–
Personal data is defined under the law as information about a natural person’s characteristic, trait, attribute, or any other aspect that aids in that person’s identity. The bill also establishes a distinction between sensitive and critical personal data.
Financial data, health data, sex life, sexual orientation, biometric data, transgender status, caste or tribe, religious and political affiliations, and other sensitive personal data are examples.
Any data that will be notified as important personal data by the Central Government is considered crucial personal data.
- Data Fiduciary–
Any business or individual who determines the purpose and means of processing personal data is referred to as a data fiduciary. Certain obligations connected to the Data fiduciary are enumerated in the bill, some of which are as follows:
- Only clear and lawful motives should be used to process personal data.
- The Data Principal’s privacy, i.e. the person to whom the data belongs, should be protected.
- For the purposes of collecting personal data, the Data Fiduciary must provide a notice to the Data Principal.
- The bill places limitations on the Data Fiduciary’s ability to keep personal data collected after it is collected.
- The Data Fiduciary is also held liable for adhering to the bill’s obligations regarding data processing.
- Data Processing without consent–
The bill allows for data processing after obtaining approval from the Data Principal, although data can also be processed without consent in the following situations:
- For the fulfilment of any state duty authorised by law
- In order to comply with any court order or judgement
- For the aim of employment or anything similar
- Whistleblowing, preventing and detecting illegal conduct, mergers and acquisitions, credit scoring, debt recovery, and other reasonable goals are examples of acceptable reasons.
- Rights of the Data Principal–
The bill also establishes rights that a data principal can exercise, such as the right to obtain information about the manner in which the data fiduciary processes personal data and the right to seek information about the method in which the data fiduciary processes personal data. The bill also allows the data controller the ability to rectify and delete any personal data.
- Social Media Intermediaries–
The law defines Social Media intermediaries as services that allow one or more users to share, post, disseminate, or produce content. This will empower the government to classify them as data fiduciaries, requiring them to abide by the Bill’s terms.
- Data Protection Authority–
The law calls for the creation of a Data Protection Authority to safeguard data subjects’ interests, prohibit misuse of personal data, ensure compliance, and raise data protection awareness. The authority will be able to keep a database on its website with the names of key data fiduciaries and a rating in the form of a data trust score that will show whether or not they are complying with the bill’s provisions.
- Transfer of Personal Data outside India–
The bill places limitations on the export of sensitive and important personal data outside of India. Sensitive personal data may be transmitted outside of India if certain circumstances are met, such as the transfer being undertaken under the terms of a contract or intra-group arrangement that has been approved by the Data Protection Authority (Authority) and after consulting with the Authority, the Central Government approves the transfer.
- Regulatory Sandbox–
The data protection authorities must establish a sandbox to promote and support the use of artificial intelligence, machine learning, and other developing technologies. The entities that will be included in the sandbox will not be required to comply with the Bill’s restrictions.
- Offences and Penalties–
The bill carries stiff consequences. For processing or transferring personal data in violation of the Bill, a fine of INR 15 crores or 4% of the data fiduciary’s annual revenue, whichever is higher, is applied. If the data fiduciary fails to undertake data audit, a fine of INR 5 crores or 2% of the data fiduciary’s annual turnover, whichever is higher, would be imposed.
- Re-identification and processing of de-identified personal data:
Any person who, knowingly or intentionally-
Re-identifies personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or
Re-identifies and processes such personal data as mentioned in clause (a), without the consent of such data fiduciary or data processor.
Such persons shall be punishable with imprisonment for a term not exceeding three years or with a fine which may extend to two lakh rupees or both.
- Cognizable and non-bailable offences:
Notwithstanding points contained in the code of Criminal Procedure, 1973, an offence punishable under this Act shall be cognizable and non-bailable.
No court shall take cognizance of any offence under this Act, save on a complaint made by the Authority.
- Offences by Companies:
Where an Offence under this Act has been committed by a Company, every person who, at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
The Quantum of Punishment depends on the nature of offence.
- Offences by Central of State Government Departments:
Where it has been proved that an offence under this Act has been committed by any department or authority or body of the state, by whatever name called, the head of such department or authority or body shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
The Quantum of punishment depends upon the nature of offence.
Data Protection Authority of India-
Powers and Functions of Authority:
- The Authority would be set up by the Central Government
- The appointment and associated terms and conditions for the authority will be taken care by the central government
- The Authority shall, by regulations, specify codes of practice to promote good practices of data protection and facilitate compliance with the obligations under this Act.
- Without prejudice to the generality of the foregoing and other functions of the Authority shall include-
- Monitoring and Enforcing
- Taking prompt and appropriate action in response to personal data breach in accordance with the provisions of this act;
- Maintaining a database on its website containing names of significant data fiduciaries along with a rating in the form of a data rust score indicating compliance with the obligations of this act by such fiduciaries;
- Examination of any data audit reports and taking any action pursuant thereto;
- Issuance of certificate of registration to data auditors and renewal, withdrawal, suspension or cancellation thereof and maintaining a database of registered data auditors and specifying the qualifications, code of conduct, practical training and functions to be performed by such data auditors;
- Classification of data fiduciaries;
- Monitoring the cross-border transfer of personal data;
- Specifying the codes of practice;
- Promoting awareness and understanding of the risks, rules, safeguards and rights in respect of protection of personal data amongst data fiduciaries and data principles;
- Monitoring technological developments and commercial practices that may affect protection of personal data;
- Specifying fees and other charges for carrying out the purposes of this Act;
- Receiving and inquiring complaints under this Act; and
- Performing such other functions as may be prescribed.
Processing of Personal Data and Sensitive Personal Data of Children
Before processing personal data and sensitive personal data about children, data fiduciaries must use appropriate age verification and parental consent systems.
The manner for verification of the age of child shall be specified by regulations, taking into consideration
- The volume of personal data processed
- The proportion of such personal data likely to be that of child
- Possibility of harm to child arising out of processing of personal data
- Such other factors as may be prescribed
Consent and Rights to Data principles
Personal data can only be handled with the consent of the data subject, which must be granted no later than when the processing begins.
A Valid Consent would be-
- Specific, having regard to whether the data principal can determine the scope of consent in respect of the purpose of processing;
- Clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and
- Capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.
Explicit consent- Sensitive personal data may be processed on the basis of explicit consent
- The data fiduciary shall bear the burden of proof to establish that consent has been given by the data principal for processing of personal data
- If the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal
- The data fiduciary shall not make the provision of any goods or services or the quality of those goods and services, performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose.
- The sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal.
Rights Of Data Principles-
PDP Bill grants a wide range of rights to data principals that can be exercised:
- Right to be forgotten
- Right to confirmation and Access
- Right to Correction and erasure
- Right to Data portability
Transparency and Accountability measures
- Privacy by Design policy–
Every data fiduciary shall prepare a privacy by design policy; Subject to the regulations made by the Authority, the data fiduciary may submit its privacy by design policy prepared under pt. (1) to the Authority for certification within such period and in such manner as may be specified by regulations; The Authority, or an officer authorized by it, shall certify the privacy by design policy on being satisfied that it complies with the requirements pt. (1); The privacy by design policy certified under sub-section (3) shall be published on the website of the data fiduciary and the Authority
The data fiduciary shall notify, from time to time, the important operations in the processing of personal data related to the data principal in such manner as may be specified by regulations.
- Security Safeguards–
Every data fiduciary and the data processor shall implement necessary security safeguards, having regard towards the nature, scope and purpose of processing personal data, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing to data principals.
- Personal Data Breach
In case of a personal data breach that is likely to cause harm to the data principal, the data fiduciary must notify the same to the Authority along with information with respect to the nature of the personal data that has been breached, number of data principals affected by the breach, consequences and measures taken to remedy the breach within the prescribed time frame
- Data Protection Impact Assessment
Where the significant data fiduciary intends to undertake processing involving new technologies, large scale profiling, use of sensitive personal data such as genetic data or biometric data, which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions.
- Record Keeping and Data Audits.
Accurate records of data lifecycle, periodic review of security safeguards and DPIA will have to be maintained by the data fiduciary. The data fiduciary must have its policies and its processing activities audited annually by an independent auditor
- Other provisions for cyber security taken by RBI under the Security and Risk Mitigation Measures for Electronic Payment Transaction According to RBI, with cyber-attacks becoming more unexpected and electronic payment systems being exposed to new sorts of misuse, banks must implement certain minimal checks and balances to reduce the impact of such assaults and mitigate the damage. As a result, banks are required to implement security and risk control measures, surrounding Securing Card payment transactions, Securing Electronic Payment Transactions
- Banks should guarantee that the terminals used by merchants to capture card payments (including double swipe terminals) are approved for PCI-DSS and PA-DSS (Payment Card Industry-Data Security Standards) (Payment Applications -Data Security Standards)
- All acquiring infrastructure that is now operative on IP (Internet Protocol) based solutions should be required to undergo PCI-DSS and PA-DSS certification by banks. Acquirers, processors/aggregators, and large merchants should all be included.
- Electronic payment methods such as RTGS, NEFT, and IMPS have evolved as channel-agnostic means of transferring funds. These have grown in popularity thanks to the online banking channel, and it is critical that such distribution routes be safe and secure as well. The following are some of the additional measures that banks need to implement:
- Customer-initiated options for setting a limit on the value/mode of transactions/beneficiaries may be available. If a customer wants to go beyond the limit, an additional authorization may be required.
- A limit on the number of beneficiaries per account that can be added each day should be explored.
- When a new beneficiary is added, an alarm system may be implemented.
- Banks may implement a velocity check on the number of transactions processed each day/per beneficiary, and any questionable transactions should trigger an internal and external alert.
- For such payment transactions, the addition of an additional factor of authentication (ideally dynamic in nature) should be explored.
- Banks may explore requiring all clients to sign digital signatures for large-value payments, starting with RTGS transactions.
- As an additional validation check, capturing the Internet Protocol (IP) address should be considered.
- The benefits of bank sub-membership in centralised payment systems have been made available to the clients of such sub-members. To maintain safety and limit reputation risk, banks adopting sub-members should ensure that the security measures put in place by the sub-members are on par with the standards followed by them.
- Some of the kinds of cybercrimes recognised in the IT Act, 2000 for protection of the stakeholders are enlisted below–
|Sections – IT Act,2000||Brief Description of the provisions|
|Sec 43(a)||Unauthorized Access|
|Sec 43(b)||Unauthorized Downloading, Copying or Extraction|
|Sec 43 (c)||Computer Virus, Worm, Contaminant|
|Sec 43 (d)||Damaging a Computer|
|Sec 43 (e)||Disruption of a Computer|
|Sec 43 (f)||Denial of Service Attacks,|
|Sec 43 (g)||Facilitating Unauthorized Access|
|Sec 43 (h)||Tampering or Manipulating Computer|
|Sec 43 (i)||Destruction, Deletion or Alteration|
|Sec 43 (j)||Source Code Theft|
|Sec 43-A||Compensation for failure to protect data:|
|Sec 65||Tampering with computer source documents:|
|Sec 66B||Punishment for dishonestly receiving stolen computer resources or communication device:|
|Sec 66C||Punishment for identity theft:|
|Sec 66D||Cheating by personation:|
|Sec 66E||Violation of Privacy:|
|Sec 66F||Cyber Terrorism|
|Sec 67||Transmitting obscene electronic material:|
|Sec 67A||Electronic material containing sexually explicit act|
|Sec 67B||Child Pornography|
As can be understood from the above points and coverage of Cyber Laws in this country that there is going to be a significant paradigm shift in Data Privacy and Cyber Security Laws in India in tandem with the growing chorus around these subjects due to rapid usage of technology, digitization of banking and use of Fintech in various means and ways even surpassing those used in the western worlds;
These developments along with Ecommerce flourishing in India via Amazons, Flipkart and similar online ‘Market Place’ creators or other Inventory based Ecommerce players have resulted in the growing need for appropriate protection of citizens and guidance to players in accordance with a framework that protects all stakeholders; ant harm to the is also barred.
Author: Rohit R Kamath, Vivekanand Education Society’s College of Law
Editor: Kanishka Vaish, Senior Editor, LexLife India.