Data Protection & Privacy Issues in India

Data surrounds us and is generated in virtually everything we do. One type is data that we may voluntarily share, and the second type is the data which is generated literally every time we do something – whether it be travel, order a meal or use transportation. There is no doubt that this data is immensely valuable and several companies are willing to pay for access to this data. Indeed, in this age of universal and virtually free access of internet, data is the new currency. What is even more intriguing that the full potential of the data is not known. As technology progresses, newer applications emerge enhancing the value of the data.

Several questions beg consideration: who does this data belong to? Who can access it? What are the limits, if any, on the exploitation of this data? As in all things technology, the law is paying catch up. Jurists around the world are struggling to marry traditional concepts of the law and the absurdly invasive times we find ourselves in. This position is further complicated by several governments demanding and seeking access to data from its citizens and corporates. On the other hand, what are the limits to privacy? Can data be demanded for the availing of basic services, travel or even government benefits? Does national security override all concerns of privacy?

The debate has now reached new levels. On August 24, 2017, the Supreme Court of India held that the ‘right to privacy’ is a fundamental right guaranteed by Part III of the Constitution of India. This decision will have farreaching ramifications on the laws and regulations. New laws will now be tested on the same parameters on which the laws that infringe upon person liberty are tested under Article 21 of the Constitution of India. The right to privacy is now unequivocally available – the question that still remains outstanding is its contours and limits. That will be examined in another matter, i.e. the Aadhar case, which deals with the mandatory biometric registration of all those seeking access to government services in India.

As on date, India does not have a comprehensive legislation which deals with data protection and privacy. The existing legislations and policies are essentially sectoral in nature. Apart from other sectoral legislations, as of now, the relevant provisions of Information Technology Act, 2000 and the rules thereunder, regulate the collection, process and use of ‘personal information’, and ‘sensitive personal data or information’ by a ‘body corporate’ in India.

The Government is also in the process of formulating a detailed legislation governing data privacy and protection. More concrete efforts in this direction started with group of experts on privacy chaired by Justice A.P. Shah, former Chief Justice, Hon’ble High Court of Delhi, which submitted its detailed report on October 16, 2012. Recently government has appointed an expert committee under chairmanship of Justice Srikrishna, a former Judge of the Supreme Court of India, to (i) to study various issues relating to data protection in India; (ii) to make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill. Accordingly, the committee is expected to submit its report along with the bill by the end of the year 2017.