INTRODUCTION
“Data is the pollution problem of the information age, and protecting privacy is the environmental challenge.” – Bruce Schneier
This has led to a global consciousness of the need to protect people's privacy. Most countries have implemented specific acts in order to protect the interests of their citizens. Moreover, some countries have entered into agreements in order to enhance their data protection strategy, like the Privacy Shield between the European Union and the United States or the Swiss-US Privacy Shield.
However, India is yet to enact a law for the protection of the personal data of its citizens; the lack of one might give rise to serious security risks to an individual's or organization's confidential information as well as identity.
Recently, the Privacy Shield program between the European Union and the United States of America was declared invalid. This has been speculated to have a considerable impact not only on the European-US scene but also on the rest of the world, including India. It has caused a certain level of uncertainty regarding business involving cross-border data transfers outside the EU. After all, in this digital age, it is of utmost importance that the interests of all the participating countries are protected equally, as many industries, especially the IT industry, conduct business closely with the European markets and the United States.
WHAT IS DATA PRIVACY?
Data has been categorized into two forms: Public Data and Personal Data. Public data refers to information that can be shared with the public, like details of an organization, etc.
Personal Data refers to the data that are personal to an individual or organization and can’t be accessed by other persons without any prior permission. These data might include financial and family details, photographs, locations or travel history, and any other characteristics which might be confidential.
Data protection means ensuring important data or information are safe from corruption, loss or any unauthorized use[1].
It has been divided into 3 categories, namely:
1) Traditional Data Protection: Backup/Restore, Archiving, RAID & Erasure Coding, Data Retention, etc.
2) Data Security: Encryption, Authentication, Threat Monitoring, Data Loss Prevention, etc.
3) Data Privacy: Legislation, Policies, Data Governance, Global Variations, etc.
THE EU – US PRIVACY SHIELD
Its main objective was to protect the citizens of the European Union by mandating that US corporations operate under the privacy laws of the EU when receiving any personal data of organizations or individuals from the European Union. It imposed strong data protection responsibilities upon the companies receiving data, and also restricted access by the US government. Both the EU and the US had agreed to hold a joint review annually in order to oversee that all guidelines were properly implemented. The Privacy Shield was proposed to help in the smooth and safe transfer of data to companies in the USA. However, it was heavily criticized by many Europeans who were skeptical of the proposed Privacy Shield. They were worried about whether their privacy and interests would be properly protected. There was a huge demand for an easy redressal system and a transparency scheme to make sure that their personal data did not fall into the wrong hands.
After a long conflict and its failure to serve its intended purpose, the Privacy Shield mechanism was challenged in court. The case was Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems (Schrems-II), in which the European Court of Justice (ECJ) delivered a landmark ruling declaring the Privacy Shield between the European Union and the United States of America invalid, though the participants would have to follow the “Standard Contractual Clauses”, equal to the provisions provided under the General Data Protection Regulation (GDPR).
The United States would still commit to ensuring that there is no breach in the privacy protections, and the U.S. Department of Commerce will continue to work closely with the European Commission and the European Data Protection Board. Moreover, the European Data Protection Board has stated that an enhanced framework will be introduced in the following years that will comply with the European data protection laws.
DATA PRIVACY IN INDIA
Under Section 69 of the IT Act, the Central Government has the authority to block online content as well as arrest the culprit. For example, there was recently a ban on Chinese apps in the country, as per Section 69A[4].
Article 21 of the Indian Constitution provides the ‘Right to Privacy’. It is regarded as one of the most important rights given to the citizens. It was recognized as a fundamental right with the landmark ruling in the case K.S. Puttaswamy & Another v. Union of India. The Supreme Court observed that information or data privacy is an aspect of the right to privacy and that the protection of people's privacy should be considered a necessity.
The Court also recognized the “Right to be Forgotten” as an important part of Article 21 of the Indian Constitution. This refers to the right to restrict, erase, or correct the disclosure of personal information on the Internet that is misleading, humiliating, or irrelevant.
Moreover, a committee was constituted by the government in order to draft a statute on data security, which will be India's first law regarding safeguards for private data. This statute was termed the Personal Data Protection Bill 2019 (PDP Bill). After its enactment, Section 43A of the IT Act will be repealed. Currently, the draft is undergoing revision by a Joint Parliamentary Committee. According to this Bill, incidents related to cyber security would have to be reported to the Indian Computer Emergency Response Team (“CERT-In”) as per Section 70B of the IT Act. It also contains provisions for compensation from the data processor and for penalties in case there is any breach of disclosure.
CONCLUSION
[1] “What is Data Protection”, Storage Networking Industry Association (SNIA) <https://www.snia.org/education/what-is-data-protection>
[2] Universal Declaration of Human Rights, 1948.
[3] 1966.
[4] Information Technology Act, 2000.
Author: Shruti Sudha Samantaray, University Law College, Bhubaneswar, Odisha.
Excellent article by a beginner – a student still learning