What Does The Law Say About Data Protection?

LegalKart Editor
Last Updated: Apr 9, 2024

Data protection has emerged as a leading concern in today’s world due to the rise in the number of cybercrimes. The current Indian legal framework is inadequate in dealing with the threat posed by cybercrimes. The Supreme Court of India has also recognized the need for and importance of legislation that seeks to protect the personal data of citizens. Based on this report, the Personal Data Protection Bill was tabled in Parliament. The Bill has not yet become law. Once passed, it will become the sole law addressing data protection issues in India, replacing Section 43A of the Information Technology Act, which currently regulates data privacy in India.

The Information Technology Act, 2000


In 2008, Section 43A was inserted in the Information Technology Act, along with Section 72A, to address the issue of protection of personal data. Section 43A makes a company that collects sensitive personal data and fails to protect it, thereby causing wrongful gain or loss, liable for damages. Sensitive personal data is sensitive information that may be used to identify a person: for instance, passwords, biometrics, medical records, physical and mental health, financial information, or any other information which relates to a person and which can be misused against that person.

However, information about an individual that is freely available in the public domain or under the Right to Information Act is not included under sensitive personal data or information. Section 72A spells out the penalty for unauthorised disclosure of such information. Any person who discloses sensitive personal data shall be liable to imprisonment for a term not exceeding three years, or a fine of up to INR five lakhs, or both.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011


The Sensitive Personal Data or Information Rules presently regulate data protection in India. They only apply to companies and individuals based in India. The Sensitive Personal Data or Information Rules mandate the following:

  1. Rule 3 lays down an illustrative list of information that may be considered sensitive personal information. It includes information like passwords, credit/debit card information, biometrics, sexual orientation, medical history, and physical and mental health condition.

  2. Rule 4 makes it mandatory for a company to draft a privacy policy and make that policy accessible to the people who are giving their personal information.

  3. Rule 5 and Rule 6 contain certain basic duties and obligations which are to be complied with by the company seeking information.

  4. Rule 8 mandates certain reasonable security practices and procedures that all companies are required to adopt.

Conclusion 


The Sensitive Data Protection Rules have been inadequate in addressing the issue of data protection. Not having a dedicated law aimed at data privacy is altering India’s image in the world. The Personal Data Protection Bill, 2019 (PDP), as stated earlier, will, if passed, become an exclusive law regulating data protection in India.

The PDP seeks to protect not only sensitive personal information but personal information of all kinds. It calls upon companies that collect personal information and determine the purpose of its collection to follow certain safeguards in order to protect the data from being leaked. Among other things, the PDP stresses the consent of the individual for the processing and usage of his personal data. If passed, it can go a long way toward providing proper data protection mechanisms in India.