Indian and International Framework of Protection of Data and

Privacy Laws

The present legal framework on data privacy in India is limited in nature. Data
Protection refers to the set of privacy laws, policies and procedures that aim to
minimize intrusion into one's privacy caused by the collection, storage and
dissemination of personal data. Personal data generally refers to the information or
data which relate to a person who can be identified from that information or data
whether collected by any Government or any private organization or an agency.
Norms relevant to data protection and privacy are also dispersed across statutes
pertaining to diverse sectors such as taxation and health, leading to the lack of a
coherent regulatory framework.
Advances in information communication technology are dramatically
improving real-time communication and information-sharing. By improving access
to information and facilitating global debate, they foster democratic participation.
By amplifying the voices of human rights defenders and helping to expose abuses,
these powerful technologies offer the promise of improved enjoyment of human
rights. But at the same time it has become clear that these new technologies are
vulnerable to electronic surveillance and interception. Recent discoveries have
revealed how new technologies are being developed covertly, often to facilitate
these practices, with chilling efficiency.
In August 2017, the requirement for a law on the protection of personal data was
first recognized by the Supreme Court of India in Justice K S Puttaswamy v Union
of India. It explicitly recognized an individual’s fundamental right to privacy and
paved the path for a foundational legislation on the protection of personal data. It
was closely followed by the release of the report and draft law by the Committee of
Experts, chaired by Justice B N Srikrishna.
On 27 July 2018, the committee submitted the draft Personal Data Protection Bill,
2018, along with its report titled “A Free and Fair Digital Economy: Protecting
Privacy, Empowering Indians” to the central Government. The passage of the bill
will lead to a shift in the legal framework and replace section 43A of the IT Act
and the SPDI rules issued under it.
The bill imposes restrictions on the cross-border transfer of personal data. This is
achieved by a non-exclusive localization mandate where a data fiduciary is to
ensure the storage of one serving copy of all personal data. Additionally, an
exclusive localization mandate requires that critical personal data shall only be
processed in a server or data center located in India. What constitutes critical
personal data shall be notified by the central government.
Additionally, the bill highlights conditions for cross-border transfer of personal
data that are not sensitive personal data, including the transfer being made subject
to standard contractual clauses or intra-group schemes approved by the authority,
the authority’s approval due to necessity, consent of the data principal, etc.
The bill seeks to establish a regulatory authority for monitoring and enforcing the
provisions of the act. It is the duty of the authority to protect the interests of the
data principals, prevent misuse of personal data, ensure compliance of data
fiduciaries with the provisions of the law and promote awareness of data
protection.

International legal framework

In December 2013, the United Nations General Assembly adopted resolution
68/167, which expressed deep concern at the negative impact that surveillance and
interception of communications may have on human rights. The General Assembly
affirmed that the rights held by people offline must also be protected online, and it
called upon all States to respect and protect the right to privacy in digital
communication. The General Assembly called on all States to review their
procedures, practices and legislation related to communications surveillance,
interception and collection of personal data and emphasized the need for States to
ensure the full and effective implementation of their obligations under international
human rights law.

As General Assembly resolution 68/167 recalled, international human rights law

provides the universal framework against which any interference in individual
privacy rights must be assessed. The International Covenant on Civil and Political
Rights, to date ratified by 167 States, provides that no one shall be subjected to
arbitrary or unlawful interference with his or her privacy, family, home or
correspondence, nor to unlawful attacks on his or her honor and reputation. It
further states that “Everyone has the right to the protection of the law against such
interference or attacks.”
Other international human rights instruments contain similar provisions. While the
right to privacy under international human rights law is not absolute, any instance
of interference must be subject to a careful and critical assessment of its necessity,
legitimacy and proportionality.
APEC Cross border Privacy Rules: (copied from APEC Privacy Framework)
III. Cooperative Development of Cross-border Privacy Rules
46. Member Economies will endeavor to support the development and recognition or acceptance
of organizations' cross-border privacy rules across the APEC region, recognizing that
organizations would still be responsible for complying with the local data protection
requirements, as well as with all applicable laws. Such cross-border privacy rules should adhere
to the APEC Privacy Principles.
47. To give effect to such cross-border privacy rules, Member Economies will endeavor to work
with appropriate stakeholders to develop frameworks or mechanisms for the mutual recognition
or acceptance of such cross-border privacy rules between and among the economies.
48. Member Economies should endeavor to ensure that such cross-border privacy rules and
recognition or acceptance mechanisms facilitate responsible and accountable cross-border data
transfers and effective privacy protections without creating unnecessary barriers to cross-border
information flows, including unnecessary administrative and bureaucratic burdens for businesses
and consumers.

-Vishnu M S
V BBA.LL.B