Professional Documents
Culture Documents
Privacy Laws
The present legal framework on data privacy in India is limited in nature. Data
Protection refers to the set of privacy laws, policies and procedures that aim to
minimize intrusion into one's privacy caused by the collection, storage and
dissemination of personal data. Personal data generally refers to the information or
data which relate to a person who can be identified from that information or data
whether collected by any Government or any private organization or an agency.
Norms relevant to data protection and privacy are also dispersed across statutes
pertaining to diverse sectors such as taxation and health, leading to the lack of a
coherent regulatory framework.
Advances in information communication technology are dramatically
improving real-time communication and information-sharing. By improving access
to information and facilitating global debate, they foster democratic participation.
By amplifying the voices of human rights defenders and helping to expose abuses,
these powerful technologies offer the promise of improved enjoyment of human
rights. But at the same time it has become clear that these new technologies are
vulnerable to electronic surveillance and interception. Recent discoveries have
revealed how new technologies are being developed covertly, often to facilitate
these practices, with chilling efficiency.
In August 2017, the requirement for a law on the protection of personal data was
first recognized by the Supreme Court of India in Justice K S Puttaswamy v Union
of India. It explicitly recognized an individual’s fundamental right to privacy and
paved the path for a foundational legislation on the protection of personal data. It
was closely followed by the release of the report and draft law by the Committee of
Experts, chaired by Justice B N Srikrishna.
On 27 July 2018, the committee submitted the draft Personal Data Protection Bill,
2018, along with its report titled “A Free and Fair Digital Economy: Protecting
Privacy, Empowering Indians” to the central Government. The passage of the bill
will lead to a shift in the legal framework and replace section 43A of the IT Act
and the SPDI rules issued under it.
The bill imposes restrictions on the cross-border transfer of personal data. This is
achieved by a non-exclusive localization mandate where a data fiduciary is to
ensure the storage of one serving copy of all personal data. Additionally, an
exclusive localization mandate requires that critical personal data shall only be
processed in a server or data center located in India. What constitutes critical
personal data shall be notified by the central government.
Additionally, the bill highlights conditions for cross-border transfer of personal
data that are not sensitive personal data, including the transfer being made subject
to standard contractual clauses or intra-group schemes approved by the authority,
the authority’s approval due to necessity, consent of the data principal, etc.
The bill seeks to establish a regulatory authority for monitoring and enforcing the
provisions of the act. It is the duty of the authority to protect the interests of the
data principals, prevent misuse of personal data, ensure compliance of data
fiduciaries with the provisions of the law and promote awareness of data
protection.
-Vishnu M S
V BBA.LL.B