SUBMITTED TO:
SUBMITTED BY:
INDEX
INTRODUCTION
1. USA
2. EU
3. UK
4. Australia
2. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
6. Further developments
CONCLUSION
CYBER LAW PROJECT PAGE |2
INTRODUCTION
With the increase in the number of internet users and the massive amount of personal data
uploaded by these users, it is imperative to provide for protection of such data. Hence, several
countries have come up with their own legal frameworks to provide for the protection of such
data. Protection of such data is also an integral part of Right to Privacy and therefore, having a
legal framework is essential in this era of internet. Therefore, in this project, an attempt has been
made to understand the scope and ambit of data protection laws in India.
The following research questions have been put forth for the project:
The Hypothesis in this project is that “there is a proper framework for protection of data in
India.”
Scope and limitations: In this project, the scope of the term data has been limited to personal
data only. Also, the project focuses more on the legal framework of the law than its application.
The Collection principle states that personal data should only be collected in
accordance with law, without any deception, and only in ways that are apparent to or
reasonably discernible by the individual. The principle also suggests that a governmental
entity should only collect the data within its legal authority and with a legitimate purpose.
1 Patrick J. Murray, The Adequacy Standard Under Directive 95/46/EC: Does U.S. Data Protection Meet This Standard?, Fordham International Law Journal, Volume 21, Issue 3, 1997, Article 10.
2 Id.
3 Adrienne D’Luna Directo, Data Protection in India: The Legislation of Self Regulation, Northwestern Journal of International Law & Business, Vol. 35, No. 1
4 Planning Commission, Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court) <http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf>
5 Cate, Fred H.; Cullen, Peter; and Mayer-Schonberger, Viktor, Data Protection Principles for the 21st Century <http://www.repository.law.indiana.edu/facbooks/23>
The Use principle suggests that the use of personal data should be allowed only after
measuring the degree and likelihood of benefits and harm possible and the measures in
place to guard against such harm. Consent should be required as a protection, and such
consent must be clear, must provide an actual choice, and must be given after the
individual has received the proper information.
The Data Quality Principle states that the personal data should be used only for the
purpose for which it was acquired and only to the necessary extent.
The Individual Participation Principle states that before using personal data which affects
the legal rights of an individual, such access must be sought from the user.
The Openness Principle suggests that there should be a policy of openness regarding the
processing of the personal data of an individual.
The Security Safeguards Principle states that personal data should be protected by
reasonable security safeguards during the processing and collection of data.
The Accountability Principle states that the person who collects, uses, or otherwise
processes personal data should be a responsible steward of the data and, to that end,
should be accountable for following the aforementioned principles.
The Enforcement Principle states that each country should have an adequate framework to
enact the aforementioned principles.
1. USA
The US regulates its data protection on a sector-by-sector basis and there is no dedicated law for
data protection in the country.6 The law with respect to data protection is governed by several
state and federal statutes. Depending upon the statute, the laws are enforced either by state or
federal authorities.
2. EU
The EU adopted the EU General Data Protection Regulation in April, 2016. It replaces the Data
Protection Directive 95/46/EC and is aimed at harmonizing data privacy laws across Europe.7
The main purpose of the regulation is to protect and empower all EU citizens' data privacy and
the approach towards data privacy.8 The GDPR provides a stricter regime for data protection in
the EU as compared to the previous law.
The aim of EUGDPR is “the protection of natural persons with regard to the processing of
personal data and on the free movement of such data.”9 The scope of the Regulation is limited to
“the processing of personal data wholly or partly by automated means and to the processing
other than by automated means of personal data which form part of a filing system or are
intended to form part of a filing system.”10 The following are the salient features of the act
6 Lisa J Sotto and Aaron P Simpson, Hunton & Williams, United States, in Data Protection & Privacy in 31 Jurisdictions <https://www.huntonprivacyblog.com/wpcontent/uploads/sites/18/2011/04/DDP2015_United_States.pdf>
7 European Union, GDPR Portal: Site Overview <http://www.eugdpr.org/>
8 European Union, GDPR Portal: Site Overview <http://www.eugdpr.org/>
9 EU General Data Protection Regulation (Regulation (EU) 2016/679)
10 EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 2
On a careful analysis, it is observed that the regulation is a detailed framework which covers
most of the issues relating to data protection.
3. UK
The data protection law in the UK is the Data Protection Act 1998. The DPA implements Data
Protection Directive 95/46/EC, which was the law with respect to data protection in the EU.17
However, since the aforementioned directive has been repealed, the status of the law in the UK is not
very clear. The UK voted to leave the EU in a referendum. Thus, whether the new GDPR will be
applicable or not in future would depend on the new law to be put in place.18
11 EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 4 (1)
12 EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 5
13 EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 16
14 EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 17
15 EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 15
16 EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 18
17 UK Data Protection Act, 1998
4. Australia
The legal framework for data protection in Australia is a mixture of state and federal laws. The
following form the complete system:
These laws deal with handling of personal data by different sectors. The APPs19 are as follows:
18 Law Business Research Ltd, Data Protection & Privacy - United Kingdom <https://gettingthedealthrough.com/area/52/jurisdiction/22/data-protection-privacy-united-kingdom/>
19 <https://www.oaic.gov.au/agencies-and-organisations/guides/app-quick-reference-tool>
20 Planning Commission, Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court) <http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf>
21 CRID, First Analysis of the Personal Data protection Law in India JLS/C4/2005/15 <http://ec.europa.eu/justice/data-protection/document/studies/files/final_report_india_en.pdf>
22 The Information Technology Act, 2000, Section 43A
23 The Information Technology Act, 2000, Section 72
24 The Information Technology Act, 2000, Section 72A
Provided that, any information that is freely available or accessible in public domain or
furnished under the Right to Information Act, 2005 or any other law for the time being in
force shall not be regarded as sensitive personal data or information for the purposes of
these rules.”25
Thus, it is observed that the scope and ambit of sensitive personal data is broad enough to
cover almost any information which a user might provide for any purpose.
Rule 4 of the aforementioned rules provides that the person receiving the information
needs to provide a privacy policy for handling of or dealing in personal information
including sensitive personal data. The rule also requires the person collecting data to
ensure that the same is available for view by such providers of information who have
provided such information under lawful contract.
Rule 5 provides that the body corporate has to obtain consent before collecting personal
data. The rule also provides that the personal data shall be collected only for a lawful
purpose and only if it is necessary to collect the same. Also, the information shall be
retained only for the period for which it may be lawfully used and only for purposes for
which it has been collected. The rule also allows the provider of the information to
withdraw his consent at any time and on such withdrawal of consent, the body corporate
would have the option not to provide the good or service to the user.
25 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, Rule 3
Rule 6 requires the body corporate to obtain prior permission of the provider of the
information for disclosure of sensitive personal data or information to any third party.
Further, the rule prohibits the body corporate from publishing the personal data and the
third party from further disclosing the data to any other person.
Rule 7 provides that the sensitive personal data or information can be transferred to a
person who ensures the same level of data protection as that provided by the rules, either
in India or anywhere in the world. The transfer is allowed where the transfer is necessary
for the performance of lawful contract or where such user has consented to transfer of
data.
Rule 8 provides for security practices and procedures which the body corporate should
follow when dealing with personal data.
26 Overview of Data Protection Laws in India
27 First Analysis of the Personal Data Protection Law in India
6. Further developments
The Ministry of Electronics and Information Technology (MeitY), Government of India has
constituted a Committee of Experts under the Chairmanship of Justice B N Srikrishna, Former
Judge, Supreme Court of India to study and identify key data protection issues and recommend
methods for addressing the same.31 The Committee will also suggest a Draft Data Protection Bill.
28 Justice K S Puttaswamy Versus Union Of India, Writ Petition (Civil) No 494 Of 2012 (SC)
29 Justice K S Puttaswamy Versus Union Of India, Writ Petition (Civil) No 494 Of 2012 (SC), Para 179
30 Justice K S Puttaswamy Versus Union Of India, Writ Petition (Civil) No 494 Of 2012 (SC), Para 5
31 The Ministry of Electronics and Information Technology, Press Brief on Data Protection Framework for India <http://www.meity.gov.in/writereaddata/files/Press_Brief_Data_Protection_1Aug17.pdf>
CONCLUSION
It has been observed that the data protection regulations in India are structurally similar to what
is present in the EU. However, the Indian law is not as stringent as the EU Law. Thus, we can
conclude that though there is a law for data protection in India, it lacks certain important aspects.
Also, it has been observed that the work for creating a new Data Protection Bill is underway,
and that it would be too soon to comment on the same. However, the researchers suggest that
principles as suggested by the OECD must be incorporated in the bill. Also, it is observed that
after the recent verdict of the Apex Court on Right to Privacy, a more stringent law can be
anticipated.
It is further suggested that each of the following principles be incorporated along with the
reasons for the same:
Thus, the Draft bill must be based on the EU law and these principles.