The privacy of an individual and an organisation is a fundamental right that protects their inner sphere. With the massive data breach by Facebook, the concern about data protection, which is far from over, is back in the limelight. While many questions are being raised about the fundamental rights of privacy, data protection and so on, can we say it is high time we established our own data protection laws and regulations?
The Europeans have devised a data regulation model, GDPR (General Data Protection Regulation), that aims at harmonizing the data privacy laws in Europe to protect and empower all European citizens’ data privacy. India, being a developing nation, has, we believe, a great opportunity to research, innovate and come up with a new regulatory framework. We do not necessarily have to implement an outdated model to govern data privacy by replicating the laws of other nations; we can instead devise policies that are relatable to our nation as a whole.
What exactly is GDPR?
GDPR is a complex data regulatory framework with a huge number of restrictions on the processing of data and information. It aims at reshaping the way organisations across Europe approach data privacy. GDPR’s underlying principles stem from the German constitutional court, which created a right to informational self-determination in 1983.
GDPR applies to all companies processing and holding the personal data of subjects residing in the European Union, and non-compliance with GDPR attracts a fine of 4% of annual turnover.
While Europe has devised a clean regulation for the governance of data protection with GDPR, should India be the next one in line?
Current state of laws with respect to cybersecurity in India
Data protection laws in India are loosely constructed; the relevant provisions are Sections 43-A and 72-A of the Information Technology Amended Act, 2008 (ITAA). Section 43-A (compensation for failure to protect data), added as an amendment in 2008, states the liability of a body corporate to compensate in case of negligence in maintaining and securing “sensitive data.” However, the Act fails to define “sensitive data” and describes it only as “personal information as may be prescribed by the Central government.”
Clearly, the data protection laws in India are poorly drafted and application of the same can raise serious questions taking into consideration the current turn of events.
While breach of data privacy is considered a serious offence and is punishable under Section 72-A (introduced by an amendment in 2008), which penalises the offender with three years' imprisonment or a maximum fine of Rs 5 lakh, the laws certainly seem to be very vague about personal information and data.
Though the latest draft, introduced in the Rajya Sabha in 2014, provides a small definition of “personal information” and vaguely explains the role of a Data Controller, the bill also fails to address the issue of outsourced data and the liabilities of companies outsourcing and hosting the data.
While it is imperative to protect an individual’s privacy and data, we also need to consider that although the fundamental rights of an individual may be universal, the way they are enforced should be different and adapted to different jurisdictions. The regulations drafted in India for data protection and privacy should address the problems that we Indians face in our organisations and personal lives, and try to devise a solution for them.
Privacy and protection of an individual’s data is and should be the top priority of the governing bodies and it is high time that we devised regulatory rules for the same. That being said, it is extremely imperative to revise the current state of data protection and privacy laws in India to safeguard personal information and data in a rightful manner. Stronger data protection and governance laws are the need of the hour.