In today's world the people are more concern about their privacy right then ever before, and with this now people are more available on internet and believe to be present on such then to their physical existence. Even the money preserve in the digital form rather than in a physical form as a country had been practicing since the very inception of the civilization.

While considering the individual presence on internet, it is required to protect their data from being pirated and prevent infringement of their privacy. In this regard initially the European Union enacted the Global Data Protection Regulation, to achieve the objective to protect the data of an individual. And in the same line post-Brexit the United Kingdom in 2018, also enacted the Data Protection Bill with the same objective. Both have set high standards for the protection of data, while emphasizing right to privacy of an individual, and stringent obligations.

This article will reflect about the status of the data protection in European Union and in the United Kingdom. Then study the status of the regulation of data protection in India, with reference to its socio-economic condition, diverse population, and rapidly growing digital economy, and analysis whether India needs a unique or sui-generis legislation in the said regards.

Introduction.
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks".[1] The term "data protection" is referring to "personal data", such means, any information relating to an identical or identifiable individual (subject matter).[2]

Protection of data is one of the facets to preserve the privacy of a person concerned. In the digitalized world, the concern of privacy is as high as the coconut on the palm tree. Because all the personal information of a person is available on the internet, and accessing it is as easy as plucking a coconut from a palm tree using rope. Everyone shall have the right to be free from unjustified interference in his or her private and family life.[3]

Prevention of interference in the life of a person is now set to be a global issue, therefore, international organization as European Union takes an initiative to prevent such unlawful interference and in order to achieve such goal it enacted some rules and regulations and entered in some conventions to which other countries are signatory.

For instance, Convention for the Protection of Individuals with regards to Automatic Processing of Personal data. The aim of such convention is to achieve unity among the member countries based on the principle of "rule of law", "human rights" and "fundamental rights". Also, desire to enlarged the safeguards for everyone's rights and freedom which are fundamental in nature particularly the rights in respect of privacy.

From a comparative perspective, this paper will study comparatively about the law on data protection. And try to differentiate between the law of data protection in European Union and in United Kingdom. This paper tries to highlight the circumstances which are prevailing in India, for which India need a sui-generis legislation on the subject of data protection. Also, along with this paper address a question that Why India needs a sui-generis legislation in regards to the protection of data.

Objective of the Article.
What are the circumstances which are problematic for the proper execution of the general data protection law, which can only be satisfied by a sui-generis legislation in India?

Data protection framework in EU/UK:

• General Data Protection Regulation (GDRP): EU:
  The fundamental right to personal data protection should be considered as a promise, that, like a king made to his knights in 1215, in the Magna carta. In this document there was some directions like, they would not be imprisoned or tortured illegally – "nor will go upon him nor send upon him". Also, promises that the "Habeas Corpus", should be renewed which was early merely limited to physical body, now extend to electronic body. According to the new attention paid to the respect for the human body, the inviolability of the person must be reconsidered and reinforced in the electronic dimension.[4]
  
  At every instance when one interacting with data, it requires careful planning to regulate such in order to free flow, and GDRP ensure such, as it is considered as a significant aspect of life. General data protection regulation, is a consequential regulatory development in information policy, which bring personal data in a protective regulatory regime. The GDRP is a data governance framework, in order to increase the use of data in their activities, encourages the companies, who are not data-sensitive, to protect their data and to have a plan for the collection of data, use and to destruction of their data and causes them to realize the utility of data.
  
  The GDRP tells companies to care about the privacy, and caution them form antitrust and foreign corrupt practices, and attempt to put on par with the laws that companies take seriously in the said regard. Along, with this GDRP also prescribes about punishments in violations set by the GDRP.[5] The European Union have a right-based and an omnibus approach to data-protection.
  
  Privacy is a central subject in the European Union, the building of which stand on The Council of Europe's European Charter on Fundamental Rights and European Convention on Human Rights, particularly Article 8 of European Charter of Fundamental Right for "the protection of personal data" and Article 8 of ECHR to "right to respect for private and family life". Such distinction reflects a concern of EU to implement the data protection to implement legislation to protect the personal data and to regularize such through a positive obligation.
  
  Therefore, in 1995, the Data Protection Directive consider an important step in the ongoing project. Along, with this some collateral reformed were derived from the decision from CJEU, in the said context, The Google Spain case[6], wherein the concept of "right to be forgotten" given priority to "the right to privacy" over "free speech and the economic rights" of the information intermediaries, such a "Google Search". Again, in The Schrems I case[7], wherein, in order to awakened the important of cross-border data flow, as well as the difficulties in reconciling such data flows with the fundamental right to privacy, held the EU-US Safe Harbor Agreement invalid.
  
  To regulate activities and ensure the free flow of personal data among the members of European Union, GDRP functions to harmonies the Fundamental Rights and freedom of natural persons by setting some principles[8], and foist certain high standards of protection, including right to be forgotten,[9] right to transparent information,[10] right to access to personal data,[11] right to data portability,[12] right to object,[13] and the right not to be subject to automated decision- making, including profiling.[14]
  
  By all these GDRP referred to the high responsibility of the entities who obligates to controlling and processing data, including data protection by design and default,[15] and punishment for non-compliance.[16] Such expansion of the EU's data protection law have a significant impact in the implementation, as it applicable to many member countries and their companies who are targeting the EU market.[17]
   
• United Kingdom;
  While talking about the inadequacy of the previous data protection act, which found to be incompatible in the recent trends of internet and digital technology, social media and big data. Compliment the new updated data protection law in the UK, which strengths the rights of the people to take back control of their personal data." Elizabeth Denham – Information Commissioner". On 31st January 2020, when the United Kingdom ends its membership as a European member, by voted to leave the EU, in 2016. The Prime Minister of the United Kingdom Boris Johnson speaks of creating a more agile "Global Britain", with strong ties to the other democracies like United States, India, Australia and South Korea.
  
  The General Data Protection Regulation has its direct effect in European Member states from 25th May 2018, which shows that, the GDRP is already part of the UK law. And when then UK leaves the EU, after such, GDRP will be converted into UK law. The Data Protection Act, 2018 does not write the GDRP into this UK law.
  
  The Act of 2018, expands the standards of GDRP to areas of processing which are not yet covered by GDRP. Along with this, for the intelligence services, based on the standards in the modernized Convention 108 of "The Council of Europe Convention for the Protection of Individuals with regards to Automatic Processing of Personal Data, it created a specific data protection regime".
  
  In widely implementing the range of data protection, the Act of 2018 plays a significant role across the United Kingdom. It introduced 4 distinctive regimes of the data protection into the Data Protection Act. And each of them focuses on the regulation of personal data processing for a specific category of data processing, which are as follow:
  • Within the scope of GDRP;
  • Outside the scope of GDRP;
  • By intelligence services; and
  • For the purpose of the law enforcement, by competent authorities.[18]
  The act splits up into seven parts and twenty schedules. Parts comprises with chapters concerned with, introduction of the act, general processing, the GDRP, law enforcement processes, intelligence services processing, the information commissioner, enforcement and lastly the supplementary and final provision.
  
  And the Schedules talks about categories of personal data, exemption from GDRP, accreditation of certification providers, competent authorities, how to apply for GDRP, conditions for sensitive processing, the Information commissioner, and their functions, power of entry and inspection, penalties and review of processing of personal data for the purpose of journalism.

India's Current Data Protection Regime

India as an emerging country it also increases its digital presence by initially using smart phones, using worldwide webs and accessing social media. As a top emerging country along with the management of other areas of governance, India must address the issue concerning the data protection. Data protection, serves to protect the personal data of an individual, because the breach of such leads to violation of his/her right to privacy, since the data protection is part of a person's identity.

As per the statistics published by the International Telecommunication Union, the institution marked the internet uptakes, which has accelerated during the pandemic was 65% of the world population.[19] Such data indicates that more than half of the population of the world access to internet and making their digit profile. Particularly in case of India, where even more than half of the country's population, or even 70& have the access to internet and use social media account.

As India is an emerging country, and is a member of various conventions, it must also address the rising issues related to the data protection while adopting the growing consensus for the data protection in the international community.

• IT Act, 2000.
  This act is considering the first step of the country in the direction to protect the data of an individual from being pirated. This was an original act, and amended multiple times for instance first amended in 2008 then in 2011. This act proceeds with the growth of "electronic commerce", and dealing with the activity whereon a buying and selling of a product is being done, and in order to prevent of data of a consumer from being misused, and other types of cybercrimes, by providing punishment to those who hacked.
  
  By the amendment of 2008, some key additions were introduced, for instance, The definition of communication devices, concept of electronic signature, protection of privacy through data protection, validates the contract formed electronic means, and empower Central Government in regards to the formation of some body which are essential for the proper implementation of the act, these are some key amendments which were introduced by 2008 amendment, along with some other. [20]
  
  In 2011, a new rule was introduced, as it requires as a prerequisite for businesses in India, who are dealing with the collections and disclosure of the data or information of an individual which are sensitive in nature, i.e. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.[21]
   
• Personal Data Protection Bill, 2019.
  The Personal Data Protection Bill, 2019, India's comprehensive data protection bill. The bill is still pending in the house for four years since its introduction, because of the controversy erupted from the very inception of the bill in the Parliament. Allegation were made against the act as it will hamper the Fundamental Right of Privacy of an individual. Bill of 2019, introduced some concepts, as, it identifies certain type of data called "sensitive personal data", in addition to this it includes following rights to the owner or holder; right to confirmation and access [22], right to correction and erasure [23], data portability [24], and the right to be forgotten[25]. Each of these five rights are akin to rights given under General Data Protection Regulation. Like the GDRP, this Indian PDP Bill, 2018 establish a Data Protection Authority of India.
  
  Along, with this, bill introduces an obligation on the part of the controllers, who referred as a data fiduciaries and data processors, must performs while processing users' data. Include the data breach notification to both data authority and the user, and store and record how personal data is collected and after transferring such data to whom it is sent. Also, the appointment of the data protection officer, age verification (wherein to ensure that the personal data of an underage children are not taken, such will be collected only after when the parents are consented to such), and impact assessment, which are designed to check systems and protection of place.
   
• Lacuna in the 2019 Bill.
  Personal Data Protection Bill, 2019 is in line with the GDRP, wherein the subject has "right to restrict" processing his data by a company when the company is not belonging to home country or when such deemed to be unlawful, this is missing in the PDP Bill, 2019. Further, the Bill also does not provide the "right to object"[26], finally, the right concerning profiling and the decision making are also not inserted into the Personal Data Protection Bill, 2019.[27] India experiencing significant economic growth, meanwhile faces economic inequality and lacks of socio-political changes.
  
  The World Bank Group conducted an annual survey on Human Capital Index, wherein India with an average recent value at 0.5 in 2020 even beyond Afghanistan and Albania.[28] There are some factors upon which the organization marked countries position as per their performance, like health, education, citizens economic growth. Also, in regards to the Human Development Index, wherein India stands on 134th position out of 193 countries.[29]
  
  Despite all this India is still perform one step ahead of the US by providing persons "right to privacy" as a fundamental right in its constitution. As the right to privacy is now one of basic need or a quintessential need for a human life, such must be supported by an adequate legislation that adduce the rights effective and realizable.[30]

Why India needs a Sui Generis Legislation?

India genuinely needs a sui generis legislation in regards to the data protection law, because India is a sui generis country in itself in comparison to US and UK and other countries, because India has diverse population, belongs to different society, multiple cultures exist in it, there are distinct socio-economic, cultural and technological landscape. It is not an undeniable fact that India has a Legislation in order to protect the data, and that to in line with the GDRP, from 2000. But that too is not fit sufficient in the Indian context.

As India, is witnessing rapid digital transformation, and old methods of data protection are not fit in a current regime. India too has a unique socio-economic context, wherein it has a vast and diverse population with different levels of education, digital literacy, income and technological knowledge, therefore, it could not be possible that one general legislation is sufficient for any specific subjects.

In the same line, sometimes it is required for the economic development, country needs to balance the right to privacy and the need for the economic development and innovation.[31]

Technological challenges are also one of the factors which require a sui generis legislation, because of the term "digital device", with varies levels of access to the digital services and internet across the nation are not uniform. It is marked that approximately 70% of the population has no connectivity to the internet or has a poor connectivity, or the lack of access to Information and Communication, such are the major factors of digital divide. To fill the gap of this digital divide, the "BharatNet Scheme", was launched with an aim to provide digital connectivity in rural India which has been failed to delivered its objective.[32]

India being a member of United Nations Conference on Trade and Development has a responsibility to implement and formulate the data protection regime as the other members works on. A legislation has been drafted by the Indian Parliament inspired by General Data Protection Regulation, India's Personal Data Protection Bill. But the Indian model of the law is more conducive to the right to privacy of its citizens then the GDRP, such is in compliance of the Justice K.S. Puttaswamy (Retd.) & Anr. Vs. Union of India & Ors.[33]

Now, when we addressing the national concern specifically, the term "data sovereignty", came in the light, wherein the country from which the data originally sourced, have its own body to govern the laws and policies for the collections and processing of the data. And India is among the most vocal opponents in the fight against "data colonialism". [34]

With all this, it can be concluded that, while considering India's distinct cultural, economic and demographic context, India needs a unique set of data protection law, which may be not in line with the globally recognized regulation, namely, GDRP. Additionally, while promoting innovations, safeguarding person's privacy, ensure national security, and to further economic growth, a sui generis legislation is required in respect of the data protection for India, which supposed to be flexible to deal with changing circumstances.

Conclusion
India adopted its data protection law from the Europe. The European structure of the Data Protection Regulation is well structured and uniform in nature safeguarding personal data and ensuring privacy. In European society such regulation is deeply rooted and effectively functioning, even though it sets the global standards. However, in the Indian context it is some how difficult to set a uniform regulation while considering the uniqueness of the India society which is diverse in nature, having diverse population, culture etc.

Though India has its own data protection regulation but such are insufficient in nature to address the diversity which India have. Therefore, there is a compelling circumstance where India needs a sui-generis legislation to deal which its diverse subjects, that to of tailor-made.

Along with this there are some suggestions for a sui-generis legislation in India. India already influenced by EU and UK for the data protection laws, in spite of this, while enacting its municipal legislation in the said regards, legislation must consider its socio-economic and cultural disparities.

In order to Balancing Privacy rights and the Innovations, law should balance the individual privacy and encourage innovations and economic growth. Provisions for Data Sovereignty should be drafted carefully while considering both the national interest and the international business and cross border data flows.

With this it is required that a robust enforcement mechanism should be there for the strong and effective enforcement of the regulation, as such is essential to gain the trust of the citizens in the enforcement mechanism. Also, it is required that such legislation must be flexible in nature and not stringent, which could easily adopt emerging technologies such as AI. Such legislation should look forward, and capable to address both current and future opportunities and challenges.

The World Inside IFSC - GIFT City (grantthornton.in)

References:

1. Weil 1963; Volio 1981; Michael 1994; Feldman 1997; Richardson 2017). Universal Declaration of Human Rights reads, 1948, Art. 12.
2. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, European Treaty Series – No. 108, 1981, Art 2.
3. The Constitution of the Slovak Republic, 1992, Art. 19, sec. 2. Slovak
4. S Rodotà, 'Data Protection as Fundamental Human Right,' in S Gutwirth, Y Poullet, P De Hert, C de Terwangne, and S Nouwt (eds), Reinventing Data Protection? Springer, 2009.
5. Chris jay Hoofnagle, Bart vans der ` Sloot & Frederik Zuiderveen Borgesius The European Union general data protection regulation: what it is and what it means, 10 Feb, 2019
6. Case C-131/12 Google Spain, EU:C:2014:317.
7. 40 Case C-362/14 Schrems, EU:C:2015:650 (Schrems I).
8. GDPR specifies the principle of lawfulness, fairness and transparency; the principle of purpose limitation; the principle of data minimization; the principle of accuracy; the principle of storage limitation; the principle of integrity and confidentiality; and the principle of accountability, 2018, art.5.
9. GDRP, No. 679, 2016, art 17.
10. GDRP, No. 679, 2016, art 12.
11. GDRP, No. 679, 2016, art. 13,14,15 and 19.
12. GDRP, No. 679, 2016, art 20.
13. GDRP, No. 679, 2016, art 21.
14. GDRP, No. 679, 2016, art. 22.
15. GDRP, No. 679, 2016, art 25.
16. GDRP, No. 679, 2016, art 83
17. Mira Burri, Privacy and Data Protection, OXFORD PUBLISHER, 11 June 2022.
18. Information Commissioner's Office, An overview of the Data Protection Act, 2018.
19. International Telecommunication Union Development Sector, Measuring digital development, Facts and Figures 2021.
20. Yogesh Kolekar, "A Review of Information Technology Act, 2000".
21. Press release, PIB Delhi, Ministry of Electronics & IT. The Digital Personal Data Protection Bill 2022, 07 Dec 2022.
22. Personal Data Protection Bill, No. 373 of 2019, art 17 (Ind).
23. Personal Data Protection Bill, No. 373 of 2019, art 18 (Ind).
24. Personal Data Protection Bill, No. 373 of 2019, art 19 (Ind).
25. Personal Data Protection Bill, No. 373 of 2019, art 20 (Ind).
26. Aditi Chaturvedi, GDRP and India: A Comparative Analysis. Centre for Internet & Society, Oct 17, 2017.
27. Ibid.
28. Human Capital Index (HCI) (scale 0-1) – India, 2018. Human Capital Index (HCI) (scale 0-1) - India | Data (worldbank.org)
29. Report of the United Nations Development Programme, 13 March 2024 (EU). https://hdr.undp.org/data-center/country-insights#/ranks
30. Carly Nyst. Two sides of the same coin – the Right to Privacy and Freedom of Expression, Privacy International. 2nd Feb. 2018. Two sides of the same coin – the right to privacy and freedom of expression | Privacy International.
31. Dhruv Rajpoot, Safeguarding Data Privacy: Striking the Balance: An In-Depth Analysis of India's Digital Personal Data Protection Act, 2023. Legal Service India E-Journal. https://www.legalserviceindia.com/legal/article-12940-safeguarding-data-privacy-striking-the-balance-an-in-depth-analysis-of-india-s-digital-personal-data-protection-act-2023.html.
32. Oxfam India, Inequality Report 2022: Digital Divide, Dec 05, 2022. https://www.oxfamindia.org/knowledgehub/workingpaper/india-inequality-report-2022-digital-divide.
33. Dr. Guru Prakash Paswan and Ruchi Singh, India's Digital Protection Bill: A Milestone in Data Protection and Global Competitiveness, mygov.in, Jul 21, 2023. https://blog.mygov.in/editorial/indias-digital-protection-bill-a-milestone-in-data-protection-and-global-competitiveness/
34. Deepak Thakur, Data Sovereignty: Here's how critical it is for India's digital roadmap, Oct. 10, 2022. Data Sovereignty: Here's how critical it is for India's digital roadmap, ET CIO (indiatimes.com).

Written By: Himanshu Tiwari