Data Protection and Right to privacy: An insight into the data privacy issues and the need of legal framework
In June 2020, an online session of a school in Nashik was hacked, and the school
had to fight a flood of obscene comments and threats of rape and murder against
students. The RBI, in its annual report, states a year-on-year increase of 15%
in bank fraud cases, with the amount involved increasing by 73.8%. Convergence of
technology has indeed served as a boon to mankind. In the modern world, it is
little short of a necessity to have an account on prominent social networking
websites, to make purchases online or to have unlimited access to movies and
myriad web series. As a result, it becomes inevitable to share data in order to
have quick access to all of the above.
However, in this so-called modern world we often forget the cost we might
sometimes have to incur for this. The security of shared data, which ought to be
a pre-requisite, is disregarded or in fact neglected numerous times. As a
consequence, identity theft and other personal security breaches are now faced
by users quite often. Before progressing with the discussion, it is pertinent to
understand the right to privacy and data protection at a fundamental level.
Right to privacy and data protection: Meaning
Black's Law Dictionary says that the term 'Right to Privacy' is a generic term
encompassing various rights recognized to be inherent in the concept of ordered
liberty, and such rights prevent government interference in intimate personal
relationships or activities, freedoms of the individual to make fundamental
choices involving himself, his family, and his relationship with others.
A man has the
right to pass through this world, if he wills, without having his picture
published, his business enterprises discussed, his successful experiments
written for the benefit of others, or his eccentricities commented upon by any
means or mode. It is based on the theory that everyone has the right of
inviolability of the person, as held in UPSC v. R.K Jain. Privacy, in the context
of the present article, would mean having the right to control one's personal
data and deciding about its dispensation oneself.
Data protection, on the other hand, relates to the technical branch, whereas
privacy is a legal concern. At present, with the right to privacy regarded as
part of the fundamental right to life under Article 21 of the Constitution of
India by the Hon'ble Supreme Court in Justice K.S. Puttaswamy (Retd) vs Union Of
India, over-ruling the judgement of Kharak Singh, data protection has a major
role to play in ensuring the said fundamental right to citizens.
Problem analysis and the legal provisions dealing therewith:
Stepping into the century, one is quite often required to provide personal
information on various web platforms. However, these platforms each have their
own distinctive privacy policy. The US-based web platforms work on this model as
per ECPA (Electronic Communication Privacy Act 1986), whereas the EU internet
platforms have a different mechanism, functioning under the European Union's
General Data Protection Regulation (GDPR).
The central point boils down to trust, because no amount of technological
safeguards can eliminate the central role of trust in ensuring data privacy,
which is often compromised. Data is now an asset to the companies who have built
the data economy, yet we often see privacy failures in the form of data
transmutation.
There have been cases where a user provided credit card details, which resulted
in a huge money transfer to an unknown person, or where fraud calls were
generated based on a recent purchase on an online shopping website. This usually
occurs due to a data breach. These incidents at times involve organizations
misconfiguring cloud services or failing to implement proper access controls,
such as password requirements for public-facing web services or applications.
The legal framework regulating this in India is the Information Technology Act,
2000. However, it has no provisions fixing the responsibility of the internet
service provider and the online website possessing the data, nor is any
differentiation laid down between intentional and accidental breach. Another
piece of legislation, in the financial sector, is the Credit Information
Companies Regulation Act, 2005 (CICRA).
As per the CICRA, the credit information pertaining to individuals in India has
to be collected as per the privacy norms enunciated in the CICRA regulation.
Having mentioned the laws touching the problem under discussion, it would be
appropriate to conclude that the country lacks meticulous and stringent data
protection laws.
Personal Data Protection Bill 2019:
At present, the Data Protection Bill 2019 is pending in the Lok Sabha; it was
referred to the Standing Committee on 11 December 2019 and the report is
awaited. The bill seeks to define personal data and categorizes certain data as
sensitive personal data. It has also defined the data fiduciary as an entity or
individual who decides the means and purpose of processing personal data. Such
processing will be subject to certain purpose, collection and storage
limitations.
The preventive framework of the bill places multifold compliance requirements on
the Data Fiduciaries, besides making the consent of the Data Principal mandatory
before processing Data and Sensitive Personal Data. The bill mentions the term
'Critical Personal Data' but doesn't define it.
In contrast to the 2018 version of this bill, the 2019 bill authorizes the
Central Government to transfer 'Critical Personal Data' outside India to a
country, any entity or class of entity, or an International Organization, where
it deems this permissible and where such transfer in its opinion does not
prejudice the security and interest of the State; however, the consent of the
data principal is mandatory.
Moreover, the bill also empowers the Central Government to exempt any of its
agencies from compliance with the provisions of the bill in the interest of the
Sovereignty and Integrity of India, security of the country, friendly relations
with foreign states, public order and to prevent incitement to the commission of
any offence relating to any of the above.
This particular provision has quite often been a subject of debate and is still
a matter of discussion amongst the liberalists. Needless to say, such a power
must be used sparingly, and only in a grave and emergent contingency. The
representation of the judiciary in the Selection Committee, entrusted with the
function of appointment of the Authority responsible for governing and
regulating the stakeholders, has also been done away with.
Right to be forgotten: A recent development
Alongside the right to privacy, there is another debate doing the rounds over a
new right called the right to be forgotten or the right of erasure.
Its source can be traced back to the French jurisprudence of the right to
oblivion, or droit à l'oubli. The right was adopted by the European Union Data
Protection Directive back in 1995. It was stipulated that the member states
should give people the guaranteed right to obtain from the 'controller' the
rectification, erasure or blocking of data relating to them, the processing of
which does not comply with the provisions of the Directive.
The term controller here refers to a natural or legal person, public authority,
agency or any other body which alone or jointly determines the purposes and
means of processing personal data. Such a provision, if implemented in the
country, can serve as a diminishing factor for the heights that cybercrime has
achieved today.
The Data Protection Bill 2019 seems to have warmly accepted the right to be
forgotten, drawing inspiration from the above, as the bill includes a right of
erasure in the case of personal data which is no longer required for the
objective for which it was at first processed.
Conclusion:
The race between technological advancements and the laws governing them is like
that of a hare and a tortoise respectively. The former is always ahead of the
latter. Information Technology is a fast-evolving sphere. Though the Right to
Privacy has, in the 21st century, been ushered in as a Fundamental Right, until
the jurisprudence around it develops, a robust regime of legislation addressing
data protection and privacy violation is the need of the hour.
The Personal Data Protection Bill, 2019, which awaits approval from the
Parliament, answers the call to a large extent; but the means adopted and the end
sought to be achieved look imbalanced. Rule of Law is the hallmark of democracy,
which is upheld by an independent judiciary. Every piece of legislation must
balance the interests of the stakeholders who are likely to be affected by it.
Moreover, such legislation must continue to match the pace of technological
advancements in this era of the digital economy, either by way of amendments
introduced by the legislature or by judicial precedents. Otherwise, the tortoise
would always be at the losing end in this race.
Data today, as mentioned above, can act as capital for many large private
companies as well as governments in certain countries. Hence, we witness every
now and then the necessity of protection that would ensure the right to privacy
guaranteed as a fundamental right by the Hon'ble Supreme Court. Nevertheless,
the strict privacy norms of various governmental bodies like the Reserve Bank of
India, and distinctive government and mass sensitization programs, do suggest
that India is leaping forward towards comprehensive and strict privacy norms.
Written By:
Manishika A. Kaushik, JMFC Traffic, Rajkot
Gautam Singh Deora, 2nd Addl. Civil Judge and JMFC, Modassa