Data Privacy Laws in India and Its Impact on Business

Data Privacy Laws in India are affecting businesses and corporates as well as customers

Article by Ankita Rathi, Edited by Chinmay Jain

Advances in science and technology mean that our privacy is invaded constantly and everywhere. Privacy is both an individual and a social value. Most privacy breaches, invasions, and copyright violations occur in cyberspace, though they are invisible.

Because of many media interventions, it has become very difficult for people to keep information confidential or even to keep their conversations anonymous, among many other things. Piracy is a lucrative business nowadays. However, the laws lag behind the digital revolution.

Data privacy is a part of information technology (IT). It helps organizations and even individuals determine which information in a computer system can be shared with a third party. Data is one of the most important assets for a company.

As the economic activity related to data is increasing, many organizations find it essential to use, share, and collect data. In this data economy, the companies which are at the top are Google, Facebook, and Amazon.

Nowadays, every consumer is more aware than ever about the impact of data privacy on their personal lives. The world where we live and function as organizations will always change. Moreover, these changes will always be different every time. 

In this article, I will be dealing with how the two main data privacy laws in India have affected and are affecting business as well as various corporate affairs.

What is Privacy?

Privacy can mean different things to different people, so the answer always depends on whom I ask what he or she means by privacy.

But there are some features or characteristics of privacy which are included by every person. 

Broadly speaking, privacy is the “right to freedom from interference and intrusion” and also the “right to be let alone”.

The right to have some control over the activities through which our personal data is collected and used is known as information privacy, which is receiving a great deal of attention because of the increasing number of crimes relating to it.

80 percent of people would give the same answer about what they think of when someone talks about privacy. Most of the time they will talk about the “huge information violations”, “wearable tech”, “social networking” and “targeted advertising miscues”.

If I add the meaning of privacy according to different cultures, then we will have different views. We will have different answers on what are the various rights when it comes to privacy. And we will also have different ideas on the regulation of these rights.

What is Data Privacy?

Data privacy refers to the practices that ensure the data shared by customers is used only for the purpose for which it was collected. As we move forward, more and more data is collected, and as a result data privacy has become one of the major issues today.

As mentioned above, data privacy is the right of individuals to have control over their personal information. They have the right to know how that information is collected and used. In today’s world, most individuals think that the most important issue related to customer protection is data privacy. One of the most important factors contributing to this is the increasing technological sophistication and the type of data collected.

Privacy is the right of every individual to be left alone, or the right to freedom from interference and intrusion. For every business organization, data privacy goes beyond the personally identifiable information (PII) of its customers and employees.

This information also includes the data that helps the company operate. This data can be financial information about how the company is spending and investing its money, or proprietary research and development data.

Why is Data Privacy Important?

Data privacy helps protect your personal data and sensitive information

The capacity to bring in and implement a proper and safe company data privacy policy is gaining importance as a measure of trust.

The safety and privacy of information is becoming more complex and difficult with every passing minute, because so much data is stored in companies’ systems, where it can be used in any way possible.

The development in the technological field is of sophisticated nature because various types of personal data are collected from customers and citizens.

Jurisdictions such as states, federal and international bodies like the EU (European Union) are implementing new regulations for data privacy. Due to the increasing awareness among lawmakers and citizens, these new regulations get passed easily. 

It does not matter whether they are data or technical experts or not. 

It has been observed numerous times that very sensitive data has been breached, and this has heightened concern about the procedures used to collect sensitive data and keep it safe. Various regulators can impose heavy fines to enforce their data privacy requirements.

When regulators and consumers get stressed about protecting their information, that means jurisdictions will have passed new statutes for data privacy and also the penalties to enforce them.

In fact, there are a lot of rules framed on how businesses need to protect their users’ data in India.

Data Privacy and Information Technology (Amendment) Act 2008

The “Information Technology Act” and “Data Protection” have implications for each other. It is clear from the objectives of the Act that it aims at the protection and safety of cyber-related matters.

This Act gives protection against violations in the citizens’ data.

This Act includes various provisions that provide protection against the illegal use of computer systems and the information stored in them. Several provisions are inserted in this Act which are related to “data protection”. 

The new sections which are included in the Act and talk about “data protection” are Sections 43A and 72A.

Section 43A represents a radical change in the law that may have taken place due to the industry’s contention that there was no adequate protection of data in India as compared to Europe and that this was adversely affecting outsourcing. 

Under this provision, when a body corporate processing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls and operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss and wrongful gain to any body corporate, it shall be liable to pay damages by way of compensation to the person so affected.

Section 72A provides that –

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three.

This Information Technology Act after being amended in 2008 is seen as a very important step towards reducing the number of crimes in this cyber age. If any service provider leaks or uses in any adverse way any personal information, then he will be facing imprisonment for breaching the contractual responsibility and obligations.

Under the Personal Data (Protection) Bill 2013, Section 2(p) “personal data” means any data which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data.

However, if sensitive personal data is disclosed, then the person has to pay damages.

“Businesses have to pay Damages for Disclosing data under Indian Data Privacy Laws.”

Under the Personal Data (Protection) Bill, 2013, Section 2(x) “sensitive personal data” means personal data as to the data subject’s – 

  1. Biometric Data; 
  2. Deoxyribonucleic acid data; 
  3. Sexual Preferences and practices; 
  4. Medical history and health; 
  5. Political affiliation; 
  6. Commission, or alleged commission, of any offence; 
  7. Ethnicity, religion, race or caste; 
  8. Financial and credit information.

As a matter of fact, the right of data protection has now been given the same status as other rights.

In the technological development of the same matter, the main focus is on analyzing the European Union Data Protection Legislation and the Indian Information Technology Amendment Act, 2008.

This discussion is about the corporate use of data, such as publication, security measures, access, sharing, disclosure, and the penalty mentioned in the Information Technology Act 2008.

Data Privacy and Corporate Affairs

The relationship between “corporate affairs” and “data privacy” is now turning into a rights-based approach.

There are various aspects in which corporates are affected.

There are 4 things related to data that are very important.

Those are:

  1. processing of data, 
  2. sharing of data, 
  3. accessing data, and 
  4. disclosure of data. 

The appointment of the data controller or data counselor in the corporate sector has played a very important role. The responsibility of private organizations may change from time to time, such as sometimes they have to share the information and sometimes, they don’t have to share the information. 

So, here comes the conflict. 

Often, when a consumer sees an online advertisement and wants to access it or buy that product, they usually have to first sign up on the e-commerce platform. The main issue that arises after this is whether the handling of the information we give to that site or company follows public policy or not.

In the same way, if we talk about the banking sector, bankers have the duty as well as the obligation to keep the information of all their clients safe. If they disclose any of the information, it will lead to a violation of the duty of secrecy and confidentiality which the banker owes to his or her client.

But due to the presence of Right to Information and the concept of public information, as held in the case of Mr. K.J. Doraisamy v. The Assistant General Manager, State Bank of India, and others, the scope of right of privacy of the customers of the banking sector was curtailed.

Lots of terms and conditions relating to personal data and data privacy laws in India

The Securities and Exchange Board of India (SEBI) was established for regulating and properly governing the credit information of various individuals. 

SEBI was established by The Securities and Exchange Board of India Act, 1997. 

By this Act, the government has access to the private-sector data of the individuals who are present in the securities market. This reactive access is mediated through the Securities and Exchange Board of India.

But in the case of unauthorized reactive access, SEBI will only be able to inspect if there are reasonable grounds to believe that a company has been indulging in “insider trading, unfair trade practices, transactions are done in a manner which are harmful to either the investor or intermediary and to any person involved in the securities market” leading to the violation of any of the provisions of the Act.

The last segment which comes under the corporate affairs is the Credit Information Companies Regulation Act, 2005 (CICRA). The information relating to the credit details of any individual has to be collected according to the regulations of the CICRA. 

The organizations or individuals who collect this data can be made liable for any possible revelation or changes in the information. A strict framework of guidelines has been created by CICRA pertaining to credit and finances of individuals and companies in India. 

These guidelines were based on the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. These rules and regulations under CICRA relating to strict data privacy principles have now also been notified by the Reserve Bank of India.

Impact of Information Technology Act on Business

Certain sections of the Act, like Section 69, have been a major target of criticism. This section gives the Indian Government the power to intercept, monitor, decrypt and block electronic data traffic.

A partner at Nishith Desai Associates, Mr. Vivek Kathpalia, observed that while the earlier IT act gave powers to the government to intercept data, it did not give the power to decrypt and monitor digital data. Now the act has the ability to monitor and to pursue decryption of communication over computer networks like email and IP telephony.

This new IT act helps the government to intercept, monitor, and decrypt communications devices, resources, and computer systems. From this, we can conclude that the government will be able to keep an eye on email systems and corporate networks.

Tracking customers data impedes data privacy

Duggal is of the view that the new act does not have the required checks and balances to prevent misuse of information. This will surely raise concerns about information leakage and corporate undercover activities.

The new IT act says that if any company or organization fails to implement a well-examined information security and safety procedure, then that enterprise will be liable to pay damages to any party affected by its fault.

This new act also helps us in understanding the new reasonable security rules, procedures, and practices. According to the Act, these new procedures and policies are made to protect and prevent the sensitive data from being in any danger like someone accessing it without any authority, or someone modifying it or disclosing it. 

The nature of sensitive data is being explained by the Act.

To sum it up, the new IT act tries to capture several aspects dealing with personal data privacy, cyber terrorism, and various other unethical practices.

Impact of Personal Data Protection Bill 2019 on Business

In July 2017, a committee of experts was formed by the Indian Government to study the issues related to data protection in the country. The retired Supreme Court judge Justice BN Srikrishna led this committee.

In 2018, after working for at least 1 year, the committee submitted a draft of the Personal Data Protection (PDP) Bill. The feedback on this bill was requested by the Ministers, stakeholders, various industry experts and even by the public.

The main objective behind drafting this bill was to legislate the methods for the protection and safety of personal data nationally. This bill aimed at setting up a Data Protection Authority in India. 

The Bill controls the administering of the personal data of the individuals by the government companies situated in India. With the help of this anticipated law, the government of India is aiming for data sovereignty by making it compulsory for a certain class of data to remain inside the Indian borders only.

This Bill is India’s first-ever complete data protection legislation and therefore its impact will be fundamental and strong. The law of data privacy which is already present in the country only puts some specifically limited obligation on the companies. 

Only personal data that is sensitive is being regulated by this act. But with this new law, companies have to make changes in their operations; they might also need to change their business practices and look precisely into their plans, policies, and strategies.

They must also look into the methods through which they use data. Data has become so important to every company nowadays that they have looked very closely into this new law.

The changes and impacts which companies faced are to be noted.

New rules for locating data and transferring data across borders

  • The provision of data mirroring has become limited only to sensitive personal data (SPD) and is excluded from the personal data. Data relating to finances, religion, health, biometrics and similar information must be kept in India itself.
  • But in case of a multinational company or in the case when a foreign service provider is being used, the companies need to fulfill two conditions before transferring the SPD data.
  • Firstly, the consent of the person must be explicit, and secondly, the steps involved in the cross-border data transfer should be kept in mind.
  • These two conditions have been removed from the cross-border transfer of personal data.
  • The legislation is of the view that the undefined “sensitive personal data” should be processed only in India. The processing restriction means that no activity related to this data can take place like sharing, analyzing, etc.

Consent and Consent Managers under the New Law

  • This new bill said that an “agreement” will be the foundation stone of the new law. This can be an issue for organizations because there are many things that they do without any approval.
  • The negative aspect of this Bill is that GDPR allows the companies to make a decision whether their actions are fair and within the scope of law.
  • This bill has, though, reduced the burden of assessing the legitimacy of every step involved in the operations. However, according to Indian law, most of the processing is done with approval. Some exceptions are the employment purposes exemption, “reasonable purposes” exceptions, compliance with laws, etc.
  • The new 2019 Bill confirms that priority will be given to consent by placing it along with the basic principles of processing.

Consent Managers under the new law

  • They act like intermediaries whose purpose is to assist the person to give, withdraw, or to manage consent with the data fiduciary. They can also exercise any of their rights under the law.
  • They are data fiduciaries. They work through a network. This network is usable, open, and interoperable.
  • It is, however, uncertain whether the data manager will be allowed by the consent manager to connect with one or all of the data fiduciaries, and whether a data fiduciary can choose one consent manager or a group of managers that a data manager is capable of dealing with.
  • This is similar to something called “account aggregator system for financial data”.

State Access to Anonymous, Non-Personal and Personal Data

Anonymous and non-personal data

  • Another contentious provision is the right given to the central government to access any non-personal and confidential information by requesting it from any fiduciary. It can ask for this information for “evidence-based policy” formulation or “better-targeted service delivery”.
  • This is a concerning issue because the scope of sensitive data is wide. It can range from statistical data to sensitive business data. This data may also be used without any clarification of whether corporate interests will be protected.

Personal Data

  • The law gives a huge exception to government agencies for reasons of national security. This exception can be from any or all of the provisions. It also extends to private companies, from whom the government can also ask for personal data.

Significant Compliance Burden

Compliances for protection of data by businesses under Indian law
  • Further changes are likely to occur in this Bill because a committee of parliament has been selected for referring the Bill for consideration. So, before any final form is taken by the law, the changes might occur.
  • In the current form, the Bill suggests that there will be a compliance burden between the companies located in India and all around the world.
  • But even with the compliance burden, it will be taken into account that no compromise is done with the people’s rights.

Wrapping it Up

Different acts and laws have been introduced by countries worldwide as per their own requirements. Some examples of these are “Data Protection Act” 1998 by UK, “Electronic Communications Privacy Act” 1986 by USA, etc. 

Our Constitution has tried well to include the right to privacy, but its expansion and growth have been left completely to the judiciary. However, nowadays instances of data leaking into the public domain are on the rise.

The Information Technology Act has dealt with privacy and data protection. The manner in which they have been dealt with is, however, not exhaustive.

Relating to procedures and purpose of the integration of personal data and right to privacy, the IT act needs to set up some more specific and proper standards. 

To properly conclude, we can say that there are some problems which the IT Act is facing. The most significant is protecting information. The Personal Data Protection bill is a landmark in the growth and change of data privacy norms in India. 

But there are some provisions in the Act which are somewhat burdensome, like the provisions restricting cross-border data flows and imposing data localization.

These provisions might act as restrictions on the growth of information-intensive products and services in India.

It is hoped that when the final law comes out, it will be able to protect the digital and free economy that gives powers to the Indian citizens as well as help businesses thrive and use data analytics to boost their businesses in a non-pervasive manner.

Author Bio: Ankita Rathi is a BBA,LLB(H) student from Symbiosis Law School, Noida and an Intern at WinSavvy. Connect with her on LinkedIn.

Editor Bio: Chinmay Jain is a BA.LLB(H) student from Institute of Law, Nirma University, and an intern at WinSavvy. Connect with him on LinkedIn.
