Stringent Data Protection Law is the Need of the Hour
demonetisation, the government has initiated a timely and much needed measure to increase digital payment options to weed out black money and corruption from public life. As an integral part of the government’s move to take the country towards a total cashless economy, these measures would change the quality of life of citizens.
One area that demands immediate attention is the need for a strong legal framework for privacy and protection of data shared by the individuals and entities. Legislative reforms are not as quick as technological innovations, and this leads to doubts regarding the enforceability of rights. Hence, simultaneous legislative reforms would be required as part of the digitisation programme.
The legal rights and liabilities arising out of handling of data of individuals and entities require a careful examination. Presently, the IT Act, 2000 and rules thereunder cover the existing framework on privacy and data protection in India. Sections 43A, 69 and 72A of the IT Act embody the law on data protection. In 2014, a bill named, The Personal Data Protection Bill, 2014 was introduced in Parliament which had a limited focus. As these provisions are minimal, the legal framework in the shape of contracts under the Indian Contract Act, 1872, comes to one’s rescue if there is any violation of privacy rights.
With every innovation in technology, an innovation in the art of misuse and fraud, also takes place. India, unlike countries such as the UK, Australia and other European countries, does not have a dedicated Data Protection Law. Though not specifically mentioned in the Indian Constitution, the courtsmayexpandthescopeof fundamental rights to include the right to data protection. Some of the recent decisions of the Supreme Court have expanded the contours of privacy to arrest the increasing assaults on the privacy rights of the citizens. If the courts further expand the scope of the fundamental rights to include privacy and data protection, then the existing framework of law may be insufficient to address the future legal challenges. Hence, a comprehensive Data Protection Law is required for greater legal clarity and safe enforceability of rights by owners of the data. This couldbeachievedthrough a special legislation with the objective of affording protection to the data and information of the natural and legal persons. The focus on implementation of newer areas of innovations may get blurred when included as part of the general laws. Hence, a special law is needed.
The following could be the broad features of such a legal framework:
Personal data must be clearly defined as any lack of clarity could expose the privacy rights to greater risks.
There should be a process of registration of the data and data collectors. This would create a central registry for tracking the flow of information. The authorities could then timely intervene and initiate penal actions against offenders.
A central authority should be constituted for monitoring the collection of information and data, registration of collectors, regulating the collection and dissemination of data and to initiate penal action against offenders.
What constitutes “offence” under law must be clearly delineated. The punishments under this legislation should be made stringent. This will safeguard the interests of the citizens who participate in the space of digitised transactions against the misuse of their data. Knocking at the doors of justice in the ordinary course of time may prove to be expensive and a long drawn affair for them. Hence, prescription of a stringent penal framework with a timebound implementation mechanism will act as a deterrent against misuse.
Penal provisions should be exemplary. Penal provisions of fine, including issuance of disgorgement orders, non-compoundable offences, etc, should form part of such a law. Security measures required by the data collectors and controllers to prevent misuse should be stipulated.
Collection, processing, usage and the grounds of exceptions from the provisions of this law should be clear.
A comprehensive data protection legislation on the above lines will guarantee a sense of safety to the owners of the data.
There is need for a strong legal framework for privacy and protection of data shared by the individuals and entities