We live in a digitalized world, a world where we can access the information of any person, thing, or place within a click. Privacy is a major area of concern, recently the Indian Government banned several Chinese apps, on the pretext of privacy concerns. There were allegations that these apps, which were originated/developed in China, are sending the user’s data, across the globe to China.
This rapid digitalization proves to be a major hurdle for privacy issues. One cannot escape from this internet. Whether a person belongs to any field, the Internet is a must. We cannot even think of a life without the internet. But there are several guidelines to be followed while surfing on the internet, to protect precious data.
Pandemic proved to be a booster for the digitalized world, where online working increased significantly, with the increased number of online users, it also increased the chances for online scams such as stealing of the data and use it for their purpose or to sell that on the dark web and earn a huge profit.
WHAT IS PRIVACY?
Privacy means the disclosure of sensitive personal information of an individual, it is not bounded only to personal information, also any other information, which the individual feels, not to be disclosed in the public domain. It can involve information such as the name, email id, password, details of financial instruments, etc.
LAWS RELATED TO DATA PROTECTION
Currently, we are not having any specific law, which deals with privacy and data protection. However, the Information Technology Act 2000 is serving the purpose, by containing some relevant sections related to the protection of the data.
THE GAZETTE OF INDIA: EXTRAORDINARY
A gazette was released on April 11, 2011, by the ministry of communication and technology. The act was named Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules passed in the year 2011. The term sensitive personal data is being defined under this act. It defines any information which includes financial instruments such as debit/card details or bank account details, password, biometric medical records, sexual orientation, etc.
However, it includes an exception, which states that any information available in the public domain or is freely accessible or if it falls under the ambit of Right to Information Act 2005. Then that data does not fall under the definition of sensitive personal data.
INFORMATION TECHNOLOGY ACT, 2000
The IT act deals with cybercrimes and safety. It involves several sections with deals with online frauds, data breaches and outlines the guidelines to be followed by the corporate bodies while handling the customers/client’s sensitive data.
Apart from defining cybercrime, it also defines the punishment for such offences such as Section 72 of IT Act, 2000. Which states the penalty in case of breach of confidentiality and privacy. It says that any person who is in power or possesses the authority to have the access to confidential data may in form of an electronic record, discloses that information, but without the prior consent of the person, whom personal data is being compromised.
In this situation, the person in power or authority will be subjected to jail, which can be extended up to 2 years, or it will attract a fine which may amount to Rs 1 Lakh maximum, or both will be awarded to the person who committed an offence.
THE PERSONAL DATA PROTECTION BILL, 2019
The personal data protection bill, 2019 includes a total of 98 Sections and 14 Chapters. This act primarily focuses protection of the privacy of an Individual. It broadly covers areas such as the obligations of data fiduciary, restriction on transfer of personal data outside India, etc.
However, in Chapter VIII of the bill, it included an exceptional clause, which states that the provisions will not apply to any government agency, they can process the personal data if it is in the interest of national sovereignty or security of the Nation or for public order (Section 35 sub-clause 1).
Section 35, Sub-clause 2, states that the government agencies are exempted from the provisions of data protection and can process the data, for the prevention of any cognizable offence, which can become a major threat to national integrity, security, Sovereignty, and the maintenance of public order.
CASE LAW – JUSTICE K. S. PUTTASWAMY (RETD.) v. UNION OF INDIA, 2017
- Case Brief – A petition was filed in 2012 for challenging the constitutionality of Aadhaar by a retired High Court Judge KS Puttaswamy. This case is famously known as the Aadhaar judgment. KS Puttaswamy stated that Aadhar is violating the right to privacy.
- Judgement- The Apex court, that is the Supreme Court of India, gave a landmark verdict on 24th August 2017, stating that the Right to privacy is a fundamental right, and it is protected under Article 21 of the constitution with some reasonable restrictions on it. If any state or non-state wants to invade privacy, they have to clear the triple test, which involves the Legitimate aim, Legality, and Proportionality. This judgement overruled the decision given in the MP Sharma vs. Satish Chandra and Kharak Singh vs. State of UP, where it was decided that the right to privacy is not protected by the constitution of India.
RECENT DATA BREACH CASES
- The Aadhaar data breach, which impacted more than 1.1 billion users. This stealing of data leaked information such as the bank details, unique 12-digit Aadhar Number, and their other sensitive personal information. This breach took place in the year 2018.
- Recently in April 2021, the data of Facebook was leaked, which put the user’s data compromised. More than 532 million user’s personal data such as the mobile number and email id were exposed (out of which 6 million were Indian User’s) and were available on a low-level hacking forum.
Data is the new oil for these fraudsters to commit fraud or to do any terrorist activity. It is quite easy for these people to make a fake ID by using any person’s credentials available on different portals, such as the dark web. We have an Information Technology Act, 2000. But it was made in the year 2000.
At that time people were not so tech-savvy and the laws were made accordingly. We are now in the year 2021 and it is required to have a newly updated Information technology act, which covers the broad domains. There is a need of the hour to have a data protection act, which will protect the users from these cyber-crimes and data stealing.
Apart from the legal perspective, a user should be made aware of various cyber-crimes, they should be made aware, they do not fall into any lucrative offers as they are generally baiting, to get the person in the trap to commit fraud.
Author(s) Name: Deepak Kumar Chaurasia (Student, Chandigarh University)
 Section 3, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
 Section 72, THE INFORMATION TECHNOLOGY ACT, 2000, No. 21 OF 2000.
Section 35, THE PERSONAL DATA PROTECTION BILL, 2019, Bill No. 373 of 2019.
 Case Summary: Justice K. S. Puttaswamy (Retd.) vs. Union of India, 2017, available at: https://lawlex.org/lex-bulletin/case-summary-k-s-puttaswamy-retd-v-s-union-of-india-2017/18929 (last accessed on 14 June 2021).
 The 56 Biggest Data Breaches (Updated for 2021), available at: https://www.upguard.com/blog/biggest-data-breaches (last accessed on 14 June 2021).
 533 million Facebook users’ phone numbers and personal data have been leaked online, available at: https://www.businessinsider.in/tech/news/533-million-facebook-users-phone-numbers-and-personal-data-have-been-leaked-online/articleshow/81889315.cms (last accessed on 14 June 2021).