
RULES AND REGULATIONS REGARDING DATA PROTECTION AND RIGHT TO PRIVACY

Author: Prateek Chandra, III year of B.B.A., LL.B from Bennett University.


Abstract

This blog aims to inform readers about data protection and the right to privacy, and about the relevant provisions and laws available for both. It further elaborates on the recent laws and on the major developments and drawbacks of the laws available at present. It specifies measures that can be taken to avoid data stealing and breaches of private accounts, and provides an overall analysis of the digital laws enacted and implemented by the government to address data protection and the right to privacy. Furthermore, it explains the concepts of data stealing and breach of privacy with the help of relevant case studies and case law, and elaborates on the recent laws in detail.


Keywords: data protection, data stealing, right to privacy, recent law and judgements, measures

Introduction

The digital world keeps producing new platforms, in the form of social media and online websites, for sharing useful information and data with the public. Use of online platforms by the general public is growing rapidly, and it brings some major threats and challenges. One of the major threats today is data stealing and breach of privacy from private accounts. In the Indian Constitution, there are no standalone laws which specifically address data protection or secure the general public from data stealing; the law exists as a mix of statutes, provisions and rules. However, to curb this problem, laws have been put in place to stop breaches of privacy and data stealing, such as the Information and Technology Act 2000 (amended in 2008) and the Personal Data Protection Bill 2019. Sections 72A and 66E of the IT Act lay down the punishment for data stealing: three years in jail with a penalty of rupees 5 lakh.


Under the Constitution, every person has the right to privacy, which is guaranteed under Article 21 of the Indian Constitution. The right to privacy has wide interpretations and meanings; it includes the integrity of a particular person. In its landmark judgement in Justice K.S. Puttaswamy and Anr vs Union of India and Ors, the Supreme Court declared privacy to be a constitutional right. The MEITY (Ministry of Electronics and Information Technology) formed a ten-member committee chaired by retired Supreme Court judge B.N. Srikrishna to make suggestions for a draft Bill on personal data protection.


In September 2020, the central government's Ministry of Electronics and Information Technology (MEITY), citing its power under Section 69A of the IT Act, banned foreign apps from India because these apps collect personal data from mobile phones which was then shared with overseas countries, which can be dangerous for national security and defence. According to the MEITY notification, these apps were involved in conduct that was damaging to India's sovereignty and integrity, defence, state security, and public order, as they were sending massive amounts of data from citizens of India to various countries.


Case study

A major breach of data privacy happened in 2013 at Yahoo, affecting almost 3 billion Yahoo user accounts. Security questions were also exposed in this case, increasing the possibility of identity theft. On December 14, 2016, Yahoo exposed the vulnerability while in talks to sell the company to Verizon. Yahoo guided all affected users to update their account details and questions and answers in order to re-encrypt them. A survey revealed that users' plain text passwords, card payment data, and financial information had not been stolen. This security breach is believed to be one of the greatest breaches in history: it compromised users' private accounts and so breached the privacy of the individuals using Yahoo.


Recent laws on Data Protection Law

The Central government, considering the data protection law, proposed the Personal Data Protection Bill in 2019 to tackle data theft and privacy breaches, but some of the provisions remain unnotified indefinitely, resulting in those provisions existing only on paper and never seeing the light of day in reality.

Moreover, the unreasonable delay by the government in proposing the PDP Bill (Personal Data Protection Bill, 2019), and its power to further postpone the entry into force of the PDP Bill by announcing different clauses individually and indefinitely, breach our right to privacy. Enough has already been said about the correlation between due process and delay and how justice deferred is justice denied.


The amended 2019 Bill was opposed by Justice B. N. Srikrishna, the drafter of the current Bill, which, according to him, will transform India into an "Orwellian State". In an interview with the Economic Times, Srikrishna noted that, "The government could at any moment extract private information or government entity data on grounds of sovereign or public order, which will have catastrophic ramifications."


The struggle for a right to privacy has been gradual and steady, and one would argue that we have come a long way from M.P. Sharma and Ors. v. Satish Chandra to Puttaswamy & Ors. v. Union of India and Anr. However, one is left wondering whether, in the four years since acknowledging that privacy is a basic right, we might have established legislation that assists in its successful fulfillment. The fundamental regulatory approach taken in the Personal Data Protection Bill attempts to safeguard customers from uses of data that might be damaging to them. The bill does not, however, name specific detrimental activities. Instead, it makes user consent an integral element of the data protection system. According to Data Protection Rule 3, personal and sensitive information and data of an entity comprises the following elements: passwords; financial details such as credit card or debit card as well as other payment option details; physical, physiological, and mental health status; sexual preference; medical information and history; and biometric information.


To accomplish this, it specifies that personal data can only be gathered after providing notice and getting consent. Such permission must be free, informed, unambiguous, and precise, and there must be procedures that allow users to withdraw it. In addition, measures such as time restrictions on data retention and transparency requirements are meant to govern how personal data can be used by data fiduciaries. The law consequently focuses on sufficient disclosure to persons as a strategy for preventing harm to them.


In addition, the law intends to decrease the gap in knowledge regarding the use of personal data between customers and data fiduciaries. It tries to do so by restricting the goals of data processing as well as offering consumers the right to access their personal data and the right to know how it will be used. Users can also amend their personal data kept with data fiduciaries. The bill mandates that data fiduciaries give notice of these rights to customers before acquiring personal data. This notice must disclose, among other things, the reasons for data collection, types of personal data collected, source of collection, individuals with whom such data may be shared, and information concerning grievance resolution.


The law imposes various constraints on data processing. These are predicated on the idea that customers have a limited understanding of how their data is being processed. The bill recommends that data be handled only for defined, clear, and legitimate reasons; that its goal be justifiable; that it be limited to those authorized by users; and that only necessary data be gathered for such purposes. In addition, data storage constraints necessitate that data be removed after the reason for its acquisition has been accomplished. The logic underlying these rules is that preventative controls on personal data are likely to result in improved individual control over the use of one’s personal data and lower the potential for personal damage.


Suggestions

The latest proposal, relying on the version made accessible in December 2019, explicitly states broad security precautions to be implemented by a data principal (akin to a data controller) and data processor, such as de-identification and data encryption, steps to protect the integrity of data, and steps to avoid misuse, illegal access, modification, disclosure, or destruction of data. Furthermore, the "how" portion of taking such precautionary measures is lacking in the proposed legislation. A Data Protection Authority, envisaged to be constituted under the proposed law, is empowered with the authority to issue or implement codes of practice on standards for safety precautions. As recognized by the Electronics and Information Technology Divisional Council, the Information Systems Security and Privacy Sectional committee may operate as a reference point or current law for aligning with the security protocols under the prevailing law in India, as and when established.


Certain measures can help reduce and minimize breaches of data privacy:

  • Practice minimal data collection.

Ensure that your policies clarify that only essential information is required. If you collect more than you need, you increase your risk and may place an unnecessary burden on your security personnel. Minimizing your data collection might also help you save time and storage. These solutions leverage third-party data to verify users and avoid the need to maintain or communicate user data to your systems.

  • Involve your users.

People are often aware of privacy issues and are inclined to welcome clarity about how you use and store their data. Acknowledging this, GDPR has made user consent a crucial part of data use and collection. Be sure to incorporate users and their consent into your operations by building privacy considerations into your interfaces, for example by providing explicit user notifications describing when data is gathered and why. You should also give users the ability to amend their data or opt out of data collection.

  • Examine your data.

Maintaining data privacy means identifying what data you have, how it is managed, and where it is stored. Your procedures should specify how this information is obtained and acted upon. For example, you need to describe how frequently data is examined and how it is categorized once located. Your confidentiality policies should specifically describe what procedures are essential for your multiple data privacy levels. Policies should also contain systems for evaluating protections to verify that remedies are properly applied.


Conclusion

In India, legislation related to data protection and the right to privacy has evolved in recent years, and various revisions have been made in the past to curb the problem described above. There is still a need for development in the sphere of digital laws and the protection of private information. Although the government has created policies and laws to protect against data stealing, such as the IT Act 2000 and the Personal Data Protection Bill 2019, these still require big adjustments to be implemented and work correctly for the sake of the general public.