Data Protection- the regime in India (Part-I)

In this two part series, we aim to lay down the basis, objectives for data protection laws in India. The first part aims to provide a brief overview of the need for data protection and the genesis of Digital Personal Data Protection Act in India.

The world is full of data. Big data, analytics, and artificial intelligence (AI) have all proliferated, resulting in the development of numerous new information-intensive services as well as the transformation of already established companies.

Data, among other things, adds wealth and economic value. Organisations are finding ways to generate value from data, and frameworks are being developed to better understand the uses and benefits of data.

Owing to the data economy's growing significance and potential for creating value, governments everywhere are realising how important it is to facilitate and control all facets of data, including non-personal and personal data.

Data and its importance

The smallest of decisions one makes is based on some information. Numerous facets of decision-making and business operations demonstrate the value of data. Data contributes to business in the following ways:

·Offers market intelligence and projections to support companies' innovation and diversification. 

·Assists in lowering business risk by guaranteeing prompt and precise decision-making.

·Identifies tasks requiring a lot of time and resources.

·Promotes efficient resource allocation by analysing gaps in various processes. These can be programmed to increase output.

·Enables companies to examine consumer behaviour and create customer retention plans.

Data and its protection

The process of protecting sensitive data from loss, alteration, or corruption is known as data protection.

Data protection is crucial because it shields an individual or an organization's confidential information from identity theft, fraud, hacking, and phishing. Any organization that wishes to function efficiently must put in place a data protection plan to guarantee the security of its information.

Since data is being created and stored at unprecedented rates, data protection is becoming more and more important. Making sure that data can be promptly restored following any corruption or loss constitutes a significant portion of a data protection strategy. Other essential elements of data protection include guaranteeing data privacy and shielding data from compromise.

The three key elements of Data Protection would be[1]:

·Confidentiality: Only authorised operators with the proper authorization can access the data.

Integrity: Every piece of information kept on file by a company is accurate, dependable, and free from unauthorised modifications.

·Availability: The information is kept secure and easily accessible at all times.

·A key role in data protection is played by the laws that govern it.

Personal and Non-Personal Data

Non-personal data is, in the simplest terms, any collection of data that does not include personally identifiable information. This essentially means that using such data, no living person or individual can be identified. Thus evidently, any data that would reveal the identity of an individual would be classified as personal data.

Often, it is difficult to separate personal data from data that generally would contain non-personal data. For instance, large scale general medical data contributes to medical research or data analysis for insurance risk, however, such data is collected from each individual person. Thus, the segregation of data is a significant step that draws the line between using data for commercial/non-commercial benefit and stepping on one’s privacy.

The main categories of Non-Personal Data are–

·Public Non-Personal Data

·Community Non-Personal Data &

·Private Non-Personal Data.

Big Data Analytics and Challenges

Big data and data analytics are the two terms that together make up big data analytics.  It describes data sets that are rapidly expanding in size and contain significant amounts of complex data.  Data analytics is the process of examining data to extract useful information using a variety of methods or instruments.

Analytics is used to solve problems and improve the efficiency of numerous sectors. The development of the Banking, Financial Services, and Insurance (BFSI) sector also depends heavily on analytics. By gathering and evaluating healthcare data from wearable smart devices and Electronic Medical Records (EMR), it is also revolutionising the healthcare industry. This is also playing an important role for preventive healthcare as it aids in the early detection of many diseases.

However large data sets require a lot of storage, a variety of tools and technologies, and a substantial budget to manage and analyse. Businesses face a great deal of difficulty in managing and storing this kind of data because most big data tools gather and analyse data in real-time. Moreover, if the data load grows exponentially, scalability also becomes problematic.

Having said that, the biggest threat to data is breach of security. India ranked second globally in terms of data breaches in 2022[2]. Thus, robust protection is quintessential. Adopting best practices along with strong legal enforcement is the way to effective data protection.

Background of Data Protection in India

The very first effort to protect data can be traced back to an amendment made to the Information Technology Act, 2000 (IT Act), in 2008. The amendment[3] imposed an obligation on companies to safeguard any sensitive personal data and information they own, handle, or deal within a computer resource by putting in place and upholding appropriate security measures. It also levied a fine for noncompliance.  

Subsequently, a rule[4] was enforced in 2011 which specified which laid out minimum requirements for data protection of sensitive personal data, such as the need for businesses to have a privacy policy, to get consent before collecting or transferring sensitive personal data, and to notify people about the recipients of such data.

As the information technology sector rapidly boomed, various sectoral rules and regulations were introduced where remedies and preventive measures were inducted for the purpose of data protection. However, such sporadic development had left loopholes and inconsistencies in the regime of data protection and there as a dire need for a focused law and enforcement.

At this juncture, a landmark judgement changed the course of events. In 2017, the Supreme Court in K.S. Puttuswamy v. Union of India[5] (Puttaswamy Judgement), unanimously upheld the right to privacy as a fundamental freedom guaranteed by the Indian Constitution. The Court decided that the right to privacy was a basic component of liberty, autonomy, and dignity and that it was essential to the freedoms protected by all fundamental rights. This laid the foundation of single statute legislation for protection of data in Inida[6].

As a result of the Puttaswamy Judgement, the first Draft Personal Data Protection Bill was introduced in 2018, which was subsequently tabled before the Rajya Sabha (Upper House of the Parliament). The said bill went for review before the Joint Committee of the Parliament and finally in August 2023, the Parliament passed the Digital Personal Data Protection (DPDP) Act, 2023[7].

The DPDP Act, is aimed at protecting personal data. At the same time, as a country India realizes the importance of data in general and thus in order to enable better targeting of service delivery or formulation of evidence-based policies by the Central Government, the DPDP Act mandates the sharing of non-personal or anonymized data.

For example, to get around the problem of restricted data access within India's AI ecosystem, the National Strategy for Artificial Intelligence[8], considers making some types of government data available for the "public good" and requiring corporations to share aggregated data.

A Committee of Experts was established by the Ministry of Electronics & Information Technology (MeitY) to come up with a Data Governance Framework[9], which essentially lays the principle for regulation of non-personal data, however, the Indian law makers are yet to enact a legislation specifically targeted towards non-personal data.

The second part of this blog will further explore the salient features of the DPDP act.

[1]https://pecb.com/article/why-is-data-protection-important

[2]https://www.cnbctv18.com/technology/india-sufferred-second-highest-data-breaches-in-2022-with-450-million-records-exposed-report-16088781.htm

[3] Ref Section 43A of the IT Act, https://www.indiacode.nic.in/show-data?actid=AC_CEN_45_76_00001_200021_1517807324077&orderno=49#:~:text=%2D%2DWhere%20a%20body%20corporate,gain%20to%20any%20person%2C%20such

[4] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, https://upload.indiacode.nic.in/showfile?actid=AC_CEN_45_76_00001_200021_1517807324077&type=rule&filename=GSR313E_10511(1)_0.pdf

[5] AIR 2017 SC 4161

[6]https://www.lexology.com/library/detail.aspx?g=57720842-f709-4dd4-947b-44c3c6e4ed10

[7] The Digital Personal Data Protection Act, 2023 (No. 22 of 2023), Gazette of India, August 11, 2023, https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%….

[8]https://www.niti.gov.in/sites/default/files/2023-03/National-Strategy-for-Artificial-Intelligence.pdf

[9] Report by the Committee of Experts on Non-Personal Data Governance Framework, https://ourgovdotin.files.wordpress.com/2020/07/kris-gopalakrishnan-committee-report-on-non-personal-data-governance-framework.pdf