Data privacy legislation

Information Technology Act, 2000

The Information Technology (IT) Act, 2000 stands as the central legislation in India governing e-commerce and addressing cybercrime concerns.

Its inception aimed to boost e-governance, provide legal backing for online transactions, and combat cybercrime. The primary objective of this law is to facilitate legitimate and reliable digital, computer-based, and online activities while minimizing or eliminating instances of cybercrime.

Scope of the Act

The IT Act, 2000 is applicable throughout India and also possesses extraterritorial jurisdiction, implying its applicability to cybercrimes committed outside India's borders. If an Indian system or network is involved, the provisions of the IT Act, 2000 would be enforced, regardless of the offender's geographical location.

Objectives of the Act

• To confer legal status to all operations conducted electronically, whether through data interchange, other electronic communication, or e-commerce, replacing the traditional paper-based manner of communication.
• To validate digital signatures as legal proof of any information or documents requiring legal verification.
• To enable the electronic submission of papers with government departments and agencies.

Salient features of the Act

The salient features of the Act are as follows:

• There are 94 Sections in the Act, organized into 13 Chapters and 4 Schedules.
• Legally validating all smart contracts executed through secure electronic means
• The Act keeps the required security precautions in check and a legal framework for digital signatures using cryptosystem was also added.
• Electronic records have been authenticated.
• There are also provisions for setting up a Cyber Regulations Advisory Committee to advise the Controller and the central government.
• The Act permits senior police officers and other officials to enter any public space and make arrests for offences covered by the Act without a warrant.
• Powers of attorney, negotiable instruments, wills, and other similar documents are not subject to the regulations contained in this Act.
• Finally, this Act outlines the numerous cybercrimes and violations, defines them, and specifies the associated penalties.

The IT Act of 2000 was amended by the IT Amendment Act, 2008. As a result, all types of communication tools and computer resources are now included in the scope and ambit of the IT act 2000.

Data privacy laws that prevent companies from transferring data across borders

In recent years, there has been a significant surge in global data flows and cross-border digital service trade. According to a World Bank report, in 2020, global internet traffic reached around three zettabytes, equivalent to one gigabyte per person per day. This data volume is expected to double in the near future, underscoring the substantial data exchange driving international trade. Cross-border data flows play a pivotal role in enhancing productivity, reducing costs for trading goods, and serving as the primary platform for digital service transactions. The mutually reinforcing relationship between cross-border data flows and international trade is instrumental in propelling global commerce.

In response to these dynamics, the Indian Ministry of Electronics and Information Technology (MeitY) introduced a draft of the Digital Personal Data Protection Bill 2022 for public consultation. This bill seeks to address data privacy concerns and regulate digital personal data processing. The MeitY will hear views from the public until this year.

Draft provisions: The Digital Personal Data Protection Bill 2022

The proposed legislation aims to achieve several objectives:

• Balanced data processing: The bill intends to manage the processing of digital personal data in a manner that respects individuals' rights to safeguard their personal information while allowing lawful data processing for specific purposes.
• Cross-border data transfer: The draft introduces provisions for cross-border data transfers with "certain notified countries and territories." This move is seen as a positive development for tech companies seeking international data exchanges.
• Tech industry advocacy: Industry lobby groups, such as the Asia Internet Coalition, representing major tech companies like Meta, Google, and Amazon, have advocated for relaxed cross-border data transfer regulations to promote innovation and ease of doing business.
• Proportional regulation: The bill emphasizes that cross-border transfer decisions should be based on careful assessments and should ideally be minimally regulated, to encourage unhindered data flows.
• Data use accountability: The draft emphasizes that companies should use the collected data only for the specific purposes for which they obtained it, ensuring greater accountability and transparency in data handling.
• Limited data storage: The bill proposes that data storage should be limited to the duration necessary for the intended purpose, preventing indefinite retention of personal data.
• Penalties for non-compliance: The draft includes penalties for inadequate security safeguards, data breaches, and failure to notify authorities and users of breaches, with fines potentially amounting to millions of dollars.
• Streamlined regulations: The current draft of the bill condenses its provisions to a more concise form, from over 90 clauses to 30 clauses, aiming to strike a balance between regulatory requirements and a conducive business environment.
• National security exemptions: The bill empowers the federal government to exempt state governments from certain provisions in the interest of national security.
• Path to Digital India Act: New Delhi is concurrently working on updating its two-decade-old IT law, which will debut as the Digital India Act. This new legislation aims to modernize the regulatory landscape and address contemporary technology challenges.

India's journey toward comprehensive data protection legislation has witnessed a series of updates and revisions. The withdrawal of earlier versions reflects the government's commitment to align the bill with evolving privacy concerns and the broader legal framework. This legislative progress also aims to strike a balance between data protection, technological innovation, and the facilitation of cross-border data flows for international trade.

Rationale for data protection laws in India

• Pervasive data usage: Daily, millions of Indians engage with numerous applications, inadvertently generating data trails susceptible to misuse for profiling, targeted advertising, and predictive analytics.
• Legal ambiguity: India's legal landscape is characterized by disparate laws across domains, resulting in ambiguity. This fragmentation is a prominent factor contributing to the breach of substantial data volumes. The absence of a consolidated legislation that comprehensively addresses data protection aspects and prescribes appropriate penalties exacerbates this challenge.
• Grievance redressal gaps: Numerous instances reveal inadequate and malfunctioning grievance redressal mechanisms. Swift revitalization and thorough review of these mechanisms are imperative. The enforcement apparatus frequently grapples with implementation hurdles when addressing cases involving data breaches and cybersecurity.
• National data asset: As a sovereign nation, Indian citizens' data is deemed a national asset. Depending on India's security and geopolitical objectives, safeguarding and localizing this asset within national borders might become paramount. This pertains not only to corporate entities but also extends to Non-Governmental Organizations and governmental bodies.
• Adherence to international frameworks and safeguarding citizen rights: Despite India's membership in various international organizations that emphasize data protection mechanisms, such as the United Nations Commission on International Trade, India's commitment to ensuring comprehensive data privacy and protection remains inadequate. Moreover, constitutional provisions under Article 38, which pertain to citizens' overall welfare, highlight the need for stronger data security measures. Additionally, Article 51 of the constitution underscores the state's obligation to foster international peace and security through the promotion of adherence to treaty obligations and international law.

The need for robust data protection legislation in India stems from the complex interplay of modern technology, legal intricacies, and national security imperatives. Establishing a comprehensive legal framework for data protection is essential to address these challenges, ensuring citizens' rights are upheld, businesses operate responsibly, and national interests are safeguarded on the global stage.