AN ANALYSIS OF USE, ABUSE AND MISUSE OF DATA: AN EXAMINATION OF DIGITAL DATA PROTECTION POLICIES


Authored By: Dheeraj Kumar Melkani, B.A.LLB (Hons.), Uttaranchal University/Law College Dehradun

ABSTRACT

“This article talks about how data is being used for various purposes with or without the consent of individuals, and shows how much data protection policies and regulations need to be monitored and amended so that the idea of one’s control over one’s personal data can be achieved. The security of data, here referred to as data protection, is said to be the reflection of privacy, as it contains the assurance that data related to an individual’s privacy is protected and secured. The very first need for such regulations was to make someone accountable for the use, abuse and misuse of data; through these regulations, whether in the Indian scenario or the global scenario, the accountability of organisations and third parties is decided, and punishment and penalty are imposed through various means. This article also lays emphasis on strict compliance with data protection principles by these organisations and third parties in today’s complex, data-driven world.”

 

INTRODUCTION

 

DATA SECURITY AS A REFLECTION OF PRIVACY

 

Every individual has a right to be informed, prior to or at the time of collection, of the type of personal information collected and of what the collector intends to do with it. Collecting and disseminating an individual’s information in the public domain without their consent is legally and morally a crime.

Consider the recent pandemic: the government states that data related to sensitive medical information has become important to tackle the pandemic. This cannot be a suitable method, as the state is forcing people to reveal their sensitive medical information so that proper vaccination/medication can be carried out. Placing personal symptom reports on social media and on various portals such as CoWin (the portal for vaccination booking and certification during the pandemic) will reveal people’s present medical condition; people will try their level best to avoid such revelation of their personal medical information and will refuse testing. In such extraordinary times the need for data protection regulations arises, as they are necessary for people’s cooperation in times of hardship and for the adoption of people-friendly data policies.

To secure such data and to avoid people refusing to comply, the whole world relies on various measures to store and encrypt the data. These include methods of securing the cloud, meeting compliance mandates and protecting software for IoT data. Strong authentication needs to be implemented, which will mitigate the risk of unauthorized access to, and breaches of, stored medical data or any other type of personal or digital information.

People will only trust the collection of data if evidence of the organisations’ processing activities, demonstrating that they have taken the necessary steps to comply with their obligations, is shown to them.

To comply with the Digital Personal Data Protection Act in India, and to implement the GDPR in the EU, organisations will need to carry out data protection assessments, which will ultimately result in an increase in consumer trust.

An alternative method such as ENDPOINT SECURITY PROTECTION can be used to encrypt the individual’s data.

“Endpoint security and protection refers to technologies used to secure and protect devices (such as desktops, laptops, mobile devices, and servers) that connect to an organization’s network. The goal of endpoint security is to prevent unauthorized access, detect and respond to security threats, and ensure the confidentiality, integrity, and availability of sensitive data.”

CONCEPT OF EVOLUTION OF DATA PROTECTION

 

In order to understand the fundamental principles behind the concept of data protection, it is necessary to first understand what personal data is and the amount of information it can contain in any form. Personal data includes any information that is directly or indirectly related to an individual, including but not limited to names, addresses, telephone numbers, biometric data, gender, religious beliefs and political views.

The EU was the first to regulate such provisions, and EU countries were required to add legislation related to GDPR into their national laws by May 2018. The Indian government introduced the Personal Data Bill in 2019, now known as the Personal Digital Data Protection Act, 2023.

The GDPR protects individuals’ right to the protection of their personal data, as well as the freedom to choose who can collect and who cannot collect their data.

The GDPR provides member states with protection on the treatment of personal data relating to

  • criminal offences or
  • the enforcement of criminal penalties,
  • as well as the free movement of that data.

This directive safeguards citizens’ fundamental right to protection whenever personal data are used for law enforcement purposes by criminal law enforcement bodies.

In particular, it ensures the protection of victims, witnesses and suspects of crime, and facilitates cross-border cooperation against crime and terrorism.

Personal data collection and use should be conducted on a legitimate basis, such as:

  • Consent
  • Contractual necessity
  • Compliance with legal obligation
  • Protection of vital interests

Without comprehensive data protection legislation, full visibility into how your data is accessed, used and moved around third-party organisations, whether on-premises or in the cloud, cannot be assured wherever you are.

LEGISLATIVE APPROACH IN INDIA

DIGITAL PERSONAL DATA PROTECTION BILL

India’s Digital Personal Data Protection (DPDP) Bill will cover the processing of personal data within India, whether it is collected online or collected offline and digitised. The bill will also apply to processing of personal data outside India, provided it is for the purpose of offering goods or services within India.

The bill stipulates that consent is only valid if it is given freely, in a specific and informed manner. These requirements are proving difficult to implement in the context of AI applications, particularly when there is no direct connection with the individuals whose data is being processed.

The draft law is the second pass of a comprehensive data protection law in India, following the government’s earlier PDB Bill. The bill is shorter than the PDB Bill, but contains many of the same elements.

The bill further weakens the notion of consent by providing numerous exemptions for the Indian government, some of which may be more reasonable, while others create privacy risks for Indian citizens and raise complex legal issues for companies and organizations working in India.

This appears to be the case for two main reasons.

Section 18(b) leaves it up to the government whether to exempt processing that is necessary for research or archival or for statistical purposes. This is a major departure from existing privacy laws in which processing for research or for statistical purposes is not deemed incompatible if certain conditions are met. If these conditions are met, and the processing is deemed compatible, then no other legal basis is required other than the one that enabled the collection and use of that personal data in the first place. The natural corollary of this departure is that, under the bill, businesses are not allowed to process personal data for the purposes of AI research or statistics unless the government permits it.

PERSONAL DIGITAL DATA PROTECTION ACT, 2023

The Relationship Between Data Principals and Data Fiduciaries

Data principals have a right to revoke consent at any time. A data fiduciary must ensure that:

  • The process of withdrawal of consent is as simple as the process of giving consent.
  • Once consent has been revoked, personal data is erased (unless there is a legal obligation to retain it).
  • Any processor is requested to cease processing personal data for which consent has been withdrawn, where there is no legal obligation to retain it.

The DPDPA-2023 has replaced information security with the right to control an individual’s data privacy, which is confusing and leaves much to be desired.

For example, the media reported in 2012 that retailers were giving shoppers a “pregnancy prediction score” based on their purchases of certain products, even though this information was considered to be protected consumer health data.

 

DATA PROTECTION BOARD

 

In contrast to the DPA, the board is not a regulator and has limited powers. It can conduct inquiries and impose penalties for non-compliance. The board has no powers to establish regulations, codes of conduct, or request information to oversee the operations of businesses. Foreign businesses will welcome this change. Most complaints about data localization revolve around costs. They don’t want to pay for technical changes and the technical infrastructure to store their data locally in India. There are also other costs associated with data localization, such as climate emissions costs, duplicate data storage infrastructure, and the cybersecurity risks associated with storing a duplicate copy of information where there was previously one less.

On the other hand, the primary provision on the processing of children’s personal data is included in Section 10 of the DPDPA, which has specific obligations for such data processing.

GLOBAL SCENARIO OF DATA PROTECTION AND CYBER SECURITY

 

  • Europe – GDPR
  • USA – California’s legislation is considered among the most forward thinking with the California Consumer Privacy Act (CCPA)
  • Brazil – General Data Protection Law
  • South Africa – Protection of Personal Information Act (POPIA)

In a world where cyber threats are on the rise, this law is essential and timely. It gives consumers the right to have their data accessed, corrected, and deleted, as well as the right to opt-out from data collection, use, and sale. It also places stricter restrictions on data that is sensitive, such as that collected on children, and gives consumers back control of their data. This law ensures that certain entities are required to inform people about how their personal data is being collected and made available to them, which is a step towards a more informed and secure digital community. Protecting personal data is essential in today’s world, especially in a highly personalized digital environment, and this law is a major step towards improving data privacy.

The UK’s Investigatory Powers Act (IPA) (which was introduced in 2018) allows for certain exemptions under national security and defence legislation. For example, bulk processing of personal data by government agencies (for intelligence and law enforcement purposes) is subject to the Investigatory Powers Act. The Secretary of State (Home Minister) issues a warrant for such a measure, which is subject to prior approval by the Judicial Commissioner. The necessity and proportionality of such measures must be established. The retention of data beyond the period of the warrant is limited.

The ultimate goal of data protection is to protect information and data from internal and external risks. It reduces the risk of fraud and compromise and protects individuals.

This bill provides consumers with the right to verify, access and delete personal data from social media platforms, as well as the right to opt out from processing personal data for targeted advertising and selling personal data. Users will also be able to opt out from the use of voice recognition to collect personal data.

The bill expands the definition of “personal information” to include biometric data, as well as data derived from technology such as global positioning system (GPS) coordinates and other mechanisms that directly identify an individual’s specific location within a specified radius.

Precise Geolocation Data does not include content of communications, nor does it include data generated by, or connected to, advanced utility measurement infrastructure systems, or equipment for the use of a utility.

  • Anti-forensics techniques
  • Identifying steganography
  • Decrypting files

Where appropriate, the investigator will need to have the technical and human resources to cope with such restrictions. If necessary, the investigator will also need to be able to obtain passwords to these devices (or decrypt files).

“Today New Jersey is standing up for the privacy rights of its residents by empowering them with the ability to direct and know how their personal information is used,” said Attorney General Matthew J. Platkin.

“Unauthorized access to our personal information is an invasion of privacy and can result in identity theft,” said Senator Troy Singleton.

This law will provide New Jersey consumers with some of the most comprehensive data protection measures in the country and help protect their privacy and interests. It will give consumers a say in how their personal information is shared, particularly by giving them the option to opt out of selling their data.

In April 2023, Sudan-affiliated hackers carried out a DDoS (distributed denial-of-service) attack on Israel’s Independence Day, which caused the website of the Supreme Court to be offline for a few hours. According to Israeli cyber authorities, the attack did not cause any long-term damage to the network. Hackers have been active since January 2023 in Northern Europe, targeting critical infrastructure, and are believed to be religiously motivated.

INDIAN SCENARIO OF DATA PROTECTION AND CYBER SECURITY

The Digital Personal Data Protection (DPDP) Act does not have any restrictions on transferring personal data outside India. This is in contrast to the current international data transfer laws such as the General Data Protection Regulation (GDPR).

The Act does not impose any restrictions on transfers outside India, except for those that are specifically restricted to certain countries. However, there are exceptions for preventing and investigating offences and enforcing legal rights.

The Data Protection Board (DPB) is responsible for monitoring compliance with the Act, and can impose a fine of Rs 200 crore on Fiduciaries for failing to comply with the Act, or Rs 250 crore on them for failing to prevent a data breach. The DPC has been empowered to impose a fine if there is a breach of DPDP Act.

The quantum of penalty imposed has to be as per Schedule – I with a maximum penalty of up to Rs. 250 crores, which may subsequently be revised by the Central Government to up to Rs. 500 crores.

The Digital Personal Data Protection Act (DPDP Act) sets out important obligations regarding the processing of children’s personal data. Children are defined as being under 18 years old, and there is no specific sub-category for older children or teenagers. Data fiduciaries are prohibited from any processing of children’s data that is likely to have a negative impact on the child’s wellbeing.

CONCLUSION

 

In 2018, the EU GDPR (Data Protection Regulation) became the most advanced and modern legal provision for the protection of both digital and personal data. This law protects all EU citizens from the effects of third parties or organisations that process their data, regardless of whether it is digital or personal. It has set the standard and has had a major impact on the trends that are currently dominating this sector.

In conclusion, there are also ways by which one can protect one’s data and ask for its removal, if the business allows such a method:

  1. Review the business’s privacy policy
  2. Provide instructions on how to file your removal request with the business.
  3. Ensure that the submission of your removal request is made using one of the business’s designated methods (this may differ from the business’s usual contact information used for customer service).

If your request to delete is not being processed according to a business’s designated method, let them know in writing and, if possible, submit your request using another designated method.


Cite this article as:  

Dheeraj Kumar Melkani, “An Analysis Of Use, Abuse And Misuse Of Data: An Examination Of Digital Data Protection Policies”, Vol.5 & Issue 5, Law Audience Journal (e-ISSN: 2581-6705), Pages 617 to 628  (03rd May 2024), available at https://www.lawaudience.com/an-analysis-of-use-abuse-and-misuse-of-data-an-examination-of-digital-data-protection-policies
