An Overview of Data Protection

What is Data Protection?

Data protection is the process or method of safeguarding important information or personal data from illegal use, corruption, or compromise that may cause financial or mental loss or harm to the owner of that information or data.

The Principles that should be followed for Data Protection:

  1. Fair and lawful
  2. Specific for its purpose
  3. Be adequate and only for what is needed
  4. Accurate and up to date
  5. Not kept longer than needed
  6. Take into account people’s rights
  7. Kept safe and secure

Need for Data Protection:

A person's personal data is very sensitive information that should be protected from people like hackers and cyber thieves, who may not only steal that information but also use it to cause irregular loss to the bearer of that information.

Nowadays a person's personal information is bought by advertising companies from various companies that collect it through:

  1. Social media platforms (Facebook)
  2. Browsing history (Google)
  3. Online shopping portals (Amazon)
  4. Pinterest

So all our likes and dislikes, what we want to buy or sell, our preferences related to anything, and whatever we are browsing: that information is collected and sold to many advertising companies that use it for their benefit. For example, once you search for a mobile phone on Google, you will find that particular phone's advertisement everywhere in the browser, whichever website you open. That is how information is taken from us and used. Many websites take our consent for using that information by presenting an agreement before their usage, which we accept by pressing the I AGREE button without reading the terms and conditions of that agreement. (For instance, Facebook is a free social media platform, but before using it we sign the terms and conditions; no one actually reads the terms, they just press I agree to use Facebook.)

So our information or data should be protected and should not fall into the hands of persons who may use it in illegal ways to cause loss or damage to people.

Laws governing data protection in India:

India is not a party to any convention related to the protection of personal data, like GDPR or the Data Protection Directive. India is a party to international declarations and conventions like the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR), which recognize the right to privacy. India does not have any laws or legislation on data protection. But the Indian legislature has amended the Information Technology Act (2000) (“IT Act”) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information.

Recent development in laws for Data Protection:

The Government of India constituted a committee to propose a draft statute on data protection. After research and development and a lot of discussion, the committee proposed a draft law, and the Government of India has issued the Personal Data Protection Bill 2019 (“PDP Bill”) based on that draft. This will be India’s first law on the protection of personal data and will repeal S. 43A of the IT Act.

Fines in case of Disclosure of Information:

Section 72A of the IT Act says that a fine of up to INR 500,000 can be imposed when personal information is disclosed in breach of a lawful contract or without consent.

Where companies disclose information or personal data, the PDP Bill provides penalties that are linked to worldwide turnover. Those penalties can be 2% or 4% of the worldwide turnover of that company, depending on the type of breach.

Criminal liability in case of disclosure of information:

Section 72A of the IT Act says that a person can be punished with imprisonment of up to three years when he/she discloses personal information in breach of a lawful contract or without consent. The PDP Bill proposed imprisonment of three years for re-identifying personal data or sensitive personal data without the consent of the concerned individual, the owner of that data or information, who will suffer damage or loss if that sensitive information is leaked.

Who is liable to pay Compensation?

Section 43A of the IT Act provides that companies which possess, deal with or handle any sensitive personal data or information in a computer resource which they own, control or operate are liable to pay damages as compensation to affected persons if they are negligent in implementing and maintaining minimal security practices and procedures to protect that sensitive personal data or information from people who can use it in illegal ways to cause loss or damage to people.

This article is written by Angad Singh, student of 4th Year, BBA LL.B at Jemtec School of Law, Jims Greater Noida.
