One of the confusions that is prevailing in the domain of Privacy and Data protection is whether the two terms “Privacy Protection” and “Data Protection” are same.
A time has come to distinguish the two concepts since this confusion should not percolate into the Indian Data Protection legislation as and when the Justice Srikrishna Committee comes up with its recommendations.
Let’s put things in the right perspective. “Privacy” is a right that is recognized as a fundamental right of an Indian Citizen. This is a concept that arises from human rights domain. This has nothing to do with data or computers though data can be a means of Privacy breach and therefore relevant to Privacy Protection.
India at present does not have any specific Privacy Protection legislation. In 2006 a draft bill was presented in the Loksabha and it lapsed subsequently. On the other hand ITA 2000 has been present since 17th October 2000 and was strengthened by the amendments of 2008 (effective from 27th October 2009) and it inter-alia protects “Data that is related to Privacy Protection”.
Despite the Puttaswamy judgement, “Privacy Protection” remains an elusive concept since “Privacy is a mental state of a person to experience the feeling of being left alone as he desires” and this cannot be identified and protected by external agencies who handle the “Information Privacy”.
It is for this reason that an individual feels happy to voluntarily share his personal intimate information on his Face book timeline with his friends without feeling loss of privacy but objects to it being viewed by some body else whom he has not authorized.
In such cases it is the “Unauthorized access to personal data” that is considered as Privacy Breach and not the fact that it was first shared with one set of persons.
Data Protection on the other hand relates to efforts to protect data from unauthorized access, modification and access and must be considered different from Privacy Protection irrespective of what kind of data it is. What the Puttaswamy judgment called as “Information Privacy” is within the scope of Data Protection.
“Data” is information in binary form which is generated, processed, stored and transmitted using devices which we call as “Computers” which includes other similar devices such as mobiles and also as per the definition of ITA2000/8 also includes peripherals attached to a computer. There are specific provisions in ITA 2000/8 which protect data. This is the current “Data Protection Law of India”.
ITA 2000/8 distinguishes “Personal Data”, “Sensitive Personal Data” but does not restrict itself to only protecting such “Personal Data”. Protection of Data under ITA 2000/8 extends to a”Any Data” and penalizes any action when data is used maliciously for causing wrongful loss to some person. For example, when some non personal data is deleted without the permission of the owner of the data or the owner of the system holding the data, it is recognized as an offence. If this data had been “personal” or “Sensitive personal”, then also the same law (Section 43 and 66) would be available as a protection of the data.
Thus the Data Protection under ITA 2000/8 is at a level higher than the protection which the data protection laws now being drafted are designed to provide.
We can still debate if we need to augment the “Adjudication” system of dispute resolution with a “Data Commissioner” or “Director CERT-IN” has to be augmented with a “Supervisory Authority”, whether the compensation under Section 43 (which is unlimited) has to be quantified at some terrifying level such as Rs 1000 crores, etc…
….But we cannot say that ITA 2000/8 does not provide data protection.
The Compliance officers under ITA 2000/8 work for ITA 2008 compliance with the Information Security Managers to ensure practice of “Reasonable Security Practice” under Section 43A or “Due Diligence” under Section 79. They are the current “Data Protection Officers” in India.
As compared to this role of a “ITA 2008 compliance officer”, the role of a “Privacy Officer” could be considered as restricted to be a “Watch dog for Privacy Protection of Customer Data processed by a Company”. Under GDPR the role of a DPO is restricted to this aspect where the Data Subject’s Rights are protected in the Data Processing environment.
The proposed Indian Data Protection Act should therefore recognize that what it needs to protect is a sub set of data already being protected under ITA 2000/8 and cannot be in conflict with the provisions of ITA 2000/8. Similarly the role of Data Protection Officers under Indian Data Protection Act (proposed) is a subset of responsibilities of ITA 2008 compliance officials and cannot be in conflict.
Further ITA 2000/8 does not exclude data of citizens of other countries from its jurisdiction when they are processed in India. Hence any adverse impact on such data is also within the provisions of ITA 2000/8. Hence the role of ITA 2008 compliance officers encompass the roles of DPOs as envisaged in EU GDPR or UPDPA or German DPA.
The industry should therefore realize that a “ITA Compliance Official” is having a larger role than the DPOs under the data protection laws both existing and forthcoming including laws such as GDPR or UK DPA.
ITA 2000/8, it will therefore remain the supreme Data Protection law in India atleast for the time being.