Constitutional Law
Laws on Data Privacy within and Beyond Borders
05-Sep-2023
Introduction
In an increasingly interconnected and digitized world, data has become one of the most valuable commodities. Individuals, businesses, and governments generate and exchange vast amounts of data daily, ranging from personal information to financial transactions and sensitive corporate secrets. With this proliferation of data, the need for robust data privacy laws has never been more critical. Several laws have been enacted at the domestic and international levels to safeguard against the abuse of private information. These laws play a cardinal role in safeguarding individual rights, ensuring cybersecurity, and promoting trust in the digital age.
Major International Privacy Laws
- EU’s General Data Protection Regulation (GDPR):
  - The GDPR is a comprehensive data protection and privacy regulation enacted by the European Union (EU) that came into effect on 25.05.2018.
  - GDPR applies to all organizations, both within and outside the EU, that process personal data of individuals residing in the EU. It covers a wide range of data processing activities, from online retailers to social media platforms and healthcare providers.
  - It is considered to be the Gold Standard for privacy regulation.
  - It operates on several fundamental principles, including:
    - Lawfulness, Fairness, and Transparency: Data processing must have a legal basis, be conducted fairly, and individuals should be informed about how their data is being used or will be used.
    - Disclosure of Purpose: Data should be collected and processed for specific, legitimate purposes and should not be used for anything else.
    - Data Minimization: Organizations should collect and retain only that data which is necessary for the intended purpose.
    - Storage Limitation: Personal data should not be kept longer than necessary.
    - Integrity and Confidentiality: Organizations must implement security measures to protect data from breaches.
- Asia-Pacific Privacy Framework:
  - This framework is governed by Asia-Pacific Economic Cooperation and sets out 9 principles: Accountability, Prevent Harm, Notice, Choice, Collection Limitation, Use of Personal Information, Integrity of Personal Information, Security Safeguards, and Access and Correction.
- California Consumer Privacy Act, 2018 (CCPA):
  - Data privacy in California is dealt with under this act.
  - It gives Californian residents more control over their personal information and requires businesses to disclose data collection practices.
Indian Privacy Law
- In Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (2019), a unanimous judgement of 9 judges upheld the right to privacy as a Fundamental Right under Article 21 of the Constitution of India.
- The Government of India has recently enacted legislation catering to data privacy by the name of The Digital Personal Data Protection (DPDP) Act, 2023.
- Its key features are:
  - The Act applies to the processing of digital personal data in India where such data is collected online, or collected offline and then digitized. It will also apply to such processing of data outside India, if it is for offering goods or services in India.
  - Personal data may be processed only for a lawful purpose and upon the consent of the individual. Consent may not be required for specified legitimate uses, such as voluntary sharing of data by an individual.
  - Data fiduciaries will have the obligation to maintain the accuracy of data, keep data secure, and delete data after its purpose of use is achieved.
  - The Central Government may exempt government agencies from the application of provisions of the Act on specified grounds such as security of the state, public order, and prevention of offences.
  - The Central Government needs to establish the Data Protection Board of India to adjudicate upon matters relating to non-compliance with the provisions of the Act.
  - The Schedule of the Act specifies penalties for various offences; the maximum penalty that can be imposed by the Board is Rs 250 crore.
Comparison Between GDPR, CCPA and DPDP:
- Scope and Applicability:
  - GDPR: The GDPR has a broad extraterritorial scope, applying to organizations worldwide that process the personal data of EU residents.
  - CCPA: The CCPA primarily applies to businesses that collect and process personal information of California residents.
  - DPDP:
    - It applies to both Indian and foreign entities processing personal data of Indian citizens.
    - It includes provisions for data localization, which may require certain categories of data to be stored in India.
- Data Protection Officer (DPO):
  - GDPR: It requires the appointment of a Data Protection Officer (DPO) for certain organizations.
  - CCPA: It does not mandate the appointment of a DPO.
  - DPDP: The Act covers the appointment of a Data Protection Officer for certain data processors.
- Cross-Border Data Transfer:
  - GDPR: It requires data transfers to countries outside the European Economic Area (EEA) to meet specific adequacy standards or use appropriate safeguards.
  - CCPA: It does not specifically regulate cross-border data transfers.
  - DPDP: It introduces provisions for cross-border data transfers, including the requirement of data localization for certain types of data.
- Penalties:
  - GDPR: It imposes fines of up to €20 million or 4% of global annual turnover, whichever is higher, for serious violations.
  - CCPA: It allows for penalties of up to $7,500 per intentional violation.
  - DPDP: It provides for penalties for non-compliance, including fines and imprisonment.
Conclusion
- In an increasingly digitized world, the importance of safeguarding personal data cannot be overstated.
- The DPDP plays an important role in addressing this critical issue, as it aims to provide comprehensive regulations and safeguards for the handling of personal data.
- Both international laws and Indian laws were legislated in light of the sensitivity of personal data.