It is popularly said, “Data is the new oil”. If we want to get into the genesis of this statement, we need to go back in time, when mineral oil was the most lucrative commodity and almost every nation was running for it. Data has replaced oil to become the most valuable commodity in the 21st-century. This is evident from the fact that 5 of the most valuable companies in the world, namely, Amazon, Google, Apple, Microsoft, and Facebook belong to the data sector.

When we observe the two commodities closely, we understand that data and oil are very similar. As crude oil found in the world is unusable in its raw form and needs to be refined and filtered using different processes to produce Petroleum, Diesel, Kerosene, gasoline and the like, similarly, raw information also needs to be processed and analyzed for converting it into different kinds of usable data namely, health information, geolocation information, financial information, browsing information, professional and employment-related information and the like.

Data can be broadly classified into public data and personal data. Public data is that which is accessible to the public at large, such as, Court records, birth records, death records, basic company details. On the other hand, private data is personal to an individual/ organization and cannot freely be disseminated by anybody without the prior permission of the subject. It includes financial details, family details, browsing details, preferences, psychological characteristics, locations and travel history, behavior, abilities, photographs, aptitudes, and the like. It could also be a combination of these features or even inferences drawn from the refined data.

At the moment, India does not have a specific legislation enacted primarily for data protection. India’s regulatory mechanism for data protection and privacy is the Information Technology Act, 2000 (“the IT Act”) and its corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“the IT Rules”).

In addition to this, personal data is also protected under Article 21 of the Indian Constitution which guarantees to every citizen, the Right to Privacy as a fundamental right¹ . The Supreme Court has held in a number of cases that information about a person and the right to access that information by that person is also covered within the ambit of right to privacy.

Relevant Sections of the IT Act

• Section 43A of the IT Act creates a liability on a body corporate (including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities) which possesses, deals or handles any sensitive personal data or information in a computer resource that it owns, controls or operates to pay damages by way of compensation, to the person affected if there is any wrongful loss or wrongful gain to any person caused because of the negligence in implementing and maintaining reasonable security practices and procedures to protect the information of the person affected.²

• Section 72 A of the IT Act mentions that any person (including an intermediary) who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent of causing or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.³

• IT Rules grant the right to individuals with regards to their sensitive personal information and make it mandatory for any corporate body to publish an online privacy policy. It also provides individuals with the right to access and correct their information and makes it mandatory for a corporate body to obtain consent before disclosing sensitive personal information except in the case of law enforcement, which provides individuals the ability to withdraw consent.

Limitations of the present provisions

• The IT Act was not enacted with the primary intent of providing data protection

• The scope and applicability of the provisions of the IT Act on Data Protection is very narrow

• Provisions of the IT Act fail to specify any specific governmental agency which would govern data protection in India

• The IT Act does not lay out any penalties for data breach except Section 72 A

• The IT Rules apply only to a limited scope of sensitive personal data ⁴

• The IT Rules are applicable only to electronically generated and transmitted information

• The IT Rules do not apply to the government/ state and are only applicable to body corporates when a contractual agreement is not already in place, meaning thereby it can be easily bypassed by entering into a contract.

Therefore, a committee under the leadership of Retd. Justice B N Srikrishna was then constituted to propose a draft statute on data protection. The Government of India has issued the Personal Data Protection Bill 2019 (“the Bill”) based on the recommendations of the committee. This Bill, if successfully passed by both the houses, will be India’s first legislation on the protection of personal data.

In this article, we have discussed three types of personal information and have analyzed the provisions under various legislations that protect them at the moment including the changes that the Bill would bring in.

Health Data: Health data comprises of a variety of information such as a patient’s age, contact information, pathological reports, digital health records, medical history. It has immense value in the healthcare and pharmaceutical sector.

Many of us, use fitness apps/ gadgets like Fibits and the like. Some of us may have searched health information online, or signed up for a free diagnostic check-up or may have claimed health insurance. Each time when we do any of these, we share our sensitive data related to our health with various entities. The IT Rules only protect a limited set of information like physical, physiological and mental health conditions; sexual orientation; medical records, and history, and hence a major part of health data is left uncovered. The compliances under the IT Rules are also limited to obtaining consent before the collection or transfer of private data or publishing a privacy policy.

As the provisions are largely scattered, there are multiple gaps in the existing legal framework. Also, their applicability is restricted to electronically generated and transmitted personal sensitive information. Furthermore, some of the provisions can even be overridden by a contract. Organizations that store or process health data are not under an obligation to inform their users of any data breach, and as a result of this individuals are not even aware in case, their health records have been compromised or used further without their consent. The Bill proposes to cure this lacuna by making a data breach notification mandatory. Further, any data breach then would be punishable with a fine and could also attract an imprisonment of up to five years.

DISHA: Additionally, the Indian Government is planning to implement the Digital Information Security in Healthcare Act ('DISHA') which would be India’s first Health Data specific legislation. It has threefold objectives:

• set up a central-level and a state-level digital health authority

• enforce privacy and security measures for digital health data

• regulate the storage and exchange of electronic health data.

Highlights of DISHA: It proposes to:

• cover all kinds of clinical establishments including diagnostic centers and even individual clinics;

• create a National Electronic Health Authority 'NeHA' at the central level and State Electronic Health Authority ('SeHA’) at the State level. These two will ensure that the compliances as per DISHA are complied with at all levels;

• establish adjudicating authorities at central and state, to investigate complaints regarding the data breach;

• clarify that the actual digital health data will be owned by the individual at all times;

• specify the purposes for which digital health data can be collected, stored, transmitted, or used by a person or entity; and

prescribe stricter privacy and confidentiality rules and the owner of the data must be informed of any breach of the privacy or confidentiality of their digital health data immediately.

Geo-Location Information: Location Information is not covered under the definition of sensitive personal data defined under the IT Rules; hence, any corporate body can disseminate such information to other parties without attracting any liability under the IT Act or IT Rules.

Multiple apps such as like Facebook, Google, Life360 - Family Locator, mSpy, FamiSafe, Spyzie, track our locations on the go. In the absence of any specific provision preventing the dissemination of location information, these apps can easily trade our location information with third parties.

To overcome this, the Bill has proposed a wider definition of personal data that will cover Geo-location information. The Bill has also proposed increased applicability of inclusion of processing of personal data by state/government, companies incorporated in India, and also foreign companies dealing with personal data of individuals in India.

Right to be Forgotten: The Right to be Forgotten is a Right of an individual to have his /her private information removed from public domains like Internet search engines. This concept is only practiced in the European Union and Argentina presently. It is to prevent individuals from getting perpetually stigmatized as a consequence of a specific action performed in the past which is no more relevant in the present.

This principle originated in 2014 when a Spanish national Mario Costeja González sued Google in the European Court of Justice (ECJ). Mario wanted a 1998 newspaper article “which stated something negative about him” removed from the search engine, he requested Google to remove it as it was no more relevant.When Google denied his request, he approached ECJ. The ECJ ruled in his favor and asked Google to delete “inadequate, irrelevant or no longer relevant" newspaper articles from its search results.

The Right to be Forgotten is enshrined under Article 17 and Recitals 65 and 66 of the General Data Protection Rules (“GDPR”). It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”.

As per GDPR, an individual has the right to have his/ her Personal Data erased only under these specific circumstances:

• The personal data is no longer necessary for an organization originally collected or processed.

• The organization has relied on the individual’s consent as the legal justification for processing the data and that individual has withdrawn his/her consent.

• The organization has relied on legitimate interests as its justification for processing an individual’s data but the individual has now objected to the processing, and hence there exists no overriding legitimate interest for the organization to continue with the processing.

• The organization is processing personal data for direct marketing purposes and the individual has objected to it.

• The organization processed an individual’s personal data unlawfully.

• The organization must erase personal data to comply with a legal ruling or obligation.

• The organization has processed a child’s personal data to offer its information society services. ⁵

However, the right to be forgotten can be eclipsed by an organization’s right to process someone’s data in certain exceptional cases, for instance, when the data is used to exercise the right of freedom of expression and information or to comply with a legal ruling or obligation or is necessary for public health purposes and serves in the public interest.

Position in India: There is no right to be forgotten in under the Indian laws at the moment. However, the Hon’ble Supreme Court in the Puttaswamy case (supra) held the right to be forgotten falls within the ambit of with the right to privacy and is an integral part of Article 21 of the Constitution.

The Bill proposes the legislative inclusion of the right to be forgotten. Individuals would then be able to limit, delete, delink, or correct any information about him which is misleading, embarrassing, and irrelevant.

The Bill states that a data subject has a right to prevent the data fiduciary from using such data or information if data disclosure is no longer necessary, the consent to use data has been withdrawn or if data is being used contrary to the provisions of the law.

¹Justice K.S Puttaswami & another Vs. Union of India Writ Petition (CIVIL) NO 494 OF 2012

²Section 43A in The Information Technology Act, 2000

³Section 72A in The Information Technology Act, 2000

⁴Sensitive personal data or information of a person means such personal information which consists of information relating to;— (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details ; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise

⁵https://gdpr.eu/right-to-be-forgotten/