Data protection (2)

Globally, the history of data protection goes back 30 years, to when the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” was signed by the Council of Europe in Strasbourg, France, and the European Union thus formulated a statutory way to tackle the growing concern over the protection of sensitive and personal data. Member countries formulated laws; one example of such a law is the Data Protection Act of the United Kingdom.

It would not be wrong to say that the idea of a specific law to protect data percolated into India a little later than in the West, but the very essence of such a law was embedded in the Constitution of India.

What are data protection laws? Data protection laws aim to strike a balance between the amount of information a person or an entity shares and the amount of information that the depositories of information may use for their business. Depositories may include banks or any multinational company or educational institution. These laws ensure that no information about the person who shares it is used, processed or shared in an unfair and unlawful manner which may bring about loss or embarrassment to the victim and wrongful gain to the unauthorized users of such data.

Article 21 of the Constitution of India has made the ‘Right to Privacy’ a fundamental right. Thus the personal choice of whether or not to share information is above the commercial needs of any organization, whether sovereign or non-sovereign. No personal data can be accessed or shared without the consent of the entity to whom such information or data relates, except through due process of law.

However, until recently, the country had no specific data protection law, which resulted in various high-profile data theft cases.

The Information Technology Act was a big leap in the right direction. It specifically deals with matters of cyber intellect and misuse of such resources.

As per Sec. 43A, where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

The Act also provides a check on any person who might have secured any material information in pursuance of the power conferred on him under this law or any other law in force.

As per Sec. 72, for a breach of privacy or confidentiality a person may undergo imprisonment for a period of up to two years, or a fine of up to one lac, or both.

Further, Section 72A provides for punishment for disclosure of information in breach of lawful contract. The contravention may attract imprisonment of up to three years, or a fine which may be up to Rs. 5 lacs, or both.

A giant leap in the right direction happened in the year 2011 with the passing of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (2011). The Rules under the said Act set out procedures to be complied with by corporate entities that collect, process or store personal data (including sensitive personal information).

Apart from the general laws, sectoral laws also apply and restrain professionals from sharing sensitive personal data regarding the beneficiaries of their services. For instance, the professional ethics of a doctor do not allow disclosure of sensitive information about a patient, just as a lawyer is guided by professional codes. Banking laws also provide guidelines for bankers so as not to disclose personal information of their clients.