A Comparative Analysis Of Data Protection Laws In India And International Countries
This Blog is written by Lisa Coutinho from SVKM’s Pravin Gandhi College of Law, Mumbai. Edited by Uroosa Naireen.
The 21st century is regarded as the information age or the internet age. With the advancement in technology and the internet, data is made easily accessible. Some of the largest countries in the world are data-driven. For example, Ola and Uber are the largest mobility platforms, but own no vehicles; Alibaba is one of the largest retailers having no inventory; Facebook is the largest social media platform, but creates no content. With a humongous amount of information being solicited and disseminated online, a myriad of privacy and data protection concerns have arisen. In 2018, the Department of Justice (DOJ) charged two Chinese hackers with stealing information from 45 tech companies and governmental agencies, including NASA, IBM, and others. Recently, the US Federal Bureau of Investigation and Cybersecurity also accused the Chinese hackers of trying to steal the coronavirus vaccine research. Similarly, many other data breaches have occurred in the past. If such high-profile data of government agencies is not safe, then whose is?
Data Protection refers to the means, process or practice of safeguarding the private/personal information/data of individuals during the process of its collection, storage, and dissemination, and to ensure that they themselves are in control of their information. It is the set of privacy laws that aim to ensure minimum intrusion into one’s private life. The term “data protection” was coined in Europe to describe privacy-protective legislation; the United States, however, refers to it as data privacy. Article 12 of the Universal Declaration of Human Rights (UDHR) protects individuals from any arbitrary interference with their private life, home, and family, and from any attack on their honor and reputation. Thus, every individual is fundamentally entitled to data and privacy protection as it is their human right.
DATA PROTECTION UNDER THE INDIAN LEGAL FRAMEWORK
Even though the right to privacy is not explicitly or patently granted by the Indian Constitution, the Indian judiciary, through many precedent cases, has recognized this right under the fundamental rights enshrined under Article 21 of the Constitution of India. Realizing the paramount importance of the Right to Privacy, the Supreme Court, through several cases, including Kharak Singh v. State of U. P. AIR 1963 SC 1295; Govind v. State of M.P. AIR 1975 SC 1375; People’s Union of Civil Liberties (PUCL) v. Union of India AIR 1997 SC 568, has declared that the Right to Privacy is an intrinsic, sacred, fundamental and integral component of the Right to Life and Personal Liberty, and a part of the fundamental right enshrined under Part III of the Constitution. Reiterating this decision, the Supreme Court in the landmark Justice K. S. Puttaswamy v. Union of India, 10 S.C.C. 1 judgment also emphasized the necessity of giving statutory recognition to data protection.
India does not have any specific legislation dealing with data protection. However, it has adopted various international conventions and declarations like the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which recognize the right to privacy. In India, data protection is achieved by provisions maintained under other existing legislations.
The Information Technology Act, 2000 is a single piece of legislation that was brought into existence to provide a legal framework for regulating the entire electronic system including e-commerce, emails, electronic transactions, electronic data, and electronic documents. It contains provisions for the prevention of cyber-crimes and unauthorized use or misuse of computers, computer systems, and electronic data, by imposing heavy penalties and criminal liability against the offender. Some main provisions dealing with data protection are as follows:
Section 43 provides for penalty and compensation for accessing, downloading, extracting or making copies, disrupting, deleting, destroying, stealing, altering, or causing damage to computer or computer systems, without the prior consent of the individual.
Section 43A provides for compensation for failure or negligence in adopting reasonable security practices and procedures while handling sensitive personal data.
Section 65 provides punishment for tampering with electronic documents.
Section 72 provides penalty for breach of confidentiality and privacy and Section 72A imposes punishment on persons and intermediaries for disclosing unwarranted information by virtue of a lawful agreement.
Thus, the IT Act, 2000 imposes a certain kind of liability and obligation on every person dealing with personal data, to handle such information by adopting reasonable security practices and with care.
Today, 20 years after passing the act, the virtual ecosystem has grown to such an extent that it is involved in every aspect of our lives. However, this act failed to address all the issues. In the year 2008, an amendment was brought to the existing IT Act, 2000. The major highlight was that according to Section 79 the intermediaries would not be held liable for the content or data made available by the third party. However, this protection is not absolute.
In 2011, the Ministry of Communications and Technology notified a set of rules known as the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, whereby it set out rules and procedures to be followed by corporate bodies to ensure reasonable security practices and procedures while handling sensitive information.
According to Section 2(o) of the Copyright Act, computer databases and computer programs are protected under the term “literary works”. Apart from the landmark Puttaswamy judgment, this was also upheld in the case of Burlington Home Shopping Pvt. Ltd. v. Rajnish Chibber & Anr. 1995 PTC (15) 278. Also, Section 63B of the Act provides for punishment to persons who knowingly use the infringing copy of the computer program.
The IPC, being a very old statute, does not expressly address data protection breaches. However, the liability for data breaches is gathered from related crimes like theft. For example, Section 403 imposes criminal punishment for dishonest misrepresentation of property, including ‘data’ within the ambit of the word ‘property’.
Following the K. S. Puttaswamy v. Union of India judgment, a committee of experts chaired by Justice B.N. Srikrishna was set up, which submitted a report and a draft Personal Data Protection Bill, 2018 after examining the issues related to data protection in India. After making necessary changes, the Personal Data Protection Bill, 2019 was introduced in the Parliament in 2019. The Bill seeks to create a framework to regulate the processing, collection and storage of personal data by protecting the privacy of the individuals. However, the bill has been criticized on the grounds that it fails to provide a clear and detailed roadmap for governance.
It is pertinent to note that despite the existence of the above provisions, India does not have any comprehensive legislation in place. To address the trending issue of privacy and data protection, a comprehensive and separate regulatory framework is needed to monitor every aspect of that area, fill in the lacunas in law and bring in more clarity on the subject.
DATA PROTECTION UNDER FOREIGN LAW
In 2017-18, a 10% increase was seen in the number of countries that enacted data privacy laws covering the public and private sectors and meeting the standards of international agreements. Many countries have also replaced their existing laws. There has been an awakening among countries worldwide, whereby they have started moving towards stronger and globally pervasive laws relating to the trending issue of data privacy.
The European Union, which is a union of 27 countries, recognizes the Right to Privacy as a fundamental right. Article 8 of the Charter of Fundamental Rights of the European Union specifically provides for the protection of personal data. The introduction of the General Data Protection Regulation (GDPR) in May 2018 is a notable change and represents a positive framework in the data protection regimes. It adopts a rights-based approach while dealing with the free movement of personal data within the Union. The Regulation is a comprehensive piece of legislation that seeks to strengthen and protect the privacy rights of the individuals in the member countries. The Regulation is very strict and imposes heavy fines, which pushes the affected countries to prioritize compliance with its terms. The Data Protection Law Enforcement Directive 2018 is an EU legislation, parallel to the GDPR, which deals with the regulation and processing of personal data used by law enforcement authorities. It controls data that falls outside the ambit of the GDPR. Countries like Brazil, Japan, UK, South Korea, Thailand, and many more have incorporated Data Privacy laws similar to the GDPR. This highlights the success of the regulation.
The UK has a dedicated Data Protection Act in place. To implement the GDPR, the UK government enacted the Data Protection Act, 2018 which regulates and controls how private information should be used by business and governmental organizations. It puts a restriction on the collection of data and provides that data should be collected only for lawful purposes. The Act lays down ‘data protection principles’ which must be followed.
The United States of America
The US courts in Olmstead v. United States, 277 U.S. 438 (1928) held that the right to privacy is the right to be left alone. In the case, Justice Louis D. Brandeis stated that this was the most comprehensive of rights granted by the makers of the US Constitution. However, similar to India, the US too does not have a single principal legislation dealing with data protection. The data is categorized into various groups based on their importance and utility, and each group has been conferred with different degrees of protection. Several federal and state laws regulate consumer privacy and data protection on a sectoral basis. Some of these include the Gramm-Leach-Bliley Act for the protection of personal data and Non-public Personal Information (NPI) in the banking and finance sector; the Health Insurance Portability and Accountability Act (HIPAA), which governs the data in the health insurance sector; the Children’s Online Privacy Protection Act (COPPA), which protects the privacy of children below 13 years of age and regulates the collection of their personal data; and the Driver’s Privacy Protection Act (DPPA), which protects the individual’s motor vehicle records. Similarly, there are hundreds of other legislations in the US governing the data of each sector. In the year 1974, the US Privacy Act was passed to safeguard the privacy rights of the individual by creating ethical, justifiable, and reasonable standards with regard to data held by the government agencies.
On comparing India with the other developed countries like the UK, the US, and the EU countries, we find that all the developed countries have adopted their personalized strategies for addressing their data privacy issues. Each country has endorsed a separate approach to enact the data protection laws, after considering the utility value in their country. The US has adopted a sectoral approach to make data protection more efficient by regulating the flow on a sector-to-sector basis. However, this patchwork system of legislations may sometimes overlap or contradict one another.
When we analyze the Data Protection laws in India and the EU countries, we find a couple of loopholes. The very obvious difference is the absence of a dedicated and comprehensive data protection legislation in India. Even though India does have provisions under the different acts, they lack efficiency and effectiveness due to the absence of a dedicated and detailed framework to address the issue. As data breach issues have been increasing day by day, the need for dedicated legislation also increases. Moreover, the terms and provisions are very ambiguous. For example, there is no clear demarcation between ‘personal’ and ‘sensitive’ information. Also, the term ‘data’ under the IT Act, 2000 is only restricted to computer-based data. In 2015, in the case of Shreya Singhal v. Union of India AIR 2015 SC 1523, Section 66A of the IT Act was struck down on the grounds that it was vague.
Another issue with the Indian laws is the inadequacy and insufficiency of penalties. The penalties are mostly monetary in nature, which fails to have a deterrent effect. However, when we look at the EU’s GDPR, despite a few loopholes, it is effective as it is concise, and directly addresses the issue at hand. The high fines and stringent punishments act as a deterrent to future offenses.
Data breach and privacy concerns have been constantly on the rise. This calls for the enactment of comprehensive laws regarding the same. After analyzing the laws of India with a few developing countries, we have found out that those countries have comprehensive data protection legislation in place. However, India severely lags behind in this area, which hampers its position in the international commercial regime. The Indian laws are inadequate and insufficient in dealing with the plethora of threats associated with personal data, which is a matter of great concern. A nationwide holistic and dedicated legislation is the ‘need of the hour’. Major inspiration can be drawn from the GDPR, which provides to-the-point and detailed regulations regarding data protection. Stringent penalties should be imposed to provide a better deterrent.
The Verge, <https://www.theverge.com/2018/12/20/18150275/chinese-hackers-stealing-data-nasa-ibm-charged> accessed 15 July 2020.
Live Mint, <https://www.livemint.com/news/world/us-says-chinese-hackers-trying-to-steal-covid-19-vaccine-work-data-reports-11589252247220.html> accessed 15 July 2020.
White Paper, <https://www.welivesecurity.com/wp-content/uploads/2018/01/US-data-privacy-legislation-white-paper.pdf> accessed 15 July 2020.
Right to Privacy and Social Media, <http://rsrr.in/2018/10/27/right-to-privacy-and-social-media/> accessed 26 June 2020.