IAS Gyan

Daily News Analysis

Right to Privacy

22nd May, 2021 GOVERNANCE

GS PAPER II: Important aspects of governance, transparency and accountability, e-governance- applications, models, successes, limitations, and potential; citizens charters, transparency & accountability and institutional and other measures.

Why in news?

  • Air India said the cyber-attack that compromised the data of millions of passengers from across the world involved personal data registered between August 26, 2011 and February 20, 2021.
  • National carrier Air India has notified its passengers of a data breach that occurred in February at the SITA passenger service system.
  • The airline said the breach involved data of 45 lakh passengers being leaked.

What is SITA and how is Air India involved?

  • SITA is a Switzerland-based technology company specialising in air transport communications and information technology.
  • SITA offers services such as passenger processing, reservation systems, etc.
  • Air India had entered into a deal with SITA in 2017 to upgrade its IT infrastructure to enable it to join Star Alliance.
  • SITA had flagged a cyber-attack it was subjected to in the last week of February and said it led to the leak of personal data of some of the airline’s passengers.

What is data privacy and data protection?

  • A right to protect one’s data on online platforms constitutes data privacy.
  • Such data may concern an individual, an enterprise or even a government. It also includes personal information provided during biometrics.
  • Data Protection refers to the set of privacy laws, policies and procedures that aim to minimise intrusion into one's privacy caused by the collection, storage and dissemination of personal data.
  • Personal data refers to information that relates to a person and can help to identify him or her, whether collected by a government or a private organization.

What are the data protection laws in India?

  • International conventions: India has ratified the following conventions, which address data privacy. Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 17 of the International Covenant on Civil and Political Rights say that no one shall be subjected to arbitrary interference with his privacy or attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference.
  • The Constitution of India does not explicitly grant the fundamental right to privacy.
  • However, in the landmark case of Justice K S Puttaswamy vs. Union of India, the constitution bench of the Supreme Court held that the Right to Privacy is a fundamental right and is an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution of India.
  • Legal framework: Presently, India does not have comprehensive and specific legislation on data protection, but certain provisions of the Information Technology (IT) Act, 2000 deal with payment of compensation (civil) and punishment (criminal) in cases of wrongful disclosure, misuse of personal data and violation of contractual terms in respect of personal data.
  • Section 43A of the Act says that an agency that possesses, deals with or handles any sensitive personal data and is negligent in maintaining reasonable security practices, resulting in wrongful loss or gain to any person, will be held liable to pay damages to the person affected.
  • Section 66C – Punishment for identity theft
  • Section 66E – Punishment for violation of privacy
  • Section 72A – Disclosure of information, knowingly and intentionally, without the consent of the person concerned is punishable with imprisonment for a term extending to three years and a fine extending to Rs 5,00,000.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

These rules deal with the protection of "sensitive personal data", which includes information relating to:

  • Passwords or Financial information such as bank account or payment instrument details
  • Physical and mental health conditions
  • Medical records, Sexual orientation and Biometric information

The Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 govern issues relating to the collection of personal data of patients, including issues of consent.

SEBI’s Data Sharing Policy aims to formalise data protection measures to prevent data from misuse.

Personal Data Protection law current status:

  • Efforts to bring in a Personal Data Protection law have been in the pipeline since 2006.
  • An Experts Committee under the chairmanship of Justice N. Srikrishna was constituted by the Ministry of Electronics & Information Technology (MeitY) to put together a draft data protection law for India.

Some important provisions of the draft Personal Data Protection bill are:

  • It defines “personal information” and “sensitive personal data” and explains the role of a “Data Controller.”
  • It has recognized the right to privacy as a fundamental right and protection of personal data as an essential facet of informational privacy.

The bill intends to:

  • Protect individual autonomy in relation to their personal data
  • Specify where flow and usage of personal data is appropriate
  • Specify rights of individuals towards their data
  • Create a framework for processing of personal data
  • Lay out norms for cross-border transfer of personal data
  • Ensure accountability of entities processing personal data
  • Provide remedies for unauthorized processing of data and procedure for grievance redressal.
  • Establish a Data Protection Authority for overseeing processing activities.
  • The draft bill kept non-personal data out of its purview; MeitY has set up another committee, headed by Kris Gopalakrishnan, to provide a governance framework to regulate non-personal data.
  • Non-personal data is usually held by large commercial entities such as cab aggregators and e-commerce companies, and includes anonymised datasets provided to government bodies by large internet companies to assist in policymaking.

Laws that allow the Government to interfere with personal data:

  • Section 69 of the Information Technology (Amendment) Act 2008 provides that when the Government is satisfied that it is necessary in the interest of:
      • Sovereignty or integrity of India
      • Defence and security of India
      • Friendly relations with foreign States
      • Public order or for preventing incitement of any cognizable offence
    the Government can, by order, direct any government agency to intercept, monitor or decrypt any personal information generated, transmitted, received or stored in any computer resource.
  • The Information Technology (Procedures and Safeguards for Blocking for Access of Information) Rules, 2009 allow the government to block access to various websites.

How do the foreign data protection laws regulate data privacy?

  • European Union (EU): The right to privacy, the consent of the individual and the right to have one's data rectified form the basis of the Article 8 fundamental rights of the European Union. The EU’s General Data Protection Regulation 2018 is applicable to all 28 of the European Union members and places the liability for a data breach on the data controller.
  • Japan: The Act on the Protection of Personal Information (APPI) makes the consent of the data subject the essence of the legislation, and consent is mandatory when transmitting data to a third party.
  • Australia and Canada: In Australia, the Privacy Act, 1988, and in Canada, the Personal Information Protection and Electronic Documents Act, 2000 and the Privacy Act, 1985 guarantee data privacy.

Conclusion:

  • With India moving towards digitization, a robust and efficient data protection law is required to enhance individual rights by providing full control over their personal data, while ensuring a high level of data protection.

https://indianexpress.com/article/explained/air-india-sita-data-breach-explained-7325501/

https://indianexpress.com/article/india/what-is-india-data-privacy-laws-4811291/