In today’s digital age, a primary point of concern for the individuals is breach of their privacy. Historically, companies have flouted rules and continually breach the privacy of the people. India currently lacks any comprehensive data protection regime which can protect people against such gross violations of their privacy in this digital age.
As of now, India’s data protection regime is primarily governed by the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011. However, these laws miserably fail to protect the interest of the individuals in today’s time. Thus, there is an important need for a comprehensive data protection regime and the Draft Data Protection law seems to a step in the right direction.
The current hallmark of data protection regulation in the world is the European Union’s General Data Protection Regulation (EU GDPR)1 which came into effect on May 25, 2018. Some of the salient rights provided are as follows:
- The right to have personal data minimized.
- The right to have knowledge as to where the data is being stored.
- The right to have access to the data, to correct it.
- The right to be forgotten wherein the data subject has the right to ask the company to delete their personal data permanently.
The “Personal Data Protection Bill, 2018” is on lines with the EU GDPR regulation and enshrines the above mentioned articles. Such rights have far reaching consequences. Though, they cause certain problems for the law enforcement agencies, the benefits far outweigh the cons. The Bill, when implemented, will require the enterprises to revisit their policies regarding data protection and processing, and require them to revisit their IT design and infrastructure to comply with the requirements of the Bill, which may lead to significant costs of doing business in India.
1 The General Data Protection Regulation (EU) 2016/679 («GDPR») is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international businesses by unifying the regulation with the EU.