Right to Privacy: The Fundamental Right
However, surprisingly WhatsApp operates within the existing legal framework of India’s privacy legislation, therefore, jeopardizing and compromising the privacy of Indians leaving them with little to no respite from data privacy violations. Recently, India marginally moved closer to realizing the Right to Privacy guaranteed under Article 21 of the Constitution with the enactment of the Personal Data Protection Bill, 2019.
Unfortunately, several nuances, procedural and administrative details have not been adequately clarified under the Bill. Therefore, the Bill lacks tooth and nail to fight against rising data breaches and cyber attacks in an increasingly digitized commercial environment amidst the pandemic.
Moreover, the Information Technology Act 2000/2008, suffers from grave shortcomings on the data privacy front. For instance, the IT Act provides for data collection and usage standards but overlooks establishing a framework for data storage techniques, user consent, and data processing standards. In an effort to surmount the shortcomings, the IT Act was amended to include Section 43-A and Section 72-A, which give a right to compensation for improper disclosure of personal information.
Subsequently, additional rules issued by the Information Technology Rules, 2011 impose additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which bear some similarities with the GDPR and the Data Protection Directive, which recognize the right to privacy. However, expectations from the Bill and its Data Protection Authority to be at the standard of G.D.P.R. without any experience is a tall ask.
This lack of a robust data protection regime and regulatory inexperience provides a conducive environment for heightened data breaches and privacy violations. Although the PDP Bill urges the adoption of ‘privacy by design to maintain transparency and accountability regarding its general practices on the processing of personal data, implementing appropriate security safeguards, and implementing procedures and mechanisms to address the grievance of data principals.
Thus, the mere existence of the PDP Bill and Right of Privacy as a Fundamental Right without implementation of an appropriate mechanism and framework has invariably led to a dead letter regime.
Therefore, the light of the mass digitization of businesses followed by an increased dependence on the internet for business and leisure on account of the pandemic necessitates the need to plug the gaps and provide the country with a robust data protection law.