GDPR’s Rights of Data Subjects: A Comparative Study Between the Privacy Laws of India and Nepal

Harshvardhan,

Intern, South Asian Journal of International Law


Introduction


Technological progress combined with several governmental and non-governmental efforts to create a digitalised economy and society has caused extensive data pooling which has endangered the right to privacy. In recent years, both the Government, and corporate organisations have become data miners, collecting information about activities, behaviour and lifestyles of individuals and groups, for their own benefits such as for the purposes of surveillance as well as targeted advertisement and targeted business related activities.

It is strangely a conspiratorial truth of the surveillance society as to how companies and governments dip into the data streams of people’s lives in order to track what they do, what they know, where they go. These activities range from infringements, including WhatsApp sharing one’s name and phone number with Facebook so businesses can advertise their product on one’s screen. Corporate organisations have started treating data as a form of capital and this means that firms hoard, commodify and monetise as much data as they can. This tendency of treating data as an asset to be used to create capital value can be very harmful for the society as it destroys the whole concept of privacy of an individual (Sadowski, 2016).


The Ministry of Home Affairs (India) in 2018, issued an order granting authority to 10 Central Agencies to pry on individual computers and their receipts and transmissions “under power conferred on it by sub-section 1 of Section 69 of the Information Technology Act (21 of 2000), read with Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009”. It has authorised these “security and intelligence agencies” to intercept , monitor and decrypt any “information generated, transmitted, received or stored in any computer resource”. Internal security has been the main excuse of the Government and it's affiliated organisations. This may turn the country into a police state with the politicians and bureaucrats fulfilling their greed of power by exploiting common people (Satpathy, Seth, Gurumurthy, 2018).

In order to secure the privacy laws particularly related to data protection, the European Union (EU) has drafted the General Data Protection Regulation (GDPR). Even though it is a law related to data protection in the EU, it imposes obligations onto organizations anywhere in the world, so long as they target data related to the people in the European Union . The GDPR also levies harsh fines against those who violate privacy and security standards. In order to prevent the businesses and organizations from accessing the personal data of the citizens of the EU, it has created the right to data subjects from Article 12 to 23 under the GDPR. Therefore, there are eight fundamental rights including the Right to Access Personal Data, Right to Rectification, Right to Erasure, Right to Restrict Data Processing, Right to be Notified, Right to Data Portability, Right to Object and the Right to Reject Automated Individual Decision-Making.


There have been instances, when companies had to pay a huge amount because of violation of the GDPR rules. In 2019, Google had to pay a fine of €50,000,000 on account of lack of transparency on the use of the harvested data for advertisement targeting. It didn’t even provide information relating to consent policies to the users and did not give them control over how their personal data is processed. Many more companies had to pay huge amounts of fines on account of breach of personal data.


Currently, companies have been assessing the impact of the EU General Data Protection Regulations (GDPR) on their businesses. This is mainly because of the high administrative fines imposed by the EU on non- compliance with the GDPR rules and regulations. The Indian economy is based more on the service sector which primarily consists of information technology (Lakshmanan, 2019). This sector is more data oriented and thus, it is highly exposed to the EU's radar. The information technology (IT) industry is a significant contributor to the Gross Domestic Product (GDP) of the country and India must do all it can to protect and promote business in this sector. It also has to adhere to the changing regulatory framework globally. India will have to assess its preparedness and make convincing changes to retain the status of a dependable processing destination. Therefore, India as well as Nepal needs to strike a balanced approach towards the privacy rights of the citizens and the data needs of the company.


Right to Privacy in India: A Recent Development


The right to privacy in India has developed through a series of judicial decisions. Over the years, inconsistency from two early judgements created a divergence of opinion on whether the right to privacy was a fundamental right or not. But this was settled by the Supreme Court of India in the case of Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1. The Hon’ble Supreme court has declared the right to privacy as a fundamental right protected under Part III of the Constitution of India. While pronouncing this judgement, the Supreme Court of India asked the Central Government to set robust data protection rules to ensure that no individual's right to privacy is infringed. Therefore, in adherence to the order, the Government of India appointed a Committee of Experts on a Data Protection Framework for India, or Data Protection Committee (DPC), under the Chairmanship of Justice B.N. Srikrishna, to study issues related to data protection in India (Srikrishna, 2018). Although the committee submitted its report and proposed a comprehensive law on data protection, it failed to weigh the economic costs and benefits of implementing a GDPR-modelled law in India. However, keeping all the suggestions and views in mind, the Government of India proposed the Personal Data Protection Bill (hereinafter referred to as the Bill). This Bill incorporates many elements of the EU’s GDPR. These include requirements for notice and prior consent for the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected. In addition, it includes data localization requirements and the appointment of data protection officers within firms. If enacted, the Bill will provide a comprehensive, cross-sectoral privacy and data protection framework for India.


The bill has been largely modelled after the GDPR and several similarities can be found including the following:





However, the provisions of the Bill differ from the GDPR in some respects including the provision of criminal penalties for harms arising from the violation of the bill, and the proposal to treat the relationship between a data processor and its consumer as a “fiduciary” relationship. Even though these provisions would increase data protection obligations significantly, the Bill would enforce economy wide changes to the data collection and management practices of Indian businesses. Clause 1(3) of the Bill states that it will apply to foreign business providers if they process data in connection to any business in India, have any “systematic activity of offering goods and services to Indian data principals,” or if the processing requires the profiling of data principals within the territory of India (Burman, 2019).


The EU had a pre existing privacy framework (the 1995 Data Protection Directive) and therefore, had the experience on the economic changes it could make to the region (European Parliament, 1995). On the other hand, India never had a data protection law and is unaware of the economic consequences of the same. Furthermore, a systematic economic analysis of the proposed bill has not been conducted yet to provide an accurate analysis of its overall impact within India (Parsheera, 2018). Emerging economies like India that are considering such proposals need to carefully evaluate all the aspects of implementing a privacy law on the economy, specifically the information technology industry.

The GDPR has provided the right to protection of personal data for a while. India still does not have a cross-sectoral law on data protection. The Information Technology Act, 2000 primarily deals with issues such as cybercrimes and the liability of internet intermediaries, such as social media platforms, though it does possess some requirements regarding the protection of personal data. Section 43A of the Information Technology Act provides for compensation for damages caused by failure to maintain reasonable security practices to protect sensitive personal data. While declaring the right to privacy a fundamental right, the Supreme Court of India observed that informational privacy to be a subset of right to privacy, and noted that privacy includes the right to protect individual identity. This essentially meant that the country needs an effective legal framework for the protection of privacy of an individual and India needs a more comprehensive approach to international privacy.


Right to Privacy in Nepal


Article 28 of the Constitution of Nepal has declared the right to privacy and protection of information as a fundamental right. Although privacy was protected in some way under the Criminal Code, the Individual Privacy Act 2018 (Privacy Act) was introduced with the purpose of giving effect to the Constitutional right. Section 12 of the Privacy Act regulates unauthorized and haphazard data collection. It is mandatory to take consent before the collection of private information and the data can only be used for the purpose for which consent was taken.


The Privacy Act does not allow the storage, collection, preservation, analysis, procession or publication of data without the approval of an authorised person. However, the information can be used for research purposes with the permission of the related person. Moreover, all the aspects related to data collection including the nature and purpose of data collected, the method of information collected, the subject matter of the information needs to be disclosed to the concerned person beforehand. The Privacy Act has also restricted the government and public entities from handing over personal data to anyone without the consent of the concerned person. Therefore, the public entities are responsible to protect and preserve the data they control. Violation of the Privacy Act is treated as a criminal offence for which criminal proceedings can be initiated, either as a private criminal case or a state party criminal case.


The Criminal Code in Nepal also deals with the laws relating to violation of privacy. The provision of the Criminal Code has criminalised certain conduct such as the unauthorised tapping of voice conversations, breaches of confidentiality, taking and editing photos of a person without consent, breaches of private information in electronic media, unauthorised searches of body or belongings of a person, and trespassing (One Trust Data Guidance, 2019). But, there has been an overlap of the Privacy Act and Criminal Code in Nepal. The Criminal Code states that there should be specific punishment for each offence, whereas the Privacy Act states that violations in general will result in punishment of up to NPR 30,000. Secondly, the Criminal Code states that all offences provisioned therein are to be filed as private party cases, whereas the Privacy Act states that offences such as a body search without a warrant, and taking a photograph without consent, are to be prosecuted by the State. These issues will create ambiguities in filing of cases and in seeking specific remedies for violations under the Privacy Act.

There are certain important aspects related to data protection and privacy which the Privacy Act has failed to address. There is no scope for wider interpretation of ‘personal data’ and it only incorporates specific forms of data. For example, while an email address is considered to be personal data, the internet protocol (IP) address or website is not considered to be personal information if ‘personal data’ is interpreted in a strict sense. Moreover, the Privacy Act lacks to define some important concepts of data protection such as ‘controller’ and ‘processor’. This adds difficulty when judges interpret these terms in their own manner. This will also lead to difficulty in data management and related liabilities for breaches in practice. The government of Nepal needs to clarify and remove these ambiguities in the Privacy Act. This will help the country to make way for better implementation of privacy and data protection for individuals in Nepal.


Both India and Nepal can deal with their loopholes by taking a few steps. Indian Privacy Bill has largely been drafted on the GDPR pattern. However, due to the changed business and economic environment in the EU and India, India needs to assess its economic impact and should also discuss with the industries or government organisations using or collecting individual data. On the other hand, Nepalese Privacy law can significantly be improved if it removes it’s overlapping provisions and remodel its Privacy law on the GDPR pattern.


Comparison between Nepalese and Indian Privacy Act


The sole intention of the Indian Privacy Bill and the Nepalese Privacy law is to protect personal information of an individual. The GDPR defines personal data as information relating to an identified and identifiable individual. The GDPR lists categories of data to help identify the individual, such as name, identification number, location data, online profile and other unique aspects such as the mental, physical, physiological, genetic, mental, economic, cultural or social identity of the natural person. However, the definition of “personal information” in Nepal is relatively restrictive compared to the approach of GDPR as it specifies certain types of personal information without room for wider interpretation. But, since the PDP Bill of India has largely been modelled after the GDPR, it gives a much wider scope of interpretation and will include the changing dimensions of personal information with time.


There are certain ambiguities in the Privacy laws of Nepal in relation to the overlapping of offences and punishments for it in the Privacy Act and the Criminal Code Provisions. Moreover, there is one fundamental difference between the Indian and Nepalese Privacy laws. India recognised the right to privacy as a fundamental right in 2017 and does not have a codified law for the protection of privacy and data of an individual uptill now. The PDP Bill has been largely modelled after the GDPR and its implication on individual privacy and economy of the country is unknown. On the other hand, Nepal already has a codified law for data protection but it lacks to cover significant terms and dimensions of data technology in the Privacy Act.

Conclusion


The tight to data subject is a very comprehensive law for the regulation of data protection of the citizens of the EU. All the 8 fundamental rights of data subjects are sufficient to ensure that individual’s privacy and data is protected from any breach. However, it is pertinent to note that neither India nor Nepal can implement these rights without any prior introspection of the same. Nepal does not have a comprehensive data protection law and lacks very essential provisions and suffers from ambiguity. On the other hand, Indian privacy laws are still under development. Even though it can be seen as influenced by the GDPR’s right to data subjects, the circumstances from the economic point of view would be very different from the EU. Every country has their own specific design of economies and any wrong choices is likely to have a significant impact on India’s economy. A GDPR-modelled data protection law could impact certain sectors of the Indian economy and thus, a careful economic analysis of the data protection bill needs to be done before implementation.


References


Bailey, Rishab and Parsheera, Smriti. "Data Localisation in India: Questioning the Means and Ends". NIPFP Working Paper Series No. 242. [online]. 31 October 2018. [09 January 2021]. Available from: <https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf>.


Bhattarai, Dev. “Nepal’s Unending Political Instability”. The Diplomat. [online]. 26 July 2016. [06 January 2021]. <Available from: <https://thediplomat.com/2016/07/nepals-unending-political-instability/>.


Burman, Anirudh. “Will a GDPR-Style Data Protection Law Work For India?”. Carnegie India [online]. 15 May 2019. [07 January 2021]. <https://carnegieindia.org/2019/05/15/will-gdpr-style-data-protection-law-work-for-india-pub-79113>.


Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Pub. L. No. Official Journal L 281, 0031. 1995.


Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. Supreme Court Cases. Volume 10, p. 1. 2017.


Lakhmanan, Remya. "Service Sector in India: A Paradigm Shift”. Invest India. [online]. 16 May 2019. [06 January 2021]. Available from: <https://www.investindia.gov.in/team-india-blogs/service-sector-india-paradigm-shift>.


Neupane, Anjan and Karki, Saurav. "Nepal: An Introduction to the Individual Privacy Act 2018". One Trust Data Guidance. [online]. January 2019. [09 January 2021]. Available from: <https://www.dataguidance.com/opinion/nepal-introduction-individual-privacy-act-2018>.


Sadowski, Jathan. “Companies are Making Money from our Personal Data-but at what Cost?”. The Guardian. [online]. 31 August 2016. [06 January 2021]. Available from: <https://www.theguardian.com/technology/2016/aug/31/personal-data-corporate-use-google-amazon>.


Srikrishna, Justice B.N. “Report of the Committee of Experts under the Chairmanship of Justice B N Srikrishna”. Ministry of Electronics and Information Technology. [online]. 2018. [06 January 2021]. Available from: <https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf>.


Tathagata, Satpathy et al. “Are India’s laws on surveillance a threat to privacy?”. The Hindu. [online]. 28 December 2018. [06 January 2021]. Available from: <https://www.thehindu.com/opinion/op-ed/are-indias-laws-on-surveillance-a-threat-to-privacy/article25844250.ece>.


The Information Technology Act. India Code. 2000.


The Personal Data Protection Bill. Bill No. 373 of 2019: PRS. 2019.


The Privacy Act (2075). Law Commission of Nepal. 2018.


United Nations Conference on Trade and Development. National Services Policy Review: Nepal. [online]. 2011. United Nations: New York. [09 January 2021]. Available from: <https://unctad.org/system/files/official-document/ditctncd20103_en.pdf>.



Image Credit: https://kirkpatrickprice.com/video/gdpr-fundamentals-data-subject-rights/.


We are happy to announce that the South Asian Journal of International Law, an Academic venture by Internationalism, is featured in the Top 100 Legal Blogs of India list, by Feedspot.


The link has been provided below:

https://blog.feedspot.com/indian_law_blogs/





southasianjournal.org

©2020 by Internationalism™ C/O AbhiGlobal Legal Research & Media LLP.