What is Data Security?

Data security means the arrangement of protection laws, strategies, and methods that expect to limit interruption into one's privacy brought about by the assortment, and storage of individual information by and large alludes to the data or information which identifies with an individual who can be distinguished from that data or information whether gathered by any administration or any private association or an office.

The Personal Data Protection Bill 2019:

The Personal Data Protection Bill 2019 (“Bill”) has been introduced by Lok Sabha on December 2019.

The Bill provides and promotes ideas of assent, reason impediment, storage constraint, and information minimization. It also sets down commitments on organizations gathering individual (information trustee) information which is needed for a particular reason and with the express assent of the person. It enumerates rights to the person to obtain individual information, rectify incorrect information, delete information, update the information, port the information to different guardians, and the option to confine or forestall the exposure of individual information.

The Bill requires the production of an autonomous Controller Data Protection Authority, which will manage appraisals and reviews and definition making. Each organization shall have a Data Protection Officer (DPO) who can contact the DPA for examining and/or complaint redressal.

Punishments for contradicting certain arrangements of the demonstration is punishable with a fine of Rs. 15 Crore or 4% of the yearly turnover of the fiduciary, whichever is higher, and the inability to lead an information review is punishable with a fine of Rs. 5 Crore or 2% of the yearly turnover of the guardian, whichever is higher.

The Information and Technology Act, 2000:

The (Indian) Information Technology Act, 2000 (“Act”) arrangements with the issues identifying with an installment of remuneration (Civil) and discipline (Criminal) if there should arise an occurrence of unjust exposure and abuse of individual information and infringement of authoritative terms in regard of individual information.

Under section 43A of the (Indian) Information Act, 2000, a body corporate who is having, managing, or dealing with any delicate individual information or data, and is careless in executing and keeping up sensible security works on bringing about unfair misfortune or unjust addition to any individual, shall be held obligated to pay damages to the individual so affected.

Recent actions Taken by Ministry of Electronics and Information Technology (“MEITY”):

On September 2, 2020, on account of emerging threats, the MEITY and the Government of India, invoking its power under 69A of the Information Technology Act read with Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009, imposed a ban on 118 mobile applications. The ban was said to have been imposed as the applications raised serious threats and concerns due to collection and sharing of personal data and information of the users. The MEITY had gotten numerous objections from different sources including a few reports about abuse of some versatile applications accessible on Android and iOS stages for taking and clandestinely sending clients' information in an unapproved way to workers who have areas outside India. Thus, this attempt to ban the applications was exercised in the interest of sovereignty and integrity of India, defence of India and to maintain the security of the State. This move by MEITY was to protect the interests of crores of Indian web clients, and several users across the nation. Resultantly, the gathering of the information by the banned applications, its mining and profiling by components were antagonistic to public safety and protection of India, which at last encroaches upon the power and respectability of India, and involved exceptionally profound and prompt concern that required crisis measures.

In the recent case of Balu Gopalakrishnan v. State of Kerala, the Kerala High Court gave a break request guiding the execution of defending measures to ensure the secrecy of information gathered on patients or people diagnosed of Coronavirus. A bunch of five petitions were documented according to an agreement entered into by the Public authority of Kerala with Sprinklr Inc., an USA based programming organization, for making an online information stage for information examination of clinical/wellbeing information corresponding to Coronavirus. The petitions asserted that the agreement did not have any defence against the unapproved abuse of wellbeing information gathered by Sprinklr, for the benefit of the Province of Kerala. The Court focused on the earnestness under the current conditions to secure the classification of individual information to stay away from an "information plague." Considering such conditions, the Court guided the State to anonymise all the individual information hitherto gathered regarding Coronavirus prior to moving it to Sprinklr, or any outsider specialist organization. Further, it directed that any future assortment of information should be founded on standards of educated assent where each individual shall be educated about the registration of such information by outsiders. The Court additionally denied Sprinklr from submitting any demonstration in breach of privacy of the information and coordinated Sprinklr to endow all the remaining Coronavirus related information back to the State Government.

WhatsApp’s new Privacy Policy: 

In December 2020, WhatsApp announced that they will share users’ data with their parent company Facebook and with its other entities like Instagram, as part of their new privacy policy. However, this announcement was criticised by the users, because if implemented, it would attract various privacy issues. In lieu of the criticism received, they further updated their policy and mentioned that no one can peruse your messages or hear your calls with your companions, family, and associates on the application. WhatsApp has no real way to consider this, as these are generally start to finish encoded discussions or often termed as “end-to-end encryptions”. After the new update the data which is being shared with WhatsApp’s parent company i.e. Facebook will be Metadata. Metadata includes IP address, device name, model name, location and many other device information and does not include calls and messages. The update had to be made by February 8 and was subsequently delayed till May 15 that has effectively brought sufficient criticism for WhatsApp as it is changing the manner in which it shares client information through its foundation.

What actions Indian Government is Taking?

According to the source, the government authority is worried about the 'administrative vacuum' regarding privacy security in India as there is no information assurance law as of now. A bill for a privacy information assurance law in the Parliament is being discussed, yet it is probably going to take some time under the steady gaze of turning into a law. The Ministry of Information and Technology said that, they are in contact with WhatsApp’s authorities and has asked questions pertaining to the reason for such change in privacy policy and its impact on its users.

Recommendations and Conclusion:

A few recommendations to improve the data privacy policy are that the companies should have a data protection software which ensures the safety of the data of customers, regular risks check should be done by companies for prevention of data breach. Another integral recommendation would be to create awareness about the importance of data privacy and how to prevent data breach.

In the modern era of technological advancements, revealing any technological data or information may greatly impact the users. It is pertinent for the associations, organisations and individuals to ensure and assure adequate data/information storage steps have been initiated. Further, the data protection guideline has achieved a milestone and will keep on creating as society keeps on moving to manage the modern age. The excursion towards data protection has potential to boom and associations/organisation shall maintain a steady path should in order to secure the personal information, extend their endeavours, and guarantee that advancements are adhered to, in consonance with the latest guidance from the State’s Information Assurance Controller.

~Authored by Vardhan Gupta