October 1, 2023


Advocacy. Mediation. Success.

Preserving Personal Data – A comparison of Data Privacy Laws in India and the Western World

Personal Data Privacy
Graphic Credits &#8211 Pawel Olek

The phrase ‘personal data’ usually means any facts relating to an specific by way of which these specific is straight or indirectly identifiable. This info can hence be similar to a person’s bodily, psychological, financial, cultural, or any other id through which the individual can be identified in the social entire world. Technological improvement has viewed an unparalleled and frequent upward spike due to the fact the arrival of the online age. Several of these systems will need to be fed with authentic facts to purpose effectively. For that reason, there has been an enhance in the want and thereby, need for information in the market place. This has led firms and other stakeholders to gather, keep, transfer, share, and use huge amounts of details in recent instances. This gave increase to what we now know as massive facts. This only improves each and every day with the boost in new end users becoming a member of the world-wide-web regime and availing of web services in several kinds.

Though the online age appears utopian due to the benefit it presents to the human race, we have now understood that there are also darker elements to it. This realization is what has sparked human desire in the notion of ‘data privacy’. As people notice the various shortcomings and stability worries linked with sharing of info, specifically when finished through an online medium (as it can be reported to be far more perilous than the offline details collection endeavors because of to its spontaneity, lesser recognition in general public and unregulated mother nature), the collective will need of people today, companies, and nations, for ensuring privacy and protection of personalized details has acquired momentum.

Preserving Individual Info

1 result of this realization could be viewed in the Indian government’s the latest determination to ban hundreds of laptop or computer or mobile cell phone programs that it identified to be amassing, sharing, and working with shopper information in a manner that could demonstrate to be a danger to citizens’ and nationwide stability of India. This transfer of the Indian govt can be found as a useful extension of the Indian Supreme Court’s determination in the situation of Justice K.S. Puttaswamy vs Union of India, recognizing and affirming a person’s ‘right to privacy’ as a elementary suitable assured underneath Report 21 of the Structure of India.

The Ideal to Privateness encompasses in by itself the privateness concerning one’s private info shared across any media or system. This determination as well as a general realization on part of Indian students and federal government that the existing legal regime [Information Technology Act, 2000, Indian Penal Code, 1860, etc.] is carrying out minimal to prevent data breaches and so, secure and assure info privacy to its citizens, led to the formulation and tabling of the Personalized Information Protection Monthly bill (PGPB), 2019 in the Indian Parliament by the Ministry of Electronics and Data Technology. This PGPB was then handed above to a Joint Parliamentary Committee for examination by authorities and stakeholders. On 16 December 2021, the Committee report and finalized Knowledge Safety Monthly bill, 2021 was posted. The Monthly bill is however pending just before the Parliament of India.

Details Privacy Legal guidelines in India

At existing, the Data Technological innovation Act, 2000 (as amended by the Information and facts Technology  Modification Act, 2008) read through with the Facts Technological innovation Guidelines are at the forefront of what can be pursued as India’s information privacy or protection routine as they principally offer with digital commerce and cybercrime in India. As a result, it does not include offline info transactions. The 2008 Amendment was major as it introduced Section 43A to the Act and tried to fill the gap in defense and provisions necessary for the protection of an individual’s electronically provided delicate individual facts. The section tends to make any corporate overall body dealing with sensitive individual data or information and facts dependable for its defense of it. It holds the company overall body liable to fork out damages to the influenced individual(s) in situations of carelessness in retaining fair stability to guard concerned information resulting in wrongful decline or wrongful attain to any particular person.

Therefore, it is a provision aimed at rising individual information security. Further more, Sections 72 and 72A improve this position by delivering “the punishment for any person who has secured obtain to talked about knowledge or facts in pursuance of any of the powers conferred below the IT Act Guidelines or Regulations and discloses it to any other individual devoid of the consent of the person concerned” and “the punishment for disclosure of information and facts in breach of lawful contract”, respectively. The punishments constitute large fines and imprisonment for up to a few decades. It can be witnessed as a result of these provisions that the Act is restricted in its scope as it only applies to corporate entities involved in collecting automatic processing of ‘sensitive individual facts and information&#8217 through ‘computer resource’ and the sufferer people of details breaches can just take motion in relation to minimal provisions.

Nevertheless, the Act broadens its scope as it is produced extraterritorial in its application by Segment 75 tends to make its provisions applicable to “an offense/ contravention dedicated exterior India by any man or woman if the conduct constituting an offense requires a laptop/ laptop or computer network positioned in India.” On the other hand, the effectiveness of the Act at the extraterritorial level are not able to be stated to be significant owing to jurisdictional limitations. The existing knowledge privateness state of affairs in India is, as a result, clearly non-exhaustible and limited in its coverage. The new-age Details Safety Invoice, 2021 seeks to improve India’s placement on this entrance by introducing a purchaser-oriented knowledge privacy law. India is further focusing on limiting cross-border details transfers and on formulating a info localization plan.

Laws in the Western Environment

Personal Data Privacy

The predicament in the European Union (EU) and the Usa vary from that in India. The EU has the most detailed info privateness and stability regulation in the planet in the variety of the Standard Facts Security Regulation (GDPR). It is the EU’s central legislation that emerged right after a have to have for uniformity and updating of outdated provisions was felt underneath the earlier present regime, namely, the Details Safety Directive (DPD). The GDPR is shopper-oriented and finds its foundation in the “Privacy by Design” university of considered as enshrined by it underneath Write-up 25. It introduced all the members of the EU at par and in arrangement with each individual other with regards to data privateness and safety requirements to defend their citizen’s data and is perfectly-drafted. It is viewed as a primary framework by most nations in get to build their personal knowledge legislation. The data privateness routine in the Usa is unique from this as it lacks a central federal information privacy and stability law. The details privacy entrance at the federal amount in the US is at this time held by various business or age-focused vertical legislations namely, the US Privateness Act of 1974, the Overall health Coverage Portability and Accountability Act (HIPAA), 1996, the Children’s On the web Privacy Security Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), etcetera. These legislations deficiency the appropriate coverage and update in provisions demanded for ensuring comprehensive data privacy in the web era.

Although the US has no federal legislation to control online-centered functions, tries are getting manufactured in the US at condition-level to deliver into power state degree, new-technology consumer-oriented info privateness, and safety rules. One this kind of case in point is the California Purchaser Privateness Act (CCPA) focusing on making sure the people&#8217 info privacy on the net. The states of Maine and Nevada have also executed point out-degree knowledge privateness laws together with California.

Other states have followed match by introducing costs pertaining to information privacy. These are the Massachusetts Information Privacy Law, New York Privacy Act, Hawaii Consumer Privateness Security Act, Maryland Online Consumer Defense Act, and North Dakota’s HB 1485. Initiatives are also staying created to introduce a federal data privateness law in the US. This is evident from modern proposals in this regard- Setting an American Framework to Make sure Knowledge Access, Transparency, and Accountability (Safe and sound Data) Act (S.2499), Client Knowledge Privacy and Safety Act of 2021 (S.1494), and the Online Privacy Act of 2019 proposed by Congresswoman Eshoo.

Comparison of Facts Privateness Laws of India with the Western Environment


All a few international locations- India, the EU, and the United states of america are moving toward consumer-oriented knowledge privacy and security routine. India’s Data Security Bill, 2021 is mainly primarily based on the European Union’s Common Info Defense Regulation (GDPR) framework, which in turn is in line with the “Privacy by Design” school of believed prevalent in the United states. The Indian Bill goes a action further by attempting to develop unique laws customized to India’s developing want for information privacy and safety as one of the premier client marketplaces in the globe. It encompasses not just particular but also non-community private information and facts (NPI) within just its scope, as up-to-date until 2021. This technique can be initially observed in USA’s Gramm-Leach-Bliley Act (GLBA) which guards any “information collected about an particular person in link with offering a money product or service or provider unless of course that info is in any other case publicly available”. This sort of information is what is commonly referred to as non-community individual information (NPI).

In the US, a shopper can choose out of their NPI being shared with a “non-affiliated” third bash. The GDPR too, in its general tactic, takes a similar see.  Nonetheless, the customer versatility and alternative offered by these legislations might differ. For case in point, under GLBA, the people can’t handle or prohibit the sharing of their NPI with businesses that are affiliated with the banking or insurance plan enterprise that they are sharing their NPI. This may possibly put the buyers in a restricted spot pertaining to sharing their NPI with the anxious company as they are remaining with only two choices- both to avail of the products and services of the worried company or not. In today’s period of consumer-helpful markets and purchaser-oriented privateness laws, GLBA’s absence of versatility and room for consumer alternative can be explained to be losing on this entrance. Indian and the EU, both equally authorized regimes protect non-anonymized details. 

The CCPA, California condition regulation in the US embodies several exceptional capabilities these types of as the ‘data subject matter obtain request (DSAR)’, the ‘right to delete’, ‘right to sue’ to victims of a info breach (constrained appropriate), and so forth. The GDPR and the impending Indian regime, each deliver for authorized cure for any worried particular person to instantly sue a processor for damages. By advantage of these, any covered business (less than CCPA) are unable to offer particular facts with no prior net detect with regards to these kinds of sale and enough chance to decide-out of the info topic(s). A related provision has been witnessed in the proposed Indian Info Safety Bill, 2021. The Indian Bill has taken a preventive strategy and defines in detail the data that needs to be exhibited at the commencement of details selection to get hold of consent, ahead of sharing information with other get-togethers and in celebration of a knowledge breach.

The principle of notification of data breach to the involved client or information topic or information principal can be found in all three areas. The CCPA more presents a really broad definition of private facts and hence, takes a in the same way expansive watch as that of the EU’s GDPR. The CCPA also delivers a extended checklist of identifiers that it considers as a details subject’s personalized details. This also is very similar to GDPR’s viewpoint as GDPR has particularly talked about many this sort of identifiers to reduce confusion in the EU market place. The Indian Information Security Bill, 2021 also looks to follow this line.

Nevertheless, the ‘probabilistic identifiers’ (or quasi-PII) are a unique feature released by the CCPA. The CCPA also provides a knowledge stability clause, although imprecise, by inquiring companies to “implement and sustain reasonable safety procedures”. There is hope for development in this regard by retaining the Centre of World-wide-web Security’s Top 20 controls and the NIST Critical Infrastructure Stability (CIS) Framework at the foundation of such growth. Yet another attribute in the US proposed state costs is consumers’ proper to sue for any violation of regulation without the need of struggling a loss of funds or house as a final result of the violation, one thing missing from the present-day Indian legislation as remaining liable under Indian law currently necessitates a wrongful loss or wrongful achieve to consider put from an alleged facts breach. 

The US proposed condition legal guidelines also communicate about fully limiting sites from non-consensual passing on of any customer’s details to third events, and imposing the function of data fiduciary on all businesses and thus, holding them to be lawfully liable for all customer knowledge that they maintain. Identical provisions can be viewed in India’s Info Security Invoice, 2021. Even under GDPR, the info controller is held finally responsible for the stability and processing of the knowledge. The legal responsibility is also put on the cloud service provider beneath Short article 5 of GDPR to guard the safety of data presented to it by the info controller. This qualified prospects to yet another similarity between the Indian and US regulation as they use the terms ‘data fiduciary’ and ‘consumers’ or ‘data principals’ which are comparable to the EU’s ‘data controller’ and ‘data subject’. The US Monthly bill and regulations, EU&#8217s GDPR, and the Indian Facts Protection Bill, 2021 also all offer for the ideal of affirmation and entry to information and facts, the proper of correction and erasure, and the ideal to be neglected. Even so, the intensity and scope of their software may possibly vary from location to area. The similar is the situation with grievance redressal and penalties throughout these jurisdictions.


The comparison of knowledge privacy laws of the 3 locations- India, the EU, and the United states has led to the subsequent observations. A single, the common trend of applied and approaching data privacy regimes in these places are very similar to 1 an additional and have the ‘Privacy by Design’ theory at its base with its advocacy for customer-oriented details guidelines and assortment of the minimum needed and necessary information from information topics and deletion of these types of on completion of the goal for which it was gathered for. 

The major dissimilarity in the basic scenario of the 3 areas can be seen in their existing scenario, that is, in the guidelines in power at the existing working day in these locations. Though the EU has carried out a central full-fledged details privateness legislation, India lacks at the rear of with its central legislation with minimal info privateness provisions with constrained scope. The US falls even further at the rear of as regards the implementation of data privateness legislation giving for the safety of individual facts as regards the net of factors. Even so, it can be explained that India and United states of america are at par in their initiatives of generating a sturdy and efficient knowledge privacy regime with the introduction of associated bills in their parliament. But at existing, only the EU can be reported to have a information privateness legislation in entire strength and capable of guarding the citizens’ passions. The regimes also differ in the applicability of their legislation. Whilst the EU and Indian rules, presently in power, are extraterritorial in their application, US law lacks this aspect.

Lastly, it can be safely and securely assumed that the future knowledge privacy law regime in all a few locations will be equivalent in the feeling that they will boost concepts and provisions such as Privateness by design, transparency, security safeguards, company duty, notification of knowledge breaches within just a reasonable time as quickly as possible, appointment of Data Protection Officers to advise companies, Data Security Impact Assessments, details audits, etc. 

With this reported, we have significant hopes for the Indian Facts Security Invoice, 2021 as it improves highly on the formerly suggested Personalized Details Security Invoice, 2019, and is still undergoing debates in the parliament. It also goes a phase even further by attempting to be unique laws customized to India’s escalating have to have for knowledge privateness and stability as a single of the largest shopper marketplaces in the environment.

The article Preserving Particular Facts &#8211 A comparison of Knowledge Privateness Legal guidelines in India and the Western Earth appeared initial on KnowLaw.