The process of safeguarding crucial information from corruption, compromise or loss is called data protection. An individual's data should not normally be circulated without his or her consent, as this may expose the individual to risks and threats from unwanted quarters.
Why Data Protection is required
Some instances of data privacy violations have led to increased monitoring to prevent the compromise of personally identifiable and sensitive information.
In a recent case, a researcher linked to Cambridge Analytica (CA), a political consulting firm, accessed details of 50 million Facebook users; this data was shared with CA, which used online data to reach voters with personalized messages on social media for the 2016 US elections.
TRAI of India suggests that breaches may take place in spite of the adoption of best practices or necessary measures by data controllers.
What is Personal Data?
Personal data ranges from an individual's name and location to online identifiers, such as an IP address or cookies, that can track web activity. An individual's physiological, genetic, physical, mental, economic, cultural or social identity is also personal data that should be protected.
If a data collector wishes to use this data, the individual expects it to obtain consent in a clear and accessible way. The agreement should be specific and clearly articulated in language that people can understand. The more the data is shared, the more the individual is exposed to risks.
Data Privacy and its Importance
Data privacy relates to how a piece of information should be handled based on its importance. For instance, when you open a new bank account you will probably be asked to share a lot of personal information beyond your name.
In today’s digital age, we apply the concept of data privacy to personal information, known as personally identifiable information (PII) and personal health information. This includes health and medical records, Social Security numbers, financial data such as bank account and credit card numbers, and even some basic yet sensitive information, such as full names, full addresses and birthdates.
For a business, data privacy goes beyond PII; it also includes the information that helps the company operate, whether that is proprietary research and development data or financial information that shows how it is spending and investing its money.
Data privacy is very important as more of our data becomes digitized, and we share information online.
GDPR in EU: To Protect Data Privacy
What is the GDPR?
The General Data Protection Regulation (GDPR) is a Europe-wide data protection law. It was approved by the EU Parliament on 14 April 2016 and became effective on 25 May 2018. GDPR is the most important change in data privacy regulation in 20 years.
Why was it created?
GDPR sets guidelines for the collection and processing of data within the European Union (EU). It gives individuals the right to find out whether, where, and for what purpose their personal data is being processed.
It was designed to merge the various data privacy laws across Europe, to empower all citizens with respect to their data privacy, and to reshape the way organizations approach data privacy.
Until its implementation, data protection regulations in the EU were not that stringent. Its key features are:
• Justify the Data Use: Individuals can have their personal data erased or disallow its further use, including potentially halting third parties from processing the data. They can also choose to move their data and can object to its being processed for direct marketing purposes. Companies will have to justify why they want the data.
• Extended Reach: GDPR now covers all organizations offering goods and services and organizations that monitor (online) behavior. This extended reach covers the majority of organizations and is more effective.
• Real Reputational Risk: Enforcement actions will be more frequent and hence will be brought to light sooner, so the risk of reputational damage will become more real and visible.
• Hefty Fines: Companies that violate the new rules can be fined up to 4 percent of their annual global turnover. Hence, its implementation within organizations is more effective.
TRAI: Protect Personal Data in India
• The Telecommunication Authority of India (TRAI) has recommended measures for protecting the data privacy of individuals; the constitution of a Data Protection Authority of India may soon come into existence.
• The Srikrishna Committee has to submit its report on data privacy; this may become the basis for framing a tough law. TRAI is of the view that both private and government entities collect data; therefore, the framework should apply to both government and private entities.
• TRAI recommended that there must be recognition of why data controllers may collect and process personal data, and that this should be subject to various conditions and obligations, such as securing the consent of the individual and using the data only for identified purposes.
• The Authority recommended that all entities in the digital ecosystem that control or process data should be restricted from using metadata to identify individual users.
• For this purpose, the government should notify a policy framework for the regulation of devices, browsers, operating systems, and applications.
• It further recommends that, to ensure sufficient choices for users of digital services, the level of detail in the consent mechanism should be built in by the service providers.
• A framework based on the Electronic Consent Framework developed by MEITY and the master direction for data fiduciaries issued by the Reserve Bank of India should also be notified for the telecommunication sector.
• For the privacy of users, a National Policy for the encryption of personal data that is generated and collected in the digital system should be notified by the Government.
• For the security of personal data and the privacy of consumers, data should be encrypted in motion as well as in storage in the digital ecosystem.
• Decryption should be permitted on a need basis by authorized entities, in accordance with the consent of the consumer or as per the law.
Constraints on Data Protection in India
• India has no Data Protection Authority
• The Supreme Court has raised questions about the steps taken by the Government to protect the privacy of data
• The report on data protection by the Srikrishna Committee is delayed
• It is still not clear whether the Government will make a tough law like GDPR or one with loopholes that may allow service providers to escape
By: Aishwarya Sharma
Posted By - Assistant Editor