The concept of a data breach is not on India's priority radar. Low internet access, low literacy levels, rampant violation of citizens' fundamental rights and disregard for human rights are some of the factors that put technology-related human rights on the back burner. Western countries, which are dependent on technology, have devised important laws such as the General Data Protection Regulation (GDPR). This gives India time to align itself with the law before it comes to India, and it will also help our country avoid causing irrevocable damage to citizen safety through breaches of personal digital data. GDPR is a regulation or a law that is global in nature. Its implementation (directive) will vary with each country. A variant of GDPR is expected to be applicable in India in the near future.
In the context of data protection and breach, there are three aspects – data owner, data controller and data processor. The data owners are the individuals to whom the personal details and information belong. The data controllers are organizations that collect individual data and maintain the reservoir of population data. Data is collected through the Cloud Computing system, and the controllers are Cloud Computing Service Providers. The data processors are third parties to whom the controllers sell the data. If done ethically, the controller will inform the owner about the data transaction. According to the GDPR, the owner has complete rights over his / her data and can withdraw the consent to make personal data public. The owner of the data also has the authority to delete the public data that is handed over to the processor.
Currently India has the Information Technology Act (2000 and 2011), which blanket-covers cyber abuse and crime. GDPR lends additional protection that the I.T. Act does not cover. GDPR confers rights on the individual whose data is being processed for electronic commerce. The I.T. Act does not identify the data owner so much as it emphasizes the type of data that is vulnerable to violation. GDPR is based on the principles of data integrity, protection from unlawful processing, accountability, fairness and transparency. The design of the I.T. Act is not rooted in human rights because it does not factor in the concept of consent of the data owner for data use in the way that GDPR does. There are provisions in the GDPR for security of data processing, appointing a data security officer, conducting privacy impact assessments and maintaining records of processing that the I.T. Act does not have. For a more detailed understanding of the two laws, read ‘GDPR and India’ by Aditi Chaturvedi (The Centre for Internet and Society, India).
Until a variant law of GDPR is effective in India, we as citizens must ensure we keep our data safe by restricting its access to Cloud Computing and being careful during online interactions and transactions. The Centre for Social Research has been a strong advocate for online safety. Dr. Ranjana Kumari is on the Safety Advisory Board of Facebook, Twitter and Ola Cabs, and has been chosen to be on the panel of Australia’s ‘Officer of the Commissioner of ESafety’ as an inspiring woman who combated cyber abuse. As part of our #SocialSurfing and #TweeSurfing initiatives, The Centre for Social Research has, in the last three years, travelled across the country to over 300 colleges in 81 cities (29 States and Union Territories) to talk to Indian youth about online safety and using social media for social change.