GDPR’s Rights of Data Subjects: Comparing Indian & Nepalese Privacy Laws



Technological progress combined with several governmental and non-governmental efforts to create a digitalised economy and society has caused extensive data pooling, which has endangered the right to privacy. In recent years, both the Government and corporate organisations have become data miners, collecting information about the activities, behaviour and lifestyles of individuals and groups for their own benefit, such as for surveillance, targeted advertisement and targeted business-related activities.

It is a strangely conspiratorial truth of the surveillance society that companies and governments dip into the data streams of people’s lives in order to track what they do, what they know and where they go. These activities include infringements such as WhatsApp sharing one’s name and phone number with Facebook so that businesses can advertise their products on one’s screen. Corporate organisations have started treating data as a form of capital, which means that firms hoard, commodify and monetise as much data as they can. This tendency to treat data as an asset for creating capital value can be very harmful to society, as it destroys the whole concept of individual privacy (Sadowski, 2016).

In 2018, the Ministry of Home Affairs (India) issued an order granting authority to 10 Central Agencies to pry into individual computers and their receipts and transmissions “under power conferred on it by sub-section 1 of Section 69 of the Information Technology Act (21 of 2000), read with Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009”. It has authorised these “security and intelligence agencies” to intercept, monitor and decrypt any “information generated, transmitted, received or stored in any computer resource”. Internal security has been the main excuse of the Government and its affiliated organisations. This may turn the country into a police state with the politicians and bureaucrats fulfilling their greed for power by exploiting common people (Satpathy, Seth, Gurumurthy, 2018).

In order to secure the privacy laws particularly related to data protection, the European Union (EU) has drafted the General Data Protection Regulation (GDPR). Even though it is a law related to data protection in the EU, it imposes obligations on organizations anywhere in the world, so long as they target data related to people in the European Union. The GDPR also levies harsh fines against those who violate privacy and security standards. In order to prevent businesses and organizations from accessing the personal data of the citizens of the EU, it has created the rights of data subjects in Articles 12 to 23 of the GDPR. There are eight fundamental rights, including the Right to Access Personal Data, Right to Rectification, Right to Erasure, Right to Restrict Data Processing, Right to be Notified, Right to Data Portability, Right to Object and the Right to Reject Automated Individual Decision-Making.

There have been instances when companies had to pay huge amounts for violating the GDPR rules. In 2019, Google had to pay a fine of €50,000,000 on account of a lack of transparency on the use of harvested data for advertisement targeting. It did not even provide users with information relating to consent policies and did not give them control over how their personal data is processed. Many more companies have had to pay huge fines on account of breaches of personal data.

Currently, companies are assessing the impact of the EU General Data Protection Regulation (GDPR) on their businesses. This is mainly because of the high administrative fines imposed by the EU for non-compliance with the GDPR rules and regulations. The Indian economy is based more on the service sector, which primarily consists of information technology (Lakshmanan, 2019). This sector is more data oriented and is therefore highly exposed to the EU's radar. The information technology (IT) industry is a significant contributor to the Gross Domestic Product (GDP) of the country, and India must do all it can to protect and promote business in this sector. It also has to adhere to the changing regulatory framework globally. India will have to assess its preparedness and make convincing changes to retain the status of a dependable processing destination. Therefore, India as well as Nepal need to strike a balanced approach between the privacy rights of citizens and the data needs of companies.

Right to Privacy in India: A Recent Development

The right to privacy in India has developed through a series of judicial decisions. Over the years, inconsistency between two early judgements created a divergence of opinion on whether the right to privacy was a fundamental right or not. This was settled by the Supreme Court of India in the case of Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1. The Hon’ble Supreme Court declared the right to privacy a fundamental right protected under Part III of the Constitution of India. While pronouncing this judgement, the Supreme Court of India asked the Central Government to set robust data protection rules to ensure that no individual's right to privacy is infringed. In adherence to the order, the Government of India appointed a Committee of Experts on a Data Protection Framework for India, or Data Protection Committee (DPC), under the Chairmanship of Justice B.N. Srikrishna, to study issues related to data protection in India (Srikrishna, 2018). Although the committee submitted its report and proposed a comprehensive law on data protection, it failed to weigh the economic costs and benefits of implementing a GDPR-modelled law in India. However, keeping all the suggestions and views in mind, the Government of India proposed the Personal Data Protection Bill (hereinafter referred to as the Bill). This Bill incorporates many elements of the EU’s GDPR. These include requirements for notice and prior consent for the use of individual data, limitations on the purposes for which data can be processed by companies, and restrictions to ensure that only data necessary for providing a service to the individual in question is collected. In addition, it includes data localization requirements and the appointment of data protection officers within firms. If enacted, the Bill will provide a comprehensive, cross-sectoral privacy and data protection framework for India.

The bill has been largely modelled after the GDPR and several similarities can be found including the following:

However, the provisions of the Bill differ from the GDPR in some respects, including the provision of criminal penalties for harms arising from the violation of the Bill, and the proposal to treat the relationship between a data processor and its consumer as a “fiduciary” relationship. Even though these provisions would increase data protection obligations significantly, the Bill would enforce economy-wide changes to the data collection and management practices of Indian businesses. Clause 1(3) of the Bill states that it will apply to foreign business providers if they process data in connection with any business in India, have any “systematic activity of offering goods and services to Indian data principals,” or if the processing requires the profiling of data principals within the territory of India (Burman, 2019).

The EU had a pre-existing privacy framework (the 1995 Data Protection Directive) and therefore had experience of the economic changes such a law could bring to the region (European Parliament, 1995). India, on the other hand, has never had a data protection law and is unaware of its economic consequences. Furthermore, a systematic economic analysis of the proposed Bill has not yet been conducted to provide an accurate picture of its overall impact within India (Parsheera, 2018). Emerging economies like India that are considering such proposals need to carefully evaluate all aspects of the effect of implementing a privacy law on the economy, specifically on the information technology industry.

The GDPR has provided the right to protection of personal data for a while. India still does not have a cross-sectoral law on data protection. The Information Technology Act, 2000 primarily deals with issues such as cybercrimes and the liability of internet intermediaries, such as social media platforms, though it does contain some requirements regarding the protection of personal data. Section 43A of the Information Technology Act provides for compensation for damages caused by failure to maintain reasonable security practices to protect sensitive personal data. While declaring the right to privacy a fundamental right, the Supreme Court of India observed informational privacy to be a subset of the right to privacy, and noted that privacy includes the right to protect individual identity. This essentially meant that the country needs an effective legal framework for the protection of individual privacy and that India needs a more comprehensive approach to international privacy.

Right to Privacy in Nepal