Analysis of Data Protection and Privacy Laws in India and U.K.

By: Chaitanya Anil Yadav

  1. Data Protection and Privacy Law

According to Yves Poullet, more than 1.5 billion people use the internet and email nowadays, owing to the fast expansion of information technology and the population of internet users. Information technology will be increasingly utilised to acquire personal information, having both positive and negative effects for individuals (Dinev and Hart, 2006). The internet has provided us with several benefits while also putting our privacy in danger. On the internet, our information is disseminated widely. When you conduct online shopping, for example, you may be concerned about whether they retain your personal information and credit card data for any other reason or whether giving the information is secure. Are you perplexed as to why you are being bombarded with spam? Have you heard on the news that a bank’s network was hacked, and credit card and customer information was stolen? When we go online, there are possible privacy dangers and hazards. We need to be aware of these threats and risks, and we need to improve our privacy self-protection knowledge. Data security has always been a priority. It’s why individuals secure their file cabinets with locks and hire safe deposit boxes at their institutions. Data privacy is becoming increasingly important as more of our data is digital and we share more information online. A single corporation may have the personal information of millions of clients—information that must be kept hidden for consumers’ identities to remain safe and secure, and the company’s reputation to remain unblemished. However, data security isn’t simply a commercial problem. When it comes to data privacy, you, as an individual, have a lot on the line.

  2. History of Data Protection and Privacy Law.

Data privacy laws have existed for far longer than you may recall. Find out how data privacy regulations have evolved in the contemporary era as the GDPR approaches implementation. The General Data Protection Regulation (GDPR) will become fully operational. It is by no means the first data privacy law, and while it is the most comprehensive piece of regulations on the subject to date, it is unlikely to be the last. Let’s take a look back at the many current data privacy regulations that have been established over the years as the GDPR gets closer. The First Modern Data Privacy Laws were enacted in the 1970s. In response to worries about computer breakthroughs and privacy in the processing of personal data, the first contemporary data privacy regulation was enacted in Hesse, Germany. The Data Act, enacted in 1973, was the first national privacy law, criminalising data theft and granting data subjects access to their information.

Learn more about Information Security, Privacy and Data Protection Laws with Enhelion’s Online Law firm certified Course! 

In Germany, the right to informational self-determination was established in 1983.

The German Federal Constitutional Court concluded in a landmark decision concerning the intrusive nature of a national census survey that people had a basic human right to self-determination over their data. Individuals should be safeguarded from the unrestricted acquisition, storage, use, and disclosure of their data, according to the judgement. In 1995, the EU Data Protection Directive was enacted. As computer technology advanced and the free flow of information became more widespread, the European Union enacted the Data Protection Directive, which imposed minimum standards of personal data protection on member states and protected individuals’ rights regarding the movement of personal data between EU member states. Individuals had access rights, as well as access to supervisory agencies, and data could be moved outside of the EU as long as “an acceptable degree of protection” was provided. However, each EU member state executed the legislation differently, resulting in some nations having weaker rules and supervision.

The Safe Harbor Accord was signed in the year 2000. This was a collection of principles intended to reconcile the disparities in data privacy regulations between the US and the EU to improve information flow between the two areas. They were eventually declared unlawful by the European Court of Justice in 2015 because US intelligence services had unlimited access to EU persons’ data under US law. The EU-US Privacy Shield was implemented in 2016 to replace Safe Harbor, but its future is uncertain. 2016 is the year of the General Data Protection Regulation (GDPR).


Organizations all around the globe have been granted a two-year head start to upgrade security measures and processes in readiness for the most comprehensive set of data protection regulations yet. The legislation includes a right to be forgotten for data subjects, affirmative permission, thorough and timely data breach notifications, simple language for terms of service agreements, and sanctions of up to 4% of an organization’s total worldwide annual turnover if found in violation.

  3. Data Protection and Privacy Law in India.

After more than two years of heated discussion, the Indian government finally tabled the Personal Data Protection Bill in Parliament on December 11, 2019. Rather than pressing for speedy passage of this highly important law, India’s information technology minister, Ravi Shankar Prasad, sent it to a joint parliamentary committee for review. After the committee issues its report on the law, it will be considered in the Indian Parliament in 2020, with the ruling coalition certain to win a large majority in both chambers. As India attempts to establish a comprehensive data governance framework, this law has far-reaching consequences for practically every firm trying to do business in India. India has a unique capacity to exert pressure over multinational digital firms and impact global policy due to its population size, gross domestic product, and the flood of new internet users.

During the proceedings in the K.S. Puttaswamy vs. Union of India (2017) “right to privacy” case, the narrative around data protection in India reached a peak. A nine-judge bench of the Supreme Court of India affirmed the right to privacy as a fundamental right in a landmark decision. The Indian government formed an expert group to develop India’s data protection policy throughout the case. The committee presented a draft Personal Data Protection Bill and an accompanying report, titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians,” after a public consultation on a white paper. Many of the consent-related clauses of India’s data protection law seem eerily similar to the General Data Protection Regulation of the European Union (GDPR). To acquire personal data, companies defined as data fiduciaries must get agreement from the persons whose data is in question, according to the new Indian bill. Data fiduciaries are defined as any business that determines the “purpose and methods of processing personal data,” a broad description that may include everything from ride-hailing applications to social media platforms to data brokers that purchase and sell consumer data.


These safeguards show that the Indian government is concerned with both protecting the rights of Indian data subjects and reducing the massive power disparity that now exists between major technology companies and ordinary Indian people when it comes to data collection. However, it remains to be seen how that connection will play out between individuals and the government, not only between companies and individuals. For example, when government organs judge data collection and usage relevant to state operations, the various loosely stated exclusions on data legislation might permit types of monitoring. To allow data to be copied into a country, the destination country must provide enough privacy protections for the data and not prevent Indian law enforcement from accessing it. India isn’t unfamiliar with the need for localised data storage. Rather, they would be used to enhance existing policies. The Reserve Bank of India’s (India’s central bank) mandate for local storage of payment data is the most significant of the existing safeguards. Attempts have been made by major technology companies such as WhatsApp Pay, Google Pay, Mastercard, and other payment providers to comply with the new Reserve Bank rule. Finally, the government took care to include Section 91, which states that the government maintains the right to interpret any rules for the benefit of India’s digital economy as long as it does not entail the use of personally identifiable information. The government can also order data collectors to hand over anonymized personal information or other “non-personal data” for “evidence-based policy-making,” according to Section 91(2). There hasn’t been much clarification on what it would entail.

  • Information Technology Act, 2000: It provides for safeguards against certain breaches about data from computer systems. It contains provisions to prevent the unauthorized use of computers, computer systems and data stored therein.
  • Personal Data Protection Bill 2019: The Supreme Court maintained the right to privacy as a fundamental right in the landmark decision of K.S. Puttaswamy v. Union of India 2017 after which the Union government had appointed Justice B.N. Srikrishna Committee for proposing skeletal legislation in the discipline of data protection. The Committee came up with its report and draft legislation in the form of the Personal Data Protection Bill, 2018. In 2019, Parliament again revised the Bill and much deviation from the 2018 Bill was evident. The new Bill was named as Personal Data Protection Bill, 2019. The purpose of this Bill is to provide for the protection of privacy of individuals relating to their Data and to establish a Data Protection Authority of India for the said purposes and the matters concerning the personal data of an individual.

  4. Data Protection and Privacy Law in the U.K.

The Data Protection Bill was enacted in May of 2018, and before that, the United Kingdom regulated the Data Protection Act or DPA 1998, which was enacted with the adoption of the Data Protection Directive into national law on March 1, 2000. The Privacy and Electronic Communications Regulations (PECR) 2003 play a role in company operations, and modifications to the regulation of direct marketing have been enacted. According to assignment help UK experts, it includes the processing of location and traffic data, as well as the use of cookies and other similar technologies. The European Commission has suggested a draft Regulation on Privacy and Electronic Communications to replace the existing ePrivacy Directive (Raul, 2018). The regulation is supplemented by the ePrivacy Regulation, which has direct implications for all Member States, including the UK. Its goal is to offer marketing guidelines based on cookies from websites to industry-specific regulations. The ePrivacy rules need to be updated, and these are the modifications that must be made. It necessitates a clear and affirmative action to grant permission to cookies. It tries to encourage the burden of shifting and seeks agreement from website browsers to utilise cookies.


The Act is divided into seven sections. Section 1 explains them in detail. This Act regulates the handling of personal information. The GDPR governs the majority of personal data processing. Part 2 adds to the GDPR (see Chapter 2) by imposing a substantially comparable rule on some forms of processing that are not covered by the GDPR (see Chapter 3). Part 3 implements the Law Enforcement Directive and establishes provisions for the processing of personal data by competent bodies for law enforcement purposes. Part 4 deals with the intelligence services’ handling of personal information. Part 5 specifies the role of the Information Commissioner. Part 6 outlines the procedures for enforcing data protection regulations. Part 7 contains supplemental provisions, including information regarding how this Act applies to the Crown and Parliament.

The Act creates new offences such as intentionally or carelessly collecting or revealing personal data without the data controller’s consent, procuring such disclosure, or keeping data obtained without consent. It would also be illegal to sell or offer to sell personal data that had been intentionally or recklessly collected or exposed. In essence, the Act implements the EU Law Enforcement Directive, applies those portions of the GDPR that “must be decided by Member State law,” and provides a framework comparable to the GDPR for the processing of personal data that is not covered by the GDPR. This includes the processing of personal data held in unstructured form by public authorities, as well as processing by intelligence services and immigration services.

The GDPR will be integrated directly into domestic law once the UK quits the European Union under section 3 of the European Union (Withdrawal) Act 2018.


The Information Commissioner’s Office’s enforcement of the Act is aided by the Data Protection (Charges and Information) Regulations 2018, which impose a data protection fee on UK data controllers. Some companies and non-profits’ internal core objectives (staff or members, marketing and accounting), home affairs, some public reasons, and non-automated processes were all exempted from the fee. The registration enforcement system was shifted from criminal to civil monetary penalties under the 2018 Act.

The Data Protection Act of 2018 is an update to the Data Protection Act of 1998, emphasising the need for companies to be more responsible with information and enhancing confidentiality. The latter amendment also operates in combination with the GDPR, which was not the case with the Data Protection Act of 1998. The following are the major changes from the Data Protection Act (1998) to the Data Protection Act (2018): The Data Protection Act’s right to erasure exclusions are being regulated in line with the GDPR. The enforced Regulations of May 25, 2018, were going to be applied to the Member States and would continue to be directly applicable in the United Kingdom. The Queen’s address in 2017 reiterated that the United Kingdom will remain an EU member state, and the Regulations will take force, with the Government intending to propose legislation to implement the Regulation. There is a bill that is expected to pass after the Brexit period. The law is about the requirements for implementing the proposed Data Protection Bill’s Regulation. The New Data Protection Bill draft was expected to be released in 2017, and the UK government would be reforming the data protection legislation based on the Regulations.


Data is a vital resource in the digital era that should not be left uncontrolled. In this environment, India’s time for a strong data protection regime has arrived. The Personal Data Protection Bill, 2019, has to be amended as soon as possible. It has to be rewritten to ensure that it emphasises user privacy while focusing on user rights. To enforce these rights, a privacy commission would need to be formed. The government would also have to protect people’s privacy while bolstering their access to information. Furthermore, technology advances achieved in the previous two to three years must be addressed, as they have the potential to flip the world upside down. It’s like wielding a two-edged blade. While it protects Indians’ personal data by giving them data principal rights, it grants the central government exemptions that are contrary to the principles of processing personal data. When necessary, the government can process even sensitive personal data without the data principals’ explicit agreement. So, while following the foreign legislation of the United Kingdom or the United States in its entirety would not be a viable solution, a comprehensive data protection law is the need of the hour in India. Distinct types of data should be divided into different categories, and different levels of security should be offered to different types of data. However, this should be incorporated in a single act. India’s strategic goal is likely to be in ensuring that it fulfils its constitutional obligation to its people, prioritising citizen rights and economic well-being over purely commercial or bureaucratic objectives. However, it is unclear if this goal is met, owing to concerns about exclusions in the wording of the Personal Data Protection Bill. It remains to be seen if the policymaking pendulum swings in the correct direction when the Joint Parliamentary Committee begins debates on the draft bill.
