Data Protection, Privacy and the Law: Is India Ready Yet?

[Ali Waris Rao is an in-house legal counsel at Hindalco Industries Ltd., Aditya Birla Group. The views expressed are personal]

The debate surrounding big data, privacy and security in India has gained considerable traction. One may ask how the legal and regulatory framework in India surrounding big data, surveillance, internet of things (IoT – Tech 5.0), cybersecurity and privacy balance the pre-requisites of protecting the privacy of its citizens on one hand and, at the same time, foster novel inventions and effective developments on the other. The answer to the above question is not straightforward.

In the 21^st century, data appears to be the new coinage. Given the varied uses to which data can be put, there is no doubt about the fact that it is an extremely valuable commodity. Although the law in India seems to be attempting to address various nuances concerning data protection and privacy, certain questions regarding the proposed personal data protection legislation arise in the context of privacy related damage and probable misuse, if any.

Personal Data Protection & Privacy

Before delving into the details of the Personal Data Protection Bill, 2019 that is presently being discussed at length in a joint parliamentary committee, it is relevant to note that the Supreme Court of India through its judgment in Justice K S Puttaswamy (Retd.) v. Union of India held that the right to privacy is a fundamental right that essentially emanates from the right to life and personal liberty under Article 21 of the Constitution of India. Interestingly, by way of the aforesaid judgment, the Supreme Court also noted that “…privacy of personal data and facts is an essential aspect of the right to privacy […]. Apart from declaring that privacy is a fundamental right, the Court also acknowledged ‘informational privacy’ to be a subset of the right to privacy.

Be that as it may, the aforementioned privacy judgment of the Supreme Court may entail wider implications insofar as the law governing data protection and privacy in India is concerned. The proposed Bill and the extant laws will now entail going through the strictures or frameworks concerning life and personal liberty of the citizens, as enumerated under Article 21 of the Constitution of India.

Consequent to the aforesaid privacy judgment, an expert committee led by Justice B.N Srikrishna was established to scrutinize the feasibility of a new law concerning data protection and privacy in India, including its contours or limits. According to the ‘Statement of Object and Reasons’ of the Bill, the same is based on the endorsements of the expert committee’s report and the comments received from numerous stakeholders involved in the process.

At the outset, one may note that privacy as a concept is neither absolute nor unfettered, and there is no ‘one size fits all approach’. However, trying to define privacy is a herculean task for the simple reason that the term may signify different things to different people. Regrettably, it remains a challenge to ensure that the legal framework and the intent thereof concerning the Bill satisfies the needs and requirements of every entity – be it the Government, corporates or NGOs (including citizens). In all, it appears to be a challenge to effectively harmonize the clash between the privacy of one entity vis à vis the security of the other entity.

At this juncture, it is imperative to note the extant legislation (other than the Bill) or policies surrounding data protection and privacy in India. Apart from the regional legislation concerning data protection and privacy, the personal data of citizens in India is also protected through concomitantsafeguards developed by the courts, especially the Supreme Court under the common law doctrine(s), rules of equity and the principle of breach of confidence.

The extant legislation is primarily regional in nature that includes the relevant provisions of the Information Technology Act, 2000 and the applicable rules framed thereunder, the Aadhaar (Targeted Delivery of Financial and Other Subsidies Act) 2016, and the like.  Moreover, numerous entities in highly regulated sectors such as banking and financial services and  telecommunications are also amenable to information technology and confidentiality obligations arising under regional or local laws for the purposes of storing or utilizing the clientele’s personal and confidential data or information for stipulated purposes only.

Yet, at this stage, at least two questions beg innumerable consideration(s). At the outset, what measures ought to be taken to duly protect the personal and confidential data of the citizens until the time the Bill is enforced as a law? Is regional legislation apposite to address the same? Next, is there a requirement to legislate and enforce a distinct – an all-encompassing law – concerning surveillance or legislate distinct regional and local laws with respect to the same?

To my mind, it appears that we are currently functioning in a legal vacuuminsofar as surveillance is concerned in India. As regards surveillance law, India does not address the issue of surveillance appositely as there is no (principal) surveillance law – matters concerning national interest and security have been laid out simply by the executive in exercise of its executive functions that do not provide for a legal framework or basis. Hence, a legislation governing not only data protection and privacy in India, but also necessitating the Union  Government to obey the prescribed data protection (including surveillance) rules, warrants urgent necessity.

From the above, it necessarily appears that an all-inclusive legislation governing and regulating the storage, process and distribution of personal and sensitive data is a pressing priority. At present, there is no single (and an all-inclusive) legislation that governs and regulates the storage and distribution of personal and sensitive data and information in India.

The Bill & the Way Forward

The Bill has sought to address various issues surrounding the collection, process and utilization of personal and sensitive data and information by numerous entities in India. Rather interestingly, the Bill seeks to suggest a pre-emptive approach or system that hinges onto excessive state involvement and supposedly fortifies the Government. As a result, it may lead to a probable upsurge in compliance related costs for corporates or other entities spanning numerous sectors and thereby leading to disturbing watering-down of the data privacy in relation to the Government.

Further, the Bill intends to safeguard the privacy of the Indian citizens by establishing a pre-emptive system that controls how entities collect, process and utilize personal or sensitive data and information, rather than protecting the citizen’s privacy due to the resulting damage being caused by the perpetual infringement of the aforementioned privacy.   

Besides, the proposed Bill is problematic and questionable when it comes to the fortification of the citizen’s privacy, as the Bill considerably reinforces the Government’s part in the digital space and consequently leads to increasing surveillance and watering-down of the property rights in India without ensuring apposite counterbalance. In this regard, it is likely that India as a digital economy may observe disastrous outcomes concerning novelty in the digital space, by brushing aside the intended object and purpose of protecting data privacy in India.

As a matter of fact, recently, the Jio-Facebook deal wherein Facebook acquired a 9.99% stake in Reliance Jio platforms appears to be worrisome in the context of data privacy. Both the conglomerates now have entry to copious amounts of personal data and information of numerous citizens of India. What it means is that pending the enactment of the Bill into a legislation, the collection, process and utilization of personal and sensitive data and information by the aforesaid conglomerates would be subject to their privacy policies in India.

Nevertheless, worryingly, the users have not been provided with adequate information as to why or what plans the entity has to do with the personal data and information being sought or collected. Moreover, the terms – ‘data policy’ or ‘privacy policy’  concerning the privacy and data policy of the entity – remain elusive in their precise meaning.

If one were to study Facebook’s privacy and data policy, it sets forth distinct data distribution arrangements not only with its users, but also with third-party partners, albeit, restricted to stipulated purposes only.  Popular Facebook products such as Instagram and Messenger are disseminating significant amounts of data considerably among its popular products. Meanwhile, WhatsApp – a popular cross platform messaging and VoIP service application acquired by Facebook in the year 2014 – already shares extant systems, processes, technology and apposite infrastructure with a view to provide its users a stable and reliable experience across its business eco-system.

This exemplifies concerns regarding the Jio-Facebook deal, amongst others, for the reason that India does not have a data protection regime. In the absence of a legal and regulatory framework concerning data protection and privacy in India, it is hard can stop the two conglomerates and others – beyond the realm of morality, values and ethics – to persuade them to stop the collection, process and utilization of personal and sensitive data and information of its users. Hence, it is desirable that the Government duly implement, as soon as practicable and keeping in mind the interest of all stakeholders, the Bill (at the earliest) in order to protect privacy considerations.

– Ali Waris Rao