Namaste from India!

It has been an action-packed couple of weeks here in India on the privacy front.

Reflecting on the recent incidents and developments here, three key themes emerged.

The first theme is surveillance. We woke up a few days ago to find the country rocked by claims of snooping on key journalists, political leaders and activists by the Pegasus spyware, the tentacles of which spread far beyond our shores. This has brought to the forefront an issue oft-discussed in the country — that of surveillance and the urgent need for reforms to prevent misuse of surveillance, especially by intelligence agencies.

Other developments augment this concern. For example, a revised set of draft rules for drones was released a few days ago where not only is the word “privacy” completely missing, but it also allows government access to drone data at all times. Similarly, the proposed draft eCommerce rules allow government agencies to demand access from any entity under its scope to data under the organization’s control or possession.

The second theme is around India’s much awaited Personal Data Protection Bill and how the country steadfastly marches ahead with the proposed law either being an “ominous absence” or an “assumed presence.”

What I mean by “ominous absence” is that some developments seem to conveniently ignore the need for data protection to be a core aspect of their data fabric.

For example, FASTags — prepaid, rechargeable RFID tags that can be affixed to vehicles and connected to a user’s bank account or wallet — are being rapidly rolled out across India with complete silence on what data is being collected, where and how it is being stored, who has access to it and how it would be governed. A DNA bill is scheduled to be introduced in the current session of Parliament. It has been criticized for gaps on the privacy front as well.

On the other hand, it is heartening to note several developments in accord with the anticipated law, like the law has an “assumed presence.”

WhatsApp announced it would not rollout its new privacy notice in India until the PDPB is passed. Two journalists sued Air India, India’s National Airline, for leaking their personal data stored with SITA, a processor for several large airlines. While this development may not garner attention in many countries, it is a big deal here where these actions are rare. The Madras High Court (in the southern state of Tamil Nadu) noted last week an accused person who has been acquitted is entitled to have their name redacted from all court orders. Similar orders have been issued in the past by the High Courts of Delhi and Karnataka.

The third theme centers on the controversial data localization aspect. In 2018, India’s banking regulator, the Reserve Bank of India, passed a rule mandating payment data be kept in the country. In one of its first hard-hitting actions for noncompliance with this requirement, the RBI last week stopped MasterCard from doing further business in India. While similar actions have been taken against American Express and Diner’s Club in the past, the MasterCard decree is significant considering it holds a significant share of the Indian market.

Amid all this, where are we on India’s PDPB?

As some readers may recall, the bill was introduced in the Indian Parliament in December 2019 and sent to a joint parliamentary committee for review. The JPC was to submit its report to Parliament a couple of sessions ago but was granted extensions. As things stand now, the speaker of the parliament has indicated no further extensions would be given, and the report would have to be submitted in the current session. Meanwhile, the chairperson of the JPC and four other members have become ministers in the recent ministerial reshuffle. Where that leaves the JPC report and, consequently, the PDPB is anybody’s guess.

All in all, interesting and busy times for privacy in a country where 1.2 billion people’s personal data is at stake.