Hello and Namaste from India!
I am still catching up on all the goings-on from the IAPP Global Privacy Summit 2022 in Washington, D.C., two weeks ago. And, I must confess, for a short while I was indulging in a bit of self-pity for having missed all the excitement and energy of an in-person conference. But I have the IAPP Asia Summit to look forward to in July.
In any case, given the pace at which developments take place in my corner of the world, where does one have the time for inconsequential indulgences?
While a lot is going on in every part of Asia, I will stick to the news and excitement from India.
There are two aspects I would like to focus on: the first being developments related to laws and policy and the second being seemingly unconnected incidents that have a significant impact for data privacy and protection.
IT Act being revised
Union Minister of State for Electronics and IT Rajeev Chandrasekhar recently announced that India’s 20-year-old Information Technology Act would be revised to keep pace with the times and accommodate the need for citizens’ right to privacy.
It should also be noted that this is a different legislation from India’s perpetually round-the-corner Data Protection Act. In the absence of a Personal Data Protection and Privacy law, the sole legal framework for privacy in India today is Section 43A and the Rules thereunder in the IT Act which address a few requirements of privacy.
Criminal Procedure (Identification) Act 2022 challenged
The Criminal Procedure (Identification) Act 2022 that was passed 18 April has been challenged via a Public Interest Litigation filed in the Delhi High Court.
The basic contention is that the act enabled law enforcement to collect personal data like finger, palm-print, and footprint impressions, photographs, iris and retina scans, physical and biological samples, as well as behavioral attributes like signatures, handwriting and the like from a large section of people including prisoners, arrested persons and detainees in the course of investigation and persons in protection homes. The earlier law limited the data that could be collected only to fingerprints, footprints and photographs.
The Delhi High Court asked the government to respond within six weeks.
Non-Personal Data Framework to be released
Minister for Communications and IT Ashwini Vaishnaw announced 25 April that the much-awaited revised Non-Personal Data Framework, now called the National Data Framework, would be released in 10 days.
This is critical to support the government’s ambitious plans of setting up Public Digital Platforms in various spheres that applications can be built upon. This would be further supported by the "India Data Accessibility and Use Policy 2022," a draft of which was released in February, which aims to enhance access, quality and use of data by various players.
I view all of the above as various critical components in powering the "Digital India" vision.
The ‘Oops!’ incidents
Meanwhile, two incidents in the recent past stood out for the news and controversy they seem to have generated, although, I would like to believe the consequences were unintended. These go to highlight how this part of the world has a long way to go in terms of really understanding what data privacy is all about.
Electric scooter company Ola Electric posted on social media the personal data of one of its users who was involved in an accident. In an effort to clarify what really happened, the company revealed telematics data about the user, as well as the fact that such data was being captured without appropriate consent.
The Tata Group, one of India’s largest conglomerates, recently launched its much-awaited "super app" that aggregates the various offerings across the group. Users soon started discovering data that they had submitted to one entity in the group being used by another entity for other purposes, such as to make an offering. This "re-purposing" of data, and the fact that data sharing was taking place, all without consent from the user, has created a fresh controversy.
Amid all of this, Google Playstore announced the tightening of privacy measures for all Android apps with a deadline of 20 July 2022 for compliance. In a country where more than 85% of mobile phones are Android and with more than 150,000 mobile apps published without privacy on their radar, hopefully, this development doesn’t catch people napping.
So, all ye privacy pros, many things to keep you on your toes!