Dear friends,

Hope the New Year has started off well for everyone! Let’s dive in straight to some updates.

The Indian Supreme court recently asked the government to respond within six weeks on pleas challenging a recent home ministry notification that allowed 10 agencies to legally request for surveillance under Section 69 of IT (Amendment) Act, 2008. These agencies are already authorized for lawful interception under the Telegraph Act, 1985. As per lawful process, requests for monitoring and surveillance by agencies are signed by Home Secretary (central and state governments), and there’s an oversight committee that meets from time to time. With a high volume of requests to be approved by the Home Secretary, it doesn’t really leave much scope for application of mind in each and every case before signing such requests. The Supreme Court in its Aadhaar and privacy (Puttaswamy) judgments has highlighted the need for surveillance reforms with external oversight (preferably judicial) for surveillance matters. The pleas also argue on the unconstitutionality of the surveillance process post-Aadhaar and Puttaswamy judgments and the need to build in privacy safeguards.

The Aadhaar amendment bill and DNA profiling bill have each passed in the lower house (Lok Sabha) but pending the upper house (Rajya Sabha) vote in the last parliamentary session. Privacy is a sticking point in both these bills, too. On the draft data protection bill, the government may give a nod soon. But whether a draft bill will be tabled in the last parliamentary session of the current government (starting at end of this month) is not yet known. If not in the next session, it will only be tabled post formation of the next government.

In the past two weeks, there have been numerous government-, industry- and civil-society-led consultations on draft intermediary guidelines issued by the Ministry of Electronics and Information Technology. Media organizations have reported that through the draft rules, the Indian government is asking organizations like WhatsApp to break end-to-end encryption. The government has clarified they aren’t asking companies to break any sort of encryption; they do want companies to ensure the traceability of the origin of a message. Comments are invited on the draft until the end of this month.

The Indian IT-BPM industry is keenly observing the Brexit proceedings mixed with caution and concern on trans-border data flows, post-29 March. Businesses hope to have answers soon to help them better plan in case of no-deal Brexit.

A few airports in India might pilot biometric authentication, such as facial recognition, to facilitate an easy transition. This has also raised concern among privacy advocates on tracking movement of individuals with no opt-out provisions. Let’s watch how this unfolds.

From Singapore, the Personal Data Protection Commission has issued fine of S$750,000 on IHiS and S$250,000 on SingHealth for not adhering to data protection obligations under Singapore’s Personal Data Protection Act that led to the breach in July. This is the largest fine ever imposed in Singapore on data protection grounds. The jury is divided on whether severe fines act as a deterrent enough for companies to exhaustively focus on maturing data protection and cybersecurity practices. India’s draft data protection bill also proposes heavy fines for noncompliance, which a lot of startups have opposed as a business killer. Perhaps cyber insurance has a place here.

Privacy as a subject hasn’t garnered much attention before in the history of mankind. We need to grab on to the momentum built for privacy reforms in a data-led world. In the same breath, I look forward to Data Privacy Day, when all of us will celebrate enthusiastically. Tell us your plans and activities for Data Privacy Day celebrations, and we’ll carry your efforts in our publications. Also, I look forward to meeting you at the CPDP conference in Brussels, Belgium, in two weeks.

Namaste!
Rahul Sharma