In 2017, the Supreme Court of India pronounced a landmark judgment declaring the right to privacy a fundamental right within the framework of the right to life (Article 21) under the Constitution. However, a standalone and comprehensive privacy law does not yet exist in India. Currently, the Information Technology Act, 2000, read with its supplementary Rules, acts as the legal cornerstone for the protection of personal information.
Lawmakers and regulators progressively recognize the importance of data for economic and technological growth. Hence, 2021 witnessed key developments in the data privacy and personal data protection space across various sectors.
In terms of legislation, the Joint Parliamentary Committee's (JPC) report on the proposed data protection law has given the Data Protection Bill of 2021 a new tone and tenor. The Reserve Bank of India (RBI) developed restrictions for payment aggregators and lending applications, while the Bureau of Indian Standards (BIS) formulated data privacy standards as an assurance framework for enterprises. The central government also issued due-diligence rules to regulate internet intermediaries.
What was 2021 about from a privacy and personal data protection vantage point?
These developments result from the meteoric adoption of technology, powered by enormous data sharing networks created by private and public entities. These networks depend on the personal data of individuals. In the absence of adequate privacy safeguards, there is a risk that personal data may be subjected to unauthorized access.
Data Protection Bill 2021
The JPC's report paved the way for India's data privacy and protection legal regime. The bill is yet to be tabled in the Parliament. However, a key point of discussion is that the bill in its current form proposes deviations from its earlier two predecessors (2018 and 2019 drafts).
A noteworthy change is the exemption extended to government agencies with respect to data processing. This exemption may be examined in the light of the recent Supreme Court judgment in the Pegasus spyware case, which involves allegations that the central government conducted surveillance on Indian citizens. The Hon'ble Court constituted a committee to assess the violation of the right to privacy and make recommendations on the current surveillance laws to strengthen data protection practices. Hence, a prudent approach would be to bring government agencies under the umbrella of the Data Protection Bill (DPB) to ensure individual privacy and enhance cybersecurity.
Under the latest draft, the DPB seeks to regulate the collection, storage, transfer and use of personal data. In addition, it extends the provision to foreign-based entities in case Indians are subjected to their data processing activities.
The bill's main tenets include individual consent, data breach notification, transparency (prior notice and a privacy policy describing data processing practices), purpose-based processing, technical security, and rights for individuals who part with personal data such as name and email ID, or sensitive personal data such as a social security number. These rights would give individuals more control over the processing of their data, as they would be able to access, correct and remove their data easily.
In August 2021, new jurisprudence on privacy rights management was laid down. The Madras High Court dismissed a petition asserting the right to be forgotten, in which the petitioner sought to have his criminal and court records expunged following his acquittal. The court dismissed the petition because the fulfillment of a task in the public interest trumped the individual's right to privacy. The court further stated that such rights would be more effectively implemented once India passed a data privacy law.
Several requirements set forth by the JPC's report and revised DPB are worth ruminating over. Take, for instance, the data localization norms applicable to sensitive personal data and critical personal data (yet to be defined by the central government). The flow of data from India to a country abroad would be restricted.
These norms are perhaps a manifestation of India's economic, national security and data protection concerns. Data of Indians is to be stored primarily in India and may be transferred abroad if the individual provides consent, a contract duly approved by the Data Protection Authority (DPA) is in place, or the receiving entity can demonstrate compliance with applicable data protection laws. The receiving entity could also implement adequate technical (e.g., encryption and access control) and administrative (e.g., privacy policy and breach management process) safeguards to validate such data transfers.
The glaring concerns with the localization norms are the costs and technical capabilities required to segregate data, and the creation of a single point of failure: data would have to be stored only on servers based in India, as opposed to the conventional practice of utilizing distributed servers across various jurisdictions.
The bill relies heavily on consent as the basis for processing data, mandating that organizations enable individuals, through a consent manager platform, to give, withdraw, review and manage consent in an accessible, transparent and interoperable manner. Though the idea seems novel, it falls in uncharted waters.
As we await the passage of this bill in the Parliament, we can deduce that it requires organizations to revamp their operational practices in relation to data-related processes and embed privacy within their business procedures.
Banking and finance
Building on the privacy principle of data minimization, under which only those data elements required for the stated processing are to be collected and stored, the RBI released "Guidelines on Regulation of Payment Aggregators and Payment Gateways." These guidelines seek to restrict payment aggregators, who facilitate payments between users and merchants using electronic/online payment modes, from storing card data and associated data (e.g., card number and CVV).
RBI also recognized the growing dearth of data security and privacy in the digital lending sector. Given the exponential penetration of digital lending applications, RBI formed a working group to assess the maturity of the privacy practices implemented, which recommended that data should be stored only on Indian servers.
The scope of the assessment would include transparency of data processing activities, whether a privacy notice or policy is in place, consent mechanism, and rights management to help users amend or delete their data. The working group would also study the breach of purpose limitation requirements, as often customers' data is used to harass them.
Bureau of Indian Standards on data privacy
IS 17428 is the latest standard issued by BIS to govern data privacy assurance practices of organizations. This standard will provide a framework to establish, implement, maintain and update data privacy management practices. The standard has two parts to it. The first provides for technical and administrative requirements to protect the privacy of personal and sensitive data right when designing a product or service that would involve the collection of an individual's data. The second part enumerates certain guidelines to augment the implementation of the requirements in the first part of the standard.
While the first part is mandatory to ensure compliance with the standard, the second part is merely advisory. Since India does not have a comprehensive data privacy law, it would be worthwhile to read this standard in conjunction with the compliance requirements under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules), to develop secure data privacy practices in line with standards such as ISO 27001.
The grey area here is the lack of guidance on whether implementing the latest standard would be sufficient to comply with SPDI Rules. Therefore, organizations would be obligated to implement IS 17428 and treat it as a reference point to comply with SPDI Rules and the upcoming data protection law.
Communications
In attempting to balance privacy rights on the weighing scale of national security and public order, the Ministry of Electronics and Information Technology codified Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These rules provide due diligence requirements, and the idea is to identify the first originator of any information transmitted over social media and messaging platforms. However, this requirement does not extend to the contents of electronic messages. Currently, this traceability requirement is being reviewed by the Delhi High Court to adjudicate its constitutionality vis-à-vis the right to privacy. Although the government has clarified that it has no intentions of violating the right to privacy, it remains to be seen if the extent of mandated disclosures would impinge on the actual contents of the messages being communicated, as the basis for tracking is State sovereignty and security.
Technology and finance writer Byrne Hobart famously remarked that "the whole point of communicating is to violate your own privacy in a controlled way." Perhaps these words have inspired WhatsApp, currently under legal scrutiny for the terms of an amended privacy policy. According to the policy, users can "opt-in" to share data with Facebook to continue using WhatsApp services. The Competition Commission of India launched an investigation into the potential impact of WhatsApp's new rules on the Indian market. The main concern is that the opt-in violates the essential characteristics of legitimate consent (transparent, withdrawable and free of consequences such as denial of services).
The road ahead
Regulators, legislators, the judiciary and industry can expect 2022 to be a busy year. It has been more than three years since the EU General Data Protection Regulation went into effect, and India is on the verge of following the EU's lead and streamlining its data protection regulations, even though there are reports of a possible re-draft of the bill. The interplay of sector-specific regulations and a general law on data protection would likely trigger deliberations and actions on a wide array of privacy concerns. Moreover, with the rapid adoption of cutting-edge technologies such as blockchain and AI, it would be a worthy endeavor to track and study how the current set of regulations would apply to frameworks based on decentralization and anonymization. Meanwhile, organizations should consider conducting periodic audits and assessments of their privacy procedures to better visualize the types of data they collect, its flow within the company, and its storage timelines and locations, and initiate remediation steps to close any gaps they observe.