
Data protection: Worst of both worlds?

Updated on December 27, 2020

Our regulatory response is torn between need to ensure ‘user privacy’ and urge to be a ‘nanny state’

RAMESH VAIDYANATHAN

With over 743 million internet subscribers, India is the second largest online market in the world. Also, the world’s highest data usage per smartphone — 9.8GB a month in 2019 — is in India. The government’s flagship programme, Digital India, looks to build a digitally empowered society.

Rightly, in this age of big data, many government initiatives embrace digitisation. We have the world’s largest biometric ID system (Aadhaar) that has unwittingly become a mandatory requirement for pretty much everything under the sun. The contact tracing app, Aarogya Setu, rolled out in April, may soon become mandatory, generating concerns around user privacy and data security.

The next hot item seems to be facial recognition technology with both governments and businesses grabbing it — be it for policing, authentication of voters or regulating entry and exit of people at public places.

Collection of personal data, which is happening on an unprecedented scale, is governed by an archaic framework: the Information Technology Act, 2000 (IT Act) and The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

These set out minimal data protection safeguards to be implemented by private parties for collection, storage, use and transfer of personal data and sensitive personal data. Businesses providing storage, transmission and other services such as telecom and internet service providers, search engines and online markets must comply with data protection and due diligence standards as required for an intermediary under the IT Act. The Act also covers publishing website terms and conditions and privacy policies. It also prohibits users from sharing hateful or obscene information.

Right to privacy: The holy grail

In the landmark Puttaswamy case in 2017, the Supreme Court ruled that the right to privacy is a fundamental right, though subject to reasonable restrictions under law. It also recognised that informational privacy in the digital age is a facet of the right to privacy and highlighted the need for a robust data protection law.

Shortly after, the Personal Data Protection Bill, 2019 (Bill), a comprehensive law dealing with data protection and privacy modelled on the European Union’s General Data Protection Regulation (GDPR), was brought in, which is now being reviewed by a parliamentary panel. With the Bill expected to become law soon, India appears to be inching towards a robust data protection framework. The Bill proposes the setting up of a Data Protection Authority of India, vested with wide-ranging powers, from issuing directions, enforcing compliance, conducting inquiries and investigations of data fiduciaries, to protect the interests of data principals (users).

Multiple regulations

Besides the Bill, data regulation seems to be a recurring theme in other regulations or proposed laws. The Consumer Protection Act, 2019 includes ‘sharing of personal data given in confidence by a consumer’ as an unfair trade practice, except when mandated under law. Further, the proposed e-commerce policy plans to include provisions on data protection and data localisation, apart from setting up an e-commerce regulator.

Whether the e-commerce regulator also gets powers to regulate data protection aspects of e-commerce entities remains to be seen.

There are multiple sectoral regulations addressing data privacy and data protection in sectors such as telecom, health and medicine. Businesses in the banking and financial sector have to comply with data protection norms laid down by the Reserve Bank of India (RBI). The RBI is said to have sought exemption from this, citing its role as the operator of payment systems.

Regulation of non-personal data

As if the regulatory overreach for personal data without a solid foundation in place was not enough, the Ministry of Electronics and Information Technology published the first draft of a Non-Personal Data Governance Framework for India for public consultation in July 2020. Non-personal data simply means any data that is not related to an identified or identifiable person. So it covers anonymised data about our health, cropping patterns, weather data or traffic or any such data culled out from datasets collected and maintained by public and private companies in a particular line of business.

The draft, thus, bats for a new regulatory framework for non-personal data, treating data as an economic good and a national resource.

Flawed approach

This is a flawed approach as it fails to factor in the incentives for business as well as the risks to the user. For instance, businesses invest in innovating around data analysis and maintaining data sets of their customer preferences for their growth and such innovations are typically considered their intellectual property rights.

Also, ‘anonymised data’ itself is controversial, what with advanced tech tools available to de-anonymise all kinds of data and identify the user.

Big Brother at play

While a strong data protection law is key to protecting individual privacy and fostering the growth of the digital economy, the looming worry is a combination of regulatory overlap and overreach across sectors and legislations. The Bill has also been rightly criticised for the overarching role of the data regulator, effectively reducing user privacy to a paper right.

For instance, the Central government can permit the processing of personal data without consent for performance of its state functions, compliance of law, etc. or exempt any government agency from the purview of the law in the interest of sovereignty and integrity, security of the State, public order, friendly relations with foreign states, etc.

This is virtually a carte-blanche to the state without even minimal safeguards or rights to the user and a marked departure from the three-fold requirement for a privacy law stipulated by the Supreme Court in its privacy judgement, i.e., (a) the law must justify the encroachment on privacy; (b) the nature and content of the law must be reasonable and a guarantee against arbitrary state action; and (c) pass the test of proportionality. Besides short-changing user privacy, this may result in increased regulatory confusion and compliance costs for businesses.

(The authors are Managing Partner and Partner, respectively, at Advaya Legal, a Mumbai-based law firm)

Published on December 27, 2020
