The past couple of years have been very exciting for data privacy enthusiasts in India. They began with the Supreme Court of India's judgement in Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors., which enunciated the Right to Privacy as a fundamental right falling under Article 21 of the Indian Constitution, which guarantees Protection Of Life And Personal Liberty. They continued with the introduction of the Personal Data Protection Bill, 2018 and its revision, following comments from stakeholders and the public, into the Personal Data Protection Bill, 2019 (hereinafter PDP Bill). For a growing technology-based economy and a country with one of the highest per capita rates of internet consumption, it is safe to say that the introduction of the privacy charter in the Indian legal sphere will be game changing.
The current legal framework in India pertaining to technology laws and data privacy is derived from the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Personal Data Rules). Although the IT Act does its fair bit to protect the rights of citizens in the virtual sphere and to redress any damages or injuries they suffer through misuse of technology, it does not adequately address the multifaceted spectrum of issues and precautions pertaining to Personal Data, and it does not address the right to data privacy of individuals at all.
In an effort to understand why this is problematic, let us examine the fairly recent decision by the Ministry of Information Technology (MeitY), which, invoking its powers under section 69A of the IT Act read with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009, and in view of the emergent nature of threats as well as the rise of tensions on the Indo-Chinese borders, decided to ban 59 mobile applications or apps of Chinese origin.
A press release by the Government dated June 29, 2020 states that the decision was taken after information was received suggesting that these apps were engaged in activities prejudicial to the sovereignty and integrity of India. This was followed by the decision to ban another 47 apps on July 27, 2020, which were functioning as clones of the previously banned apps, and by another 118 apps being banned on September 02, 2020. To someone who is new to the privacy debate, this may sound like a triumph of the Indian Government; to those of us who have been interacting in this sphere, it confirmed our worst fears: the Indian cyberspace is at the mercy of the world, and our citizens have no legal and quantifiable protection against the collection, processing and potential weaponisation of their Personal Data.
The Personal Data Rules introduce the concept of Personal Data; however, they fail to provide cohesive instructions pertaining to the handling of data or the specific responsibilities of all entities and stakeholders, such as organizations collecting Personal Data and the intermediaries or third parties involved in the processing or storage of Personal Data. One of the most crucial issues under the current legal framework is that foreign entities not registered under Indian law are allowed to collect, store and process sensitive personal data. This is problematic on two counts: (i) no verification of entities collecting personal data of citizens can be carried out, as there may not be a certifiable way to do so, thereby increasing the risk of misappropriation of the Personal Data; and (ii) in case of any misappropriation of the Personal Data, there is no way to seek adequate redressal, since the entities are not registered under Indian laws and therefore the exercise of jurisdiction on the relevant matter by a competent court may be a lengthy and tiresome process.
This is an oversight which has allowed various foreign entities not only to constantly collect, store and process Personal Data of Indian citizens but also to enter into valid and binding contracts with them, such as through the Privacy Policies and Terms and Conditions of Use (both being applicable and enforceable legal instruments under law) of websites and devices alike, thus permeating the legal sanctity of these legal instruments with enforceability and jurisdictional issues.
This is where the need for an appropriate legal framework safeguarding data privacy becomes crucial. The Personal Data of Indian citizens must be treated with the same importance as the tangible national resources of the country; the inability of the Government to exercise control over the Personal Data of its citizens may not only cause undue and unauthorized exploitation of the same but also endanger the national security and sovereignty of the nation.
The PDP Bill strives to provide the necessary legal framework pertaining to various stakeholders involved in the handling of sensitive personal data or information. It embodies in its structure the rights and duties of entities collecting personal data and of the person providing such Personal Data (while making adequate provisions for Personal Data of children), as well as the manner in which the transfer of Personal Data shall be done either within the country or outside the territory of India. The PDP Bill also carves out penalties for the contravention of its provisions as well as offences pertaining to misappropriation of Personal Data.
Further, the PDP Bill addresses two crucial points. The first is the obligations of Significant Data Fiduciaries, which are entities processing high volumes of Personal Data, thereby imbuing the legislation with the necessary checks and balances. The second is the introduction of the Right to be Forgotten, an indispensable extension of the Right to Privacy, through various mechanisms like anonymization and de-identification of Personal Data. However, from a technical standpoint, these mechanisms are not enough to safeguard an individual's Right to Privacy. For the Right to be Forgotten to be upheld in a true sense, organisations must configure their internal technical framework not just to randomise the data through protocols like anonymization and de-identification but in fact to unlearn and forget the data points which are associated with the individual. The true meaning of "The Right to be Forgotten" should be to enable a Clean-Slate Protocol in the most nuanced sense, with no data being left behind for revival, as and when necessary. Organisations may, however, for record-keeping purposes store the entire set of data in compliance with data retention regulations, if any, but they must work towards ensuring that the learnt recommendation model unlearns the data points belonging to any person who may elect to exercise their right to be forgotten.
However, the shortcomings of the PDP Bill lie in the unfettered power it provides to the Government to circumvent an individual's Right to Privacy. This is in direct contrast to the solidified presence and unaltering characteristics of Fundamental Rights. Therefore, it is critical that a legislation aimed at providing safeguards and structure to the Fundamental Right to Privacy does not empower the Government to disperse the same at its own justification, an action which will not only be ultra vires the legislative arm of the country but also defeat the very purpose of the law, given the impermeability of the Constitutional and Fundamental Right to Life and Liberty under the aegis of which the Right to Privacy has been envisaged.
While it is clear that India's overdue appointment with Data Privacy has a few more hours until it begins, nothing stops its citizens and its corporations from undertaking self-governance in their practices for safeguarding the Right to Privacy, which has been guaranteed by the Constitution of India, a charter of the people, for the people and by the people.
Views are personal.
(Author is a Practicing Lawyer at Mumbai)