Ali Waris Rao
Hackers utilize the data for generating wealth illegally; Corporates for generating wealth legally and the Government for keeping threats at bay and/or surveillance. There is no doubt that data is a valuable commodity. Though, the law seems to be trying to address various nuances concerning data protection and privacy questions over privacy-related damage and probable misuse abound.
Personal Data Protection & Privacy
Before delving into the niceties of the Personal Data Protection Bill, 2019 (Bill) it is relevant to note that the Supreme Court of India (SC) vide its judgment dated August 24, 2017 held that the right to privacy is a fundamental right. Interestingly, the SC also noted that
privacy of personal data and facts is an essential aspect of the right to privacy[
]. Apart from declaring that privacy is a fundamental right, the SC also acknowledged Informational Privacy to be a subset of the right to privacy.
This privacy judgment may entail wider implications insofar as the law governing data protection and privacy is concerned. The proposed Bill and the extant laws will now entail going through the strictures and/or frameworks concerning life and personal liberty of the citizens, as enumerated under Article 21 of the Constitution of India.
Consequent to the aforesaid privacy judgment rendered by the SC, an expert committee was led by Justice B.N Srikrishna to scrutinize the feasibility of a new law concerning data protection and privacy regarding its contours and limits surrounding the same.
Privacy as a concept is not absolute or unfettered and there is no one size fits all approach. It remains a challenge to ensure that the Bill satisfies the needs and requirements of every entity.
At this juncture, it is imperative to understand the extant legislations (other than the Bill) and/or policies surrounding data protection and privacy. Apart from the regional legislations concerning data protection and privacy, the personal data of citizens is also protected via concomitant safeguards developed by the Courts.
The extant legislations are primarily regional in nature, but not limited to, the applicable provisions of the Information Technology Act, 2000 and the relevant rules framed thereunder, the Aadhaar (Targeted Delivery of Financial and Other Subsidies Act) 2016, and the like.
Moreover, numerous entities in highly regulated sectors such as banking and financial services, telecommunications space are also amenable to information technology and confidentiality obligations.
Yet, two questions beg innumerable consideration(s). What measures ought to be taken to duly protect the personal and confidential data of the citizens till the time the Bill is enforced as a law are regional legislations apposite to address the same? Is there a requirement to legislate and enforce a distinct – an all-encompassing law concerning surveillance?
It appears that we are currently functioning in a legal vacuum. India does not address the issue of surveillance appositely as there is no (principal) surveillance law. Matters concerning national interest and security have been laid out simply by the Executive.
Hence, a legislation governing not only data protection and privacy but, also necessitating the Union / Government to obey the prescribed data protection (including surveillance) rules warrants urgent necessity.
The Bill & The Way Forward
The Bill has tried to address various issues surrounding the collection, process and utilization of personal and sensitive data by numerous entities. It seeks to suggest a pre-emptive approach that hinges onto excessive governmental involvement and supposedly fortifies the Government. As a result, it may lead to a probable upsurge in compliance-related costs for Corporates or other entities thereby leading to disturbing watering-down of the data privacy in relation to the Government.
Further, the Bill intends to safeguard the privacy of the citizens by establishing a pre-emptive system that controls how entities collect, process and utilize personal or sensitive data, rather than protecting the citizens privacy due to the resulting damage being caused by the perpetual infringement of the aforementioned privacy.
Besides, the proposed Bill is problematic when it comes to the fortification of the citizens privacy as it considerably reinforces the Governments part in the digital space and consequently leads to increasing surveillance. In this regard, it is likely that India as a digital economy may observe disastrous outcomes concerning novelty in the digital space.
The Jio-Facebook deal wherein Facebook acquired a 9.99% stake in Jio platforms appears to be troublesome. Both the Conglomerates now have entry to copious amounts of personal data. Pending the enactment of the Bill into a legislation, the collection of personal data would be subject to their privacy policies.
Nevertheless, what is worrisome is that the users have not been provided with adequate information as to why or what plans the entity has regarding their personal data, and I dont think most users understand the meaning of the terms Data Policy or Privacy Policy.
If one were to study Facebooks privacy and data policy, it sets forth distinct data distribution arrangements not only with its users but, also third-party partners. Popular Facebook products like Instagram and Messenger are (behind-the-scenes) disseminating significant amounts of data. Meanwhile, WhatsApp acquired by Facebook in 2014 already shares extant systems, processes, technology and apposite infrastructure with a view to provide its users a stable and reliable experience across its business eco-system.
This exemplifies my worried state concerning the Jio-Facebook deal, amongst others, as India does not have a data protection regime. In this absence nobody can stop the two Conglomerates beyond their morals, values and ethics to stop the collection & dissemination of personal data. Of course, one can drag them to the Court(s) of law but, sans any legal or regulatory framework in place, things might get out of hand. Hence, it is desirable to implement the Bill at the earliest in order to safeguard our privacy we so badly deserve.
Ali Waris Rao is an in-house legal counsel at Hindalco Industries Ltd., Aditya Birla Group. The views expressed are personal and have no bearing on the firm he represents or on Qrius