Cyber Privacy and the Indian Law
The use of the internet for social media, communication, business, and e-commerce over the past years has become all-pervasive. While this has augmented many facets of our daily life, the advancement in technology has concurrently ushered in a multitude of unforeseen challenges, the key one being the rising threat to personal privacy in the online ecosystem.
Even though the internet and its services have been around for a while, the real dangers to privacy did not emerge until recent years, with the increased use of novel and advanced technologies. As a result, concerns about privacy intrusion have significantly increased across the globe, as new adaptations and forms of personal information such as social credentials, banking details, travel history, unique identifiers like biometrics etc. are now extensively available online.
The most common instance of storage and distribution of personal data is search history. Have you ever noticed how, after searching for a product or service on Google, Amazon, Flipkart, eBay etc., you immediately start seeing ads for the same? Conspiracy theorists would have you believe that it is Big Brother spying on you. However, the reality is actually much more sinister. No, you are not being spied upon and there is no Big Brother. Once you search for something on these websites, they ‘accept’ your request and send you the data you want. Then they turn around, open their giant metal cabinets, and catalogue and store your search. After you leave, they want you to come back, because more traffic means more money. So, they dive into the giant metal cabinet, locate your search history, and share it with the different apps and websites they have partnered with, to try and lure you back.
All this leads to some simple conclusions:
- Various websites all across the internet are tracking your movements.
- This movement data is being sold, transferred, and/or shared with other websites and third-party services.
Known as data brokers, these companies collect, analyse, and package a user’s sensitive personal information and sell it as a commodity not only to each other or advertisers but sometimes even to governments. And often all of this happens without the user’s direct knowledge.
Now, most of these data brokers participate in benign consumer marketing, which has been going on for years. What changed, however, is the volume and nature of the data being mined through the internet via a user’s personal computers, laptops, mobile devices, smart home accessories etc. This has directly fuelled a multi-billion dollar industry that operates in the shadows with virtually no oversight.
Many countries have introduced complex and exhaustive legal frameworks such as the Data Protection Act, 1998 of the UK, the Electronic Communications Privacy Act, 1986 of the USA, and more recently, the immensely exhaustive framework of General Data Protection Regulation (‘GDPR’), 2018 enacted by the EU, to prevent the misuse of personal private data by the entities which collect them.
India has handled these cyber challenges through the Information Technology Act, 2008 (‘IT Act’), which was built with e-commerce as its focus, not cyber privacy. Although not exhaustive, the IT Act does provide some remedies to the Indian populace if their privacy is invaded through cyberspace, by enabling:
- compensation for failure to protect data by a data centre/data broker (Section 43(A));
- imprisonment of up to three (3) years and/or fine of two (2) lakh rupees if found guilty of violating the privacy of another through electronic means, i.e., capturing, publishing or transmitting images of another which are private in nature (Section 66(E));
- imprisonment of up to two (2) years and/or fine of one (1) lakh rupees if someone is found guilty of disclosing the content of any database to which they have secure access to someone who does not have secure access (Section 72);
- imprisonment of up to three (3) years and/or fine of five (5) lakh rupees if someone is found guilty of disclosing personal information of another which was obtained while having secure access under a lawful contract with the intent of causing harm or loss to the person or for their own gain (Section 72(A)).
In today’s day and age, multiple projects such as Aadhaar, National Intelligence Grid, Central Monitoring System etc. have been implemented by the Government without effective governing bodies or answerable superiors, coupled with the notion of potentially unregulated access to the personal information of private individuals. It is therefore necessary for the Indian legislature to realize that a comprehensive and exhaustive framework for the protection and regulation of Cyber Privacy is the need of the hour.
The Personal Data Protection Bill 2019 – India’s Solution
In this regard, and after the landmark judgment by the Supreme Court of India in 2017 in the case of “Justice K.S. Puttaswamy (Retd.) vs. Union of India” announcing that the right to privacy is a constitutional right, the Ministry of Electronics and Information Technology set up a committee to closely study the issues around data protection, especially in the Indian context. Chaired by the retired Supreme Court Judge Justice B. N. Srikrishna, the committee submitted a draft of the Personal Data Protection Bill (‘the bill’) in July 2018. It was revised and re-written by the administration of Prime Minister Narendra Modi in 2019, placed before the Cabinet Ministry and approved on 4th of December 2019. On 11th of December 2019 it was introduced in the Lok Sabha and has been referred to a standing committee whose report is due by the last week of the Budget Session, 2020.
The bill defines categories of sensitive personal data, critical data and general data which are to be protected and seeks to establish a Data Protection Authority to carry out and enforce its provisions. The primary highlights of the bill are –
- companies in the “data fiduciary” role should obtain informed consent from individuals before processing their sensitive personal data;
- personal data of the Indian populace should be stored on servers located within India. Non-compliance with these two provisions by a data fiduciary could lead to a penalty of either Rs. 15 Crore or 4% of their annual turnover, whichever is higher;
- citizens should be allowed to withdraw consent and prevent disclosure of their private personal data. Processing personal data which has been withdrawn by the citizen would carry a prison sentence of up to three (3) years with additional penalties; and
- companies in the “data fiduciary” role should conduct periodic data audits. If a “data fiduciary” does not comply then it would face a penalty of either Rs. 5 Crore or 2% of its annual turnover, whichever is higher.
At first blush, the bill appears to be all good news. It is meant to improve the handling of data and data privacy outcomes in a way that is similar to the GDPR. But the two differ in at least two key areas.
- Firstly, if the Indian Government seeks access to the data of its populace for keeping the security of the state, keeping public order, protecting the sovereignty and integrity of India, or maintaining friendly relations with foreign states, then the bill would grant unfettered access to the Indian Government, even compelling private companies to do the same. It would include data such as fingerprint and iris scans which are a part of the Aadhaar system, detailed surveys of individuals and households receiving government benefits, the internet search and browsing history of individuals etc.
- Equally concerning are the powers granted to the Central Government for handing out exemptions to its agencies by claiming anything mentioned above. This leads to further dilution of, and lack of control and oversight over, the use and exposure of private personal data.
Therefore, in effect, there exists a backdoor to all online accounts of the Indian populace which could be opened with relatively minimal effort providing the Indian Government with unprecedented access to the personal and private data of the Indian populace.
Justice (Retd.) B.N. Srikrishna stated that the bill he had proposed and drafted would have been equally applicable to the government as it was to the private citizens. The bill’s dilution has created an uneven and biased playing field which will only serve to raise questions and foster concerns in the stakeholders. It also opens up a world of possibilities of misuse of data by the Indian Government, its ancillary bodies and any third-party contractors appointed by it.