India’s Data Privacy Framework: What we can decide, we can undecide
By Zisha Rizvi.
But stare decisis teaches that we should exercise that authority sparingly.
“In this world, with great power there must also come—great responsibility”
Cf. S. Lee and S. Ditko, Amazing Fantasy No. 15: “Spider-Man,” p. 13 (1962) Kagan, J. , Kimble vs Marvel, US Supreme Court
The fate of India’s proposed Personal Data Protection (PDP) Bill came to the crossroads of accountability, policymaking and doing business with ease. Alas, the Bill never saw the light of the day.
On 3rd August 2022, Government of India withdrew the Personal Data Protection (PDP) Bill - a decision that has stirred a resh discourse around data protection and the right to privacy. For the novice, India’s proposed PDP legislation was years in the making. When 81 amendments to an already 99 clause bill were proposed by the Joint Parliamentary Committee (JPC) and the stakeholders, the Government deemed it fit to scrap the bill and start over from scratch. Only time will tell whether this was the best move or not. For now, we must reassess where we are with regards to data protection legislation in India.
Let us start by understanding what is ‘personal data’?
Personal Data is any information that identifies, describes or relates to a natural person and can include amongst other things, name of a person or an online identifier like email address or IP address. Personal Information must not be confused with confidential information.
While this may seem like a straightforward definition of Personal Information, there are many nuances surrounding Personal Information. For instance, some types of data if leaked, may be misused or potentially cause harm to the concerned individual, like the sexual orientation of an individual. Such types of data are classified as ‘sensitive personal data’ under major data privacy legislations.
An individual or a household may be identified directly through its personal information like in the case of a person’s name or address. In other cases, an individual can be indirectly identified if different sets of data are used together. Broadly, information like ethnicity, race, sexual orientation, criminal proceedings, health information will fall into this category. The latter creates a complex problem because it means that general data which may be viewed as ‘non-personal information’ may be used in different combinations to find personal information. For example, early research by Arvind Narayanan and Vitaly Shmatikov at University of Texas at Austin where they worked on de-anonymizing Netflix data showed that such data when combined with other data sets, such as timestamps with public information from the Internet Movie Database (IMDb), could reveal personal movie choices.
Why is there a need for any data privacy law at all?
There was once a point when a US Congressperson stated that controlling the internet was like nailing jello to the wall. However, today’s reality is a paradigm shift from that perspective. The cyberspace landscape is changing globally and free flow of data is not a reality anymore. Today, there are new sets of national legislations stemming from economic and security concerns that have led to a growing fragmentation of the internet. Therefore, nations must do more to keep pace with this changing reality and key concepts like ‘data localization’, ‘digital trade agreements’, and the right to ‘data privacy’ have to be addressed more openly at the policy making level. India, with a growing offshore market and a humongous consumer base cannot afford to be oblivious.
Now to understand in simpler terms what does data privacy mean, let us look at a 2019 case study. To understand the case study, consider an instance where you may have had a discussion and then subsequently observed relevant ads popping up on your social media pages. Whether or not this has actually happened to you, it’s a common experience of many and should help you relate to the central theme of the case study.
CASE STUDY: LA LIGA
La Liga, the Spanish football league, has its own app, available in both android and iOS versions. It was alleged that the android version of the app came with a bonus feature - it allowed the microphone of the user’s mobile phone to turn on during live matches in order to listen to a special audio signal during televised matches. La Liga argued that this was because they wanted to cross reference the audio linking with location data to figure out what restaurants or pubs were broadcasting the match without paying a license fee. La Liga further argued that they lost almost 170M USD annually to piracy and needed a mechanism to curb the problem.
The Spanish Data Privacy Authority found that La Liga failed to obtain proper ‘consent’ from the users and therefore fined La Liga 250,000 Euros.
The above case study precisely addresses the power that ‘control’ over data affords to the ‘controller’. The reason there is a growing discussion on concepts like data privacy, consent, control, processing and accountability of data is because in today’s world it is this data that can be used to help mold consumer behavior, influence political discourse and so much more. Data is the new oil and businesses increasingly understand this, so do governments, and so should individuals.
What is the current privacy landscape in India?
Most companies doing business in India that have global operations understand the extra territorial reach of the GDPR and its implications. This means on the face of it, most companies process personal data responsibly.
Even for such companies though, we must ask whose data is being processed responsibly? GDPR is applicable to EU subjects. This means that data of Indian citizens does not necessarily get processed the same way. Other companies (barring specific sectors) that lack global operations but do still handle personal data of Indian subjects possibly may not fall under any regulatory net at present.
India has recognized the right to privacy as a fundamental right, which means that the right to privacy has constitutional protection. In simpler terms, one can approach the higher judiciary under Article 126 and 226 in case of a violation of this fundamental right. However, in the absence of any well-defined legislation, the judiciary is left to apply principles of natural justice, rule of law and precedents. Even then, the fate of such complainants will be determined on a case to case basis. There is no shame in admitting that in a high population country like India, the judiciary is clearly overburdened and understaffed for this task. Therefore, the need is pressing some form of unified data protection legislation.
That said, there is no complete lacunae when it comes to data protection in India. There are examples of sectoral regulations and the Criminal Procedure Code (CrPC), which do govern the data protection to some degree. However, an analysis of these bring to light some inherent problems.
For example, specific sections of the IT law apply to only corporates, which means that the government’s use of an individual’s personal data is still not regulated.
On the other hand, the CrPC has different processes of accountability for private and public players. This brings us to Schrems II. Clearly, the wide-ranging rights of access and control by Indian authorities does not pass the standards set out in Schrems II.
What went wrong with the proposed PDP Bill?
There is not a single direct answer to this question. However, the most logical interpretation of the entire fiasco would seem to revolve around the words ‘accountability’, ‘data localization’ and ‘enforcement mechanism’. If we look closely at the different models adopted by the major players - the EU and the US - there seems to be one striking dissimilarity. This is with regards to self-regulation and rights of the government authorities.
This issue was also discussed in the White Paper Of The Committee Of Experts On A Data Protection Framework For India, which looked at the different models of enforcement currently in play. It summed up three models: (i) self-regulation model, (ii) command and control model, and (iii) co-regulation model. The paper advocated for a co-regulation model. But the issues were deeper in terms of the added regulatory burden and the cost of doing business in India. In a way the government has taken a step back because it is mindful of the impact a PDP legislation will have on businesses. There is no denying that some major offshore centers have sprung up in India and are catering to global businesses at a fraction of the cost. Bringing in a robust system while pacifying the needs of Indian data subjects would likely have a significant economic impact. At the same time, it would reduce the autonomy of the authorities.
Way forward
No matter which way this goes, the underlying principle is that the compliance burden on businesses will be huge, particularly with higher costs, which will likely hit start-ups the hardest. So withdrawing the Bill in totality can also be seen as a tactical move by the authorities to wipe the slate clean. Experts say that the recommendations of the JPC may now result in two separate legislations being created, one that overhauls the existing IT laws by bringing in a Digital Trade Act and a second one that addresses the regulation of data privacy. From the lens of businesses operating in India, there may be a short sigh of relief and an opportunity to work on some degree of self-regulation, in order to not end up on the wrong side of the law, once (and if) the new laws do come into effect.
Morae has been supporting global businesses and their compliance functions, specifically with regards to data privacy laws compliance across North America, Europe and Asia. If you operate a business in India and wish to understand more about how to maintain global best practices with regards to data privacy, get in touch with us.
Update: India has recently introduced the revised PDP Bill, watch this space for insights into the new law.
References
Articles and News
1. Why anonymous data sometimes isn‘t, (Bruce Schneier) (12 December 2017, the Wired)
2. Court upholds Spanish football league’s GDPR fine (Bethan John) (09 May 2022, Global Data Review)
3. India Is Moving To Replace Two Decade Old IT Act With New Digital India Act (Viiraj Gaur) (11 April 2022, the Quint)
Case law
4. Kimble v. Marvel Entertainment, LLC, 576 U.S. 446
5. Justice K. S. Puttuswamy (Retd.) and Anr. vs Union Of India And Ors. ((2017) 10 SCC 1)
6. Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (C-311/18) (Schrems II)
Statues
7. Information Technology Act 2008, Section 43, The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021
8. General Data Protection Regulation (EU GDPR) Regulation (EU) 2016/679
Reports and Papers
9. India Justice Report by Tata Trusts (2020) (available here)
10. White Paper on Data Privacy in India by the Ministry of Electronics and Information Technology (available at https://www.meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_171127_final_v2.pdf) (Page 34, 3.2)
About the Author
Zisha is an Associate Manager in the Legal Managed Services Group at Morae. She works closely alongside Morae’s clients in the corporate legal departments, largely focusing on commercial contracts advisory and policy making.
