DATA PRIVACY IN INDIA: THROUGH THE LENS OF TECH GIANTS

This article has been authored by Kudrat Mann and Utkarsh Sharma, second year students at Dr. B.R. Ambedkar National Law University, Sonipat, Haryana.

Introduction

The closer we move towards advances in the field of electronic communication, the greater the threat to individual privacy becomes. The vulnerability of personal data also increases with increasing consumer statistics of online communication mediums.

Data has essentially become a tool for winning power battles across the world. Access to data is equivalent to access to political and defense secrets of a country sans cross-boundary disputes. This might lead to a neo-acquisition via cyber means. It is a mere oxymoron if one states that the content which is on tech platforms can be secured in light of the monopoly of data fiduciaries in processing personal information to customize their services at the cost of the breach of the privacy of the individual. The biggest stakeholders (except the citizens and the state) vis-à-vis data protection are the tech giants like WhatsApp and Facebook which came under the spotlight recently due to the update of WhatsApp’s privacy policy. This article attempts to analyse the said update from the point of tech giants and how they threaten user privacy.

Why Data Privacy is the talk of the town?

WhatsApp, a California based tech giant (with its parent company Facebook) has become the cause célèbre when the tech giant asked consent to update its privacy policy update to take metadata of the user device and share the information of business accounts on WhatsApp to Facebook and third parties to display targeted ads to the users. The above-mentioned consent is merely obligatory and users have no actual choice but to agree with the new terms and conditions failing which they will have to leave the platform after 15th May 2021.The app has confirmed that upon the user’s acceptance of the said update, the tech giant will be able to share user details like phone numbers and transaction data. With India being the largest consumer of WhatsApp with a userbase of 400 million, this shift in policy will invoke major effects on both India and WhatsApp. It is interesting to note that the aforesaid privacy policy is applicable everywhere except Europe, because of the stringent rules of General Data Protection Regulations of Europe.

Indian Legislation & Judicial Response towards Data Privacy

The aforementioned update in the privacy policy of WhatsApp makes it evident that tech giants play such moves for their business and to achieve profit-oriented goals at the cost of breach of data privacy of millions of global users who may be residing in countries data protection laws are not stringent. India is one of those states where there are no dedicated data protection laws till date. Few sections like Section 43A and Section 79 of Information Technology Act 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 govern data privacy in a limited scope as it only deals with protection of "Sensitive personal data or information of a person", which includes such personal information which consists of information relating to passwords, financial information, physical, physiological and mental health condition, Sexual orientation, Medical records and history, Biometric information.

The right to privacy has got its present status as a fundamental right after being long scrutinised and neglected by the judiciary in a series of judicial decisions since Independence. In the case of MP Sharma & others v. Satish Chandra the Apex Court held that the drafters of the Constitution did not intend to subject the power of search and seizure to the fundamental right of privacy. The Court opined that the language in the Indian Constitution is not similar to the fourth amendment of the U.S. Constitution and hence questioned the existence of the very right of privacy as a fundamental right.

In the case of Kharak Singh vs The State of U. P. & Others theSupreme Court upheld the clauses of the Police regulation except for the night domiciliary visits on the ground that the right to privacy is not a fundamental right guaranteed by the Constitution.

It was only in the case of Justice K.S. Puttaswamy (Retd) vs Union of India in 2017, where the Apex Court recognised the right to privacy as a fundamental right of the Constitution. The Court accorded individuals the right to privacy under Article 21 and as part of the freedoms guaranteed under Part III of the Constitution. This judgement acted as a catalyst in legislative attempts towards data privacy. A Committee was formed under Justice B.N. Srikrishna to devise a stringent legal framework on data privacy which further gave shape to the Data Protection Bill 2018.

The Data Protection Bill 2018 which is under consideration of the Joint Parliamentary Committee (JPC) deals with the provisions of personal data, sensitive personal data and critical data. This Bill shall govern the personal data by government, private entities and entities which are incorporated overseas. The Bill shall regulate the cross-border storage of data in which the data fiduciaries shall have to keep a serving copy of all personal data in a server located in India which can be broadly termed as data localization. The critical personal data as stated by the Central Government shall only be kept in the territory of India. The Bill also has provisions regarding the Data Protection Authority which can levy penalties on data breach which can attract a penalty of two per cent of the turnover worldwide of the previous financial year and five crore rupees.

Data Localisation- Immunity to Cross Border Transfer &- Impediment to Tech Giants

The concept of data localization is a celebrated concept of recent times as the states are looking for the security of personal data of their citizens and are planning to restrict the storage of data of the populace in foreign states. The Reserve Bank of India on similar lines introduced the concept through the guidelines of Storage of Payment system Data which directed all payment service providers to ensure that data relating to their payment systems should be stored in the jurisdiction of India. The Data Protection Bill 2018 also sheds light on the provisions of data localization especially in the aspect of cross border transfer of personal data. Critical personal data is the most prominent aspect to emphasize data localization in India.

The data localization shall help the state in securing personal data of the citizens which is also their fundamental right after the landmark judgement of 2017. The author believes that the said provision shall help in evading the circumstances of influencing the voters through social media in a particular state from foreign think tanks and research centers by collecting electoral behaviour of the voters which in turn shall protect the truest essence of democracy. The aforesaid provision shall also help the law enforcement agencies and cybersecurity cells in tracking and identifying the offenders. However, this provision will also face challenges of building infrastructure, financing and a skilled workforce to establish data storage centers.

The above-mentioned provision has several benefits in implementation particularly in the interest of the masses but simultaneously there are some genuine concerns on the side of tech giants. The major concern of the tech giants is that it will emphasize on a protectionist policy among the states and create a domino effect which shall further affect the ease of doing business, infrastructure as well as the financial and technological burden on them. Another major criticism of this provision is that it gives the state access to the data of the users which can be misused if the cybersecurity system of the state is weak which will further create a sense of apprehension among the user base of that particular state.

Way Forward & Conclusion

The Data Protection legislation is undoubtedly the need of the hour especially when the tech giants are getting access to the important information of individuals to such a large extent. There needs to be a consensus between the legislation of the state and the privacy policy of the tech platforms. The General Data Protection Regulation in Europe has now become a model regulation framework in drafting legislation on data privacy as it regulates the clauses of the privacy policy to a decent extent which was evident in its outcome in the recent case of WhatsApp privacy policy update. The tech giants should also frame their privacy policy in accordance with the user base in different countries along with the legislation on data privacy in different states. Tech giants should also understand that they should give states like India a preference in framing policy update because it is a hotspot for major tech companies and can affect the business of such companies because of its concern about the privacy of the user. Data Localization is a golden path for privacy issues but the legislation on the same should be formed only after maintaining the balance between the interest of the tech platforms, other stakeholders and the security of the masses.