ARTICLE
16 July 2021
Mondaq Thought Leadership Award Winner

Privacy In India: Data Protection Bill And OTT Regulations

SO
S&A Law Offices

Contributor

S&A Law Offices is a full-service law firm comprising experienced, well-recognized and accomplished professionals. S&A Law Offices aims to provide its clients (both domestic and international) with top-quality counsel and legal insights, which combines the Firm's innovative approach with comprehensive expertise across industries and a broad spectrum of modalities. Being a full-service law firm, we take pride in having the capability of providing impeccable legal solutions across various practice areas and industries and makes an endeavor to provide a 360 degree legal solution. With registered office at Gurugram and other strategically located offices in New Delhi, Mumbai, and Bengaluru, along with associate offices across India, S&A is fully equipped to provide legal services on a pan-India basis.
Ban of mobile applications on the ground of data protection raises a grave question - Does our country have stronger laws related to data protection? In this era, data is so important that a...
India Privacy

 Ban of mobile applications on the ground of data  protection raises a grave question - Does our country  have stronger laws related to data protection? In this  era, data is so important that a country can wage war  against another for same; the war so waged is called  Cyberwarfare. But does our country have data  protection laws that are strong enough to protect our  country's data from being misused or transmitted to  any other country?The current Information Technology  Act, 2000, already needs major amendments due to  the ever-developing sector, and to protect the personal  data of the citizens of this country, there is an exigent  need for a legislation protecting the same. The Personal  Data Protection Bill was introduced in 2018 but in 2019  it was re-introduced with changes as Personal Data  Protection Bill, 2019.

PRESENT LAWS

Presently India has a bunch of laws and regulations but  there is no specific regulation that deals with the  protection of data laws in India. India has the  Information Technology Act, 2000, and Information  Technology (Reasonable Security Practices and  Procedures and Sensitive Personal Data or Information)  Rules, 2011 under which sections 43A and 72A of the  Act are related to data protection. Section 43A talks  about compensation on the failure to protect data  while section 72A deals with punishment for disclosure  of information in breach of lawful content. Under  Section 72A imprisonment is for a term which may  extend to three years or with fine which may extend to  Rupees Five Lakh or both. The Information Technology  Rules, 2011 protect the personal information and  sensitive personal information for which a corporate  body needs to obtain consent before disclosing  information. But there is no law or regulation which  covers data protection in India and in the present postpandemic situation, differences with other countries  have arisen making it imperative for India to have data  protection.

PERSONAL DATA PROTECTION BILL, 2019

The Personal Data Protection Bill, 2019, in which major  changes were made from the Personal Data Protection  Bill, 2018, aims to protect its citizens' personal and  sensitive information making it an obligation on the  data fiduciary or data processor from the misusing  data. This bill applies to companies processing personal  data which are government companies incorporated  in India and foreign companies dealing with personal  data of individuals in India and these are called as Data  Fiduciaries. As per Section 3(13) of 2019 bill, data  fiduciary means any person, including the state, a  company, any juristic entity or any individual who  alone or in conjunction with others, determines the  purpose and means of processing data. As per the bill,  this fiduciary has the obligation that the data will be  processed fairly and reasonably and will ensure the  privacy of the individual1  whose personal information  is being processed also known as the data principal. A  data fiduciary needs to give data principal notice of  data collected or processed2 , the data fiduciary cannot  retain any personal data beyond the period necessary.  It can retain data for longer time only if the condition  has been taken from the data principal. It is the  obligation of the data fiduciary to take necessary  consent from the data principal at the commencement  of its processing3 .   

As per sections 12, 13, and 14 of the 2019 bill, the data  can be processed without the consent also but only in  a limited manner as per provision of the bill. The data  fiduciary is also obligated for implementation of  security to safeguard the data and instituting grievance  redressal. The bill also discusses rights of data principal  like obtaining confirmation on data that has been  processed, the data principal will have the right to  access the information in one place, can seek correction,  can transfer personal data to any other fiduciary and  can also restrict continuing disclosure of data by the fiduciary4 .   The bill assures transparency as well as the  accountability of the data fiduciary.

 The bill has provisions of transparency and  accountability whereby data fiduciary is obligated to  maintain transparency in processing the data,  implementing security safeguards, reporting of data  breach, maintenance of records, audit, appointment of  Data Protection Officer and have in place a grievance  redressal mechanism. The bill has provision of transfer  of data outside India to an entity or organization where  the central government has allowed such transfer of  data by the data fiduciary only on a condition to the  consent of data fiduciary and conditions mentioned in  Section 34 i.e., in case of health service or emergency  service. But the central government can exempt any of  its agencies from the provisions of the bill in the interest  of the security of the state, public order, sovereignty  and integrity of India and friendly relations with foreign  states, and for preventing incitement to the commission  of any cognizable offence. Processing of personal data  is also exempted from provisions of the bill for certain  other purposes for prevention, investigation, or  prosecution of any offence, or personal, domestic, or  journalistic purposes5 .

The bill has a provision of penalty that contravenes  with the bill as for processing or transferring personal  data in violation of the bill is punishable with a fine of  Rs 15 crore or 4% of the annual turnover of the fiduciary,  whichever is higher, and on failure to conduct a data  audit, punishable with a fine of five crore rupees or 2%  of the annual turnover of the fiduciary, whichever is  higher. Re-identification and processing of deidentified personal data without the consent of data  principal are punishable with imprisonment up to  three years, or fine, or both.6 For better enforcement, a  data protection authority and appellate tribunal will be  set up for safeguarding the right of data principals. As  per the bill, section 43 A and section 87(2)(ob) of the  Information Technology Act, 2000 shall be omitted.

APPLICABILITY OF DATA PROTECTION BILL,  2019 IN THE PRESENT SCENARIO

The important question that arises today is whether  the 2019 bill will be impactful in a situation like the present where the data stored is being processed or  transmitted to another country impacting the security  and privacy of the country. The 2019 bill has provision  under section 33 and 34 to regulate such a situation  where data fiduciary transmits the data to another  country. If the data fiduciary knowingly contravenes  the provision of the bill it will be liable for a penalty  which may extend to Rupees Fifteen Crores or Four  Percent of the worldwide turnover of the preceding  financial year whichever is higher. In the present era,  there have been seen multiple violations of data by the  social media intermediaries and the bill strives to cover  them as well. The bill defines social media intermediaries  to include the same and all such intermediaries which  have users above a notified threshold and whose  actions can impact electoral democracy or public  order, have obligations to provide a voluntary user  verification mechanism for users in India. The data bill  has covered the major problems faced in the pandemic  like storing of data without data principal knowing that  its data is being stored or processed by the data  fiduciary. The data bill covers significant problems the  country faces in the present scenario as the data  violation can be by any so keeping open the definition  of data fiduciary the bill has tried to cover maximum  entities or organisations.

OTT REGULATIONS

The Information Technology (Guidelines for  Intermediaries and Digital Media Ethics Code) Rules of  20217  have been enacted by the Central Government  under the powers conferred to it by Sections 69 A (2),  79 (2) (c) and 87 of the Information Technology Act,  with harmonization with the Ministry of Electronics  and Information Technology and the Ministry of  Information and Broadcasting. The formulation of  these Rules is in response to the growing criticism  against the government, while it recognizes the right  to criticize and disagree as an essential element of this  country's democracy. The government in its press  release8  has expressed the view that there have been  widespread concerns about issues relating to digital  contents both on digital media and OTT platforms or  certification. A number of PILs as well as other cases  against OTT platforms were also filed before various  High Courts of the country and before the Supreme Court of India, calling for regulation of content that  was being aired through the OTT platforms. While the  objective of the Rules was to provide a robust complaint  mechanism for social media and OTT platform users to  address their grievances, the outcome of these is yet to  be seen.

The Rules emphasize the need of social media  intermediaries and online content providers to strictly  comply with the Constitution and domestic laws of  India and also to instil a sense of accountability against  misuse and abuse by social media users and is the first  of its kind to bring social media use under the regulatory  framework of the Information Technology Act. There  have been numerous controversies where the creators  either pre-emptively removed the entire episode or  deleted a few scenes, based on political malice ("The  John Oliver Show", "Patriot Act", "Madam Secretary") or  invited confrontations because of religious backfiring  ("Tanishq", "A Suitable Boy")

In September 2020, OTTs, including Disney+Hotstar,  Amazon Prime Video and Netflix, delivered a selfregulatory code named, "Universal Self-Regulation  Code for Online Curated Content Providers", however it  couldn't gather government support.

The solid rights contention against censorship, which  frequently comes in the semblance of regulation, is  that the substance is on-demand, where watchers have  the option to pay and in this manner pick what they  want to watch. On the other hand, the contentions  against self-regulation are that the OTT platforms need  lucidity with regards to specifying all manners of  regulation and that nobody ought to be a judge in  their own cause (there being an irreconcilable situation  and a conflict of interest of OTTs with the complainants).

All things considered, there is no solid argument that  after censorship or possible certification or even  regulation, there would not be resistance to it. For  example, movies like 'Padmaavat' and 'Udta Punjab'  had pulled in significant discussions and controversies  even after they were certified by the CBFC. Even  'Tandav', a web series which aired over Amazon Prime  Video, ran into controversy and the I & B Ministry  summoned Amazon Prime officials and the makers  thanked the Ministry for "guidance and support" while  deleting the dubious scenes. This apparently set a  perilous point of reference for the content makers on  OTT platforms as in spite of not being legally bound to  do so, OTTs have been self-censoring their content.  Envision what might unfurl when they would be  lawfully bound to this, with the government sitting on  their terrace!

In Shreya Singhal v. Union of India9 , the Supreme Court  ruled that "online user-generated content cannot be  censored until there is a direct incitement to violence", but  delegated the question of on-demand content, like  that provided by OTTs, to the IT Act.

In Life Insurance Corporation of India v. Prof. Manubhai D.  Shah10, as Doordarshan refused to broadcast "Beyond  Genocide", a documentary on the Bhopal gas tragedy,  the Hon'ble Supreme Court of India agreed with the  ruling of the hon'ble High Court's ruling that stopping  the broadcast would restrain freedom of speech and  expression.

Yet again, in  Bobby Art International & Ors. v. Om Pal  Singh Hoon & Ors.11, the Supreme Court held that "the  producers' right to freedom of expression could not be  restricted".

Reiterating  K.A. Abbas v. Union of India12, wherein M.  Hidayatullah, C.J., held that, "the standards that we set  for our censors must make a substantial allowance in  favour of freedom thus leaving a vast area for creative art  to interpret life and society with some of its foibles along  with what is good", the Supreme Court in Bobby Art held  that films dealing with socially relevant themes  must be subjected to the least censorship.

Indian courts, more often than not, have taken a stance  in favour of free speech, which is the second greatest  constitutional right after right to life and personal  liberty. The Karnataka High Court in  Padmanabh  Shankar v. Union Of India13 (2019) rightly pointed out  that "content aired over OTT platforms are not public  exhibitions and should not be censored on the reasoning  as absurd as 'social interests matter over individual  freedom' (See K.A. Abbas case).

Censorship in the semblance of regulation, which the  Rules are set to do, will debilitate political suppositions  and innovativeness. This may prompt the creation of  limited perspective content that we for the most part  see on TV or in theatres. The regulation will likewise  chillingly affect free speech as makers would now forgo  portraying scenes drawing in attention and  controversies even in an equal world.

A self-regulatory body may be more beneficial as the  crowd will have the choice to watch assorted types of  artistic presentations as opposed to being fed  propaganda through conservative portrayals and  limited views. In any case, OTTs ought to give proper  disclaimers and age verification mechanisms for  specific kinds of content.

Footnotes

1 Section 5 of Personal Data Protection Bill,2019

2 Section 7 of Personal Data Protection Bill,2019

3 Section 11 of Personal Data Protection Bill,2019

4 Section 20 of Personal Data Protection Bill,2019

5 https://www.prsindia.org/billtrack/personal-data-protection-bill-2019 (last visited on 25.03.2021)

6 Supra note

7 https://www.livelaw.in/pdf_upload/it-rules-2021--389746.pdf (last visited on 25.03.2021)

8 https://www.pib.gov.in/PressReleseDetail.aspx?PRID=1700766 (last visited on 25.03.2021)

9 Shreya Singhal vs. Union of India (2015) 5 SCC 1

10 Life Insurance Corporation of India vs. Prof. Manubhai D. Shah (1992) 3 SCC 637

11 Bobby Art International & Ors. vs. Om Pal Singh Hoon & Ors. (1996) 4 SCC 1

12 K. A. Abbas vs. Union of India (1970) 2 SCC 780

13 Padmanabh Shankar vs. Union of India 2019 SCC OnLine Kar 3087

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More