The need to address modern privacy issues and protect data privacy rights is a global trend and necessity. In India, the Personal Data Protection Bill of 2019 (“PDP Bill”) was expected to control, govern, manage and shape the future of India's data-driven geopolitical landscape. However, after more than four years in the pipeline and several different avatars, the Indian government withdrew the draft PDP Bill at the start of August. This sudden withdrawal came as a shock, since the draft had been projected to overhaul India's current data protection regime, which continues to be governed by the archaic Information Technology Act, 2000.
To set the context briefly, back in 2018 a panel led by Justice Srikrishna, a retired Supreme Court judge, prepared a draft bill on data protection, which was introduced in 2019. Stakeholder comments were invited and, upon receipt, a Joint Committee of Parliament reviewed them and provided its recommendations along with a draft Bill in November 2021. Significant time was invested before this was issued, and it contained numerous amendments to the bill originally finalized by the Justice Srikrishna panel.1 According to Justice Srikrishna, data privacy is a burning issue and there are three parts to the triangle: “The citizen's rights have to be protected, the responsibilities of the states have to be defined but the data protection can't be at the cost of trade and industry.” Somewhere, somehow, these parts were neglected. When the revised 2021 version was released late last year, it drew a lot of flak, particularly from large global technology companies such as Google, Amazon and Meta, which feared the legislation could restrict how they managed sensitive information while giving the government broad powers to access it.
This newsletter discusses these developments and underscores the criticality of having a law in place.
2. The Ongoing Debate
The Union Information Technology Minister explained the reason behind the withdrawal and stated “The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint Committee of Parliament. 81 amendments were proposed and 12 recommendations were made towards a comprehensive legal framework on the digital ecosystem. Considering the report of the JCP, a comprehensive legal framework is being worked upon.” In essence, on the premise of coming up with a more comprehensive law, the existing draft was withdrawn.
There is no law in any part of the world which is perfect. With strong protectionist and authoritarian clauses and ambiguity about its processes, the challenges of the erstwhile draft law included: (a) significant and unfettered rule-making power attributed to the Data Protection Authority, but with very little independence or actual accountability; (b) exemptions granted to the government simply where it was “expedient” to do so, camouflaged in the name of national security or public order; (c) imposition of a strong data localization mandate, requiring companies to store all sensitive personal data and critical personal data (which remained undefined) in India, which attracted the ire and criticism of Big Tech companies and activists alike; and (d) a recommendation to subsume the regulation of personal and non-personal data within a single legislation.
Simply put, the draft bill created a preventive framework but without the necessary checks and balances on the state and its agencies. Further, it posed a serious threat to privacy, a universally accepted fundamental right. Historically, in countries like the US, privacy has often been regarded as a sine qua non for liberty, the right to be free from intrusions by the state. If implemented, the PDP Bill would have diluted privacy qua the state, while businesses would have had to overstretch themselves with compliance. Privacy jurisprudence is not new to India, but until 2017 it mostly focused on situations where harm was caused by a violation of privacy. That year, in Justice K.S. Puttaswamy v. Union of India, the Supreme Court held that the Indian Constitution includes a fundamental right to privacy. It would be fair to state that the notion of data protection stems from the right to privacy, and both are instrumental in preserving and promoting fundamental values and rights.
Despite the abundant criticism, was scrapping the bill an appropriate and unavoidable step, destroying years of work and potentially causing further harm? Add to that the sheer absence of a committed timeline for passing a new law.2 As India has evolved into a global services hub, combined with an increased reliance on web-based applications for day-to-day activities, the sharing of personal data has increased beyond anticipation. In a digitized ecosystem, and in view of the high incidence of data breaches, there is a dire need to protect information about an identified or identifiable living person and to ensure that both the public and private sectors engage in fair processing, i.e., the collection, use and storage of personal data. Consequently, a new law needs to create a framework designed to protect personal data; balance privacy; address and prevent situations that may emanate from its breach; and contain effective protection, redressal and enforcement mechanisms.
3. Business Ramifications
With the increasing commercialization of large data sets, more so in the last decade, nations have enacted rapid and stringent regulations to address different aspects of businesses that continue to evolve at a frenetic pace. India is no exception. However, by withdrawing the PDP Bill the government appears to have derailed the process completely, even though the nation needs a law on this subject more than ever, aligned with business needs and universal principles.
May 2018 saw a defining moment in the privacy and data protection space universally when the GDPR came into force. It is the most progressive and extensive legal regime for the protection of personal data and its ongoing security, and it has set global standards. It applies to EU member states and to any organization that collects or processes the data of EU residents. The GDPR contains six principles, embedded in almost every article. Specifically, Article 5 provides for them: (a) lawfulness, fairness and transparency; (b) limitations on the purpose of collection, processing and storage; (c) data minimization; (d) data accuracy; (e) data storage limits; and (f) integrity and confidentiality.
More than 120 countries have crafted some form of privacy law for data protection to ensure that citizens and their data have rigorous protections and controls. They are generally guided by the following five3 privacy principles:
- Notice: advising visitors, readers and users of policies in place to protect personal information;
- Choice and Consent: providing people with choices and consent around the use, storage, management and collection of personal information;
- Access and participation: ensuring information is accessed and used by correct people within the right security protocols;
- Integrity and security: ensuring data is secure with no unauthorized access; and
- Enforcement: ensuring that the platform, service and solutions are aligned with regulations that enforce compliance.
The purpose of reiterating these long-standing principles is not to discuss their constituents but to underscore that any law needs to ensure they remain the bedrock for the formulation of legal provisions, while being aligned with country-specific business requirements. The PDP Bill had extrapolated several provisions and concepts from the GDPR, but later carved out numerous exceptions. While it is now history, it was at least something in the pipeline (versus nothing), and without a defined timeline India, with more than 750 million internet users, will continue to be deprived of a basic privacy framework. As the law stands today, individuals have no recourse against private parties for breach of fundamental rights. Add to the mix that the pandemic accelerated the Modi government's push for a digital India, with an impetus on data interlinking through different means. This means that despite a massive digital push, one has to anticipate foul play, yet very little protection exists (or existed) against data breaches.
Then, cybersecurity threats are real and need to be countered. Data protection ultimately focuses on protecting data and information from both internal and external threats. In the personal view of the author, data breaches are not given the importance they deserve. In 2020, when the pandemic led the global workforce to work remotely, data privacy and protection took center stage. Remote devices are the most vulnerable to attacks from cybercriminals, making desktops, laptops and servers prominent targets, as they are entry points for accessing business networks, stealing data, exploiting software vulnerabilities and more. Companies regularly store sensitive information about clients, their own organization, workforce, business partners, etc. In other words, since a great deal of sensitive information is at stake, data protection is not only a legal necessity but also imperative to protect and maintain the reputation of a business.
It is necessary to highlight that in the first quarter of 2022, India was in second position for data breaches, after Russia. The average cost of a data breach globally reached an all-time high of over USD 4.3 million in 2022, according to IBM's Cost of a Data Breach report. Evidently, absent a statutory right but with an enhanced digitization footprint, the data remains at grave risk of being exploited, sold and misused without the consent of the individuals concerned. If there is to be seamless data transfer to and from India with the same level of data protection for its residents and those of other countries, it is critical to swiftly develop a strong regulation which will provide assurance and warrant the transfer of such data from foreign jurisdictions.
According to Gartner, by 2023 65% of the world's population will have its personal data covered under modern privacy regulations. Clearly, data protection and privacy are important for businesses and, increasingly, consumers will sever ties with organizations that do not alleviate their concerns and cannot be trusted with data. Rather, a strong data privacy framework will be a reason why people choose specific products, similar to organic or free trade labels in recent years.4
While the Information Technology Act of 2000 has been amended a few times, it does not meet the requirements of a changed business environment in a nation of 1.4 billion people. In the absence of a single statute for the protection of data, remedies and preventive mechanisms have been provided under several sector-specific regulations and other legislation.5 Conglomerates have articulated concerns about the absence of minimal protections and devised their own best practices to ensure business continuity. Clearly, both data and privacy matter, and instead of forging ahead, the PDP Bill took retrograde steps in India's privacy debate. But with its scrapping, as a nation we seem to have taken countless steps backwards. Data is oil, data is currency, and organizations are obligated to use data ethically. In this process, and in the fight between Big Tech and the state, the loser is the individual, who faces grave risks of compromise of data. Rapid action is required, and the time is now.
1 Amongst other changes, the scope of the proposed law was expanded to address non-personal data too, i.e., sets of data that do not contain personally identifiable information. Proposals also included regulation of social media companies, such that they would not act as intermediaries and would instead be liable for the content they host. Needless to say, Big Tech resisted this.
2 According to media reports, sources in the Information Technology Ministry believe the government will introduce a new law in the winter session of Parliament, but that remains to be seen.
3 In 1998, the U.S. Federal Trade Commission produced a document called “Privacy Online: A Report to Congress” in which it reiterated these principles in the context of the internet and stated that they were widely accepted.
4 See https://www.gartner.com/en/newsroom/press-releases/2020-09-14-gartner-says-by-2023–65–of-the-world-s-population-w (last accessed on Aug 23).
5 These include the Information Technology Act, 2000 and its corresponding rules; the SEBI Data Sharing Policy, 2019; and the RBI Guidelines on Cyber Security Framework for Banks and Information Security, 2016.
Originally Published August 2022