Encoding Privacy in a Digital World

– Shivani A Tannu (Third Prize Winner, Indian Liberals Essay Contest 2019)

The rise of internet and social media has led to privacy concerns as it encroaches our personal space and gives the online social providers access to the user’s personal data. The cost that user’s pay for accessing online services is not cash but voluntarily giving up on our personal data. The flip side – potential abuse and sharing of the data.

In the case of most online providers, the consent to collect data is presumed and one can opt-out or disable some of these features that allow the provider to collect as well as share the data. The user gives up the ownership of his data when signing up for these online services.  

While there are justifiable uses of data that are vastly beneficial, such centralization of data, profiling of individuals and increased surveillance, has led to mounting concerns relating to erosion of privacy of individuals, ability to impact public decision-making process and national security. Information could be used for the beneficial purpose; but the arbitrary and unregulated use of personal information has increased concerns regarding freedom of an individual and the privacy. The concerns are mostly related to centralized databases, individual profiling, surveillance leading to erosion of individual’s freedom.

Data protection refers to the practices, safeguards, and binding rules put in place to protect user’s personal information and ensure that users remain in control of it[i]. The purpose of personal data protection isn’t to just protect a person’s data, but to protect the fundamental rights and freedoms of persons that are related to that data[ii].

Data protection doesn’t mean abandoning intelligent business use of personal data – it means being responsible and transparent with that use; continuing to pursue company objectives, but not at the expense of, or even with priority over, the individual data rights of the customer[iii]. One challenge stands out when framing data protection regime for e-commerce– how to create a supporting environment for e-commerce that fosters innovation while placing the privacy concerns at the forefront of the approach. Good legislation should complement market forces in bringing values and welfare to both consumers and organizations[iv].

Privacy can have various meanings based on different context. It is important to understand the concepts of Privacy according to their context. Privacy has been identified with 3 broad types– spatial privacy (related to physical spaces and things), decisional privacy (related to certain significant decisions) and informational privacy (related to personal information)[v]. Data protection is related to informational privacy. With ubiquitous nature of technology, the impact of data protection can also be seen on spatial and decisional privacy too.

In its judgement in the Puttaswamy vs. Union of India case, in August 2017, the Supreme Court recognised the fundamental Right to Privacy under the Indian Constitution.

Existing Indian Laws[vi]

India does not have an independent data privacy legislation; however, it does have what can be inferred as the code for data protection laws that is embedded in the Information Technology Act, 2000 (“IT Act”) and Information technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 notified under the Section 43A IT Act. These Rules provide privacy law for protection of data in electronic transactions.

Data as defined in the IT Act is restricted to collection, possession, handling/dealing or transfer of “personal” information which related to natural person. Thus, the law is restricted to an individual and does not deal with data between corporate entities. Also, the law makes no distinction regarding the obligation of a data collector and a data processor. Some salient features of privacy rules–

Personal Information vs. Sensitive Personal Data or Information (SPDI)

Data protection law in India does not protect all personal information but only “sensitive” personal data. The threshold of what is included as part of “sensitive” data is low. The definition includes critical financial information such as bank account details, debit and credit card details and other information related to payment instruments. These are deemed to be included as part of SPDI.

Collection of Information

Regarding information, the obligation is to inform the data subject (an entity whose data is being protected under the law) that its information is being collected. In case of SPDI, the bar for compliance is higher since a written consent is mandated which can be revoked by intimation in writing. Rules 5(2) and 5(4) are laid down in accordance with global best practices that are known as “data minimization”. To ensure data subjects do not disclose SPDI, it creates an obligation on data collectors to obtain information only when necessary and must be retained only for as long as it is necessary to achieve the purpose of collection.

Transfer of Information: Consent vs. Necessary for Performance

Consent does not result into legitimizing all data collection, but only “necessary” information can be collected and transferred. As opposed to collection, in case of transfer compliance is not just restricted to SPDI but also applicable to the entire pool of information. Over and above, information can be transferred to a third party only when (i) the third party also adopts the same level of data protection as mentioned under the IT Rules; (ii) the transfer is necessary for performance of an existing contract and (iii) consent of data provider is obtained.

International Laws

GDPR is an important law that has recently been in force in European Union (EU) and the provisions of this regulation have been referred in the Indian draft Data Protection Policy and Justice B N Srikrishna Committee report.

GDPR is a legal framework that provides guidelines for the collection and processing of personal information. While its jurisdiction is limited to EU, any state that transacts with EU member state and has access to its customer’s critical personal data will have to abide by GDPR guidelines. Non-compliances also attract a hefty penalty.

While GDPR is not an act but guidelines that can be used to draft legislation by member nations, yet it is fruitful to compare the broad contours of GDPR with the relevant Indian law – Data Protection Bill. The major points of difference between the two are[vii] –

•         While GDPR mandates entities to share names and categories of other recipients of personal data with citizens whose data is being processed, the Indian draft bill does not require this rule
•         Citizens in Indian draft bill cannot demand erasure of their data while there is a separate article ‘Data reassure’ in GDPR for this provision
•         GDPR mandates time frame for which data will be stored by entities while the Indian draft bill does not mention any such time frame
•         GDPR explicitly mentions sharing of the source from which data has been acquired about citizens if it was not directly collected from him/her while there is no such requirement in a draft Indian bill
•         In the case of a data breach, the entities are not required to share this information with the citizens whose data is compromised according to draft Indian bill. Instead, the Data Protection Authority determines whether the breach should be reported to the affected persons. GDPR provides for such provision where all breaches are to be reported to the affected persons
•         GDPR requires that the data which is being processed about the citizens shall be made available to him/her while the Indian draft bill mentions the provision of the summary to the citizens without defining what summary means

Conclusion

Data privacy is a legal right and existing data protection framework in India under the IT Act is largely inadequate, in terms of implementation, protections and remedies and it lacks basic protections such as provisions for data breach notifications[viii]. Therefore, India urgently needs to enact a dedicated data protection law.

In framing the data privacy regime, the policy makers will have to balance the access of businesses to technological innovations in data analytics with the need to protect customer data. This would also include the requirement of the government to ensure law enforcement and regulatory authorities would have access to Indian data upon requests and that the government would be able to limit the unwillingness of MNCs to respond to law enforcement requests.

[i] Accessnow.com. Data protection: why it matters and now to protect it. (2018). Retrieved from  https://www.accessnow.org/data-protection-matters-protect/

[ii] Njordlaw.com. Three reasons why we need strict data protection regulations. Retrieved from  https://www.njordlaw.com/three-reasons-need-strict-data-protection-regulations/

[iii] Information-age.com. Getting Value from your data under GDPR. Retrieved from https://www.information-age.com/data-under-gdpr-123476524/

[iv] Iapp.org. Can we balance data protection with value creation. Retrieved from https://iapp.org/news/a/can-we-balance-data-protection-with-value-creation/

[v] Meity.gov.in. White Paper of the Committee of Experts on a Data Protection Framework for India. Retrieved from http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf

[vi] Bar & Bench. (2018). Understanding Data Protection Laws in India. Retrieved from https://barandbench.com/india-law-connect/legal-briefing/understanding-data-protection-laws-india/

[vii] Cioandleader.com. (2018). 8 differences between Indian data protection bill and GDPR! Retrieved from https://www.cioandleader.com/article/2018/07/30/8-differences-between-indian-data-protection-bill-and-gdpr

[viii] Nipfp.org.in Data localisation in India: Questioning the means and ends. (2018). Retrieved from https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf

I am Shivani Tannu, a Chartered Accountant from Pune. I am currently pursuing an MBA at IIM Bangalore. I have previously worked at Accenture as a Financial Analyst and now interning at Citi – securities and markets. Besides finance and law, I have a keen interest in the process of policy making, I have taken part in various youth parliament sessions before. My hobbies include trekking and reading.