Data Privacy in India: the story so far
“If you’re not paying for a product, then you’re the product.” -Daniel Hövermann
Imagine being infected by a virus and not being aware of it. Imagine your body getting fatigued and falling ill more often without knowing the reason or the necessary precautions to take. A situation where you know neither the cause nor the precautionary or curative measures to deal with it. This is very similar to the Pegasus scandal, which a few years back shook the foundations of data privacy across the globe. It was alleged that Pegasus spyware was being misused by governments to tap and extract sensitive information of prominent personalities, particularly journalists, opposition leaders or businessmen. The spyware could infect a device without any interaction with the source and could potentially access everything on it without the user being aware. This scandal brought forth the need to protect the data of citizens and to ensure responsible and transparent functioning of governments.
We are living in a technologically advanced society where data is driving everything. From a minuscule gadget to giant machinery, from marketing to consulting, from consumer behavior to analysis, it is all data. A user browses for a commodity and his feed starts popping up with related advertisements the next day. We use a site and absentmindedly accept cookies, which amounts to uninformed consent for the website to store our information and share it with third-party applications. There are instances where an application asks for unnecessary permissions, like Uber asking for access to Gallery or Camera. We need not give our consent if we don’t want to, and the provider cannot deny the service on these grounds. Thus, we, as consumers, should understand the difference between consent and informed consent.
Data privacy had not been much of a concern in India until the Supreme Court of India, in a landmark judgment, made the Right to Privacy a fundamental right of Indian citizens under Article 21 of the Constitution in August 2017. The Court very clearly stated that citizens have the right to not disclose their personal information in the public domain. After the verdict, it was argued that a Data Protection law is needed to protect sensitive and critical data of citizens, which the data fiduciaries (the companies collecting data) were storing abroad and selling to third-party clients.
To this end, a Joint Parliamentary Committee was set up in 2019 to discuss and suggest a framework for the Personal Data Protection Bill, which would lay out stringent guidelines and regulations for ensuring data privacy. The bill categorized data into personal data, which includes name, contact number and gender details of individuals; sensitive personal data, which includes health and financial data; and critical personal data, which includes military data and data pertaining to national security. As per the proposed bill, companies are free to store and process personal data wherever they wish. While sensitive personal data should be stored in India, it could be processed outside with due permission of the individual and the Data Protection Authority (DPA). Critical personal data, however, should be stored and processed in India itself.
The bill also advocates the setting up of a Data Protection Authority and the appointment of a Data Protection Officer (DPO) by every company, who will ensure compliant behavior. Another important framework the bill puts forward is the Right to be Forgotten, i.e. the right of an individual to opt out of an agreement and to ensure his or her personal data is erased as and when he or she wishes.
The Joint Parliamentary Committee submitted its report to the parliament in 2021 wherein it proposed some changes to the original draft. One of the major proposals was to exempt government agencies from all provisions of this act, which means those agencies can store and process data as they wish to and can also ask data fiduciaries to provide them with required data which is critical for policy making. Owing to the amendments proposed by the committee, the Centre withdrew the old bill from the parliament, promising a revised bill, which will fit into the comprehensive legal framework and will consider the changes.
Nothing vast enters the life of mortals without a curse. Every creation, invention or object can be used wholesomely and with good intent, or used manipulatively or to purposefully cause harm. Thus, with spyware like Pegasus in operation, it’s imperative that we remain aware of the dangers our new technologies bring to the table.
We are being watched, recorded and surveilled every day. As we become smarter and more dependent on smart devices, we make ourselves more prone to cyber attacks and data breaches. The only way we can protect ourselves from such evolving threats is by being more aware and informed of our rights and more alert on online platforms. Data is the new oil and India is a heavily unexplored oilfield with companies dying to capture the market. With the withdrawal of the bill, India still lacks a legal framework to hold companies accountable for the data they store and process. With several incidents of data leaks and breaches, having a properly knit act is a requisite.