Authors: Arshiya Sawhney and Ratnadityasinh Chavda
The wave of development in the Indian Telecommunication and Information Sector, ushered in by the Telecom Revolution in the 1990s, has radically altered the technological landscape of the country over the last three decades. The near-universal shift to virtual platforms, in an attempt to conduct our businesses and interact with friends and families online, is evidence of the immense changes it has brought about. While most would classify these advancements as beneficial, there are a number of growing concerns which must be addressed – the elephant in the room being the lack of privacy in this hyper-interconnected world.
The Indian Supreme Court recognised the importance of privacy when, in the Justice K.S. Puttaswamy vs. Union of India case, it concluded that the Indian Constitution included a fundamental Right to Privacy as an extension of the Right to Life (guaranteed under Article 21). With this landmark judgement by the apex court came the understanding that laws for personal data protection must be designed more stringently to prevent and penalise the harms that result from its violation.
In that spirit, the Minister for Electronics and Information Technology introduced in the Lok Sabha the ‘Personal Data Protection Bill’, which replaces the previous Information Technology Act. The Bill encompasses the collection, storage and use of personal data by the government and by national and international companies within the geographical territory of the Republic. It subscribes to the principle that personal information should be procured and processed on the basis of ‘free, informed and specific consent’. Apart from a long list of obligations to be fulfilled by businesses, the Bill introduces a previously unknown concept of data-related rights – the individual’s choice to withdraw consent even after having granted it in the case of ‘Sensitive Personal Information’. Finally, the Bill outlines the formation of the Data Protection Authority of India (DPA).
The emphasis on consent also limits previously unrestricted freedom in the private sector in terms of marketing, lead generation, research, etc., which are often done without consent in the current climate. Furthermore, the Bill’s blanket ban on processing of critical personal data outside India may lead to hurdles during cross-border M&A transactions in the near future. In an effort to circumvent these concerns, the Bill permits entities involved in AI, Machine Learning and ‘any other emerging technologies in public interest’ to apply for certain relaxations for a maximum of 6 months.
Apart from curbing extensively used data harvesting activities, the preventive framework will also push up compliance costs across small and big businesses. As a result, companies may need to rethink their strategy and start brainstorming on how to counteract consumer fear of data exploitation enveloping online activities.
A particularly unsettling aspect of the Bill is that it has provisions for the government to exempt any of its agencies as it sees fit, especially keeping in mind issues of national security and relations with friendly states, among others. However, some see this as a new avenue for national security agencies to conduct surveillance, which in fact would have the conflicting effect of diluting privacy.
Finally, the proposed Data Protection Authority will act as a bulwark against unconstitutional and illegal use of personal data of citizens. It will be responsible for framing regulations on issues such as consent mechanisms, limitations of data processing, and data localisation. However, government involvement in appointing and dismissing DPA members has raised eyebrows, given that conflict-of-interest issues with far-reaching consequences may arise when possible breaches harming citizens are being investigated, especially in the case of subsidies and health programs.
The DPA stands to face an array of difficulties if appointed by the legislature, in terms of conflicts with its purpose and decisions. In order to maintain the independent nature of the DPA, special emphasis should be given to the manner of appointment of its personnel, their conditions of service and, lastly, their method of removal. The DPA has a mammoth task before it and must ensure that rules are framed in a transparent and consultative manner. In line with the considerable changes that will be introduced with the adoption of the Bill, it has become all the more evident that the new provisions go a step further in holding major stakeholders in the industry responsible, requiring companies to overhaul operations and even reconsider their practices and strategies.