India’s data protection law: Strengthen rules but also follow through to the last mile
Post the Justice Puttaswamy v. UOI Privacy judgment and its emphatic declaration of privacy being a fundamental right, there is renewed interest in personal data protection, this time however with the individual and not commerce being the focus
News of the Washington DC attorney general’s case against Facebook has brought the spectre of Cambridge Analytica back with a bang. The case is not just about the violation of consumer rights by a social media giant, but also about a government executive standing up for the rights of the common man. It reiterates not just the need for protecting personal data but for that need to be filled by government action. For, it is when the “law hangs limp” that breaches flourish.
The saying goes that you become a criminal only when you are caught – the Cambridge Analytica expose is not an isolated incident. It probably was not even the first and it certainly will not be the last such abuse of huge quantities of personal data. The risks of social behaviour manipulation, whether it is for marketing or elections, merely red flags the tip of the proverbial threat iceberg.
While it remains to be proven, the checklist of violations in the US case against Facebook is indicative of what is in store for users of many online platforms – from allegations of misleading privacy settings to indiscriminate sharing of data with third parties and failure to disclose data breach, the list covers them all. The conspectus of the averments primarily brings to the fore the abject absence of choice and consent.
The Cambridge Analytica breach is not contained to either Washington DC, or even just the US. Its tentacles have spread far and wide, encompassing Indians’ personal data within its insidious fold. India’s statistics on data breaches at 52% in the 2018 Thales Data Threat Report- India Edition, is higher than the global average. The stark absence of legal prosecutions against such data breaches, therefore, is not just puzzling, but also a matter of concern.
India did understand the need for strong data protection laws and planned a standalone enactment in the late 1990s. Instead, a barely discernable and lone provision for data protection was introduced under Section 43 of the Information Technology Act, 2000 (“IT Act”). Commerce substantially dictates evolution of legislations too and data protection is no exception. With India losing a substantial portion of the “business of data” due to its lack of perceptible data protection laws, the stop-gap arrangement, which remains till date was the introduction of two additional provisions under Section.43A and Section.72A of the IT Act, with the former providing civil penalties and the latter, criminal prosecution. The IT Rules for data protection, which were a direct lift from the European Union’s eight data principles under its 1995 directive along with the above provisions, unfortunately did not improve India’s prospects for being tagged a suitable destination for personal data transfers.
Post the Justice Puttaswamy v. Union of India privacy judgment and its emphatic declaration of privacy being a fundamental right, there is renewed interest in personal data protection, this time, with the individual and not commerce being the focus. Consent by design and emphasis on choice permeates the proposed legislation though there are many concerns in exceptions provided to the same. Inclusion of data localisation in a layered manner is another indication of keeping the focus on user rights. While we await the final draft of the data protection bill and its future, it may be expedient to also take stock of where we stand today and what lies ahead.
There is one commonality in the tepid provisions under the IT Act, 2000 or its slightly stronger siblings under the amended IT Act of 2008 or the Rules framed thereunder – the poor record of enforcement.
From the well-known decisions of Maximillian Schrems (EU Court of Justice, 2015) striking down personal data transfers to the US on grounds of breach of citizens’ rights through state sponsored surveillance to the lesser known case of WM Morrison Supermarkets PLC (2017, UK), where a supermarket was held liable for a payroll data breach by an employee, what stands out is the strong enforcement of data protection provisions. India’s record does not bode well for citizens.
Strengthening laws is certainly an important first step but the follow through to the last mile is what India needs if its data protection processes are to be taken seriously. The strong position taken by the Reserve Bank of India with respect to data localisation of financial data is a case in point. The deadline stringently imposed by the regulator is long gone and the majors who are handling the substantial majority of financial transactions did not comply and yet there were no sanctions backing the strong posturing. The message that then goes out, of laws in India, to borrow Justice Krishna Iyer’s words, is that they hang limp and bark but seldom bite.
NS Nappinai is a Supreme Court advocate specialising in cyber laws
The views expressed are personal