India’s position in the realm of digital privacy

Introduction

“Privacy is not an option, and it shouldn’t be the price we accept for just getting on the Internet”, a well-contented quote by Gary Kovacs has the ability to encapsulate the incessant dilemma faced by internauts across the globe. At a time when digital footprints of individuals dictate both territorial as well as cross-border social, economic and political alterations, concerns regarding digital privacy become ecumenical.

India is experiencing a ‘data-based’ revolution. With the explosion of digital services, India is generating a significant quantum of personal data. This collected data is being used by a wide variety of enterprises to deliver value to their users and alter their businesses. The internet traffic in India witnessed an unprecedented four-fold rise from 21 exabytes in 2016 (1 exabyte = 1 million terabytes) to an estimated 78 exabytes in 2021[1]. Moreover, a recent study by MeiTY (2019) estimated the size of India’s digital economy at US$200 billion in 2019, which is expected to rise to US$500 billion by 2025 in their ‘business as usual’ scenario[2].

However, with the growing adoption of digital tools by citizens, issues pertaining to the extent of control individuals have on their own data takes centre stage. According to a survey by Deloitte, 97% of Indian consumers are concerned about their data privacy, indicating a growing demand for comprehensive data protection measures.[3] This has in turn escalated the need for a dedicated privacy protection legislation in the country. While the Indian government is working towards the enforcement of a dedicated data protection legislation, several factors including hindrance to businesses, lack of awareness in consumers etc. have served as barriers to the same. However, the newly-introduced draft Digital Personal Data Protection Bill, 2022 provides the citizens of the country with the much-needed belief that India may soon join the league of nations enabling citizens to choose the manner in which their data is handled.

Laws and regulations driving the data privacy landscape

The Right to Life within Article 21 of the Indian Constitution has been held to include all aspects of that makes a person’s life more meaningful and the Right to Privacy is one of these rights. This issue was first raised in Kharak Singh vs. the state of UP (1962)[4], the Supreme Court held that ‘the right to privacy is part of the right to protect life and personal freedom’. Several other judgements have followed the principle of upholding the Right to Privacy as an integral part of fundamental existence of individuals.

At present, data protection and privacy in India is primarily governed by the Information Technology Act, 2000 (the “IT Act”)[5] and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[6]. Apart from these, other sectoral ancillary regulations, aimed at safeguarding data also exist.

Although some provisions under the IT Act aim at regulating the processing of personal data in cyberspace, the primary focus of the IT Act has been on providing information security regulations for the protection of personal and sensitive data in cyberspace. The IT Act, 2000 deals with a range of issues relating to payment of compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data. Moreover, the Act contains a number of provisions pertaining to safeguards against online privacy. These include but are not limited to the provisions against hacking, online frauds, monitoring, interception etc.

Under section 43A of the (Indian) Information Technology Act, 2000, a body corporate who is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, then such body corporate may be held liable to pay damages to the person so affected. It is important to note that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances.

Further, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 provide reasonable security practices and procedures, which the body corporate or any person who on behalf of the body corporate collects, receives, possesses, stores, deals or handles information is required to follow while dealing with "Personal sensitive data or information". The SPDI Rules are not intended to be exhaustive, but require companies to have a privacy policy, follow consent requirements and inform data subjects related to the manner of use of their data. In case of any breach, the body corporate or any other person acting on behalf of the body corporate, the body corporate may be held liable to pay damages to the person so affected.

While the IT Act and its ancillary Rules did create some extent of regulation in the data privacy space, the need for a dedicated data privacy legislation was felt within all spheres of the society. The Indian government recognised the need for robust legislation for the protection of citizens’ right to privacy, while also ensuring the acceleration of the digital economy. Accordingly, a committee of experts was constituted in 2017, headed by Justice BN Srikrishna (the “Srikrishna Committee”) to identify key data protection issues, methods of redressal etc. The Srikrishna Committee submitted its report in 2018, along with a draft bill to tackle issues pertaining to digital privacy.

Pursuant thereto, a Personal Data Protection Bill (“PDP Bill”) was introduced in the Indian parliament in 2019. The PDP Bill was thereafter referred to a joint parliamentary committee and was subject to deliberation for almost two years. The joint parliamentary committee tabled its report in the Indian parliament, along with a revised version of the PDP Bill in the year 2021. However, in 2022, the PDP Bill was withdrawn from parliament by the Indian government, citing substantial revisions suggested by the joint parliamentary committee. It is pertinent to note that the joint parliamentary committee recommended 81 changes in a total of 99 provisions of the Bill. The Bill was criticised for being highly restrictive for data driven businesses and was speculated to cause irreparable loss to Indian business, if enforced.

Taking into consideration the views of relevant stakeholders, the Indian government thereafter published the new draft Digital Personal Data Protection Bill, 2022[7] (the “DPDP Bill”) in November 2019 for public comments. In its current form, the DPDP Bill is a significantly simpler version of covers certain key provisions of the prevailing Indian laws relating to data privacy. The DPDP Bill applies to any 'digital personal data' processed within India and encompasses data collected offline and subsequently digitized as well as data collected online by a 'Data Principal'. The Bill proposes to introduce obligations for companies (defined as "Data Fiduciaries") which determine purposes and means of processing. It also aims to regulate entities which process such data. As per reports, the Bill is likely to be tabled in the monsoon session of the Parliament. If passed into law, the DPDP Bill will introduce significant key provisions that may impact tech players, digital businesses, start-ups, and society at large.

Conclusion

With rapidly growing technological advancements, the need as well as the nature of digital interactions have augmented radically. Within the limitless layers of the internet, individuals are often dispossessed of their right to individual privacy. While privacy has been a subject of conjecture for several decades, the recent cyber-identity violations have highlighted the need for a dedicated legislation to enable individuals to choose the time, manner as well as extent of their data being used.

[1]https://www2.deloitte.com/content/dam/Deloitte/in/Documents/about-deloitte/Privacy_and_Data_Ethics-A_Roadmap_for_India_Report_V4.pdf [2]https://www2.deloitte.com/content/dam/Deloitte/in/Documents/technology-media-telecommunications/in-TMT-2023-noexp.pdf [3] https://www2.deloitte.com/us/en/insights/industry/technology/protecting-consumer-data.html [4] 1964 SCR (1) 332 [5]https://eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMjk4NzY= [6] https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf [7]https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf