Rashmi Guptey
1st February 2022
Harish Talreja
25th January 2022
Sid Talwar
31st December 2021
Ankit Moorjani
30th June 2021
20th January 2024
Sandeep Murthy
17th March 2022
1st January 2020
20th November 2017
7th June 2022
15th May 2022
17th February 2022
28th November 2023
Prashant Mehta
2nd February 2022
22nd September 2021
30th August 2021
15th March 2022
21st January 2022
14th January 2022
4th October 2024
5th August 2024
25th June 2024
20th December 2023
20th October 2021
25th April 2021
Akshat Jain
12th February 2021
31st May 2020
Tanya Rohatgi
19th August 2024
20th June 2024
Siddhant Ahuja
25th April 2022
14th February 2022
2nd June 2018
5th June 2024
15th February 2024
9th February 2024
26th May 2022
1st February 2024
20th November 2020
Shivani Daiya
20th February 2020
17th August 2014
18th July 2019
17th September 2021
15th September 2021
Maansi Vohra
28th January 2021
Atharva Purandare
10th January 2021
Tanvi Ghate
23rd January 2024
Ahan Rajgor
12th May 2022
8th March 2022
22nd February 2022
22nd August 2024
29th July 2024
5th June 2022
5th May 2022
16th April 2021
15th November 2014
25th October 2021
8th March 2020
7th August 2018
27th December 2016
17th February 2021
29th September 2020
24th September 2020
26th July 2020
20th January 2020
15th October 2018
26th June 2018
13th June 2017
21st May 2024
13th February 2024
15th July 2024
10th April 2024
20th February 2024
While India leads the world in data consumption and app downloads, monetising the Indian internet user has been a massive challenge. This begs the question who is funding the creation and sustenance of all the apps we are downloading – is it our personal information? Few among us are aware of the extent to which we are permitting internet businesses to gather personal data and fewer still are aware of how these businesses are using our data.
India is the largest & fastest-growing market for digital consumers, heading toward 730 million internet users by the end of 2020, as projected by NITI Aayog. Indian mobile data users consumed 8.3 GB of data each month, had 1.2 billion mobile phone subscriptions and downloaded more than 12 billion apps in 2018 alone, proclaimed Amitabh Kant, CEO – NITI Aayog, in a Nov ’19 tweet.
The mainstreaming of technologies like machine learning, artificial intelligence and natural language processing has meant that businesses are able to monitor our every move on the internet and profile us based on our behaviour, preferences, spending patterns, etc. Several new internet-native business models have emerged. Some of which are predicated on selling our personal data for better ad-targeting, upselling products and services, etc. In fact, India alone has witnessed the emergence of over 1,000 start-ups working in machine learning, artificial intelligence.
Businesses across the board recognise the value of data. At an event around artificial intelligence that we had organised at our office, the founder of one of India’s largest AI assistance platform stated emphatically to the audience that a data analyst should be one of the first three people hired in ANY company starting up. Much like crude oil enabled the automotive revolution, data will enable the technological revolution. Clive Humby, the founder of Clubcard, said it best - Data is the new oil! It is the most useful resource of the 21st century, and has tremendous monetary potential. But like every good story the data story has a dark side, which includes misuse, theft, fraud and breach of privacy. Cambridge Analytica, being the most popular cautionary tale of what can go wrong when data is misused. The need for a framework to protect personal information is evident, however one size doesn’t fit all in this case resulting in diverse policies across the globe.
Evolution of Data Protection Law globally and in India
Several countries over the years have tried to formulate a data protection regime suitable to their ethos. The EU has adopted an approach where personal privacy of an individual is the central pillar of the protection regime. The US being a laissez faire culture, has mainly focused on an individual's right to be left alone by the State and the restrictions are largely around personal information being processed by the Government. China, on the other hand has adopted a centrally dominant model focussing on aversion of national security risk. Each of these regimes is founded on each jurisdiction‘s understanding of the relationship between a citizen and the State in general.
India’s path to a personal data protection law has its roots in the Aadhar case, wherein a nine-judge Constitution bench ruled that the right to privacy is a fundamental right flowing from the right to life, individual dignity and personal liberty as well as other fundamental rights securing individual liberty under the Constitution. The Supreme Court recognised that ‘Privacy, in its simplest sense, allows each human being to be left alone in a core which is inviolable’. Taking this forward, B N SriKrishna Committee (constituted in 2017 to identify lapses in the extant framework) introduced the ‘right to be forgotten’ which provides the user a commanding tool. The Personal Data Protection Bill, 2019 (Bill) followed suit.
Evolution of Data protection law in India
Implementation and challenges:
The Bill is centred around the principle that informational privacy, is a right to autonomy and self-determination with respect to one‘s personal data. Digital companies now become “data fiduciaries” instead of being mere data collectors, where they assume responsibility for obtaining user permission for both initial collection and subsequent processing of user data. Social media intermediaries have been categorised as “significant data fiduciaries”, knowing they have a substantial impact on the electoral democracy, security of the State, public order or the sovereignty and integrity. A user now becomes a “data principal” enhancing the autonomy of individuals with regard to their personal data.
User consent: The Bill requires that a data fiduciary must provide a notice to a data principal before collecting their personal data and seek an explicit permission before processing their personal data. In doing so, it must explain the extent and the purpose of data collection, identity of the data fiduciary, source of such collection and also inform him about his right to withdraw consent. Explicit permission must also be obtained at each stage of subsequent data processing. Compliance with this provision could be tricky, because digital companies not only collect personal data, they also process that data bunched together with data collected from other principals to create new information that does not belong to the original data principal. Further, a lay man often cannot comprehend/ does not take the effort to understand what he is agreeing to when he consents to e-contracts – the Government must find a way to simplify such contracts.
Ownership of personal data: The Bill and logic both propose that an individual should be the owner of their own personal data. While simple in idea, this vision could impose a massive implementation burden for digital companies. Further, once data has been processed and new derived information has been created by a fiduciary, how does one ascertain ownership?
Data Portability: Fiduciaries now need to store sensitive and critical personal data on servers located in India. Sensitive personal data may be processed outside but must be retained in India. Critical personal data cannot be taken out of the country at all, even for processing. Digital companies currently operate in a seamless cyber world, where they mostly store and process their data wherever is economically most efficient. With this restriction, companies will now be forced to have adequate data storage systems in India, which may not go down well with the global tech companies.
State interest: The Government and their public sector entities are exempt from the purview of the bill and can collect and process any form of personal data. Ideally, an individual should be entitled to make autonomous life choices free from interference of State and non-State actors. Unfettered data access to the State could lead to political surveillance and propaganda. This is a massive dilution of the individual’s right to privacy. On the other hand, one needs to be mindful that the Government would want some access for national security and governance reasons. It remains to be seen how the middle ground will be achieved here.
Compliance and enforcement: The Bill proposes stringent compliances such as requirement to conduct an annual data audit by certified third parties and steep penalties for non-compliance or data breach or inaction by the fiduciary upon a data breach, reach up to INR 15 Crore or 4% of a company’s annual worldwide turnover for the preceding financial year, whichever is higher. Since there is no monetary threshold for qualifying as a data fiduciary, even small companies/ start-ups will have to bear this burden at par with multi-nationals.
Standout provisions:
Having laid out the obstacles in implementation, I do believe this a bold step for India in the right direction.
The right to be forgotten granted to data principals under the Bill is a very powerful one, enabling individuals to ask organisations to limit, delete or correct their personal information on the internet. This right to me is the hero of the Bill! It is in sync with the right to privacy upheld in the Puttaswamy case and establishes autonomy in it’s true sense.
Data localisation will help tremendously in easy access to data for investigation purposes and solve for jurisdictional complexities. While it may be a tough pill to swallow for global organisations, it will change the way privacy is perceived and practiced and will build a strong base for a ‘trustworthy’ digital India.
A national Data Protection Authority (DPA) is proposed to be established in India for the first time to ensure supervision and enforcement. It would be relevant for the DPA to collaborate with its counterparts across the globe to enforce some of the aspects of the Bill such as cross border data transfers and share some learnings through the journey. The transformative potential of the digital economy to improve lives in India and elsewhere, is seemingly limitless at this time. At the same time, the potential for discrimination, exclusion and harm is equally likely and needs to be protected for. The Bill is India’s first attempt to legislate data protection and the optimist in me believes it will do well for our country and its citizens.
In the words of Justice BN SriKrishna, ‘The data protection law will be like a new shoe, tight in the beginning but comfortable eventually’.
You will receive the next newsletter in your inbox.
The monthly Gazette is your source of happenings within Lightbox - updates, blogs, deep dives, opinion pieces and all things consumer tech
Join the thousands who hear from us