This blog is authored by Harshit Chauhan, a first-year law student at Gujarat National Law University.
The recent WhatsApp controversy regarding the privacy of user data once again brought the debate on data protection laws to light. When it comes to social media and related online apps, the pre-existing data protection laws in India are of limited scope. They consist of the rules laid down under Section 43A of the IT Act, namely the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules (SPDI Rules). These rules provide guidelines for “compensation for failure to protect data”, thereby requiring reasonable security practices and procedures to be implemented for the protection of sensitive personal data.
However, owing to weak legal backing and improper implementation of the SPDI Rules, the need was felt for an all-encompassing data protection mechanism that would secure citizens from every dimension. The committee headed by Justice AP Shah analysed existing privacy laws in the international sphere that could inform a privacy framework for India. The committee recommended nine principles on which nationwide privacy legislation could be built to fill this gap. This model was carefully scrutinised in the drafting of the Personal Data Protection Bill, 2019 (PDP Bill).
Personal Data Protection Bill
Primarily modelled on the European Union’s General Data Protection Regulation (GDPR), the PDP Bill was introduced in Parliament in 2019. Its provisions follow a nation-centric approach: data generated by the citizens of India within the nation’s boundaries is treated as an asset that may only be stored and guarded within the physical boundaries of the nation, and any cross-border transfer of such data attracts heavy compliance requirements. These provisions apply not only to the government and to corporations within India but also to global players such as Facebook and Google.
The provisions of the PDP Bill make clear that companies will be required to change their business models and policies to bring them in line with the framework. These regulations aim to place privacy at the forefront when dealing with corporations that often exploit customers’ personal data. This set of provisions is intended to ensure that corporations and social media platforms are not allowed to profit by misusing, retaining or selling off user data.
Digital companies have been defined as data fiduciaries rather than being labelled mere data collectors as in the GDPR, because they bear complete responsibility for using the data in good faith. This places a heavy burden on corporations to be careful about how data is used, because as fiduciaries they will ultimately be held accountable for any breach of privacy.
Classification of Data
The Bill classifies generated data into three main categories so that controls can be imposed according to the type of data being shared. Each category carries a different set of compliance requirements that data fiduciaries must follow in order to collect and use that particular type of data.
The first type is ‘sensitive data’: the essential information about a user such as their finances, gender, sexuality, health, religion and caste.
The second type is ‘critical data’: important information held by the government, relating to matters such as national security and military control.
The third type is general data, which covers everything outside the first two categories, such as names and e-mail addresses.
According to the PDP Bill, sensitive and critical data cannot be stored outside India; it must be stored on servers located within the boundaries of the nation. Sensitive data may be processed outside India subject to certain prior conditions, such as the user’s consent, but its storage has to remain within India.
Critical data is prohibited from any cross-border transfer at all, whereas no storage restrictions apply to general data. Until now, digital companies have stored their data wherever was feasible for them. The Bill would require companies to set up servers within the nation’s boundaries in order to collect sensitive data.
Further requirements concern the user’s consent. Any digital company must obtain explicit permission from the user. The request for permission must not only fully explain the purpose for which the data is being collected, but consent must also be obtained at every step of data processing so that the user is kept consistently informed. Thus, consent must cover the initial collection as well as any further utilisation and processing of the data.
Another relevant provision concerns ownership of the data generated by a user. A user might want to delete all of their personal information stored by a particular social media website, and the right to erasure makes this possible. Many such data ownership rights have been incorporated to allow users to delete, withdraw or modify information that has been stored about them, and digital companies will have to comply.
For example, an individual using Facebook might want to delete all the data stored by the application, even after deleting their social media account. Such rights can also affect data shared with third parties, because these corporations often sell the data on. These rights are similar to the participation rights granted by the European Union under the GDPR.
A very important regulation with respect to social media is the introduction of a ‘verification tag’. Under this provision, all digital companies will have to attach an identification tag to their users. These tags divide users into three separate categories: users with a verified registration who display their real names, users with a verified registration but anonymous names, and non-verified users. Such an identification tag could recognise and differentiate genuine users from bots, thereby reducing the scope for scams and hacking on social media websites.
Digital companies will have to set up proper procedures to verify the identities of their users and to disclose which users are non-verified. It was found that Facebook has more than 100 million fake accounts, which gives rise to identity theft and breaches of user privacy. This is a unique provision and the first of its kind introduced to minimise privacy concerns in the use of global social media.
To ensure strict compliance with all of its provisions, the Bill lays down heavy penalties. Offences involving a data breach, or a digital company’s failure to act in the event of a data breach, can attract fines of up to $700,000 or 2% of the company’s global revenues, whichever is higher. For other violations, such as a lack of proper consent, the penalty amount could double.
The penalties vary with the global income of the corporation, and jail sentences can be imposed on the officers of these digital companies who were responsible for compliance. Social media platforms therefore cannot take these provisions lightly.
Right to Privacy
In K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., the Supreme Court of India recognised the right to privacy as a fundamental right. This included digital privacy, meaning an individual’s right to sole discretion and control over the digital information they create. The right to privacy allows a citizen to keep their personal information outside the reach of misuse by organisations, government bodies or other individuals.
Privacy of an individual is an abstract concept, and it has been categorised into three dimensions. The first is ‘spatial privacy’, which covers privacy with respect to physical spaces, bodies and things; the second is ‘decisional privacy’, which covers certain significant self-defining choices; and the third is ‘informational privacy’, the privacy of personal information.
Data protection arises from the right to informational privacy. The Hon’ble Supreme Court recognised that informational privacy must be protected against both state and non-state actors. An individual must have the right to protect their private information and the power to exercise that right to prevent its dissemination. This right is, of course, subject to legitimate restrictions such as national security.
The decision of the Hon’ble Supreme Court ensured that any action resulting in a violation of an individual’s data privacy amounts to a breach of the fundamental right under Article 21 of the Constitution of India. This was the first step towards giving citizens a right over their personal information. The decision empowered Indian citizens to seek judicial relief and invoke their fundamental right when they face privacy issues with respect to data shared online.
However, it is also crucial to note that granting citizens a right to privacy does not give them complete protection from exploitation. Corporations such as Facebook Inc., which own the most popular social media platforms, do not have servers within the territory of India; their servers are located outside the country, and so they do not fall within the purview of Indian law. This forms a huge lacuna, because India has no data protection agency or data protection law that can regulate or criminalise the wrongful acts of these entities.
Indian law needs to demand more compliance from digital companies. The PDP Bill has tried to give the utmost importance to the rights of citizens, yet it deviates from this perspective in certain provisions by treating data as a national asset. This attempt to convert user data into a national asset diminishes the citizen-centric approach and focuses more on the nation’s interest. Nevertheless, if the law is passed it will benefit users, because it will secure the privacy of users on social media and elsewhere.