28th January was the Data Privacy Day which is currently observed in the United States, Canada, Israel and 47 European countries, but has ramifications across the globe. The purpose of the day was to raise awareness and promote privacy and data protection best practices. And today the relevance of this purpose cannot be overstated.
News is making rounds about Data Privacy around the world, and especially India, where a large number of users have started fleeing in bulk from a widely used messaging app to other (now well known) app. The apparent exodus is due to one of the policy updates, which asks them to ‘Either Agree and Continue’ or ‘Disagree and leave the app’ soon.
While the users in EU are enjoying the app with no such policy update, it has become a strong concern for users in India. The panic would not have come into being, if we had a data protection law similar to GDPR. At present, there are no such data protection acts in India. The only existing act is Information Technology Act, 2000 (IT Act), which gives grieved individuals a right to compensation for improper disclosure of personal information.
It is not so that such acts have not been thought about in the country. The Personal Data Protection Bill, 2019 (“PDPB”) was introduced in Lok Sabha by the Minister of Electronics and Information Technology – to provide protection of privacy of individuals relating to their Personal Data, and to establish a Data Protection Authority of India for the said purposes and the matters concerning the personal data of an individual. The bill was clearly a step in the right direction. However due to insufficient information, the bill is still pending.
This raises some pertinent questions, from both perspectives.
- At government’s front: Is it the insufficiency of information which is pending from user’s front – example: user’s reaction of acceptance or rejection to any acts or policies? If the government receives timely feedback from their citizens, will it help them to establish/implement any act faster? Or there is something else that is missing?
- At user’s front, what percentage of consumers are really reading and trying to understand the entire message of such privacy policies (India’s Literacy rate is 77.7%)? If they read it properly, what is the level of awareness people have about their Privacy rights? Do they know their rights to accept or refuse such terms? Is it just the word of mouth that spreads to create news and compel masses to follow others blindly to take any action (in this case to either delete or retain an app or even download a new one as replacement)?
As understood from various information sources, there are only 12 non-EU countries that have data protection laws considered adequate by the EU (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US). Further, Australia, New Zealand, Hong Kong, and Japan have modelled their own data protection laws. Also, outside of its own country specific legislation, the US and the EU have adopted the EU-US Privacy Shield Framework. Not forgetting, while other countries are still in process of making their Privacy Laws, China published the first draft of its Personal Information Protection Law (PIPL) for public comment on 21 October 2020, which was their answer for GDPR, and too specific to rules in China.
The action taken by different countries suggest that there is a need to activate a strong Data Privacy Act in India to safeguard the information of their citizens and protect their data privacy, whatever changes happen in the Web world.
- AGREE: Out of 52% who agreed to the changed policy, only 25% actually read the policy. Rest of them agreed even without consideration about the potential impact of changed policy.
- DISAGREE: Those who did not agree to the changed policy, seemingly significant at 48%, did not necessarily indicated their aversion towards the app, rather – it is their indifference. Only a minuscule 2.5% actually read the policy and then disagreed.
- OTHERS: Others have either not received any notification or more likely ignored the notification altogether.
So, the consumer’s evident lack of concern (or may be awareness?), about the data privacy issues, might explain the Indian government’s relatively sluggish pace on the issue. Does this advise them – When people aren’t really bothered about data privacy, what’s the hurry in drafting a policy then? Why fix something that’s not broken?
The author is an SVP and Head – International Research Practices at Hansa Research Group.