The existing privacy framework under the IT Act 2000 and Telegraph Act 1885 is seriously inadequate when it comes to providing protection to personal data or remedies in case of data breach.
By Ritesh Kumar Singh
Post the Supreme Court’s decision in the Puttaswamy vs Union of India case (2017), the right to privacy has clearly been established as a fundamental right under Article 21 of the Constitution. The judicial decision has been applauded by citizens and privacy activists alike, given the rampant data leaks and unauthorised use of users’ personal data.
While the law is settled, people feel strongly about privacy. A recent research by AudienceNet, a social and consumer research company, noted that for as many as 92% of the urban Indian respondents irrespective of age or gender, privacy is a priority in their use of social media. They depend on relatively safer encrypted platforms such as WhatsApp to communicate on a day-to-day basis and expect encryption across social media platforms, which is viewed as critical to the public as it protects users and their personal data from the prying eyes of unintended recipients.
However, critics argue that fully encrypted platforms are prone to misuse and a tool to spread fake news and political propaganda that may be used during elections to influence electoral outcomes. Thus, we all agree that something needs to be done and social media platforms are increasingly taking steps to mitigate such risks.
The existing privacy framework under the IT Act 2000 and Telegraph Act 1885 is seriously inadequate when it comes to providing protection to personal data or remedies in case of data breach. Besides, there are no effective safeguards against excessive state surveillance under existing rules. On the other hand, the draft data protection Bill 2018 emphasises on the need for data localisation to ensure data privacy and to prevent foreign surveillance of Indian citizens.
No doubt, the draft Bill provides far greater protection to privacy than what’s available under the IT Act; its grievance redressal mechanism is better and punishment for data breach harsher. Yet it has several shortcomings. For instance, the scope of non-consensual processing of data is too wide—consent will not be needed for data processing on grounds such as national security, legal proceedings, and research and journalistic purposes, or for any other reasonable purposes specified by the proposed Data Protection Authority. Thus, the exceptions granted to the state by the country’s proposed data protection law do not inspire much confidence as it allows unwarranted intrusion into citizens’ privacy. The degree of data privacy will actually depend upon the effectiveness of the country’s data protection regime and not where the data is located. As things stand, it’d be wrong to argue that data localisation will ensure better privacy protection. Rather domestic enforcement agencies may pose a greater threat to an individual’s privacy than suspected foreign snoopers due to relative ease of applying coercive action within the country’s boundaries.
It’s safe to argue that India’s proposed data protection law, in its current form, is not effective enough to fully safeguard data principals/individuals against unchecked state surveillance. Thus, imposing a sweeping data localisation regime on the country without an effective mechanism to protect personal data may encourage intrusive data gathering by state agencies and will lead to lower rather than higher protection to privacy. Hence, it should be avoided especially when there are several adverse side-effects that are not being fully appreciated by the supporters of localisation.
For instance, localisation may drive up the infrastructure cost of IT companies, tech start-ups and SMEs that currently rely on storing data abroad that costs less. Besides, India’s software and IT-enabled services sector is export-driven and deals with data of non-national citizens and corporations. Thus, mandatory data localisation could be perceived as a protectionist trade barrier and may induce retaliation from other countries. That will create complications for the country’s IT industry. Moreover, consumers may have to bear the additional cost of storing data locally in the form of higher charges for digital services.
The way forward
Trust remains a major concern for users with even top names in the digital economy space accused of unauthorised sharing of personal data. So, tougher privacy norms (either self-imposed or enforced by government through legislative actions) are needed to improve ‘trust factor’ and help propel India’s digital economy.
Encryption by ensuring safety of the data will improve trust and is part of the solution. However, social media and messaging platforms must take responsibility to check the misuse of their platforms. In this context, WhatsApp has taken several proactive measures to prevent misuse of its platform and mitigate such risks. It has stopped forwarding of a message to more than five people in one go, in India. It has also started a helpline that a user can rely on to verify any message or news being circulated. These measures will rein in the possibility of spreading fake news and misinformation campaigns, and enhance users experience while protecting every Indian’s right to privacy.
Encryption strengthens privacy, while localisation may weaken it. There is a potential danger that allowing state unrestricted access to users’ data through regulatory moves such as data localisation will dilute privacy protection and may lead to unnecessary state’s intrusion into citizens’ personal lives. Moving towards a surveillance state is not the answer. Besides, it undermines the spirit of the Supreme Court’s decision in the Puttaswamy case. Then, there are side-effects of data localisation that can’t be ignored. A far better alternative to data localisation would be bilateral and multilateral data sharing agreements that will keep digital economy open and yet expedite criminal investigation without diluting protection to privacy.
The author is CEO, Indonomics Consulting. Views are personal