The discussion with respect to a composite data protection legislation has gathered traction in recent times, in the wake of reports of security breaches, which have rendered the personal data of millions of people worldwide susceptible to exploitation and misuse. The data protection legislation in India has been in a budding stage for several years now and the current law is often termed inadequate. Earlier in this decade, the Indian government tried to bring in a law on data protection, but it could not take off for a variety of reasons and, at present, India is devoid of such legislation.
The law today
The key provisions pertaining to data protection are covered under the Information Technology Act, 2000, and rules framed under it. In addition to the Act, there are sectoral regulations that prescribe data protection-related norms. However, the current state of affairs is expected to undergo significant transformation owing to fast-paced developments. Last year, the Supreme Court not only held that the ‘right to privacy’ is a fundamental right under the Constitution of India, it also noted that informational privacy is an important facet of the right to privacy and stressed the need for robust legislation on data protection. The government has constituted an expert committee under the chairmanship of Justice (Retired) BN Srikrishna to chart out a data protection framework for India.
Endeavours by DoT and TRAI
Amidst this, the Telecom Regulatory Authority of India (TRAI) and the Department of Telecommunications (DoT) have also come up with recommendations on data protection related to the communications sector. TRAI has been actively working towards formulating standards on privacy, security and ownership of data in the telecom sector. It is commendable that TRAI has emphasised protection of data over the entire digital ecosystem rather than strictly restricting itself to telecommunications. The issues raised are contemporary and are in line with the ever-changing technologies. TRAI has indicated that it will submit its recommendations to DoT as well as the expert committee regarding its inputs on additional safeguards that may need to be adopted for information and communications technology.
Recently, DoT issued the draft National Digital Communications Policy, providing an insight into the government’s outlook on digital communications. In this document, the government has identified safety and security of digital communications as one of the main missions. The policy document describes the government’s vision of establishing a comprehensive data protection regime for digital communications that safeguards the privacy of individuals and outlines the importance of security standards for digital communications infrastructure and services. It aims to achieve these goals by augmenting the current provisions in the licence agreements executed between DoT and telecom service providers.
Existing sector-specific provisions
In the telecom sector, the provisions relating to maintenance of confidentiality, data localisation and protection of a customer’s data are predominantly encapsulated in the telecom licences issued by DoT. On network security issues, licences also require telecom operators to install network elements that meet prescribed standards, as well as to periodically get them audited to ensure that these requirements are consistently met.
The licences, inter alia, mandate that ‘user information’ cannot be sent outside India, except in certain limited circumstances. Where the licences fall short is in not defining terms such as ‘user information,’ leading to ambiguity. Further, the provisions were framed several years ago and have not kept pace with technological advancements, rendering them insufficient and outdated. With the growth in adoption of the Internet of Things, concerns regarding the nature of data being collected and the purpose for which it will be used need to be addressed.
Licence agreements are executed between DoT and telecom operators, meaning that subscribers may not have a direct recourse against telecom players as far as protection of their data is concerned. Perhaps the data protection law along with communication-specific regulations will bridge this gap.
The process relating to data protection law is approaching its end and a draft legislation is expected soon. What will be interesting to look out for is the sanctity that will be accorded to the communication sector regulations once the data protection legislation has taken effect. The government will need to take a larger view in a manner that the laws do not interject and can subsist in isolation, without overreaching their respective jurisdiction.
The endeavours taken by DoT and TRAI are commendable, but considering that the general legislation is in the process of being formulated, the timing of release is questionable. To avoid any potential disparity, it would be ideal if the general legislation on data protection, which will cut across all sectors, is notified first. This can be followed by communication sector regulations so that they supplement the general laws and plug the gaps that may not have been covered under general laws.
Harsh Walia, Shobhit Chandra & Piyush Ranjan. Walia is associate partner, Chandra is senior associate, Ranjan is associate, Khaitan & Co