By: Aditya Kashyap and Anusha Agarwal
The Internet has revolutionized various sectors of Indian economy like commerce, communication, governance, and entertainment. It has become the most sought-after public service delivery mechanism for the government because of its efficiency and accountability. Indian IT sector has shown remarkable growth by employing millions of professionals and also at the same time earning a major share of India’s foreign exchange. With the rise of the internet of things, the internet has become indispensable for smoothly carrying out day to day functions. Prevalent times are often termed as ‘Age of data’ which often leads to a parting of personal data while using various internet services ranging from social media to e-mail to instant messaging platforms. With the exponential rise in users incidents of identity theft, unauthorized access and other such breaches have increased. Users have limited control over how data collected from them are utilized and in many cases, they do not even have the sole ownership of their own personal information provided online. Especially in the business process outsourcing sector, it leads to the accumulation of a vast amount of personal and sensitive data of users like their credit card details, financial information, and even their medical history. The question arises on how in this ‘smart’ world where we are dependent upon apps, sensors, and other connected tools, we can ensure the protection of vital data.
With the government aggressively pushing the digital India plan, this has led to an extensive rise in digital payments, the explosive growth of the e-commerce sector and the unprecedented rise of digital services requiring personal information for authentication. Biometrics based Aadhaar data augments the need for a robust data protection mechanism to ensure trust and further growth of the internet led the industry as India’s data protection regulations are woefully inadequate. Courts on several occasions have interpreted “data protection” within the ambits of “Right to Privacy” as implicit in Article 19 and 21 of the Constitution of India. Many companies also rely upon the contract law as an important tool to protect their data. Contractual agreements such as ‘non-circumvention and non-disclosure’ agreements, ‘user license’ agreements, and ‘referral partner’ agreements, containing confidentiality and privacy clauses are entered into by them. But more precise would be the Information Technology Act 2000, amended in 2008 and the subsequent IT rules defined in 2011 which contain certain provisions regarding data protection. But this suffers from many drawbacks – it hasn’t defined personal information explicitly and just provides guidance for reasonable security practice and due diligence Section 43A of The Information Technology (IT) Act 2008 talks of reasonable security practices and procedures to be followed by a body corporate possessing, dealing or handling sensitive personal data or information.[1] Most government departments and agencies can’t be classified as a “body corporate” and hence it is beyond the purview of Section 43A’s compliance requirements. Additionally, regulatory oversight and enforcement have not been effective to ensure compliance by the organizations. In essence, it is a toothless law and is seldom used. For instance, when data leaks such as the ones from the McDonald’s McDelivery[2] app have happened, section 43A and its rules have not been useful in successfully prosecuting the accused.
Companies nowadays tend to save data in an electronic form due to its ease, but this has also made it easier to copy and distribute such data often for commercial gain. Due to lack of legislation dealing with the database, firms are forced to rely on the interpretation of Copyrights act by the honourable court. In one of the leading cases, the court had held that the Copyright Act only protects slavish imitation of data. This makes it difficult to enforce it in cases where another person’s data has been copied with slight modification.[3] In another case the court had held that unless the work has been formulated with one’s own labour and skill and presence of originality is evident, it will not be a protected work. The whole work constitutes an original skill with the presence of original skill and considerable labour.[4] The Database which mostly pertains to the assimilation of data may not be termed as an original work, additionally due to the presence of a mass volume of data normal processes like correction and verification also requires considerable labour and therefore they could be said to be different from the original work. With the growing integration of world economy, cross-border data flows are becoming common exponentially with the proliferation of data centers in various parts of the world. This had led to the alarming situation, to combat which, countries have started developing internal data protection rules such as developing multilateral mechanisms for controlling data flow. Lack of comprehensive data protection in India could be an impediment to incoming investments in the IT sector. It can limit the work being outsourced to India due to privacy concerns. For example, in the medical sector patient’s history needs to be protected.
Robust laws are necessary to ensure that our business process outsourcing firms move up the value chain by diversifying into areas like clinical research, engineering design, legal research areas and other areas related to intellectual property rights. Lack of such regulations would lead to loss of business from countries like the European Union which demands comprehensive data protection regulations even for firms dealing in business to business (B2B) sector. If India doesn’t act fast other countries with better data protection laws will fill in the void left by the Indian IT sector. Comprehensive data protection framework would boost global sentiments regarding Indian IT sector leading to more market share and export opportunities.
Moreover, right at the stage of data collection, the user should be clearly informed of the intended use of their data. Only relevant and adequate data should be collected and the collection process should abide by the principles of lawfulness, fairness, and transparency. Another important aspect is to inform the users about any data breach incidents so as to give them an opportunity to take measures to protect their digital assets. The user should also be allowed to review or update any sensitive information as well as given an option to withdraw consent for the usage and sharing of his data. Undoubtedly, the historic judgment ruling the right to privacy as a fundamental right is a step in the right direction by acknowledging the importance of this issue, but an effective and quick action plan has to be put into force to lay down the required law.[5]
Data protection framework should include the power to take stringent actions against the defaulters, it can be both fines and penalties. For reference EU General Data Protection Regulation has set 4% or 20 million euros whichever is higher as the limit on fine.[6] Italy’s data protection authority, the Garante, fined five companies in excess of 11 million euros for unlawful processing of Personal Information. Internet giant like Google has faced heavy fines by EU regulators. Strict fines and penalties act as a deterrent and ensure that firms invest in quality cybersecurity mechanisms and develop foolproof mechanisms to prevent the cuff violations of personal data. India should not ape the west but rather develop indigenous cyber security solutions to ensure adequate data protection, yet at the same time ensure that it does not stifle innovation. India needs a strong independent watchdog to ensure that organisations handling personal data of citizens have adequate safeguards to prevent violation of their privacy.
[1] The Information Technology Act 2008, s 43(a).
[2] ‘Mcdonald’s India App ‘Leaks’ 2.2Mn Addresses, Phone Numbers; Card Details Safe’ (Hindustan Times 20 March 2017) <http://www.hindustantimes.com/tech/mcdonald-s-india-app-leaks-customer-data-for-more-than-2-2-million-users/story-1EBCFinC4NItlfpyfj43VM.html> accessed 4 September 2017.
[3] V Govindan v EM Gopalakrishna Kone AIR 1955 Mad 391.
[4] Eastern Book Company v D B Modak (2008) 1 SCC 1.
[5] Justice K S Puttaswamy v Union of India [2017] SC, WP(CIVIL) NO 494 OF 2012.
[6] ‘The protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive’ (2016) OJ L119/1 < http://eur-lex.europa.eu/eli/reg/2016/679/oj> accessed 20 September 2017.
(Aditya and Anusha are currently students at Gujarat National Law University, Gujarat)
The RMLNLU Law Review Blog 