As on date, India does not have a privacy law, but a personal data protection bill is pending before the Lok Sabha. It is India’s first attempt at regulating how the personal digital data of citizens can be used by the government or any third party.
Of late, the Government of India has trained its guns on Zoom and apps like TikTok, among others. It has become very important for India to implement a full-fledged Data Protection Law on a fast-track basis. Until then, the following is the current regulatory overview, which is more in bits and pieces, of the collection and processing of data under Indian laws.
As stated above, India has not yet enacted any specific legislation on data protection. However, the Indian legislature did amend the Information Technology Act, 2000 (“IT Act”) to include Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information.
It may be noted that Rule 6 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Rules”) inter alia lays down that disclosure of “sensitive personal data or information” (“SPDI”) by a body corporate to any third party shall require prior permission from the person who has provided the information, unless such disclosure has been agreed to in the contract between the body corporate and the provider of information, or where the disclosure is necessary for compliance with a legal obligation.
SPDI of a person means “such personal information which consists of information relating to (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise”.
The collector needs to evaluate whether it collects any information that falls under the category of ‘sensitive personal data or information’. If, as part of the registration process or for provision of services, the collector does collect such information, it needs to obtain prior consent of the users and ensure the following:
- An opt-out option is provided to the provider of SPDI.
- Reasonable security practices and procedures are maintained in accordance with the requirements of the Data Rules.
Further, personal data is also protected through indirect safeguards developed by the courts under common law, principles of equity and the law of breach of confidence. The Supreme Court of India has recognised in a judgment the right to privacy as a fundamental right under Article 21 of the Constitution, as a part of the right to “life” and “personal liberty”. Fundamental rights are enforceable only against the state and instrumentalities of the state, and the Supreme Court in the same judgment recognised that enforcing the right to privacy against private entities may require legislative intervention.
The IT Act also deals with the concept of violation of privacy in a limited sense; it provides that the privacy of a person is deemed to be violated where images of her private body areas are captured, published or transmitted without her consent in circumstances where she would have had a reasonable expectation of privacy and prescribes a punishment of imprisonment of up to 3 years and/or fine of up to INR 2.00 lakhs.
Further, in India, the Consumer Protection Act, 1986 (“CPA”) governs the relationship between consumers and service/goods providers. There is no separate consumer protection law that is specific to and regulates online transactions. Liability under the CPA arises when there is “deficiency in service” or “defect in goods” or occurrence of “unfair trade practice”. The CPA specifically excludes from its ambit the rendering of any service that is free of charge.
The data protection bill seeks to provide for protection of personal data. Chapter 6 of the Bill contains measures relating to transparency in processing of personal data and the security safeguards that companies would have to undertake while processing personal data. The Bill also requires companies to obtain the consent of users before processing their personal data and gives users the right to withdraw consent and to update or erase their data. The bill, once implemented.
Reportedly, Zoom sharing data with Facebook without explicit notice is a sign of a deeper problem of accountability within the data protection space. There are no laws, and where laws do exist in bits and pieces as stated above, they are nearly impossible to enforce and monitor. This should serve as a warning sign of such practices, and India should implement a full-fledged Data Protection Law with proper safeguards, consent mechanisms and a robust mechanism for liability and penalization.
Author: Prashant Jain, Co-Founder & Partner.
Disclaimer: The content of this article is intended to provide a general guide to the subject matter. For any queries, the author can be reached at firstname.lastname@example.org.
Updated as on April 20, 2020