The Best Time to Enact Data Protection Laws was 20 Years Ago; The Next Best Time is Now!

The road to personal data protection in India has been rocky. In 2017, India’s Supreme Court upheld the right to privacy as a part of our fundamental right to life and liberty. A panel chaired by retired Justice B N Srikrishna was given the task of drafting a Bill. In 2018, this panel submitted its draft to the Ministry of Electronics & Information Technology. The Personal Data Protection Bill that was eventually tabled in parliament in December 2019 proposed restrictions on the use of personal data without the explicit consent of citizens and introduced data localization requirements. It also proposed establishing a Data Protection Authority.

However, the bill was widely seen as a diluted version of what was originally envisioned by the Srikrishna panel in terms of its ability to truly protect the data/privacy of individuals. The bill was seen to place a significant regulatory burden on businesses and thus viewed as an impediment to the “ease of doing business” in India. A major bone of contention was the bill granting the government a blanket right to exempt investigative agencies from complying with privacy and data protection requirements. Understandably, there was pushback from BigTech, global financial services players as well as activists; even startups were unhappy with the proposed regulatory burdens.

In December 2021, after a number of extensions spanning over two years, the Joint Parliamentary Committee (JPC) that was set up to examine the draft bill submitted its report to the Lok Sabha. The JPC report has reportedly highlighted areas of concern and proposes a number of amendments/recommendations such as:

  • a single law to cover both personal and non-personal datasets;
  • using only “trusted hardware” in smartphones and other devices;
  • treating social media companies as content publishers, thus making them liable for the content they host.

In early August 2022, the government withdrew the Personal Data Protection Bill, 2019, with the promise to introduce a new one with a “comprehensive framework” and “contemporary digital privacy laws”.

India needs New Regulations to Plug the Data Protection Gap

That India needs robust data protection and privacy regulations which should be enacted soon is beyond debate. With digitalization becoming ever more pervasive by the day, the longer we are without clear regulations, the greater the risk is to our citizens. Each of the major trends below has the potential to infringe on individual privacy and can give rise to large-scale risks of user data (including personally identifiable information) being leaked/breached and misused:

  • The growth in digital banking, payment apps and other digital platforms.
  • The potential for Blockchain-based apps (in education – e.g., degree certificates, mark sheets; in health care – medical records; in unemployment benefits; KYC, passports etc.).
  • The growing popularity of crypto assets (and the attendant risk of them being used for money laundering, funding terror/anti-national activities etc.).
  • The rise of Web 3.0.
  • The increase in the use of drones for civilian purposes (e.g., delivery of vaccines, food to disaster-hit areas etc).
  • The emergence of the Metaverse as a theatre of personal/commercial interactions.

According to a news report, IRCTC had sought the services of consultants to help them analyze the huge amount of customer data they have and explore avenues to monetize the information. Given that the existing bill has been withdrawn, they have deferred this plan till new legislation is in place. Delays in enacting new data protection legislation can thus also impact the revenue growth and profitability of various businesses, which is another reason for quickly coming up with new legislation.

The New Data Protection Law should be Well-defined and Unambiguous

While “consent” must be a cornerstone of any such legislation, the government must also ensure that users whose data need to be protected, fully understand the implications of what they are consenting to. For example, each time an individual downloads an app on his/her smartphone, the app seeks a number of permissions (e.g., to mic, contacts, camera etc.). As smartphones become repositories of larger slices of personally identifiable information as well as financial data (such as bank/investment details), and authentication details such as OTPs, emails etc., the risks of data breaches and misuse that cause serious harm increase. There are a number of frauds and digital scams to which citizens are falling prey. Commercial and other organizations that build and manage various digital platforms must be held accountable for what data they capture, how they do so, why they need the data, how/where they will store such data, who will have access to them etc.

Just as important is for the new law to define unambiguously terms like “critical data”, “localization”, “consent”, “users”, “intermediaries” etc. Many companies are establishing their Global Captive Centres (GCCs) in India, to take advantage of the large talent pool and process maturity. Strong laws will encourage more players to consider this route seriously, thereby adding to jobs and GDP growth. Such investments also make it easier for India to be a part of emerging global supply chains for services (including high-value ones such as R&D and innovation).

It must address the risks of deliberate breaches as well. For instance, if hybrid working models are indeed going to remain in place, who should be held responsible for deliberate data leaks by employees working remotely? Or by their friends/relatives/others who take screenshots (or otherwise hack into systems) and share data with fraudsters?

While fears of an Orwellian world cannot be overstated, India’s new data privacy/protection legislation must be sufficiently forward-looking and flexible to give our citizens adequate safeguards. If the government fails to do so, our aspirations to become one of the top three nations on earth will take much longer – worse, they may only remain on paper as grandiose but unfulfilled visions.

Picture Credits: Photo By Fernando Arcos: https://www.pexels.com/photo/white-caution-cone-on-keyboard-211151/ 


The Metaverse and its Numerous Concerns

There is a lot of buzz being generated around the “Metaverse,” which can be defined as a virtual reality-based shared digital world in which users (through their “avatars”) can enjoy three-dimensional, multi-sensory experiences. This rapidly-evolving, technology-driven paradigm is a huge shift away from the present, where digital interactions are based on text, audio and two-dimensional images/videos. The excitement around the Metaverse is due to the immense possibilities that exist around how it can be used for social interactions, commerce, media & entertainment, education, manufacturing, healthcare, defense etc. Not surprisingly, many companies, even in India, are investing in Metaverse capabilities.

While the potential of the metaverse cannot be denied, it is just as important to recognize and acknowledge that there are several grey areas around this paradigm. If timely actions to prevent the misuse of the metaverse are not taken by the global community, we run the serious risk of opening a new Pandora’s Box. And once the proverbial genie is released from the bottle, it is virtually impossible (pun intended) to put it back inside.

The Potential Dangers of the Metaverse

What are the biggest fears surrounding the Metaverse? Concerns have been expressed from different quarters around issues relating to the privacy, safety and well-being of people who are active in the metaverse. In the current scenario, people use social platforms to connect with each other. If someone with whom I do not wish to engage seeks to connect with me in a basic digital world, I can easily deny the friend request. Even after having granted them permission initially, I can choose to block such persons. During the time they have permission to engage with me, the worst that can happen is that they send unwanted texts, audio messages or images and videos.

This is bad enough, but in the metaverse, the kind and nature of obscene or harmful content will change drastically; consequently, so will the impact of such material and experiences on vulnerable segments of society. 

For example, in the metaverse, it is quite possible for complete strangers to enter someone else’s personal space – without the latter being aware of who the former is. Given the multi-sensory capabilities of the metaverse, which includes haptic technology (the sense of touch), the experience and impact can be far worse. Arguably, the metaverse (as it exists currently) lends itself more easily to bullying, sexual abuse or intimidation. Indeed, there have been recent media reports that some VR-based games that are accessible to young children contain inappropriate content. 

AI-driven deep fakes can further muddy the waters by creating and distributing patently false content that is almost impossible to detect as fake. There is enough fake information circulating on WhatsApp as it is; think of the danger of content that purportedly shows politicians or others saying things designed to inflame emotions.

NFTs will be key to the evolution and growth of the metaverse, providing owners of physical assets such as paintings and IPR such as rights to music, movies etc. new avenues to monetize them at scale. Cryptocurrencies and tokens are likely to form the principal currency in the metaverse, powering commerce and payments. As of now, cryptocurrencies are anonymous and independent of mainstream banking and financial systems. 

In the absence of regulations that are uniformly enforced globally, such parallel payment systems can be easily misused for illegal and immoral activities and transactions, including child sexual abuse. It is likely that fraud and crimes will increasingly crisscross between the current digital world and the metaverse (and perhaps the physical world), making them harder to detect and bring the perpetrators to book.

Addressing the Issues Surrounding Metaverse 

A multipronged approach is key to addressing the potential dangers of the metaverse. It is vital to frame appropriate legislation and arm various regulatory agencies with the power to catch and punish violators. The basic premise around legislation has to be this: if something is illegal or against the law or generally accepted social mores in the “real”, physical world, it must be treated the same way in any parallel “virtual reality” based universe.

However, legislation alone cannot secure the metaverse. It will be essential to hold creators of content and platforms that enable distribution and access responsible for violations. The metaverse infrastructure needs to be designed with more intent to put in place appropriate safety mechanisms right at the beginning. As a global society, we must learn from our experiences with the downsides of social media platforms (false information, cyber-bullying, digital fraud etc.) and take preemptive actions that can prevent problems before they become common. This is significant because changing processes after people have grown accustomed to them is never easy; also, some damage may have already occurred. It may also be necessary to think of ways to incentivize good behaviour in the metaverse.

The metaverse is expected to surge ahead quickly on its evolutionary path. Its trajectory cannot be predicted in advance; therefore, what is needed is constant vigilance and for global action to be taken in a concerted manner. The UN system is supposed to be the primary keeper of international order. A number of events over the past couple of decades have painfully driven home the point that the UN architecture needs an urgent and major overhaul. As part of this exercise, it may be useful to establish a new global body tasked with the responsibility of overseeing and governing the metaverse. Regional political/economic blocs must be encouraged to ensure that their members comply with rules and regulations related to the metaverse.


Modifying the Personal Data Protection (PDP) Bill to Deal with Rising Privacy Concerns

OVERVIEW OF DATA PROTECTION REGIMES

The recent advent of WhatsApp’s updated privacy policy has brought to light the legal loopholes that the Indian Data Protection Laws are laced with. Revised and updated Data Protection Laws in India could have prevented the possible infringements that may take place with WhatsApp’s new privacy policy.

The European Region has been able to circumvent this issue due to its updated Data Privacy Laws that successfully provide users with protection from such policies. These policies legally mandate WhatsApp to prevent the sharing of data with Facebook and a violation of it would infringe the provisions of the General Data Protection Regulation (GDPR).

We have discussed here the modifications that could possibly be added to the Personal Data Protection Bill (PDP Bill) in India in order to ensure an air-tight privacy regulatory authority.

RISING PRIVACY CONCERNS: A STUDY ON WHATSAPP’S PRIVACY POLICY

With an undeniable rise in the relevance and indispensability of the digital platform come numerous concerns regarding its safety in terms of data and privacy protection norms. A case in point is that of WhatsApp releasing its updated terms of Privacy on January 04, 2021, under which it would deprive users of their choice to share data or other information with other apps, including those owned by Facebook. Moreover, this policy was accompanied by a condition under which users who did not accept the updated privacy terms would have to quit using WhatsApp altogether, beginning February 08, 2021, when the updated terms and policies were planned to be enforced.

The updated privacy policies of WhatsApp leave the end-to-end encryption clause intact. This means that WhatsApp has no access to one’s text messages and cannot share the same with any other party. However, this clause does not cover the protection of metadata, which entails everything in a conversation apart from the actual text. This information can be shared with Facebook and other apps.

WHY THIS POSES A PROBLEM

A close perusal and analysis of the entire case reveals that this issue could have been avoided with a concrete Data Protection Law or Regulation in place in India.

The core issue at the centre of the entire case is that people largely use WhatsApp to communicate with friends and family. The data thus shared on this App by individuals is now proposed to be shared with other companies to run their businesses, for monetary gains. This implies that the purpose for which WhatsApp would be using personal data and information is not even remotely connected to the purpose for which users had shared that information on the app.

This issue assumes an even graver character due to the inability of the Indian Data Protection Laws to safeguard their users from a misuse of data. Without a data protection authority or regime in force, users will be exposing their data to the surveillance of the entire Facebook group of companies.

Its lack of effectiveness to provide remedies or relief in such situations stands in stark contrast to the legal frameworks that are in place in other jurisdictions, most particularly the European countries. These countries are equipped with laws that can impose fines on Facebook for unduly sharing and using information through WhatsApp. This clause came into effect when the Competition Commission of certain European countries imposed this condition on Facebook during its purchase and acquisition of WhatsApp.

An important point to take note of is also the commitment made by WhatsApp during its launch in 2009: “to not sell user data or personal information to any third party”. This stance changed with the acquisition of WhatsApp by Facebook in 2014, and its sharing of data with its parent company in 2017. However, in 2017, users were given a choice to prevent the sharing of such data to other platforms. The updated policies have mandated the exposure of such data as a condition to continued usage of the App.

This breaches the expectations and commitments with which users had initially installed the App.

IMPLICATIONS ON USERS

Unfortunately, due to the technical and legal intricacies of the issue, a majority of the Indian population will stay unaware of this issue and not do much about it other than accept the terms being forced upon them.

However, there are sections of the population sensitive to data protection and privacy norms. This brings to light the possibility of shifting to alternate and safer platforms such as Signal, Telegram and iMessage. Moreover, petitions have also been filed in several legal courts pursuant to the policies introduced by WhatsApp in January 2021 seeking to stay the implementation of these policies. After all, Right to Privacy is a Fundamental Right granted under Article 21 of the Constitution of India and therefore, must not be compromised upon.

It is thus proposed that until an appropriate and concrete legal, regulatory and supervisory authority is in force vis-à-vis the Data Protection issues in India, the Court must prohibit the execution of this new Privacy Policy set forth by WhatsApp. Pursuant to this, the Supreme Court has directed WhatsApp and its parent company, Facebook, to file their replies to the petitions and growing concerns on privacy violations.

In furtherance of these directions, WhatsApp has most recently implemented its updated Privacy Policy with a new campaign. Through this updated campaign, WhatsApp aims to increase communication about its changes with its users through a small banner at the top of the chat, while also offering more time to let them read, understand and accept its terms. Following the backlash received, the new Privacy Policy terms are now expected to go into effect at a later date, i.e. May 15, 2021.

HOW THE PDP BILL CAN BE MODIFIED TO INCREASE DATA PROTECTION

The PDP Bill can and must be modified in certain ways to ensure that arbitrary clauses in such online policies do not deprive the users of the rightful protection they are entitled to under the Right to Privacy. One of the main additions that the PDP Bill must incorporate is a clause or term in the law that prohibits the changing or modification of the terms of a contract after its enforcement. For instance, WhatsApp modified the terms of its contract resulting in a clause that was contrary to its initial commitments and objectives.

Moreover, since the PDP Bill has not been passed yet, it is crucial to look to other alternate legal provisions and statutes that may offer protection in such situations. For instance, the Information Technology Act of 2000, under Section 87, gives the government the authority to come up with regulations that can put a stop to arbitrary policies introduced by online platforms that pose a threat to privacy and data protection rights granted to individuals.

A company must not be able to modify terms according to its whims and mandate users to abide by them simply because they consented to the initial contract. Terms of such contracts must be regulated and privacy laws must ensure that changes in these policies have undergone user consent.

SUMMARY

In order to honour the Fundamental Right to Privacy, it is vital for the concerned platforms to provide clarity regarding their policies to ensure that a well-equipped and protective mechanism is set in force to deal with instances of data protection infringement in India. It is also crucial to formulate a structure on the PDP Bill that is well equipped to handle policy changes while ensuring a constant protection of data privacy rights. Other alternative laws must also be incorporated and interpreted in ways to prevent a breach of privacy.

The European Region was able to circumvent the imposition of data sharing norms by WhatsApp due to its updated Data Privacy Laws that successfully provide users with protection from such policies. Our extant laws are glaringly inadequate and the proposed draft, as well as the delay in the passage, of the Personal Data Protection Bill (PDP Bill), is posing a serious threat to our online privacy and security.
