Follow Us:
Monday, September 20, 2021

What India needs: Data law, regulator

What is the data protection framework in India? And how safe or unsafe is your data? Though India does not have a larger data protection framework, over the years, a number of domain-specific laws have been amended to protect users’ data.

Written by Krishn Kaushik |
Updated: June 26, 2018 12:11:31 pm
Data protection in India Though India does not have a larger data protection framework, over the years, a number of domain-specific laws have been amended to protect users’ data.

In his 266-page judgment declaring privacy as a fundamental right, Justice D Y Chandrachud wrote, “Ours is an age of information. Information is knowledge. The old adage that ‘knowledge is power’ has stark implications for the position of the individual where data is ubiquitous, an all-encompassing presence… The Internet has become all pervasive as individuals spend more and more time online each day of their lives.”

Emphasising the threat to privacy from both the State and non-State actors, the judge asked the government to “put into place a robust regime for data protection”.

What is the data protection framework in India? And how safe or unsafe is your data?

Though India does not have a larger data protection framework, over the years, a number of domain-specific laws have been amended to protect users’ data.

Related | Who needs your data? And should you be worried?

Foremost among these is the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011. Issued under Section 43A of the Information Technology Act, 2000, it is, however, only applicable to corporate entities, not to any arm of the government. Also, the rules are restricted to sensitive personal data — medical history, biometric information and sexual history, among other things.

There is an array of other laws and regulations — provisions in the Aadhaar Act, the Credit Information Companies (Regulations) Act for the financial sector, and data protection laws for the telecom and health sectors.

Experts, however, say that in the age of digital data, these laws are not adequate and what India needs is an “omnibus” or horizontal data protection law.

Sunil Abraham, Executive Director at the Centre for Internet and Society, a Bengaluru-based not-for-profit body, calls the existing laws “minimal”, merely defining personal information and placing “certain obligations” on data controllers.

A major void in these laws, according to Abraham, is that “citizens don’t have much recourse; only if you have lost property or suffered financial harm can you approach the court for justice”. A breach of personal information, however, does not allow a person to to seek damages or compensation.

Malavika Raghavan, a researcher with Dvara Research who works on consumer protection in the digital economy, says the long ‘Terms and Conditions’ users agree to while downloading an app or signing up on a platform such as Facebook or Google “effectively tie us into the arrangements and all the purposes that the collecting entity includes”.

Raman Jit Singh Chima, policy director for India at Access Now, an international digital rights advocacy group, agrees with Raghavan, calling the current data protection regime in the country “very token stuff”.

Chima says India urgently needs “a federal office for privacy and data protection”, a body with cross-border regulatory powers like the Competition Commission of India, especially when companies such as Facebook and Google, which may have the largest amount of data on users, are not even Indian.

Such a body might be on its way.

In July 2017, the government created a committee headed by former Supreme Court judge Justice B N Srikrishna, to bring out a draft of the data protection framework for the country. One of the most important proposals in the committee’s white paper was on setting up a high-powered statutory authority with regulatory capacities.

Raghavan has another concern: whether such a data protection law would take into consideration India’s first-time users. “We are not building products and regulations for first-time Indian users of data-driven services,” she says.

“As the country prepares for laws and organisations build more products, we need to listen more to voices from the ground. Very complicated structures that distance people’s data from them and lock it away must be avoided,” she says.

While internationally Facebook has been at the centre of the data-leaks storm, in India, instant messaging platforms such as WhatsApp, which also gather large amounts of data, could be a possible cause for concern.

Also read | Meaning Psychographics: Analysis of personality and opinion, using data

Chima says that WhatsApp, owned by Facebook, may be the only product that a lot of first-timers use, unaware that WhatsApp shares this data with its parent company. A challenge to the data WhatsApp should be allowed to share with Facebook is still pending in the Supreme Court.

Prasanth Sugathan, legal director of the Software Freedom Law Center, a legal services organisation, says that though WhatsApp cannot read messages sent over the platform since they are encypted, it has access to a lot of other information, including all the WhatsApp groups a user is part of, data about whom a person messages, the location etc. Chima adds WhatsApp gets to know the likes and dislikes of a user every time she opens a weblink shared with her on WhatsApp.

Experts, however, say any legal framework will have its limitations. Apar Gupta, a constitutional lawyer who practises in the Supreme Court and has been part of a number of cases at the intersection of freedom of expression and technology, says, “No law will ever completely insulate us from the harm that will come from technological advances, but some basic guiding principles can take care of a lot of problems.”

As India has an opportunity to build its data protection framework, it has two models to choose from: the one adopted by the European Union, which is tilted towards privacy of individuals; or the second, the path chosen by the US where innovation is given primacy over regulation. The Srikrishna Committee mentions the two models, and says that “factoring in these diverse objectives, a nuanced approach towards data protection will have to be followed in India”.

In the absence of a data protection regime, can data be used to manipulate voters, like what is alleged to have happened during the 2016 American presidential elections? There is no simple answer to that.

Express Explained | How Facebook data may build picture of voters’ minds

The truth is, data has always played a role in elections, with political parties bundling voters on the basis of caste, religion, gender, location, language, etc. Now that the issues of micro-targeting, misinformation and fake news have come to the fore, says Gupta, there needs to be a debate about amending laws to “prevent such events from happening in the future”.

Abraham of CIS takes a more philosophical approach to how technology may influence voters. “When a technology is new and novel, its impact on the human mind is more profound. As more and more people get used to it, there are diminishing returns on its impact,” he says, adding that till the Internet reaches the last person on the ground, it will continue to influence voter choices. “It does not necessarily have to be through manipulation.”

📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines

For all the latest India News, download Indian Express App.

  • The Indian Express website has been rated GREEN for its credibility and trustworthiness by Newsguard, a global service that rates news sources for their journalistic standards.
0 Comment(s) *
* The moderation of comments is automated and not cleared manually by