Introduction
“Data is the pollution problem of the information age, and protecting privacy is the environmental challenge”
–Bruce Schneier
It is an undeniable fact that after the advent of the Digital India program, India with its 450 million internet users has entered the “information age”. India is now on the path to becoming a world economy with a growth rate of 7-8%, and a promising future for all the tech companies and global players. The 21st century has seen a massive rise in the use of information and information technology, and India with its billion-plus population has well recognized the need and significance of promoting digital literacy and information protection.
Linking digital economy with personal data
Ever wondered why privacy concerns have been raised only recently? The answer is obvious. Every single transaction or activity on the internet involves some sort of data transaction. This data, at most times, involves some personal data of an individual. Take for example the newer markets and companies that have come up. These work essentially on the data provided by various parties/users. Their business model is based on the personal data and information provided by the users and it is only with these data that these companies actually work. Consider these facts:
- Uber and Ola do not have their own vehicle fleet;
- Facebook and Instagram, the most widely renowned content and media creators create no content;
- E-commerce platform like Alibaba has no inventory of their own;
- Airbnb owns no real estate;
- Zomato and Swiggy do not prepare their own food.
Does this click a bell? That’s the reason it is often said that if it’s free, then you’re the product. These platforms often operate based on the data which is provided by their users to use the services. It is the data that we provide which is of interest. Now how this data is used, stored, and processed by the internet companies is what involves privacy concerns and calls for a legal framework of data protection.
Importance of data protection
Have you ever wondered what happens to the data and information that we provide these companies without reading their terms and conditions and data handling policies? The answer depends on a case-to-case basis. But if there is no policy in place, or if the user gives permission to the companies without reading all the terms (Given our natural tendency to skip the lengthy legal documents and hit “I accept the terms and Conditions”), there are chances of the data being misused or sold to third parties. It’s not that all companies would necessarily do it, but the possibility of this happening cannot be ruled out.
While sharing this data makes our lives easier by giving us access to essential services, however, unregulated and arbitrary use of data by organizations, be it private or governmental, has raised serious concerns related to privacy. Even the Supreme Court of India has recognized the right to privacy as a fundamental right.[1] Various committees have been formed to look into the aspect of data protection and privacy concerns. The objective is to “ensure the growth of the digital economy while keeping the personal data of citizens secure and protected.”
What should an ideal legal framework address?
Broadly speaking, there are a lot of issues to be addressed. Since this would affect a large number of people and probably future generations too, a robust, effective, and practical solution is required. Fundamentally, the ideal legal framework should address the following two concerns:
- How to keep the data of citizens protected and prevent its misuse?
- How to make a regime that would embrace data-driven innovation and entrepreneurship?
It is pertinent to state here that the Data Protection Bill/Act should incorporate provisions that are required more explicitly to avoid any backdoor entry. While the focus of the legislation should be individual autonomy and protection, the same should not be fundamentally detrimental for companies to devoid them of any growth or profit. A cue can be taken from the data protection legislation of other countries to evaluate how various provisions work out in reality and what would fit the Indian scenario in practical terms.
The upcoming data protection regulations also increase the existing scope of data protection in India. As per the existing Section 43 of the Information Technology Act, 2008, “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.”
The upcoming Data protection regime will widen the scope by offering a comprehensive data protection framework that shall apply to the processing of personal data by any means, and to processing activities carried out by both the Government as well as the private entities- not only the Body Corporate.[2]
Pillars of data protection
We are on the verge of having our first data protection law. In order to be effective, a data protection framework must be rested on the following pillars:
- Consent-based approach: Every expression on the internet or which is made to any party should have free and meaningful consent in order for it to be truly autonomous.
- Data minimization: Data should be used only for the purpose for which it is acquired/provided and nothing else. Even the data should be used sparingly and only when absolutely necessary.
- Fixing accountability and liability: The person or organization handling the data shall be held responsible for protecting the data from any breach or unauthorized use. It should be held accountable for data processing and storage.
- Effective Enforcement: The enforcement agencies should be capable and must have adequate statutory authority to take swift and prompt action to address breaches of data protection provisions.
- Deterrent penalties: The penalties should provide adequate safeguards against the offenders to have a deterrent effect in a real sense.
Conclusion
The data protection bill is in the pipeline and might take some time to become law. A lot of homework has been done and it is expected that the final deliberated version would address all the concerns effectively and would be at par with expectations. Till the time, it is important to understand the implications of sharing personal information online, how it can be (mis)used and if the benefit of such sharing is more than the risks involved. Though the tables have turned in the recent past and companies are acknowledging their fault and working on making their systems safer. The ethical issues involved are also well known and we hope to see a change in the near future. Whether or not it happens, prevention is always better than cure. The next time you visit a website or use an application, be extra cautious of the information you share. Don’t share what’s not necessary (For instance, why give the gallery access to a food delivery app?). Use common sense, and stay safe!
Relevant Commentaries on Data Protection
[1] K.S. Puttaswamy and Anr. v. Union of India and Ors., Writ Petition (Civil) No. 494 of 2012.
[2] Kindly refer to https://digitalindia.gov.in/writereaddata/files/6.Data%20Protection%20in%20India.pdf
