A Sound Data Protection Authority is the Need of the Hour

Protecting the data of citizens is of vital importance, especially as India has around 290 million social media users, 340 million messaging application users and around 400 million search engine users. These can easily be siphoned off to a foreign land and used for micro-targeting advertising. If the EU has the General Data Protection Regulation and the US laws dealing with privacy, why not India? It has been almost four years since the K.S. Puttaswamy-I judgment came out and three years since the Srikrishna Committee gave its report, writes ASHIT KUMAR SRIVASTAVA


IT was in 2017 when the Supreme Court in K.S. Puttaswamy-I recognised the Right to Privacy as a part of fundamental rights. Further, it also realised that digital privacy is as important as spatial privacy (Justices D.Y. Chandrachud and Sanjay Kishan Kaul deserve honorable mention).

Keeping this objective in mind the Union government had appointed a Committee under the chairmanship of Justice B.N. Srikrishna for proposing skeletal legislation for filing a void in the discipline of data protection. 

The Committee came up with its report and draft legislation in the form of the Personal Data Protection Bill, 2018.

EU Safeguards

It was a much-appreciated bill, mostly following the patterns of European Union’s General Data Protection Regulation (GDPR). However, there was criticism of the Bill for its blanket usage of the data-localisation provision. Apart from that, most of the Bill’s provisions were much inspired by the dignity jurisprudence of the GDPR.

In 2019, Parliament again revised the Bill and much deviation from the 2018 Bill was evident. The new Bill was denominated as PDP Bill, 2019.  

The first deviation was the blanket provision of data localisation, which was substituted with partial data localisation. As per the 2019 Bill, only critical personal data needs to be localised within the country (however, there are exceptions to this; read Sections 33 and 34 of PDP Bill, 2019 for better understanding).

However, sensitive personal data can be transferred outside the country with some rider clauses (this is an obscure reflection of the Adequacy Mechanism of GDPR). Further, under Section 35, the government has the discretion to exempt an agency from the provisions of this Act. If so, it may do so by written order.

There is no unequivocal stand that a Data Protection Law is of much necessity, especially for a country with around 290 million social media users, 340 million messaging-application users and around 400 million search engine users. These data reflect a vulnerable state for Indian citizens whose personal data can easily be siphoned off to a foreign land and utilised for micro-targeting advertising.

Western Nations

After the 2016 U.S. elections, western countries seriously calculated the risk that social media and search engine websites post for human dignity and have relentlessly worked in this discipline.

The European Union created GDPR, while the US, though without a blanket Data Protection Law like GDPR, has sectoral laws to deal with matters of digital privacy.

These include the U.S. Privacy Act, 1974, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act and Children Online Privacy Protection Act.

Therefore, India is undoubtedly on the right path. However, it is turning out to be a slow path, as it has been almost four years since the K.S. Puttaswamy-I judgment came and three years since the Srikrishna Committee came out.

This delay in the prospective Bill becoming an Act has impacted the digital privacy of millions of citizens, especially as foreign e-websites are not taking the existing data protection regime in India seriously.

This is especially so as the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Information Technology Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, are not adequate to handle the prowess of multinational corporations (something which even the Srikrishna Committee has accepted).

Therefore, a sound data protection regime is of much necessity. Interestingly, the Bill is still with the Standing Committee and is expected to be presented in the second part of Budget Session, 2021. However, what is interesting to note is that the current PDP Bill runs the risk of turning redundant even before becoming an enactment as a lot of technological advancement has taken place.

Blockchain Technology

With Blockchain gaining much space on the digital front, it has to be realised that the PDP Bill is a fiduciary-centric mechanism.

This means it requires a third-party intermediary who will be held responsible for data manipulation. However, blockchain technology is a peer-to-peer-centric mechanism, meaning there is no third-party intermediary. Thus, there would be no requirement of a PDP Bill for governing the Blockchain. With several forums turning into Blockchain, now there are Blockchain search engines and Blockchain social media websites.

The other issue which has recently cropped up in the absence of a sound data protection regime is WhatsApp’s change of terms of service and privacy policy. As per its updated privacy policy, the application has implicitly left two options to the user–either accept it or leave it.

Under this policy, it is stated that WhatsApp shares and receives information from other Facebook companies to help operate, provide, improve, understand, customise support and market their services and offerings.

However, this sudden change of privacy policy and its compulsive nature has raised legitimate fear in the minds of WhatsApp users across the globe that it can be utilised to micro-target them. Billionaire Elon Musk has even called out to people to shift to Signal (a messaging application).

However, WhatsApp has maintained that the changes of privacy policy align with the Information Technology Act, 2000, and there is no privacy concern for private chats. Additionally, Facebook and WhatsApp are separate entities.

Competition Commission of India’s Role

However, the Competition Commission of India (CCI) has taken suo-motu cognisance of this issue. It has claimed that Facebook would be a direct beneficiary of this updated policy and this would possibly lead to abuse of the dominant position by WhatsApp and Facebook.

Invoking the Competition Act, the CCI has claimed that impediments in interoperability and the absence of any alternative will give WhatsApp a dominant position in the market.

However, WhatsApp has claimed that the updated privacy policy comes into effect from May 15, 2021. CCI has called for an investigation into this issue but has not issued any interim injunction on WhatsApp regarding its updated policy.

It becomes essential from a data protection perspective that if January 4, 2021, policy is read carefully, it means that the new privacy policy does not apply to European regions. That means WhatsApp is treating India and European regions differently. This is indirect discrimination and the prime reason behind this is the presence of GDPR in the European Union, which acts as a safety guard against issues pertaining to data protection and imposes a heavy penalty for it.

In the absence of any proper data protection provision along with the lack of an efficient mechanism such as a data protection authority (DPA), data protection officer and appellate tribunal, there is a void in this discipline of law.

Probably messaging applications are looking to exploit this area. If there was a DPA, it would have ensured that there is a level playing field. The idea of take it or leave it makes the service provided by this messaging giant contingent and knowing the position WhatsApp holds in the lives of citizens, it will be hard to imagine them shifting to other services very soon.

Therefore, the role of the DPA becomes crucial; it should have been the A-team in this scenario. The stance taken by the CCI is welcome to the cause of data protection.

It is time that requisite changes are made in the Data Protection Bill, 2019. Additionally, the technological leaps made in the last two to three years also need to be addressed knowing that they have the capacity of turning the law redundant.

There is more work that needs to be done to adapt to the dignity-jurisprudence of the European Union. For example, the application of data localisation (even for Critical Personal Data) involves much infrastructural investment. An adequate mechanism also needs to be put in place to measure the environmental impact of data localisation.

All said and done, a fertile area of data privacy cannot be left empty knowing its implications on every citizen’s life.

(Ashit Kumar Srivastava is an Assistant Professor of Law at Dharmashastra National Law-Jabalpur. His research deals with  Data Protection Law,  South-Asian Constitutionalism & Constitutional Law. The views expressed are personal.)

The Leaflet