Cyber data privacy in peril

Pavan Duggal
Cyber Law Expert

The recent controversy triggered by WhatsApp’s move to unilaterally amend its privacy policy appears to have acted as a catalyst to shake Indian citizens out of complacency.

Though deferred for now, Whats- App will be implementing, unilaterally, amendments to its privacy policy which would mean sharing of sensitive personal data of individuals, not just to Facebook and Facebook group of companies, but also various business affiliates, third parties and service providers. The said privacy policy appears to be in contravention of the applicable prevailing law for the time being in force. However, the said incident has once again brought forward the need for Indians to be caring about their cyber data privacy.

There is no denying the fact that data is the new oil of the new economy. Data constitutes new building blocks, on which the new economy is being built. Hence, every stakeholder is specifically interested in accessing users’ data for monetisation.

In this context, the Indian nation appears to be a more fertile market. India today is a growing population that is increasingly jumping on to the digital bandwagon.

In 2020, India had nearly 700 million Internet users across the country. This figure was projected to grow to over 974 million users by 2025. In fact, India was ranked as the second largest online market worldwide in 2019, second only to China.

Digital users have been all transformed by the Internet and they have become global authors, global broadcasters of data. Hence, with humongous volumes of data being generated by Indians in cyberspace, Indian data has suddenly caught the attention of digital stakeholders globally. However, India is currently experiencing a policy vacuum pertaining to the protection of cyber data privacy.

India does not have any dedicated law on privacy. This is despite the fact that the Supreme Court, in the landmark case of Justice Puttaswamy vs Union of India, has already recognised the right to privacy as a fundamental right to life under Article 21 of the Constitution. However, in the absence of a direct legal provision on privacy protection, one has to look at other available legal provisions.

India has its mother legislation to deal with the electronic form, the Information Technology (IT) Act, 2000. The Act is also not a privacy-centric legislation. However, it does have some provisions to deal with infringement of privacy. For example, Section 66E of the Act makes it an offence if somebody, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person. The offence is punishable with imprisonment which may extend to three years or with fine not exceeding Rs 2 lakh, or with both.

Further, the Act does not deal specifically with the issue of data privacy. The Government of India had presented the Personal Data Protection Bill, 2019, before Parliament, which referred it to its Joint Parliamentary Committee. However, the Bill is still pending for consideration.

A lot of digital stakeholders have quickly realised that India is going through a very historically transient time where there is a policy vacuum concerning cyber data privacy protection. Consequently, all stakeholders are trying to take the benefit of the policy vacuum and various initiatives are aimed at access and monetising of data of Indian citizens. The recently amended Whats- App privacy policy issue is an example in this direction.

Clearly, the Indian cyber law is not adequate for the moment and long outdated as the same has not been amended since 2008. The recent actions by intermediaries like Whats- App demonstrate the urgent need for amending the information technology Act.

Further, the Indian law on intermediary liability needs to be made far more stringent. The legal approach on intermediary liability needs reboot. India can take a cue from how the US has already initiated a process of revisiting Section 230 of the Communication Decency Act.

While intermediaries need not take legal frameworks for granted, the government must quickly strengthen the legal process of safeguarding the users’ interests from the hands of unscrupulous service providers.

India needs to come up with strong legal frameworks to protect the interest of its users. The government also needs to act quickly and come up with strong rules and regulations under Section 87 of the IT Act to protect the users of the various services of intermediaries and data service providers.

With the Personal Data Protection Bill, 2019, being awaited and expected to provide remedies for generators of cyber data, users need not keep on waiting for the said law. It is imperative that they exercise due diligence and must do all in their power and possession to protect their data and personal privacy from various stakeholders. We need to be mindful of the fact that Covid-19 has already ushered in an irreversible process of the evolving New Cyber World Order.

The government needs to take the WhatsApp incident as a wake-up call and quickly galvanise into action. India as a nation has to realise that the protection of its cyber sovereign interests has a direct connection with the protection of data and the continuing expansion of Indian data sovereignty.

Hopefully, the government comes up with an effective mechanism to deal with various issues connected with the protection of cyber data privacy.