Challenges to consider before implementing a privacy law in India: Are we ready yet?
Smruti Pradhan
Delivery Manager-Data Privacy | Driving Privacy Compliance Initiatives and AI Governance | FIP certified | CIPM | CIPPE | ISO27701 | AIGP Trained
The developed nations of the world have been gearing up for information privacy, and so have the developing economies. Adding to the list of developing economies is India, which introduced the Personal Data Protection Bill in 2019; since then the law seems to have been stuck in a quagmire of legal proceedings and formalities, with no certainty about its implementation. It is a no-brainer why this law was introduced, considering the thrust being given to personal data protection laws throughout the world. We see a growing trend in countries to build a data privacy regime for their citizens, but is India ready to take the leap yet? What are the challenges it needs to consider before dropping a bill that looks good to read but is actually difficult to implement?
1. Changing the mindset towards privacy
India is at the crossroads of protecting the personal data of its citizens and managing the massive information technology revolution that has taken place over the last decade. It is also a nation that culturally believes in sharing its knowledge publicly and orally, more than privately between communities and individuals. Whether we look at how our history has been narrated to the upcoming generations or how traditional knowledge has been transferred through folk art, books, or medieval architecture, the information out there has always been open and available to all. Storytelling has always played a fundamental role in Indian society. Cultural practices are ingrained so deeply that even today the practice of providing justice in rural areas involves the village Panchayat hearing personal cases in a public space, with members of the same community/caste giving their views on the personal issue between two individuals.
According to Hofstede, India is a collectivist society with a low individualistic index. Individuals in collectivist societies have more trust and faith in other people than individuals in individualist societies. Communicating views publicly is not new to Indians; as a community, our private lives have been open to the opinion of our family, our community, or society in general. So while we talk about a data protection bill that will be implemented sooner or later, we need to realize what data privacy would mean in the actual context. Privacy awareness should start by educating Indian society at a holistic level about why protecting personal data is important and what harm an individual can suffer if personal information is breached.
Creating a sense of urgency around understanding the privacy clauses is critical and has to be taken up by the governmental authority before the bill is introduced. Here we are not just talking about implementing controls in companies to protect the personal data of Indian citizens but about changing the entire mindset when it comes to the privacy of an individual in India.
2. Questionable practices in handling personal information
If we examine the global privacy laws, we can safely conclude that privacy obligations apply not only to electronic data but also to non-electronic personal data collected through various sources. Consider a scenario where I need to visit a friend in India, and on reaching her place I am asked to provide my personal details, such as my address, phone number, and other details, to the security guard, who records the data. This is a common practice followed in almost every residential society in our country. Since we have neither visibility into nor any information about how these records are managed after our data is collected, this is alarming, because the obligation to maintain the privacy of personal records will apply to a scenario as basic as this.
Recently we have also witnessed cases where WhatsApp screenshots of individuals were circulated by media houses in India without taking consent from the affected party. Will the Indian privacy law be applicable to electronic evidence and, if applicable, what systems will be in place to track entities misusing it? Please check your mobile phones at this very moment, and let me know if you too can see text messages received from random sources flooding your inbox. The more intriguing question is where these entities collect our personal phone numbers from and how they process our data.
Therefore, when it comes to privacy, the Indian data protection bill has to evaluate whether it is leaving any gap in what can be considered “personal and sensitive” information and whether our legal system is ready to prosecute anybody misusing it. At a time when business models hinge on data monetization, a sense of responsibility should be instilled in every individual to manage personal data securely. The onus is on the regulatory authority of India to support victims of data privacy breaches by ensuring fair and speedy trials.
Law of proportionality in Privacy should uphold:
3. Aadhaar Act and its contradiction to Indian PDPB
Another major challenge would be to reconcile the need for consent management with the already existing Aadhaar Act of India. One of the critical things that almost all the major data privacy regulations have successfully managed to do is to shift the power of managing consumers' personal data from the corporates to the consumers themselves. Interestingly, in India, while on one hand we have a consent management right in our IT Act that mandates an entity collecting personal data to take the consent of an individual, we also have an Aadhaar Act which states that every Indian resident is mandated to own an Aadhaar number by submitting his/her demographic and geographic information. However, the Aadhaar Act is silent regarding consent being acquired from individuals by the agencies enrolling them. It would not be incorrect to infer that since the Aadhaar Act proposes a scheme that is compulsory and doesn’t technically require consent, it can act as a bottleneck while implementing the controls protecting the data subject rights in the upcoming PDPB (Personal Data Protection Bill). This ambiguity in the clauses of both laws is an issue that needs to be looked into before introducing a bill that specifies the dos and don’ts for an entity and the privacy rights granted to an Indian consumer.
4. Scope Applicability and its Challenges
Finally, the bill has to re-examine its scope of applicability to enterprises, considering the high cost of compliance that would be required to meet the privacy requirements in India. Currently, the scope includes not just technology companies and e-commerce entities, but also extends to real-estate firms, auto dealers, hotels, the banking and telecom sectors, and restaurants. It creates a number of obligations on data controllers, especially micro, small and medium enterprises (MSMEs), which, according to the latest IBEF (India Brand Equity Foundation) report, contribute about 29% towards GDP in the Indian economy. The design and probable impact of the bill will fall on this sector, where most of the data processes are unstructured and partially automated, and personal data is collected mainly through undefined sources.
So, while we are hoping for a personal data protection bill to change the course of the Indian privacy landscape, we first need to evaluate whether the regulatory clauses could be adjusted for enterprises depending on the volume of personal data processing they are involved in, before setting out a scope of applicability that would put undue pressure on these small-scale industries.
The government should take affirmative action and help them become compliant by stating exemptions clearly in the law. Striking a perfect balance between innovation and consumer privacy is the need of the hour without burdening the MSMEs.
References:
https://www.thinkpragati.com/opinion/2039/culture-meet-privacy/
Understanding-the-Lack-of-Privacy-in-Indian-Cultural-Context.pdf
Manager - Governance, Risk & Compliance (Corporate Investigations)
(3 years ago) Thank you Smruti, this was an informative article, especially about the consent management mechanism to be worked on.
Security Engineer
(3 years ago) Making people aware of privacy law is the biggest challenge in a country where most of its internet users are willing to compromise their PII data for a little amount of money or other kinds of benefits. To what extent will these laws help people when they themselves don't take their privacy seriously?
Managed Account for Founder & Chief Magecian at Mage Data (Data Masking; Test Data Management; Data Security Platform)
(3 years ago) Great analysis, Smruti Pradhan