The government can, and must, stand for privacy
It’s a good thing that WhatsApp created more than a ripple with its proposed privacy policy change, now deferred till May. It indeed is a good thing, as it finally lit a fire under dormant privacy concerns – with users, government, even courts.
The first public interest litigation (PIL) was filed against WhatsApp’s move before the Delhi High Court and now another is before the Supreme Court. These call for immediate protections, including through court intervention and also for government action.
This clarion call will likely provide succour not only against WhatsApp and its discriminatory data-sharing policy but also against all digital platforms, including social media and e-commerce sites. It will also hopefully result in further review of profiling provisions under India’s proposed Personal Data Protection (PDP) legislation to ensure actual protection against the same for users.
The reaction to what WhatsApp believed it could do with impunity is probably going to be the best thing to happen to Indians, who have patiently waited for the PDP legislation, which is technically two decades late and certainly languishing for the last three years. With a
PDP Bill draft doing multiple rounds since 2018, there is also misapprehension in the minds of users that India lacks legal frameworks for data protection. This misconception appears to have permeated many debates, emphasising the need for urgent parliamentary action.
What India’s Personal Data Protection Bill, 2019, which is being reviewed and revised by the joint parliamentary committee, does is to adapt wider protections in line with the European Union’s General Data Protection Regulation (GDPR), 2016 (effective from 2018).
Two aspects of WhatsApp’s actions negate its claims — its ultimatum to users, including individual users, to allow sharing of data with Facebook or exit the app and that it is doing so in a discriminatory fashion. The same WhatsApp gives actual choice to users in the EU to either allow or deny such permission without the demand for exit. This is clearly warranted due to GDPR’s stringent provisions. We do, therefore, need the PDP Bill to become law and quickly to combat such ultimatums that reduce the construct of “consent” to a mere joke.
Till such time, we are not totally toothless or powerless to combat the unmitigated data drain. The minimalistic provisions under India’s Information Technology (IT) Act, 2000 (as amended) provide some succour against corporate abuse of data. While the two provisions (one civil, S.43A, and one criminal. S.72A), by themselves, may not be sufficient, the expansive IT rules framed under S.43A of the IT Act provides limitations akin to EU Data Directives of 1995 and of the United Kingdom’s data protection laws, including with respect to consent, use, sharing and transferring of data collected in India.
Framing rules under the IT Act is permitted under the IT Act provisions. The government, using this delegated rule-making power, formulated the IT rules for protecting sensitive personal data. These rules can be expeditiously tweaked to include protections similar to those under GDPR to protect against violation of the “consent framework”. The rules could also be expanded to assure transparency to categorically address personal/sensitive personal data collection purpose, use, retention and sharing.
The provision, as it exists, read with the existing consent framework gives sufficient leeway for government to intervene through effective rule-making to prevent circumvention of consent through ultimatums and also limit purpose, usage, retention, sharing and transfer of data.
The Intermediary Rules framed under Section 79 of the IT Act have been awaiting a change since 2018 also. This is another process through which effective protections can be extended to users of social media, chat apps and e-commerce platforms.
Whatever be the path that the government chooses, it will be most effective only if strict adherence is mandated under the rules to consent frameworks, which cannot be predicated on ultimatums. The government also ought to call for transparency and accountability in data use and sharing, for without these, platforms resort to mere platitudes.
In 2016, the Delhi High Court missed the opportunity to lead the way in ensuring PDP while deciding the Karmanya Singh Sareen’s case. We now have the unequivocal affirmation of privacy, as a fundamental right through the privacy judgment in 2017 in Puttaswamy’s case. While deciding the PIL, the Supreme Court, therefore, is well within its right to fill vacuums in legal frameworks, if it believes that one exists for PDP or interpret existing provisions to ensure actual implementation of the consent, transparency and accountability framework. This may be needed in the interregnum till either the PDP Bill becomes law or even till the government resorts to rule-making. It is also important for Indian courts to affirm, as have US courts, that extending a free service does not permit platforms to force unconscionable terms on users.