Consumer Data Rights & Protection Laws in India

F.S Dhiman, Last updated: 02 July 2021

Have you ever heard the Indian saying "Apni aapas ki baat kisi aur ko mat batana" (Don't tell anybody about our mutual matters)? When this maxim is carried over to social media platforms and the Internet, it has an overriding effect: when you press "GIVE PERMISSION" before browsing a website or before installing an app on your mobile, you allow your private data to be shared with third parties.

On average every Indian uses about 10-12 apps, including apps for online ticket booking, online food ordering, WhatsApp, Facebook, etc., and above all a must-have is "Google" and its allied apps, for various reasons. We seldom bother to read the terms of the privacy policy, while every company procures its "Privacy Policy" drafts, in gimmicky phrases, from top-notch law firms just for us. Unwillingly, the user has to press "Yes" for the app to run smoothly on a phone or laptop, which results in sharing your location preferences, tastes, news trends, and web browsing habits.

However, this information is filtered by the big "data fetching companies" and "marketing companies" to make policies for the future selling of products and services. When the policy for sharing cookies changed worldwide in past years, Google's "Chrome" browsing platform had to change its settings to let the net surfer press "YES" or "NO" even for sharing cookies (data codes of net users left in the back-end page of the site).

But on all other websites a new trick appeared with the aid of developers: they started using a small pop-up screen with "YES" and "KNOW MORE". The catch is that the "NO" option was placed so that the user of the app or website must first go through the entire cookie policy and only then barely sees a small "NO" button beneath the policy's end note. Users end up choosing "YES" as a quick solution to save time. Here the users fall prey to the developers of the website or app, and the user agrees to share private data.

Australia is one country that uses the term CDR, i.e. Consumer Data Rights, and it has its own exclusive laws and rules, which explain that as consumers, net surfers have the right to permit sharing of their data or to deny it totally. In November 2017, the Australian Government introduced the Consumer Data Right (CDR) in Australia. The CDR will give consumers in Australia greater access to and control over their data and will improve consumers' ability to compare and switch between products and services. It will encourage competition between service providers, leading not only to better prices for customers but also to more innovative products and services.

But in India the PDB (Privacy Data Bill) was delayed by various unavoidable circumstances. India is all set to follow the GDPR (the EU's General Data Protection Regulation). Hence the big digital companies will be restricted to using data of third parties for business under certain conditions. The new GDPR-DPB alliance forbids data processing work on Indian citizens' data, in a framework similar to the Chinese data laws that prevent global players like Facebook and Google from operating within its borders. However, the "Indian Data Protection Bill" provides more protective provisions than the EU regulations. India wants to proceed on the assumption that data generated by its citizens is a national asset and can be detrimental to the interest of India from the defence and economic perspective. Hence this Privacy Data Protection Bill (DPB) will safeguard and control the processing, assimilation, storage or transfer of private data. As per statistical reports, the digital economy in India will reach $1.4 trillion by 2023, and global companies will need the nod of the DPB in India.

Citizen's privacy in India is a fundamental right

In 2017, the Supreme Court of India ruled that personal information, in whatever form, is something Indian citizens have a constitutional right to keep private. When anyone who uses the internet leaves cookies or personal data on it, that data is a national asset. The DPB plays an important role in determining how, when and why this private data can be used, so as to safeguard citizens' privacy rights. Under this Bill it will be checked how and when virtual benefits turn into monetary benefits for companies in data processing, and the taxation authorities may ask to add the profit element from users' private information in mass.

The revised Personal Data Protection Bill, 2019

The Supreme Court of India, in its verdict in the Justice KS Puttaswamy case, highlighted the issue of privacy as a constitutional right. Thereafter the Ministry of Electronics and Information Technology (MEITY) formed a 10-member committee headed by a retired SC judge, Mr B.N. Srikrishna, for seamless working of the PDP Bill for the protection of personal data in India. In almost one year this committee presented a report titled 'A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians', along with a PDP Bill for personal data protection. This revised PDP Bill, 2019 was introduced by Sh. Ravi Shankar Prasad in 2019 in the Lok Sabha.

This Bill is still under consideration by a 30-member team, which includes a Joint Parliamentary Committee (JPC) that is soon expected to give the finishing touches to the Bill.

Recent Trends and Update

A three-judge bench headed by Chief Justice of India (CJI) SA Bobde directed that "People have grave concern about loss of privacy." Hence the Supreme Court, in the month of June 2021, required WhatsApp to provide a well-written undertaking on oath that it does not share the private data of users. The court has issued notices to the Centre, WhatsApp and Facebook over the privacy row, and the matter is in proceedings.

Formation of DEPA (Data Empowerment And Protection Architecture) 

On the issue of data privacy, a plan named "Data Empowerment and Protection Architecture" ('DEPA') was formed in 2020 by NITI Aayog, which drafted the policy after elaborate dialogue with various industry representatives. By doing this NITI Aayog intends to frame secure data privacy laws in India. DEPA aims to build on existing regulation by the RBI of "Account Aggregator" models, so that every citizen of India can benefit from sharing financial data securely across banks, insurers, lenders, mutual fund houses, investors, tax collectors, and pension funds.


Policies in Health Industry-Commerce & Transport

A policy framework was planned in India in 2019 under the National Digital Health Mission ('NDHM'), initiated by the Central Government with the aid of the Ministry of Health and Family Welfare ('MOHFW'), for an "ecosystem" with digital data processing tools covering all citizens of India, to monitor health data and frame policies for all patients, hospitals, and healthcare bodies at every level.

Consequently, in 2020, MOHFW gave its nod to a Health Data Management Policy ("HDM Policy"), mainly in the footsteps of the PDP Bill, to watch over the entire ecosystem. The HDM Policy led to implementation of the plan for data collection at the micro level for the management of patients' data, individuals' data, Health IDs, and doctors' and nurses' IDs. It protects private information with an additional layer under the HDM Policy through consent-based sharing of data. The HDM Policy will have a significant impact on the medical and pharmaceutical industry once implemented, as healthcare institutions will have increased compliance obligations.

Turning to e-commerce, a new e-commerce policy is in the pipeline that allows the sharing of source code, algorithms and other data with the Government, whereas the use of consumers' non-personal data, intellectual property rights, and cross-border data shall be monitored.

Similarly, for "Motor Vehicle Aggregators", i.e. in travel and transport, the Ministry of Road Transport and Highways has its own MV Aggregator Guidelines-2020 to regulate and monitor the new licensing regime for driving in India, which includes rules and regulations on charges and fares, vehicle record updates, and the management of apps and websites. Even ride-sharing, safety measures and ride cancellations need a compliance check against privacy laws. Hence the mandatory data supplied in this regard by these commercial ride providers will be monitored. The MV Aggregator Guidelines explain that any data stored by app owners or website owners must be stored in India for a minimum of 3 months and a maximum of 24 months from the date of generation. The state government also has the right to access this data for the safety of citizens and crime control in the state. No global company can share this travel or transport data in India without the commuter's consent.

Privacy Data, its Kinds and Core laws in India

Private data in whatever shape, i.e. cookies, web codes, back-end codes, passwords, payment gateway codes, wire transfer rights and information uploaded in online forms, is generally classified into three kinds:

I. Personal Data 

It is the data which is kept personal at a superficial level by the website or app aggregator; without it the website or app cannot run smoothly, and it can be processed and stored outside India. It includes general permissions for access to a website or app.

II. Sensitive Personal Data 

It forms part of the data inside a personal mobile or laptop which a particular website owner or app developer asks to access, and can access on acceptance, just for better customer experience and marketing tools. This sensitive data can generally be stored in India and may be transferred outside India for processing if the data owner explicitly consents to such transfer, subject to certain additional conditions under the laws of India. Such transfer should be made pursuant to an intra-company policy of the global company with its subsidiary company, approved by the regulator in India, keeping in view the protection of the rights of the data principal under the relevant Acts.

III. Critical Personal Data

It can only be processed and stored in India. Any critical personal data may be transferred outside India, only where such transfer is— (a) to a person or entity engaged in the provision of health services or emergency services where such transfer is necessary for prompt action or (b) to a country or, any entity or class of entity in a country or, to an international organisation, where the Central Government has deemed such transfer to be permissible under clause (b) of sub-section (1) and where such transfer in the opinion of the Central Government, does not prejudicially affect the security and strategic interest of the State. (3) Any transfer under clause (a) of sub-section (2) shall be notified to the Authority within such period as may be specified by regulations.

Indian Government and its Power to access any data

For this purpose, the Information Technology Act contains section 69, which covers any person authorised by the Government, or any of its officers specially authorised by the Government, who is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the defence of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, or for the investigation of any offence.

Corporate Contracts & Agreements to use Privacy Data

Keeping in view the Information Technology Act, 2000 and its amendments to date, there are various sections which must be adhered to if any software development company in India plans to set up a strong database to work in the long run. Any negligence may result in regulatory punishments. The related IT or cyber laws are well explained in the Act.

Following are the crucial sections and rules for software companies in India:

a. Section 10A was inserted in the IT Act; it deals with the validity of contracts formed through electronic means and lays down that such contracts "shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose".

b. Section 67C deals with the preservation and retention of information by intermediaries.

c. Section 84A directs the crucial points on modes or methods for encryption.

e. Section 66A is on the Crime laws and deals with the punishment for sending offensive messages or posts through communication service, etc.

f. Section 66E explains the punishment for violation of privacy.

g. For digital signatures on all contracts in India, the Digital Signature (End entity) Rules, 2015 are applicable.

h. One can approach the Chairperson of the CAT, i.e. the Cyber Appellate Tribunal, where all grievances can be settled.

i. Global firms may follow the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.


Judicial Review in India for Data Privacy

A) Recently an ongoing application challenged the privacy rule introduced by WhatsApp, which required Indian WhatsApp users to agree to its new rule allowing the company to share data with third-party companies. A three-judge bench headed by Chief Justice of India (CJI) SA Bobde said, "People have grave concern about loss of privacy. WhatsApp may be a two trillion or three trillion company, but people value their privacy more than your money. Hence it is the duty of the judiciary to protect citizens' privacy." Advocate Shyam Divan, representing the petitioner, argued that Indian users are being treated unfairly, as WhatsApp has a different privacy regime for European users. The application asked the top court to order WhatsApp not to go ahead with its new policy till the Constitution Bench decides on it or the Centre comes up with a data protection law. Senior advocate Kapil Sibal, appearing for WhatsApp, denied that any private sensitive data is being shared and pointed out that the issue was small.

B) In Balu Gopalakrishnan v. State of Kerala, an order with interim directions was passed in April 2020 on the collection and processing of COVID-19 related data by the State Government of Kerala and its later export to a US-based entity, "Sprinklr", for analytics purposes. The High Court held that no measures were adopted and that the State Government negligently granted "Sprinklr" access to the data. The terms for exporting the data involved keeping the data secretly under control, obtaining indirect consent from Indian citizens, and a promise to return this critical data once the contractual obligations came to an end. The High Court also lashed out at the advertisement programme and the commercial exploitation of the data by "Sprinklr". This judgment is an exemplary proof for all companies working in PPP mode in the post-COVID-19 era in the field of sharing data on Indian patients, their symptoms, doctors' prescriptions, pharma consumption, etc.

However, the year 2020 finally proved to be a yardstick for forming appropriate laws in India on privacy and data protection, to protect citizens' rights from big global companies. The Bill must come as expeditiously as possible, and all industry representatives should come onto a common platform before it is tabled in Parliament. The Information Technology Act 2000, along with its various amendments from time to time, can be an important tool to regulate the various guidelines in the Bill. The legal platform in India is strong enough to nurture the forthcoming laws while facing these challenges.

The article is contributed by FDC, an Indian corporate law firm, through its interns.


Published by

F.S Dhiman
(Chief- Counsel)