Indian data laws that made the headlines
J Sagar Associates, Bengaluru
The year 2020
The Covid-19 pandemic brought the world to its knees in 2020, revolutionising life as we know it. History will remember the coronavirus for the mayhem it wrought worldwide: the despair of the health sector, the slump in economies, governments struggling to provide essential commodities to citizens, and a world in lockdown. While it may be difficult to find any silver lining in the disasters that beset 2020, one plus was the acceleration of India’s digital world. The general inertia regarding the application of technology gave way to a more tech-savvy India, and the country began to establish itself as a major player in the digital economy.
As a necessary corollary, the spotlight was on data. Data law enthusiasts will remember 2020 for reasons other than the lockdown, working from home and the general dislocation of normal life. India Inc began to focus on the good, the bad and the ugly of all things data. As a result of such deliberations, the government began testing the data regulation waters. In this piece, we revisit the government’s most critical data moves which made headlines around the world.
Banning Chinese apps
In an unprecedented move, the Government of India (GoI) blocked several mobile applications offered by Chinese developers between June and September 2020. Banned applications include TikTok, UC Browser, WeChat and Shein. A press release stated the bans were the result of these apps being ‘prejudicial to the sovereignty and integrity of India, defence of India, and security of the state and public order’. In this context, it may be pertinent to note that the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009 empower the GoI to block applications for certain reasons listed under the law. As such, the GoI justified the ban on the grounds that several complaints alleged these applications were transmitting user data in an unauthorised manner outside of India. The banning of apps is touted as one of the strongest protectionist measures by the GoI to safeguard the privacy rights of citizens.
Contact tracing and the Aarogya Setu app
To say that the Covid-19 pandemic forced Indians, as global citizens, to re-think long-held democratic liberties would not be altogether incorrect. Tough circumstances have called for tough measures the world over. Some of those measures are backed by disruptive technology, and India is no exception.
Like several other countries, India is adopting emerging technologies to fight the pandemic. One such technology is the Aarogya Setu application. The app was developed on the premise that if two persons are close enough for their devices to connect via Bluetooth, they are potentially close enough to spread the Covid-19 virus. While the idea itself is plausible, experts have expressed concerns about the app, particularly from a privacy and data security standpoint. In addition, a security glitch was recently exposed in which certain elements of user data provided to the app were accessible to YouTube servers. Thankfully, our world is still governed by rules under which concepts such as health and privacy need not conflict with one another.
Schrems II judgment and impact on transfer of data to India
In a landmark decision in Data Protection Commissioner v Facebook Ireland (‘Schrems II’), Maximilian Schrems changed the global perception of data transfers. Schrems II invalidated the Privacy Shield and affirmed the need for a higher degree of care. Indian companies receiving data from the European Union have traditionally relied on standard contractual clauses and binding corporate rules to comply with the General Data Protection Regulation (GDPR). Following Schrems II, a data transfer proposal requires due diligence showing that the recipient country outside the EU can guarantee a high standard of data protection to EU data subjects. Though the flow of data to India has not abruptly stopped, companies are taking proactive steps to ensure that recipients have adequate controls in place. A noticeable trend is a rise in enquiries about mitigation measures and the framing of an adequate data transfer framework.
It should be remembered that India has adequate controls in place for surveillance and monitoring. That said, companies sending data to India will need to review their data flows and consider adopting supplemental measures that ensure an adequate level of data protection at all times.
Regulating data obtained by vehicle aggregators
It is commendable that all government departments in India are taking the concept of ‘data’ more seriously. One such department is the Ministry of Road Transport and Highways which, in November 2020, published the Motor Vehicle Aggregator Guidelines, 2020 (‘Aggregator Guidelines’) with the objective of governing vehicle aggregators and thereby promoting ease of doing business, customer safety and driver welfare. The Aggregator Guidelines, among other obligations, require that data generated on an aggregator’s application or website be stored in India for a minimum of three months and a maximum of 24 months from the date the data is generated. The data must also be accessible to state governments after due process is followed. Given that the focus is to serve the larger public interest, any data relating to customers shall not be disclosed without the customer’s written consent. Furthermore, concern over the increased number of cyber security attacks has resulted in the requirement that the applications of these aggregators be certified by a recognised cyber security firm.
Liberalising geospatial and mapping data
The GoI has liberalised the regime governing geospatial and mapping data – a reform that is being hailed as a ‘game-changer’. On 15 February 2021, the GoI issued the Guidelines for acquiring and producing Geospatial Data and Geospatial Data Services including Maps (‘2021 Guidelines’). The 2021 Guidelines clarify that no prior approval, security clearance or licensing is necessary (until certain thresholds are met) for the collection, generation, preparation, dissemination, storage, publication, updating and/or digitisation of geospatial data and maps within India’s borders. This is a radical change from the law proposed previously, which sought to subject mapping to a strict licensing regime.
Companies engaged in sectors such as e-commerce, logistics, supply chain management and urban transportation depend on location-based data to function. Most companies using geospatial data in India were subject to several restrictions prior to the 2021 Guidelines. For instance, Amazon, Swiggy, Zomato, Uber and Ola technically ‘needed’ government approval to process geospatial information. Now, the 2021 Guidelines have opened up endless opportunities for the entire geospatial data ecosystem.
Payment Aggregator Guidelines
On 17 March 2020, the Reserve Bank of India issued the ‘Regulation of Payment Aggregators and Payment Gateway’ (‘Payment Aggregator Guidelines’), which seeks to regulate the activities of payment aggregators and gateways in India. The Payment Aggregator Guidelines introduce several controls for effective governance, coupled with some interesting data-linked obligations.
Payment aggregators are prohibited from storing customer card credentials within their database or on a server that is accessible by the merchant. The data localisation norms applicable to payment system operators – (i) storage of complete end-to-end transaction data in systems in India; (ii) deletion of any data processed abroad; and (iii) bringing that data back to India within 24 hours – also apply to payment aggregators.
The Payment Aggregator Guidelines also mandate risk assessment of systems, processes, merchants and vendors, and prescribe adherence to specified data security standards. Further, data security controls apply even to regulated entities that outsource certain functions.
With the surge in digital payments in India, the GoI aims to clarify the applicable regulatory regime so that the boom in fintech companies is not hindered by opaque laws.
Intermediaries Rules
In February 2021, the GoI announced the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules 2021 (‘Intermediaries Rules’). The Intermediaries Rules seek to regulate entities transmitting content through digital media. They will apply to intermediaries and publishers operating in India as well as to overseas entities or platforms that target Indian users.
Among other obligations, the Intermediaries Rules require intermediaries to provide identity verification information to any lawfully authorised government agency for the prevention, detection, investigation and prosecution of offences, or for cyber security incidents. They must do so no later than 72 hours after receiving a written order. Further, intermediaries are also required to preserve, maintain and/or store information collected for the registration of a user for 180 days after the registration is disabled or withdrawn.
While the law is in the news for various reasons (right and wrong), two categories of entity that will be significantly impacted are social media intermediaries and over-the-top media services, the content of which is currently moderated by the GoI directly. The law stipulates that a significant social media intermediary providing primarily messaging services must be able to identify the ‘first originator’ of information on a computer resource. It is being argued that this provision may undermine the concept of end-to-end encryption and will dramatically impact the privacy of social media communication. Intermediaries such as WhatsApp may need to break end-to-end encryption, which could dent a privacy protection framework that is secure by design.
Social media intermediaries are required to appoint personnel such as a chief compliance officer, a nodal contact person and a grievance officer. These identified personnel must be resident in India. This may be a challenge for entities such as Signal and Telegram, which do not have offices in India, and for several others which will now carry an additional operational burden.
Unmanned Aircraft System Rules
The Unmanned Aircraft System Rules 2021 (‘UAS Rules’), notified in March 2021, pave the way for new laws on unmanned aircraft. The applicability of the UAS Rules has been extended to all drones registered in India, even when they are operating outside Indian borders.
The UAS Rules provide that an authorised unmanned aircraft system operator shall be responsible at all times for ensuring the privacy of persons and their property during operation. Further, operators are also required to ensure that data collected during operation is not shared with any third party without the prior permission of the person to whom the data pertains.
In addition, protectionist measures have been adopted under which the GoI may exempt any ministry or department of the central or state government, or any agency thereof, from the requirement to hold an operator permit if doing so is in India’s security or national interests.
The Personal Data Protection Bill
While India has made significant headway in respect of laws governing data, the scope for more progress is evident. Data protection in India is still governed by the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, issued under Section 43A of the IT Act. The Personal Data Protection Bill (‘PDP Bill’), which is designed to encapsulate the law on the subject, was slated to be deliberated on and passed by the GoI. However, because the PDP Bill has been impeded by glaring ambiguities, it is currently being analysed by the Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders. The JPC has been tasked with providing a detailed assessment of the PDP Bill and identifying its shortcomings in a modern digitised economy.
Based on feedback from the JPC, the PDP Bill is expected to be substantially amended. Though no formal version has yet been floated, there is conjecture that at least 89 amendments have been made to the initial draft. Once the PDP Bill is passed, companies engaged in data usage will need to rethink their priorities: whether the data in their possession is actually an asset, or whether the compliance obligations outweigh the benefits. The new requirements will undoubtedly raise the level of compliance and, with it, the associated costs.