In a nutshell: data protection, privacy and cybersecurity in India

All questions

Overview

A decidedly inadequate collection of statutes currently governs cybersecurity and data protection in India. Authorities constituted to regulate compliance and enforce penalties for non-compliance under the Information Technology Act 2000 and the Information Technology (Amendment) Act 2008 have been inactive for years, and very little significant jurisprudential development had occurred on the subjects of cybersecurity, privacy and data protection until late 2017. In 2013, the government drafted a National Cybersecurity Policy, which generated considerable interest both in India as well as abroad, particularly in view of India's position as an exponentially growing business process outsourcing destination. Sadly, progress on the policy was stymied for unknown reasons, reflecting rather poorly on the government's intention to provide clear, robust and watertight law on these matters.

This is not to say that the urgent need for change in this respect has not been recognised.

Subsequent to the government's launch of a heavily advertised campaign called Digital India in 2015, the major agenda of which was to create 'digital infrastructure' to facilitate the digital delivery of services and increase digital literacy, the prime minister has been involved in an aggressive attempt to compensate for lost time as regards the enhancement of cybersecurity. Digital India triggered major investment flows into the technology sector, and the campaign has caused questions to be raised in the media and academia about privacy and the protection of data, which will hopefully spur the government on to legislate more clearly and in detail on these subjects.

In 2016, Parliament passed the Aadhar Act, a piece of legislation aimed at the targeted delivery of financial benefits to the poor. Also under this Act, every Indian citizen was to be issued with a national identity card called the Aadhar card with a unique identification number similar to social security numbers in the United States.

In 2017, the government amended the Income Tax Act 1961 to make it mandatory for taxpayers to link their permanent account numbers to their Aadhar cards in order to file income tax returns, open bank accounts and conduct financial transactions beyond a threshold, to curb tax evasion and money laundering. In essence, this would provide the government with an enormous database of financial information on every citizen of the country, with no real protocols, safeguards or laws to regulate the storage, use and control of this information. The Department of Telecommunications also sought to use Aadhar cards as tools for subscriber verification from existing mobile telephone subscribers and made it mandatory for these cards to be linked to new mobile telephone connections.

The Aadhar Act was challenged in a series of petitions that questioned its constitutional validity. One question raised in these petitions was whether privacy is a fundamental right guaranteed under the Constitution of India. The verdict on these petitions was delivered by a nine-judge constitutional bench of the Supreme Court, which held privacy to be a fundamental right of every citizen under the Constitution. The move to link Aadhar cards to the financial and biometric information of all Indian citizens was also challenged before the Supreme Court. In September 2018, the Supreme Court upheld the Aadhar Act but struck down certain provisions therein. The Court stated that while the use of Aadhar cards will remain mandatory for the filing of income tax returns and issuance of permanent account numbers, Aadhar cards would no longer need to be linked to individual bank accounts or mobile telephone connections. Along with the recognition of privacy as a constitutionally guaranteed fundamental right by the Supreme Court in 2017, this development indicated the genuine interest of the judiciary in compensating for years of legislative apathy with specific regard to data protection and privacy.

The year in review

The government empanelled a 10-member committee under the chairmanship of Justice BN Srikrishna, a retired Supreme Court judge, to put together detailed reviews of current data protection laws as well as suggestions on how to fill judicial and legislative lacunae. The committee compiled an extensive report containing a draft data protection framework, along with the draft Personal Data Protection Bill 2018. Since 2011, various iterations of the Privacy Bill have been released, the latest of which was the Data Privacy Bill 2017. It appears that the draft Personal Data Protection Bill 2018 may be intended to replace the Data Privacy Bill 2017, although the intention of the legislature in this regard is unclear at the moment. Barring some limited overlap, both documents cover different aspects of the law, and perhaps the public interest will be better served if both were to coexist. A number of rounds of consultation have already been conducted on the draft Personal Data Protection Bill 2018, and extensive feedback has been submitted by various stakeholders, including the US government. The draft Personal Data Protection Bill 2018 may be brought before in Parliament later this year.

Outlook

There is no doubt that India urgently needs to take a keen look at its poorly regulated digital spaces and at the virtual activities of individuals, private organisations and governmental authorities alike. The several agencies performing cybersecurity operations in India, such as the National Technical Research Organisation, the National Intelligence Grid and the National Information Board, require robust policy and legislative and infrastructural support from the Ministry of Electronics and Information Technology, and from the courts, to enable them to do their jobs properly. The EU's General Data Protection Regulation may provide impetus for India in this regard, particularly given that not only will the regulation affect cross-border information flow (and India is a net information exporter), but also the EU has exposed several lacunae in the standards applied by the Indian government to the protection of data and enforcement of cybersecurity in a report following approval of its new data protection regulation. While it seems that the government is concerned and keen to bring about change in this sector, in view of India's rather poor record in prioritising these matters, optimism is not necessarily warranted at this stage.