WhatsApp has recently updated its privacy policy. Subsequently, it has given us a take it or lose it offer. This step created huge uproars among people. Suddenly, all of us become conscious of our privacy. Showing a rare example of our unity, we made ‘signal’ the most downloaded app in India! Privacy activists filed Public Interests Litigations in the Supreme Court and High Courts. Even the Government of India has written to WhatsApp regarding its privacy policy! We at the individual level have deleted WhatsApp or shifted to Telegram/Signal to protect our privacy. However, I want to ask you all a simple question. Do we care about privacy? When previously you had read the privacy policy of the website/App before clicking at I agree? Do you hesitate in allowing an app to read your message and access your phone content? These apps generally do not even ask for your permission. Several apps can read your message, access your photos and contacts, collect your locations without your knowledge. Most of these apps do not have privacy policies at all. Hence, we do not know what data they collect and how do they use our data. They can even sell our personal-sensitive data to phishing agencies. We have witnessed the incident when phishing agencies accessed our OTP by screen mirroring our phones. WhatsApp is at least informing us that what information it is collecting and how it is using it! Hence, uninstalling WhatsApp does not suffice our problem in protecting our privacy. We have a lot of issues to debate and deliberate. In this article, I am explaining to you the legal position of privacy law in India.
In 2018, the Honorable Supreme Court, in the case of Justice K.S. Puttaswamy (Retd) vs. Union of India pronounced that ‘right to privacy’ is our fundamental right under Article 21 of the Indian Constitution. Indeed, it gave us a sense of security that no one can breach privacy as any such action amounts to breaching fundamental rights. However, when the euphoria of 2018 judgments ended, we find that nothing much has changed on the ground level. The collection and sale of our personal data is the staple of most of the Apps that claim to be free App. We need to remember that if we do not pay for a product then we are a product! Unfortunately, we do not have much-needed privacy legislation to deal with breach of Privacy and regulate information collection. The Personal Data Bill, 2019 is yet to pass from Parliament. We do not know how much time it will take to be enacted legislation. In essence, the entire domain of privacy law in India is governed under an executive order Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (2011 Rules). The 2011 Rules have been framed under Section 43A of the Information Technology Act, 2000 (“IT Act“).
Section 43A was inserted in the Information Technology Act, 2000 in the year 2008. Section 43A requires the maintenance of reasonable security practices and procedures by bodies corporate that possess, deal or handle any sensitive personal data or information and provides for compensation for failure to protect such data) and Section 72A, which penalizes intentional personal data breach. Accordingly, the 2011 Rules were enacted. IT Act read with 2011 Rules provides a framework of data protection in India. However, in my opinion, the same is not adequate in 2021. The existing laws are applicable only to body corporate. Hence, we shall not be able to sue a common app developer who breaches our privacy if it is not a body cooperate. 2011 Rules has narrowly defined Personal Sensitive Information. Under 2011 Rules only passwords, financial information such as bank account or credit card or debit card or other payment instrument details, physical, physiological, and mental health condition, sexual orientation, medical records and history, biometric information is considered as sensitive personal data. However, information like official identifier, sex life, genetic data, transgender status, intersex status, caste or tribe, and religious or political belief or affiliation, etc. are not considered as Personal Sensitive Information. Further, 2011 Rules have been made under IT Act. Hence, it shall be applicable only to personal data or information which is in an electronic format or a computer resource. It would not apply if any personal data is held in a non-electronic form, such as in a physical register or other hard copy documents. We need a law that should be applicable to all sensitive data whether or not collected online. Poor execution of the mandates under the 2011 Rules is another issue. For example, Rule 4 of the 2011 Rules requires everybody corporate (or any person who on behalf of the body corporate) that collects, receives, possesses, stores, deals or handles information of the information provider, to provide a privacy policy. However, we find that there are so many websites and Apps floating without any privacy policy-violating the 2011 Rules. 2011 Rules mandates that Body Corporate shall collect information strictly on a need basis and use the same only for the specified process. Unfortunately, most of the Apps collect irrelevant information like contact details saved in our phone, our photos, and other private information. These App can read personal messages, collect confidential information like passwords and OTP. This is the reason how a fraudster robs money from the banks even without us sharing password/OTP! 2011 Rules also mandates that a Body Corporate shall appoint Grievance Officer to address the grievances of an aggrieved person under the Rules. Again, we can see that nobody follows this. The 2011 Rules further mandates that a body corporate needs to take the prior information from the person before sharing his/her personal data to any third party (subject to few exceptions). Unfortunately, many business organizations treat our personal data in an unregulated manner as their own property. They use/transfer the data in the manner they find profitable. 2011 Rules also talks about penalties for the breach. However, it is rare to find that someone has been punished in violation of the 2011 Rules. It is disheartening to note that we do not have consolidated legislation related to privacy. Our existing laws are neither adequate nor properly executed.
Hence, if we care about privacy, merely deleting WhatsApp shall not suffice. At an individual level, we need to be very cautious while installing an App on our phones. We should be alert while providing this App access to our phone. We should not click on random links sent via text messages/Apps. The government should enact the Indian data protection law at the earliest along with the execution framework.
We are sitting in 2021. This is an era of corporate surveillance. We have to care about our privacy!
Photo credit: https://in.pcmag.com/
