Newsletter - Data Privacy in India – Need of the Hour - Jan 2021
WhatsApp has been in the news of late for its proposed privacy policy update. As of July 2019, WhatsApp had 400 million users in India, and its omnipresence is evident from our contact lists; yet if users do not consent to the new terms by February 8, 2021, they would have to stop using the application. At the core of the issue is apprehension on the privacy front, and speculation has played a major part in users preferring to evaluate other messaging options. The apprehension has created the necessary spark to discuss data privacy across India and raise user awareness. The lack of adequate personal data protection legislation in India has become even more evident with this episode. The current Information Technology Act, 2000 is quite inadequate when compared to the comprehensive Personal Data Protection Bill, 2019. We will take a deep dive into the issue and evaluate how the legal framework and business practices play an important role in handling privacy.
What is new in WhatsApp Privacy Policy
The policy is mainly focused on users messaging business accounts and does not compromise the content of encrypted private messages; rather, it shares metadata such as phone number, payment transaction data, mobile device information, IP address, etc.1 The policy also provides WhatsApp business accounts with specific data metrics. Yet when we compare the privacy policy that is being updated in India with that of the European Union (“EU”), a difference is noticeable in how the shared data will be collected and used.2 The contrast in policies is due to the absence of a comprehensive data protection law and an alert data protection authority in India. It is in the nuances of a privacy policy that the legal framework plays an important role.
Larger questions regarding the need for a data protection framework and privacy policies
The Personal Data Protection Bill, 2019 is under review by the Joint Parliamentary Committee and is bound to be presented before the Parliament this year. In the meantime, there is a glaring gap in the law when it comes to protecting an individual’s right to privacy. The migration of users to privacy-friendly businesses is a welcome yet inadequate sign of the evolving privacy environment in India. The increasing user awareness regarding privacy is a sign for businesses to project a privacy-conscious image. While most businesses have already implemented the General Data Protection Regulation (GDPR) operational in the EU, the remaining businesses need to start integrating privacy practices.
The Personal Data Protection Bill, 2019 had envisaged clauses inspired by the GDPR. Some key aspects are:
• Wide scope and extra territorial application of the law
• Classification of data based on sensitive personal data, critical personal data with added compliances
• Establishment of a data protection authority
• Increased compliance with privacy principles along the lines of GDPR
• Increased compliance where children’s data is involved
• Rights of individuals regarding their personal data
• Frameworks for cross-boundary data transfers / data localisation requirements
• Sharing of personal and non-personal data with the government
• The designated authority and government will have greater power in coming up with codes of conduct and deciding what is critical data
• Large penalties for contravention of the law
The Joint Parliamentary Committee in charge of reviewing the Personal Data Protection Bill, 2019 has come up with substantial changes and is set to present its recommendations at the start of 2021. The suspense mounts regarding how the committee has dealt with certain key conflicts and issues in the bill. We will be coming up with an update on the evolution of privacy laws in India to put into context the new report that will shortly be tabled before the Parliament, along with other recent developments on privacy laws in India.