Privacy protection: Need for proactive cyber legal approaches in India

By Pavan Duggal

Social media sites are governed under the Indian Cyberlaw. The Information Technology Act, 2000 treats social media sites as intermediaries, since they are legal entities, who on behalf of another person, receive, store or transmit electronic records and also provide services with respect to those records.

Social media sites are mandated under the Indian Cyberlaw to exercise due diligence while discharging their obligations under the law. Further, while the social media sites are dealing, handling or processing sensitive personal data, there are other sets of compliances that are required to be undertaken by the said sites.

Many of these parameters have been detailed under the Information Technology Rules, 2011. However, most of the social media companies are observing the Information Technology Act, 2000 and also rules and regulations made thereunder in breach, rather than in observance.

Image Credit: Reuters

Image Credit: REUTERS

India does not have a dedicated law on privacy, as also on data protection. Consequently, the sharing economy ecosystem aspects are not adequately dealt with under the Indian Cyberlaw. If social media sites shares data with third party legal entities in India, for any purposes other than business and marketing objectives, there is not much effective legal remedies that are available.

In fact, even the Information Technology Rules, 2011 in the year 2011 only concentrated on compliances for entities who are dealing, handling or processing sensitive personal data. Lot of users’ data may not be sensitive personal data but may qualify as personally identifiable information. Hence, there is an urgent need to revisit and amend the Indian Cyberlaw to provide for specific provisions to govern sharing of the said data with third parties by social media websites.

Terms and Conditions need to be clear

terms and conditions

A lot of websites provide very detailed terms and conditions mandating all users to accept terms and conditions before they can download the relevant app or grant access to services provided by the said service providers. Majority of users go ahead and accept the said terms and conditions. The law recognises the accepting of the said terms and conditions by the user as electronic contract. It is the responsibility of the user to read the terms and conditions before accepting the same. If a user accepts the said terms and conditions without going through them and without understanding the legal ramifications of the same, he or she is alone responsible for the legal consequences emanating therefrom.

Independent of this, there is no doubt that companies need to put their terms and conditions in crystal clear understandable language so that it can be understood by any lay person.

I personally believe that terms and conditions should not become fishing tools to target unsuspecting genuine and bonafide users and used them as the handle for depriving them, their legitimate rights. The terms and conditions should not become an instrument for signing off rights and liberties and privileges. Further, terms and conditions need to be displayed in a conspicuous manner. The onus must be put on the service provider to ensure that they should at least make the user understand the legal ramifications of the terms and conditions.

There are reports in the public domain as to how data from social media companies was shared with third party which would be ultimately used by authorities. The grounds on which snooping can take place should be strictly regulated. The legislative provisions must be clear and unambiguous in this regard.

Further, when third parties misuse the APIs of social media sites, then they alone would be responsible for the legal consequences emanating therefrom. Needless to say, social media sites must have crystal clear policies detailing the exact rights and duties of APIs users and further elaborate the consequences for misuse of APIs, in the event the user data is misused by the said third party against public.

Apple CEO Tim Cook Tech2 720

Apple has already shown the way forward by concentrating on privacy as an important USP. Social media service providers also need to focus on personal and data privacy to keep on retaining their customers’ trust and confidence.

Need for a stronger privacy law

Going forward, there is an urgent need for India to take a strong view on privacy in terms of legislative frameworks. Unfortunately, at the time of writing, India does not have a dedicated law on privacy. The Information Technology Act, 2000 hardly has effective provisions to protect any data and personal privacy in the digital ecosystem. The Indian Government needs to come up with strong privacy law which can protect both personal privacy and data privacy in an effective manner.

Further, with the onset of new things like Internet of Things, it is imperative that enabling legal frameworks for protecting and preserving personal privacy and data privacy must be in place in India.

India could have various models to choose from. It could either choose a regulator/authority driven approach. Alternatively, it could also be choosing more bottoms-up approach to privacy. Whatever approach India adopts, one thing is crystal clear. Any cut-and-paste approach in India would not work and merely reproducing some provisions on privacy from other countries without customising them to keep in mind the specific Indian conditions as a methodology would not work. We will need to have our own customised approach and provisions to protect privacy, both personal and data, in the Indian conditions.

This is one area that requires urgent and immediate attention. All stakeholders have to quickly realise that protecting data privacy and personal privacy are important pillars which can help contribute to the further strong development of digital ecosystem and the mobile environment.

The author Pavan Duggal, Advocate, Supreme Court of India, is Asia’s & India’s leading expert and authority on Cyberlaw, Cyber Security Law & Mobile Law and has been acknowledged as one of the top four cyber-lawyers in the world. He can be contacted at his email addresses and More about the Author is available at 

Published Date: Jan 12, 2017 09:38 AM | Updated Date: Jan 12, 2017 09:38 AM