Nov 09, 2016 10:32:39 IST
By Asheeta Regidi
The difference UK’s comprehensive data protection law makes
The UK has a dedicated data protection law: the Data Protection Act, 1998. This establishes the Information Commissioner’s Office (the ICO), which is exclusively responsible for data protection. This law establishes several procedures with respect to data processing and use. Under this law, the company in possession of user data, here Whatsapp, has to notify the ICO of any changes being made to its use of the data. On being notified, the ICO has a right to review the change and consider if the change can cause substantial damage or significantly affect the rights of the users. This discretionary power granted to the ICO makes all the difference in the world.
The ICO has exercised this power in writing to Facebook asking it to discontinue its use of Whatsapp data. The Information Commissioner, Elizabeth Denham, objected to the fact that how the data was to be used had not been explained properly to the users. This made the consent obtained invalid under the UK law. Additionally, the ICO objected to the 30-day limit of opting out, insisting that users should be given ongoing control over how their data is used. Under the UK law, a user must have the option to withdraw his consent for the use of his data at any time.
Since Facebook’s move violated UK law, it was forced to pause its use of Whatsapp data, or face enforcement action against it from the ICO. The ICO insisted that users be given an unambiguous choice for allowing Facebook to use their data, and that they be allowed to make this choice at any point of time. Facebook is yet to agree to this.
India has no specific data protection law
India, on the other hand, has no dedicated data protection law. India’s sole privacy legislation is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These rules serve only to protect the use and disclosure of ‘sensitive personal data’. This is a closed list of information, such as information of a person’s identity, financial information, health conditions, biometric information, etc.
The vast troves of data in the possession of Facebook and Whatsapp, such as messages, photographs, contact lists, etc., do not fall under the category of ‘sensitive personal data’. Thus, even though Whatsapp would be sharing one category of sensitive personal data, the user’s identity, for the most part, the IT Sensitive Data Rules do not apply. Even under the Information Technology Act, 2000 itself, the only data protection rules, again, pertain only to the use and collection of sensitive personal data.
Right to privacy as a fundamental right is in question
To be a fundamental right justifying a writ, the right to privacy needs to be read into the constitutional right to life, guaranteed under Article 21 of the Constitution of India. As it happens, there have been several conflicting decisions both supporting and rejecting the theory that the right to privacy is a fundamental right. As a result, this issue has been referred to the Supreme Court of India, in K.S. Puttaswamy v. Union of India, and the final decision is pending. Until this is done, the right to privacy is not a fundamental right yet. This prevented the Delhi High Court from taking action on the ground of violation of a fundamental right.
Facebook’s Take-It-Or-Leave-It approach is legal
Additionally, the Delhi High Court observed that Whatsapp and Facebook users have been given the option to opt out. As long as this option is available, the actions of Whatsapp were legal. This is, in fact, the rule laid down under the IT Sensitive Personal Data Rules: the user has the option to withdraw consent, and the company, here Facebook, has the right to refuse to provide its services in return. Therefore, Whatsapp’s take-it-or-leave-it approach is perfectly legal.
Moreover, sharing of data is permitted if the user’s consent has been obtained. As Whatsapp had acquired permission, the disclosure of the data to Facebook was legal. There is no requirement under the IT Sensitive Personal Data Rules that the users need to be aware of what they are consenting to; so long as they consent, it is legal.
India needs a data protection law
As the Information Commissioner notes, we live in an era where we are increasingly reliant on digital services. User data has become an asset to be bought and sold, with several company mergers being made for this very purpose. The dangers of combining such information are very great, and this needs to be stopped. Any vagueness in the terms and conditions to which users consent should not be allowed.
The IT Act and the IT Sensitive Personal Data Rules are completely inadequate in dealing with the requirements of data protection and privacy today. The questioning of the right to privacy as a fundamental right makes this even more worrying. The need for a comprehensive data protection regulation in India can no longer be ignored.
The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.