The recent judgment of the Supreme Court, which declared privacy a fundamental right, noted: “Knowledge about a person gives a power over that person. The personal data collected is capable of effecting representations, influencing decision making processes and shaping behaviour.” With the unearthing of the Cambridge Analytica (CA) scandal, this is truer than ever. While the debate continues regarding the degree to which CA’s actions have influenced elections worldwide and the form in which the data was shared, undeniably, there has been misuse of data.
It was recently discovered that data of approximately 50 million users of a social media platform was unauthorisedly provided to a political consulting firm, and was allegedly used by that firm in engineering the outcomes of inter alia the United States presidential election and the United Kingdom’s referendum on exiting the European Union. In 2005, several users of the social media platform had taken an application-based personality quiz, which not only accessed the users’ personal data, but also that of their entire network. It has emerged that these very data were later shared by the owner of the application to CA for a consideration.
Whether an aggrieved data subject in a similar circumstance will have effective recourse in India is an opposite question. This article seeks to provide an overview of how the concept of “consent” is covered within the existing relevant legislations in India, and the nature of remedies available under them.
Consent is key
The ideas of “informed consent” and “purpose limitation” are touched upon under Privacy Rules framed under the Information Technology Act, 2000, (IT Act) at a very peripheral level, but have not been developed further.
The Privacy Rules permit a body corporate that collects any sensitive and personal information or “SPDI” (that is, personal information such as passwords, financial information and health information that is capable of identifying a person) to collect such information as long as (a) it is for a lawful purpose connected with a function or activity of such body corporate, and (b) considered necessary for that purpose. This nebulous language, coupled with craftily worded privacy policies, has allowed organisations to assimilate data to create data repositories.
The Supreme Court’s privacy judgment has further emphasised on the importance of consent and that use of data should be limited to the purpose for which it was collected. These concepts have also been echoed in the views of the expert committee headed by Justice (Retd.) Srikrishna for devising a data protection framework for India (“expert committee”) in their white paper.
The expert committee noted that individuals are often concerned with the immediate benefit that they derive and are unable to make an informed choice about how their information may be used by organisations in the long run. The European Union’s General Data Protection Regulation (EU GDPR), which will be implemented from May 25, 2018, onwards, aims to address this situation by mandating that consent needs to be expressed by a “statement or clear and affirmative action”. To this end the expert committee, while relying on the provisions of EU GDPR, has opined that “for consent to be valid, it should be freely given, informed and specific” as a part of its provisional view.
There are consequences stipulated for failure to protect data under the IT Act. However, the liability of the body corporate to pay damages arises when it is demonstrably negligent in implementing reasonable security practices, which causes wrongful loss to a person. In other words, to succeed in an action for damages, the aggrieved party is required to prove both these elements. Another provision prescribes an imprisonment of up to three years, a fine of up to rupees five lakh or both in case data is disclosed in breach of a contractual duty or without the consent of the data subject. However, even in this case, it must be established that the aggrieved party has suffered a wrongful loss. Notwithstanding the punishment with imprisonment, the quantum of fine is insufficient to act as a deterrent. For these reasons, an overhaul of the IT Act is required in view of the expert committee.
The EU GDPR prescribes a hefty penalty upwards of euro 20 million or 4 per cent of the global revenue, however its practical utility is yet to be seen.
What lies ahead
Individuals are increasingly becoming aware of their rights with respect to their data. As legislations like the EU GDPR come into force, they vest people with the ammunition necessary to safeguard their interests, while ensuring that data controllers and processors are held accountable for their actions, or in some cases, inactions.
In India, the shortcomings in the data protection framework are palpable. However, with the impetus provided by the “privacy judgment” and substantial ground covered by the expert committee, comprehensive data protection legislation for India, which will be on a par with its global counterparts, may soon become a reality. In the meantime, one can hope that if a similar incident as the CA scandal were to take place in the future, such law will empower individuals.
Walia is associate partner and Chandra is senior associate, Khaitan & Co., New Delhi