March 21, 2019
March 28, 2019


After a while you learn that privacy is something you can sell,
but you can’t buy it back”
                                                                                                                                                                                        -Bob Dylan
These words seem to be true after the Cambridge-Analytica issue, where the Facebook shared the private information of its user for money. The other incidents which shook the conscience of the world and raised a concern for privacy worldwide are the revelations by Julian Assange, Edward Snowden of United States espionage. Due to this, the countries across the globe are working on bringing up a framework for data protection. This list includes countries like Pakistan, European Union, Britain etc. Moreover, the international instruments like Universal declaration of human rights[“UDHR”],[1] the International covenant on civil and political rights[“ICCPR”],[2] are committed towards privacy. Informational privacy first came into media through the petition of Karmanya Singh Sareen.[3] This case was about sharing of user information by WhatsApp to its parent company Facebook. The court did not take any clear stand here. This case was followed by Justice Puttaswamy’s petition claiming privacy as a fundamental right enshrined in the constitution. The Apex Court affirmed that privacy is a fundamental right while adjudicating the petition.
In 2017, the Apex Court foiled the plans of the Central government to link the various government schemes with Aadhar.[4] The court maintained that procuring the biometric data is a violation of right to privacy and thus linking of Aadhar is not mandatory. But this has caused a serious paradox. In order to combat the black money in the real estate sector, the Government was planning to make it mandatory to link Aadhar with the property.[5] This step could have further resulted in creation of a central database, compiling all information about the property with all the necessary details.[6] On the other hand, the Supreme Court has many a times, asked the government to take serious steps to wipe out black money from the Indian economy.[7] After this case, now an enigma has been created as to whether linking property with Aadhar will be remain legal.
The alleged sharing of unpublished price sensitive information[“UPSI”] on WhatsApp in Axis Bank, TATA attracted the attention of many in 2018.[8] The refusal by WhatsApp to share the information with Securities and Exchange Board of India[“SEBI”] caused much stir in the country. Questions were raised as to whether SEBI can take actions against the wrongdoers and WhatsApp. The problem was that there was insufficient regulatory framework which could justify any action by SEBI against WhatsApp besides approaching the courts. Within the SEBI Act itself, there are certain measures which allow SEBI to demand for information from a person/authority established under any central or state act.[9] But foreign companies like WhatsApp are not constituted under any of the Indian Act. Hence, they refused to comply with the directions of SEBI. Now, it seems that this controversy has finally been settled. The bill allows the authorities to process the personal data necessary for its functioning.[10] The TK Vishwanathan committee also recommends of giving power to SEBI to intercept phone calls and electronic communications.[11] But the problem still persists, because Information Technology Act prohibits any person from accessing any computer, computer system etc. of another without his/her permission.[12] This means that SEBI even after the bill will face issues in getting access to the personal information.
In its initiative to push for data protection, Reserve Bank of India[“RBI”] has made it mandatory for the payment companies to store the user data in India.[13] The foreign companies lured by the rapid growth in the Indian digital payment sector, are the worst affected by it. But this directive by RBI is not equally affecting every foreign company. Companies like WhatsApp, Google etc. which have just started off with their payment services are not facing much difficulty whereas companies such as Visa, Master Card, American Express having a long presence in India are finding it difficult to implement the changes. These companies are a bit reluctant to implement as this will require a complete infrastructure to store information in India. Further, it is a herculean task for the companies to fulfill the new obligations within the set deadline. This move will also allow the unfettered access to the RBI to the user data.[14]
‘In India’ or ‘Only in India’
The stand of RBI of storing data ‘only in India’, is not acceptable to the companies. The companies along with the Finance Ministry are lobbying for data mirroring. This will allow the companies to store their data outside India with the respective copies stored ‘in India’. Justice BN Srikrishna’s draft on data protection also advocates for data mirroring.[15] But it seems very unlikely that RBI will soften its stand. The purpose behind the direction was to ensure the unfettered monitoring of data and to prevent incidents like Cambridge-Analytica. Making the copies available to the authorities with the main data outside India will be of no use.
But in the author’s opinion, this act of RBI will not do any good. The circular clearly allows the authorities to monitor the data. But in the recent Puttaswamy judgment, the court held that Aadhar is not completely secured and the information can be easily leaked. Additionally, it will allow the authorities to snoop in the personal life of the individuals. Moreover, history is filled with instances where the regulatory authorities successfully get an access to the information using advanced technology. Apple’s fiasco to protect the data of a terrorist from FBI which hacked the phone to get access to information is an epic example of this. The case of Edward Snowden where the US spied on the personal details of people across the globe is the epitome of misuse of information by Government authorities.
Block chain is a sequential and logical data base of transactions recorded by a series of network where each piece of information is recorded on a specific block.[16] The bill imposes an obligation on the companies to protect the personal data.[17] Whether the companies (or the data fiduciary), should go for block chain technology because of the advantages it has? It is considered as a safe mode, free from any hacking as the information is divided into blocks, each connected to other. Every block is related to another through a digital signature, which if interfered even with a bit of information, will change the signature completely. Additionally, the information recorded through block chain technology is decentralized, making it free from any individual interference. The bill grants certain rights to the data principal against data fiduciary. These rights include the right to confirmation and access, right to correction, right to data portability, right to be forgotten etc. Further, anonymity in block chain is evident from the fact that bitcoin is completely based upon block chain. This has lured the terrorists and international hackers, making the cross-border payments easy.
Hence, using block chain with reference to bill for data protection can be a suitable option but before that it requires much deliberation.
“Power corrupts and absolute power corrupts absolutely”
After delving into deep, one thing is clear that there is a requirement of maintaining a balance between data privacy and reasonable intrusion. There has to be a reasonableness and not absoluteness. Upholding right to privacy for personal data is essential as it is something very personal to an individual. On the contrary, a proper monitoring of that data by the authorities is indispensable. In its absence, the user data might be prone to misuse including the chances of fraud also. This is a delicate issue which has to be seen from a reasonable insight.
In the author’s, the bill maintains this aspect of reasonability. On one hand, it affirms the rights of the data principal i.e. the user, over the way in which his data should be used. While on the other, it also recognizes the rights of the data fiduciary to use the information reasonably, to safeguard their business interests. The bill also allows the government authorities to access the data, while conducting investigation.
But in the author’s kind opinion, the bill does not deal with every area relevant for data privacy. The bill does not even touch the aspect of block chain, which is presently gaining much prominence. The block chain technology is being used around the world for recording the land titles, maintaining particular about the individuals etc. Keeping away ourselves from these concepts may hinder the very object for which the bill was introduced i.e. to protect the personal data as an essential facet of informational privacy.

[1] Article 12, Universal Declaration of Human Rights, 1948.

[2] Article 17, International Covenant on Protection of Civil and Protection Rights, 1976.

[3] Karmanya Singh Sareen v. Union of India, (2017) 10 SCC 638 (India).

[4] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1(India).

[5] Aadhaar linkage may stifle secondary realty sales, THE HINDU BUSINESS LINE (February 8, 2019) https://www.thehindubusinessline.com/news/real-estate/aadhaar-linkage-may-stifle-sec ondary-realty-sales/article9 974043.ece.

[6] Trust, privacy and India’s need to protect both, THE ECONOMIC TIMES (February 8, 2019) https://economictimes.indiatimes.com/news/politics-and-nation/trust-privacy-and-indias-n eed-to-protect-both/artic leshow/66025330.cms.

[7] Manohar Lal Sharma v. Central Bureau of Investigation, Writ Petition (Crl.) No.65 of 2016.

[8] Employees under lens for leaking earnings data, THE ECONOMIC TIMES (February 8, 2019) https://economictimes.indiatimes.com/markets/stocks/news/employees-under-lens-for-leak ing-earnings-data/articl eshow/64266422.cms.

[9] Section 11(ia), SEBI Act, 1992.

[10] Section 13, The Personal Data Protection Bill, 2018.

[11] Securities and Exchange Board of India, Rep. of Committee on Fair Market Conduct under the Chairmanship of Dr. T.K. Viswanathan(February 8, 2019), https://www.sebi.gov.in/reports/reports/aug-2018/report-of-committee-on-fair-market-conduct-fo r-public-comments_39884.html.

[12] Section 43, The Information and Technology Act, 2000.

[13] Section 10(2), Payment and Settlement Systems Act 2007.

[14] Notification of RBI on Storage of Payment System Data (February 8, 2019) https://www.rbi .org.in/scripts/NotificationUser.aspx?Id=11244&Mode=0.

[15] Section 40, The Personal Data Protection Bill, 2018.

[16] Shraddha Kulhari, The Midas touch of Blockchain: Leveraging it for Data Protection, Nomos Verlagsgesellschaft mbH (February 8, 2019), https://www.jstor.org/stable/j.ctv941qz6.6.

[17] Section 29, The Personal Data Protection Bill, 2018.



Saket Agarwal is pursuing B.B.A, LL.B from National Law University, Jodhpur. His areas of interest include corporate law, securities law, trade law, constitutional law.



In Content Picture Credit: LAWNN

Leave a Reply

Your email address will not be published. Required fields are marked *