Access & Use of Personal Data: Understanding Indian Regime

The processing of personal data is already pervasive as the world moves toward a digital economy. Practically every activity of an individual entails some form of data exchange; this is a fact of the digital environment. Most large businesses today are data-driven, and new industries devoted to the gathering, organising and processing of personal data have emerged, which directly or indirectly rely on the internet to run their business models.

Research Questions:

  1. What is the current privacy and data protection framework in India?
  2. What is the current legal status of personal data analysis or behavioural analysis?
  3. Are foreign governments and their policing agencies allowed to store personal data of Indian citizens?
  4. Is facial data personal data, and is the use of facial recognition technology (FRT) violative of the data protection regime of India?

Important Documents:

  1. The Personal Data Protection Bill, 2019 (as introduced by the Minister for Electronics and Information Technology, Mr Ravi Shankar Prasad).
  2. Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (tabled on December 16, 2021).
  3. Information Technology Act, 2000.
  4. Aadhaar Act, 2016.

1. CURRENT LEGAL POSITION OF PERSONAL DATA AND ITS SCOPE

India's existing legal framework for privacy and data protection is made up of several laws, rules and regulations, each dealing with a distinct facet of data protection. The following may be referred to for a detailed understanding:

Information Technology Act 2000:

The Information Technology Act, 2000 (IT Act) is the key piece of legislation pertaining to data protection.

  • Under Section 43A of the Act, a body corporate that possesses, deals with or handles sensitive personal data or information is liable to pay damages if it is negligent in implementing and maintaining reasonable security practices and procedures and that negligence causes wrongful loss or wrongful gain to any person.[1]
  • Under Section 72A, a person who, while providing services under a lawful contract, discloses personal information obtained in that capacity to a third party without the consent of the person concerned (with intent to cause, or knowing it is likely to cause, wrongful loss or gain) is criminally liable.[2]
  • The IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011[3] (SPDI Rules) should be read with these provisions: they define sensitive personal data or information[4] and set out the steps a body corporate must take when collecting, disclosing and transferring such information.[5] The Rules also specify what counts as reasonable security practices and procedures.[6]
  • Service providers, intermediaries, data centres and body corporates are required to report certain types of "cyber security incidents" to CERT-In under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013[7] (CERT-In Rules); other incidents may be reported voluntarily.
  • As to consent as a contractual matter, all common forms of electronic contract are enforceable in India (Sections 4 and 10A, electronic contracts), so handling personal data in breach of the terms of service under which it was collected is also a breach of contract.[8]
  • Gaining unauthorised access to a computer resource, or extracting data from one without the permission of its owner or the person in charge of it, is also unlawful.[9]

Data Protection Regime:

The Joint Parliamentary Committee report on personal data protection[10] and the proposed data protection bill[11] are intended to promote the development of the digital economy while safeguarding the privacy of citizens. In practice, a strong legislative framework for data protection will:

  1. keep people's personal information safe and secure; and
  2. serve as the cornerstone for India's data-driven innovation and entrepreneurship.

The Joint Parliamentary Committee report on the PDP Bill defines personal data and personal data breach as follows:

  • Personal data: "data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling."
  • Personal data breach: "any unauthorised including accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data to a data principal."
  • Sensitive personal data: the 2019 Bill permitted the processing of publicly available personal data without the data principal's consent.[12] The Report removes this exemption for publicly available information, departing both from the 2019 Bill and from the SPDI Rules under the IT Act, under which information freely available or accessible in the public domain is excluded from the definition of sensitive personal data or information (SPDI).[13]

Thus, unlike the 2019 Bill, the 2021 Report treats publicly available information as personal data too, for which consent is mandatory.

  • Section 15[14] of the proposed draft provides for the categorisation of sensitive personal data. Such data has to be interpreted in light of the contextual expectation that it will be kept confidential and of the extent to which consent was given. Hence, when persons give data to certain entities, their consent extends to those entities only.
  • Under Section 34(b)(iii),[15] such sensitive personal data shall not be shared with any foreign government or agency unless such sharing is approved by the Central Government.

Analysing Consent:

Under the PDP Bill 2021, firms would be required to inform data principals about their data-gathering activities and obtain their consent. They would have to gather and retain proof that such notice was given and that consent was granted. Because the Bill grants data principals the right to withdraw consent, firms would also have to build mechanisms to enable this.

On this point, Section 11(3) of the J-PDP[16] provides that such consent should be:

  • explicitly obtained in respect of sensitive personal data and its processing;
  • informed, with the data principal told of any purpose of, or operation in, processing that is likely to cause harm;
  • clear, communicated in terms that are meaningful without recourse to inference from conduct or context; and
  • specific, with the data principal given the choice of consenting separately to the purposes of, operations in, and use of different categories of such sensitive data.
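To make these requirements concrete from an engineering standpoint, the following is an added example (not part of the original page, and not drawn from any Bill text) of a consent ledger a data fiduciary could keep: it refuses consent for sensitive categories unless it is an explicit act, stores the notice text as evidence that notice was given, authorises processing only for the exact purpose and category consented to, and honours withdrawal while retaining the record. The category names, purposes and principal identifier are assumed for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Assumed sensitive categories for illustration only; the Bill's own list is longer.
SENSITIVE_CATEGORIES = {"biometric", "health", "financial", "genetic"}


@dataclass
class ConsentRecord:
    """One consent event, kept as evidence that notice was given and consent obtained."""
    principal_id: str
    purpose: str                 # the specific purpose consented to, e.g. "account_login"
    category: str                # the data category, e.g. "biometric"
    notice_text: str             # the plain-language notice shown to the principal
    harm_disclosed: bool         # whether any likely harm of the processing was disclosed
    explicit: bool               # True only for an affirmative act, never inferred from conduct
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Append-only ledger: records are never deleted; withdrawal stamps the record instead."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, principal_id: str, purpose: str, category: str,
                       notice_text: str, harm_disclosed: bool, explicit: bool,
                       at: Optional[datetime] = None) -> ConsentRecord:
        # Sensitive categories require explicit consent; anything inferred is refused.
        if category in SENSITIVE_CATEGORIES and not explicit:
            raise ValueError(f"explicit consent required for sensitive category {category!r}")
        if not notice_text.strip():
            raise ValueError("consent given without a notice is not informed consent")
        rec = ConsentRecord(principal_id, purpose, category, notice_text, harm_disclosed,
                            explicit, at or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str, category: str,
                 at: Optional[datetime] = None) -> int:
        """Withdraw every active consent matching (principal, purpose, category); returns the count."""
        when = at or datetime.now(timezone.utc)
        count = 0
        for rec in self._records:
            if (rec.principal_id, rec.purpose, rec.category) == (principal_id, purpose, category) \
                    and rec.active():
                rec.withdrawn_at = when
                count += 1
        return count

    def may_process(self, principal_id: str, purpose: str, category: str) -> bool:
        """Purpose limitation: consent for one purpose/category never authorises another."""
        return any(rec.active() and rec.principal_id == principal_id
                   and rec.purpose == purpose and rec.category == category
                   for rec in self._records)

    def evidence(self, principal_id: str) -> List[dict]:
        """Everything a regulator could ask for about one principal, withdrawn consents included."""
        return [asdict(rec) for rec in self._records if rec.principal_id == principal_id]


def demo() -> dict:
    """Constructed scenario: biometric consent given for login only, then withdrawn."""
    ledger = ConsentLedger()
    t0 = datetime(2022, 1, 1, tzinfo=timezone.utc)
    ledger.record_consent("p-001", "account_login", "biometric",
                          "We use your fingerprint only to log you in to your account.",
                          harm_disclosed=True, explicit=True, at=t0)
    try:
        # Consent inferred from conduct for a sensitive category: must be rejected.
        ledger.record_consent("p-001", "ad_targeting", "health", "",
                              harm_disclosed=False, explicit=False)
        inferred_rejected = False
    except ValueError:
        inferred_rejected = True
    login_ok = ledger.may_process("p-001", "account_login", "biometric")          # True
    ads_ok = ledger.may_process("p-001", "ad_targeting", "biometric")             # False
    withdrawn = ledger.withdraw("p-001", "account_login", "biometric")            # 1
    after_withdrawal = ledger.may_process("p-001", "account_login", "biometric")  # False
    return {"inferred_rejected": inferred_rejected, "login_ok": login_ok, "ads_ok": ads_ok,
            "withdrawn": withdrawn, "after_withdrawal": after_withdrawal,
            "evidence_count": len(ledger.evidence("p-001"))}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that withdrawal never deletes the record: the fiduciary still needs the original notice and timestamp as evidence that consent existed for the processing done before withdrawal, while `may_process` stops answering yes the moment the record is stamped.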

According to the Srikrishna Committee Report,[17] the data processing practices of the digital economy rest on consent (page 32).

  1. Accordingly, the 2018 Bill stipulated that personal data be processed only with the data principal's free, informed, specific and clear consent.
  2. It further noted that consent must be capable of being withdrawn (Clause 12).

The PDPB adopts the 2018 Bill's consent requirements, and:

  1. adds that consent must be explicitly obtained after the data principal has been given the option of consenting separately to the use of distinct categories of sensitive personal data [Clause 11(3)];
  2. provides that the consent requirement does not apply to the performance of any function of the State authorised by law, the provision of any service or benefit from the State to the data principal, or the issuance of any certification, licence or permit for any action of the data principal [Clause 12].[18]

The consent mechanism proposed in the PDPB is adopted largely unchanged in the Draft Data Protection Bill, 2021.

Non-Personal Information:

According to the JPC Report, since the Bill's goal is to safeguard privacy, limiting the Bill's scope to personal data would be counterproductive (Para 1.15.8.3).

As a result, the Draft Data Protection Bill, 2021 empowers the Central Government to frame any policy for the digital economy, including the processing of non-personal data [Clause 92(1)].

The Draft Data Protection Bill, 2021 also requires the Central Government to lay before Parliament each year the directions it has issued to data fiduciaries under Clause 91(2) [Clause 92(2)].[19]

Recourses:

Under the IT Act regime, publicly available information is excepted from the definition of sensitive personal data, so the recourse available under current data protection law is very limited. In the case of a data breach or inadequate consent, however, the PDP 2021 provides as follows:

               “Data fiduciaries are only required to notify the DPA of a data breach if the breach is “likely to cause harm to the data principal” [Clause 25(5)] under the draft Data Protection Bill of 2021. The JPC has advised that data fiduciaries notify the DPA if personal data is breached. In addition, the Draft Data Protection Bill of 2021 requires data fiduciaries to notify the DPA within 72 hours [Clause 25(3)].”[20]

Violation Procedure:

  1. The Bill designates government bodies that process data as distinct "government data fiduciaries", accountable for any infraction committed.
  2. It further provides that if a government data fiduciary commits an infraction, the Head of Office of the data fiduciary concerned will conduct an internal inquiry, after which culpability will be determined.
  3. In effect, a government data fiduciary assesses its own violation [Clause 86].[21]

The penalty prescribed under the Joint Parliamentary PDP Bill 2021 is a fine not exceeding five crore rupees or two percent of the fiduciary's total worldwide turnover in the preceding financial year, whichever is higher.

AADHAAR Act:

The Aadhaar Act, 2016 has, since the Srikrishna Committee,[22] undergone significant changes to accommodate data privacy and protection. The Committee's report had suggested that the Aadhaar Act be amended to significantly bolster privacy protections and ensure the autonomy of the UIDAI. The following summarises the current data protection regime under the Aadhaar Act and its subsequent notifications:

Privacy Policy:

The Aadhaar Act does not mandate a privacy policy for the UIDAI or other players, although in practice the contracting agencies (the body corporates within the Aadhaar ecosystem) may keep one on their websites.

Consent, Opt-out & Withdraw Consent:

The Act is vague on whether enrolment agencies or registrars must obtain consent. Section 8 does not specify the form consent must take, but it mandates that a requesting entity obtain the individual's consent before collecting his or her identity information for authentication.

The Aadhaar Act contains no opt-out clause and gives individuals no way to withdraw consent once given. Under Section 7 of the Aadhaar Act,[23] a person has no choice but to apply for an Aadhaar number where the Central or a State Government makes Aadhaar authentication a condition for receiving a subsidy, benefit or service. The only concession is that, if an individual has not been assigned an Aadhaar number, an alternative viable means of identification is to be offered so that the benefit can still be delivered.

Collect Information & Retention Limit:

Under Section 3(1) of the Act,[24] every resident is entitled to obtain an Aadhaar number by submitting his demographic and biometric information during the enrolment process.

On retention the Act is silent: it does not say how long the entities UIDAI contracts with may keep an individual's personal information on file.

Notice:

Under Section 3 of the Act,[25] the enrolling agency must inform the individual, at the time of enrolment and collection, of the manner in which the information will be used, the nature of the recipients with whom it is intended to be shared, the existence of a right of access to the information, and the procedure for exercising it. The Act is silent on notice of the name and address of the agency collecting and maintaining the information.

Purpose Limitation:

Section 8 of the Act requires a requesting entity to obtain the individual's consent before collecting identity information and to use that information only for submission to the CIDR for authentication. Section 57,[26] however, provides that nothing in the Act prevents the State or any body corporate or person from using the Aadhaar number for other purposes permitted by law, which cuts against strict purpose limitation. (The portion of Section 57 permitting such use by body corporates and individuals under contract was struck down by the Supreme Court in the Aadhaar judgment of 2018.)

Under Section 29 of the Act, core biometric information collected under the Act shall not be shared with anyone for any reason and may be used only for the generation of Aadhaar numbers and for authentication. Identity information made available to a requesting entity shall not be used for any purpose other than that disclosed to the individual, nor shared further without the individual's consent.

Right to Access and Correct:

Section 3 of the Act mandates that, upon enrolment, a person be informed of the existence of a right to access information, the procedure for requesting such access, and the person or department to whom such requests may be directed.

Every Aadhaar number holder is entitled to access his identity information, with the exception of core biometric information, under Section 28 of the Act.[27] Every Aadhaar number holder is entitled to obtain a copy of their authentication record under Section 32.[28] Aadhaar number holders can also ask the UIDAI to alter their record in the CIDR if their demographic or biometric information changes, is lost, or is shown to be inaccurate.

Compensation & Penalties:

Chapter VII of the Act,[29] which deals with offences and penalties, makes no provision for compensation to the affected party.

  • According to Section 37,[30] disclosing or disseminating identity information intentionally to anyone not authorised by the Aadhaar Act or in violation of any agreements made under the Act is punishable by up to three years in prison, a fine of up to 10,000 rupees (for an individual), or a fine of up to one lakh rupees (in case of a company).
  • If any of the actions described in Section 38[31] are carried out without authorization from the UIDAI, a punishment of up to three years in prison and a fine of at least ten lakh rupees is prescribed.
  • Forging data in the Central Identities Data Repository is punishable by up to three years in prison and a fine up to 10,000 rupees, according to Section 39 of the Act.[32]
  • If a requesting entity uses identification information in contravention of Section 8 (3),[33] Section 40[34] holds them accountable and imposes penalties of up to three years in jail, up to ten thousand rupees in fines (if an individual), and up to one lakh rupees in fines (in case of a company).
  • According to Section 41,[35] any violators of Sections 8 (3)[36] or 3 (2)[37] are subject to up to a year in prison, a fine of up to ten thousand rupees (in the case of an individual), or a fine of up to one lakh rupees (in case of a company).
  • For any violation of the Act or its regulations for which there is no specific punishment specified, Section 42[38] imposes a general penalty of up to one year in prison and/or a fine of up to 25,000 rupees (in the case of an individual) or a fine of up to one lakh rupees (in case of a company).

Although the Aadhaar Act prescribes penalties for unauthorised access, use or other violations of its provisions, it neither guarantees the security of the information nor offers compensation to the individual when the rules are broken.

Grievance Officer:

The Aadhaar Act provides no grievance redressal procedure for registrars, enrolling agencies or requesting entities. However, where such contracting agencies qualify as "body corporates", the IT Rules apply to them as well, making the designation of a grievance officer mandatory.

Disclosure of Consent, Prohibition on Publishing and Further:

The Act requires requesting entities to obtain the individual's consent before disclosing identity information. It also requires the Authority to take the steps necessary to protect the information against disclosure. As an exception under Section 33, however, the UIDAI may disclose identity information, authentication records or any other information in the CIDR in response to an order of a court not inferior to that of a District Judge (raised to a Judge of a High Court by the 2019 amendment). The Act also permits disclosure in the interest of national security on the direction of an officer not below the rank of Joint Secretary to the Government of India (raised to Secretary by the 2019 amendment) specially authorised for this purpose.

The Act is silent on whether the individual's consent is required under these exceptions. It also prohibits the publication, display or posting of an individual's Aadhaar number or core biometric information for any purpose other than those permitted by regulations.

Transfer of Sensitive Personal Data:

Regarding the transfer of personal data to another jurisdiction by contracting parties such as the Registrar, enrolment agencies or requesting entities, the Act is silent. The obligations governing transfer of data to another jurisdiction under the IT Rules would, however, apply to these agencies if they meet the definition of "body corporate" under Section 43A.[39]

The Aadhaar Act does not appear to forbid data transfers to other countries, which appears to be a severe flaw given the sensitive nature of the data involved.

Security of Information:

According to Section 28 of the Act,[40] the UIDAI is responsible for maintaining the security and privacy of identification information and authentication records. Additionally, it stipulates that the Authority must design and execute suitable organisational and technological security measures and make sure they are implemented through contracts or other agreements with its representatives, consultants, advisers, and other individuals.

Although it can be argued that, if the contractors employed by the UIDAI are body corporates, the standards prescribed under the IT Rules would apply to them, the Act does not specify which standards or measures all actors in the Aadhaar ecosystem must adopt to ensure the security of information.

Other Laws:

Certain other laws that touch on personal data protection are as follows:

  • The Credit Information Companies (Regulation) Act, 2005[41] (CICRA), which relates to the protection of financial data, mandates that the credit information of persons in India be collected in accordance with the privacy standards stated in the CICRA regulations. The organisations collecting and storing this data are equally responsible for any breach or manipulation of it.
  • The Digital Information Security in Healthcare Act (DISHA), 2018[42] (a draft bill, not yet enacted) intends to preserve patient privacy by safeguarding their medical data. It outlines the process for electronic sharing of personal health records across different healthcare service providers.
  • Additionally, the Registered Medical Practitioner is required under the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2020[43] to abide by the pertinent sections of the IT Act and data protection and privacy regulations.
  • If any of the parties violate the privacy or confidentiality terms of an agreement, the Indian Contract Act, 1872 also comes into play.
  • Where there is a data theft, the Indian Penal Code, 1860 is relevant because there may be a criminal investigation and prosecution for the offences of theft,[44] misappropriation of property,[45] or criminal breach of trust[46] under the Code.

2. LAW STANDING ON DATA ANALYSIS OR BEHAVIOURAL ANALYSIS:

(such as recommendations, featuring, or mapping of interests across platforms)

PDP 2019 & JOINT PARLIAMENTARY DP BILL 2021:

The Joint Parliamentary DP Bill has defined personal data as:

“…. means data about or relating to a natural person who is directly or indirectly identifiable, … and shall include any inference drawn from such data for the purpose of profiling.”[47]

On this definition, any recommendation, cross-platform mapping or personalised featuring is an inference drawn from data, whether the data was collected through one portal or website, across websites, or in aggregate.

Further, a breach of such personal data occurs upon any unauthorised activity that compromises the confidentiality, integrity or availability of personal data to a data principal, including unintentional disclosure, acquisition, sharing, use, alteration, destruction or loss of access.

Two points are noteworthy here:

  1. "Unauthorised", that is, without consent or authorisation.
  2. "Availability", that is, the extent of such consent or authorisation.

Consent:

Section 11(3) of the J-PDP[48] provides that this consent should be:

  • explicitly obtained in respect of sensitive personal data and its processing;
  • informed, with the data principal told of any purpose of, or operation in, processing that is likely to cause harm;
  • clear, communicated in terms that are meaningful without recourse to inference from conduct or context; and
  • specific, with the data principal given the choice of consenting separately to the purposes of, operations in, and use of different categories of such sensitive data.

Extent of Consent:

Section 15[49] of the proposed draft provides for the categorisation of sensitive personal data. Such data has to be interpreted in light of the contextual expectation that it will be kept confidential and of the extent to which consent was given. Hence, when persons give data to certain entities, their consent extends to those entities only.

On these two grounds, any behavioural or data analysis of consumers by way of recommendation, the creation of biases or the exploitation of weaknesses, carried out beyond the scope of the consent given, would be violative.

Consent for Sensitive Personal Data:

  • Users in India must consent to the processing of sensitive categories of their personal data under current draft data protection laws.
  • Consent for the processing of personal data must be explicit and precise, and users must be provided with enough information before obtaining consent.

The PDP Bill, 2019[50] requires data fiduciaries (entities which control the purpose of the use of personal data) to publish detailed privacy notices, which ensure that user consent is not only informed but free, specific, clear, and capable of being withdrawn.

Section 11:

These consent requirements would make behavioural analysis or manipulation practised through confusing privacy policies, the absence of an opt-out, or pre-checked acceptance of terms and conditions unlawful as such.[51]

Section 22:

  • It states that all data fiduciaries must prepare a ‘privacy by design’ policy, which would need to be certified by the proposed Data Protection Authority (“DPA”).
  • This policy would put user privacy at the forefront, with data fiduciaries obligated to specify the technology used in processing personal data, the measures adopted to avoid harm to the user, the protection of privacy throughout processing from point of collection to the point of deletion, among other requirements.[52]

However, Section 22[53] only requires that the data fiduciary make positive declarations regarding measures implemented to protect user privacy. As a consequence, these disclosures would not indicate the flaws in the design of the data fiduciary which could adversely impact the user. Additionally, the DPA is not obligated to then look beyond the declarations submitted by the data fiduciary in the privacy by design policy.

IT (SPDI) RULES 2011:

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011[54] (“SPDI Rules”) also require the informed consent of the user before their personal or sensitive personal data is collected.

CONSUMER PROTECTION ACT 2019:

The Consumer Protection Act of 2019[55] in India forbids unfair commercial practices and false advertising and could be a useful tool for regulating deceptive design decisions.

The 2019 Act[56] and Consumer Protection (E-Commerce) Rules, 2020[57] have sought to regulate emerging technologies by bringing e-commerce entities within their ambit.

Wide Definition of ‘consumer’

  • This includes those who purchase through online transactions and hold online platforms accountable for misleading advertisements and unfair trade practices.
  • The inclusive definition of unfair trade practices provides potential to address the particular challenge posed by such behavioural analysis which are used to advertise and sell products and services on online platforms, or are connected with the “ad-supported internet.”

The Parliamentary Committee Report on the Consumer Protection (E-Commerce) Rules, 2020[58] has recognised:

  • that consumer data privacy is often not respected on e-commerce platforms, and recommended a more robust system that categorises data according to sensitivity;
  • the presence of practices such as click farming, which deceptively inflates web traffic to a product to influence consumer decisions and is itself a form of behavioural data manipulation.

The term "behavioural analysis or data analysis or manipulation" is not used explicitly in the Report; however, the Report does demonstrate the potential for consumer protection law in India to regulate such behavioural mapping practices.

3. STATUS OF USING DATA OF INDIAN CITIZENS: BY OTHER FOREIGN GOVERNMENTS OR THEIR POLICING AGENCIES:

As noted earlier, under the Joint Parliamentary DP Draft 2021, Section 34(b)(iii)[59] states that such sensitive personal data shall not be shared with any other foreign government or agency unless such sharing is approved by the Central Government.

As things stand, India has no structure or agreement for cross-border access to personal data (of the kind the UK and USA have).[60] None of the dialogues that have taken place or been proposed are, as yet, relevant to India. India is not a party to the Budapest Convention and is therefore excluded from the Second Additional Protocol negotiations now under way. The EU e-evidence proposal is also not applicable to India, as it is an intra-EU instrument.

The Indian government may re-evaluate its stance on the Budapest Convention in light of the country's rising need for electronic evidence and the necessity for global collaboration and capacity-building in this area. The government announced that the IT Act, the nation's main cybercrime law, would be reviewed in 2020.[61]

In India, police officials currently make a large number of requests directly under Section 91 of the CrPC, which does not meet this need. Likewise, the extensive exemptions for law enforcement agencies proposed in the PDP Bill, 2019 make it unlikely that the prerequisites of proper rules, processes and oversight mechanisms for data collection and processing would be met.

India might indicate its starting stance for further discussions on this topic by putting in place a model agreement on cross-border data access. Without this signal, there is a chance of being forced into the beginning position put out by possible counter-parties or of leaving such crucial choices up to a small group of negotiators.

4. STATUS OF FACIAL RECOGNITION TECHNOLOGY IN LIGHT OF PERSONAL DATA LAW:

In 2017, the Supreme Court of India held that the right to privacy is a fundamental right protected by the Indian Constitution, subject to reasonable restrictions, with the State retaining a legitimate avenue for interfering with an individual's privacy. Therefore, the Supreme Court's tests and the absence of any specific law on FRT must both be taken into account when evaluating the legality and legitimacy of FRT.

PDP Bill 2019 & Jt. Parliamentary DP Bill 2021:

Under the Jt. Parliamentary DP Bill,[62] compiling stored data on internet users from publicly available information and giving foreign investigative authorities access to such a mass of information is a direct breach of the expected extent of dissemination of sensitive personal data.

Under the Bill's definition of biometric data, facial images, iris scans and fingerprints are recognised as sensitive personal data under clause 3.[63] Under the PDP Bill,[64] the proposed Data Protection Authority may notify a data fiduciary as a significant data fiduciary on the basis of, among other things, its use of new technologies for processing or the sensitivity of the personal data it processes. Before processing sensitive personal data such as genetic or biometric information, a significant data fiduciary must first conduct a data protection impact assessment.

Therefore, before starting with the deployment of face recognition technology, data fiduciaries in the public and commercial sectors will both need to complete a data protection impact assessment.

However, the PDP Bill also provides that the Central Government may, subject to such procedure, safeguards and oversight mechanism as may be prescribed, exempt any agency of the Government from all or any of the provisions of the Bill where it is satisfied that this is necessary or expedient. This is a broad exemption allowing the Central Government to exclude any of its agencies from all or any of the Bill's requirements.

Additionally, Section 36[65] of the Bill exempts processing of personal data from certain of its requirements where the processing is done to prevent, detect, investigate or prosecute any offence or other contravention of law. This includes exemption from being categorised as a significant data fiduciary and from having to carry out a data protection impact assessment.

The Supreme Court outlined three requirements in Puttaswamy[66]:

  • legality, which means the restriction must be imposed by a law passed by Parliament or a state legislature;
  • a legitimate state goal; and
  • it must pass the proportionality test, which means it must be the least restrictive policy.

Thus, both the PDP Bill and the Jt. DP Bill permit state and central government agencies to employ FRT and to use FRT databases.

IT Act 2000:

In accordance with the IT Act, data is defined as:

Applying the IT Act's definitions of "information" and "data", the State has the power to monitor existing computer systems and to build a database of the information collected, within the limits of Section 69B(8),[68] which prescribes time limits for the deletion of records.

Although the IT Act would allow the government to gather information from existing CCTV feeds, it is not clear that this information could be used as part of a larger FRT system. It is clear, however, that the IT Act cannot serve as the legal basis for deploying such FRT equipment; for example, it cannot be relied on to support the installation of dedicated FRT cameras.

5. CASE STUDIES AND STATUS OF THE COMPANIES CONCERNED (FINES OR OTHER ACTION):

Following are certain case studies that should be referred:

  1. The American Civil Liberties Union and several other NGOs filed a complaint against Clearview AI in Illinois state court two years ago,[69] and the business has signed an agreement as part of the settlement. Under its terms, Clearview will not provide free trials of its software to individual police officers without prior approval from their supervisors. The settlement[70] also prohibits Clearview from selling its software within Illinois for the next five years, including to state or municipal law enforcement organisations.
  2. The UK Information Commissioner’s Office (ICO) found that the company had broken UK data protection law. The ICO ordered Clearview to delete any data it holds on UK residents, barred it from collecting any more, and fined it £7.5 million ($9.4 million).[71]
  3. Italy’s data protection authority imposed a €20 million fine on facial recognition company Clearview AI in March 2022.[72] The Italian regulator, Garante per la Protezione dei Dati Personali (GPDP), objected to the company’s scraping of biometric personal data such as facial images, which included those of Italians.

     According to the authority, this violated the GDPR, the EU’s data protection regulation, and the company was ordered to stop collecting this information and to erase the database. The year-long investigation found that the company had been collecting data without informing the people concerned and had failed to specify how long it would retain the data. Clearview has faced a series of similar findings and fines from other European countries.

  4. Clearview AI has also been threatened with a penalty in France for unlawfully gathering individuals’ data. According to the French data protection authority (CNIL), the American firm obtained hundreds of images of French residents without their permission. The authority gave Clearview two months to delete its image database and stop collecting data. In its statement,[73] the CNIL said the company had breached the European Union’s General Data Protection Regulation (GDPR).

NOTE: Further case studies in the Indian context are collected at the cited footnote.[74]

  • JUDGEMENTS:

Following are certain cases that should be referred:

  1. Justice K S Puttaswamy v. Union of India[75]

A nine-judge bench of the Supreme Court unanimously held that, under Article 21 of the Indian Constitution, the right to privacy is an integral component of personal liberty. This demonstrated the need for comprehensive data protection legislation covering all direct and indirect issues.

The Personal Data Protection Bill of 2019—currently under examination by the Joint Parliamentary Committee—was the most recent move in that direction.[76] India will have a single piece of legislation solely devoted to privacy and data protection if this Bill is passed into law.

  • Peoples’ Union for Civil Liberties (PUCL) v. Union of India, 1996 [77]

The case concerned political surveillance by the union government through unauthorised telephone tapping. The court held that any telephone monitoring must be carried out in accordance with the relevant law and in a manner that is just, fair and reasonable. To give effect to these requirements, it laid down a set of prerequisites that the executive’s use of surveillance must satisfy to be lawful. The most important of these were:

  • Only the Home Secretary of the union government or of a state government may order telephone tapping. In an emergency, this authority may be delegated to an officer of the union’s or a state’s home department. No court authorisation (warrant) is required at any stage.
  • The decision-maker must consider whether there are other, more reasonable means of obtaining the information.

  • Vinit Kumar v. Central Bureau of Investigation, 2019 [78]

In this case, the Bombay High Court held that only two circumstances, public emergency or public safety, permit the issuance of any order for the interception of communications under section 5(2) of the Indian Telegraph Act. In the PUCL case, the Supreme Court of India had earlier defined these terms: a “public emergency” is the presence of a sudden event or state of affairs affecting the general public and requiring immediate action, and “public safety” refers to a state in which the general public is free from risk or danger.

  • WM Morrison Supermarkets PLC v. Various Claimants[79]

The UK Supreme Court recently held that vicarious liability does not apply to a data breach of that kind. For the first time, it is clear how companies can be held responsible for the disclosure of private information by their employees.

Additionally, it is quite possible that Indian courts would adhere to the precedent established by the Supreme Court of the United Kingdom when interpreting cases under the proposed Data Protection Act.

  • OLX Cases of 2016:

OLX obtained a permanent injunction against a company, restraining it from scraping any data, including commercial data, from OLX’s website by automated or manual means.[80]

The information in question qualifies as an OLX “proprietary database”, created with considerable skill, labour and judgement. According to the court, such a database qualifies as an “original literary work” and is therefore protected under copyright law.[81]

  • Manohar Lal Singh v. Union of India & Ors.[82]

In this Supreme Court case, allegations were made against the central government of spying on Indian citizens using the Pegasus spyware. The Court appointed a committee to examine the alleged privacy violations and to recommend how data protection procedures under the existing surveillance legislation could be improved. This marked a noteworthy departure, given that exemptions in respect of data processing had been extended to government agencies.[83]

  • Karthick Theodre v. The Registrar General, Madras High Court, Chennai[84]

The Madras High Court rejected a petitioner’s request to have his criminal record and court records expunged after his acquittal in the case. The court dismissed the petition, holding that it was in the public interest to do so. The court observed that if India enacted legislation protecting personal data, such rights could be applied more effectively.

  • Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems[85]

This decision invalidated the EU’s Decision 2016/1250 on the adequacy of the EU-U.S. Privacy Shield arrangement, on the ground that the protections available against access to and use of data transferred from the EU to the United States by U.S. public authorities did not meet the standards required under EU law.

In light of this European court’s ruling in the Schrems II case, the relationship between a nation’s internal surveillance regime and the legality of its foreign data access and transfer agreements has become even more important.

  • Stipulated Order for Permanent Injunction and Monetary Judgement[86]

In this case, the court ordered the respondent, an online children’s education company, to pay $10 million for allegedly concealing that users who signed up for “special offer” memberships would be automatically charged a renewal fee at the end of the 6- or 12-month period, and for obscuring the cancellation process.

An FTC commissioner issued a strongly worded statement on dark patterns in connection with the Age of Learning matter.[87]

  • Italian Competition & Market Guarantee Authority Case:[88]

In the registration phase, the information provided on the use of personal data was found to be “lacking in directness, clarity and completeness”. The option to share user data was pre-checked, without explicit consent, and the ability to opt out was offered only at a later stage (and opting out restricted full use of the service).

  • French Case: January 2019 by CNIL (National Commission on Informatics and Liberty)[89]

In this case, CNIL fined Google 50 million euro for reasons similar to those for which Facebook was fined in Italy. Among other things, Google made it overly complicated for users to access essential information such as the scope of data collection, the duration of its storage, and the types of personal data used for targeted advertising. The information was available on various pages, but reaching it required many clicks.

  • Sprinklr Case, 2020[90]

The appeal concerning the state government’s contract with the US-based technology company Sprinklr, which was engaged to analyse data on persons placed under surveillance in the state during the coronavirus epidemic, is pending before the Supreme Court. By way of an interim order, however, the Kerala High Court directed the state government to:

  • compile all historical data, anonymise it, and only then give Sprinklr access; and
  • obtain informed consent from individuals before allowing a third party to process their health information.

[1] Information Technology Act, 2000, s. 43A

[2] Information Technology Act, 2000, s. 72A.

[3] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[4] Id, rule 3.

[5] Id, rule 5, 6 & 7.

[6] Id, rule 8.

[7] Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.

[8] Information Technology Act, 2000, s 4 and 10A of the IT Act grant legal recognition to electronic contracts.

[9] Information Technology Act, 2000, s 43.

[10] Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (Tabled on December 16, 2021).

[11] The Personal Data Protection Bill, 2019 (As introduced by the Minister for Electronics and Information Technology, Mr Ravi Shankar Prasad), Access At:

[12] Clause 14(2)(g), PDP Bill.

[13] Proviso in Rule 3, The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[14] Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, s. 15.

[15] Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, s. 34, cl. b, sub-cl. (iii).

[16] Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, s. 11, sub cl. 3.

[17] Committee of Experts under the Chairmanship of Justice B. N. Srikrishna, Report of the Committee of Experts under the Chairmanship of Justice B N Srikrishna, Committee Report (India: Ministry of Electronics & Information Technology, Government of India, July 27, 2018), 88, https://meity.gov.in/ writereaddata/files/Data_Protection_Committee_Report-comp.pdf.

[18] The Personal Data Protection Bill, 2019, Refer to cl. 11(3) & 12.

[19] Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, para 1 & cl. 91 & 92.

[20] The Personal Data Protection Bill, 2019, Refer to cl. 25(3).

[21] The Personal Data Protection Bill, 2019, Refer to cl. 86.

[22] Committee of Experts under the Chairmanship of Justice B. N. Srikrishna, Report of the Committee of Experts under the Chairmanship of Justice B N Srikrishna, Committee Report (India: Ministry of Electronics & Information Technology, Government of India, July 27, 2018), 88, https://meity.gov.in/ writereaddata/files/Data_Protection_Committee_Report-comp.pdf.

[23] Id, s. 7.

[24] Id, s. 3, cl. 1.

[25] Id, s. 3.

[26] Id, s. 57.

[27] Id, s. 28.

[28] Id, s. 32.

[29] Id, CH VII.

[30] Id, s. 37.

[31] Id, s. 38.

[32] Id, s. 39.

[33] Id, s. 8, cl. 3.

[34] Id, s. 40.

[35] Id, s. 41.

[36] Id, s. 8, cl. 3.

[37] Id, s. 3, cl. 2.

[38] Id, s. 42.

[39] Id, s. 43A.

[40] Id, s. 28.

[41] Credit Information Companies (Regulation) Act, 2005.

[42] Digital Information Security in Healthcare Act (DISHA), 2018.

[43] Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2020.

[44] Indian Penal Code, 1860, s. 378 and s. 379.

[45] Indian Penal Code, 1860, s. 403.

[46] Indian Penal Code, 1860, s. 405, s. 408 and s. 409.

[47] Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (Tabled on December 16, 2021).

[48] Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, s. 11, cl. 3.

[49] Id, s. 15.

[50] The Personal Data Protection Bill, 2019.

[51] Id, s. 11.

[52] Id, s. 22.

[53] Id, s. 22.

[54] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[55] Consumer Protection Act of 2019

[56] Id.

[57] Consumer Protection (E-Commerce) Rules, 2020.

[58] Parliamentary Committee Report on the Consumer Protection (E-Commerce) Rules, 2020, Access At: https://rajyasabha.nic.in/rsnew/Committee_site/Committee_File/ReportFile/12/131/245_2021_3_17.pdf

[59] Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, s. 34, cl. b, sub-cl. (iii).

[60] Smriti Parsheera and Prateek Jha, Cross-Border Data Access for Law Enforcement: What Are India’s Strategic Options, November 2020, CARNEGIE INDIA (INTERNATIONAL PEACE: WORKING PAPER), pp 18-19, Access At: https://carnegieendowment.org/files/ParsheeraJha_DataAccess.pdf.

[61] Navadha Pandey, “Govt Plans New IT Act to Factor in Cyber Crime, Data Privacy, New Tech,” Live Mint, February 26, 2020, https://www.livemint.com/industry/infotech/plan-to-revamp-it-act-ravi- shankar-prasad-11582716511721.html.

[62] Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019.

[63] Id, cl. 3.

[64] Personal Data Protection Bill, 2019.

[65] Id, cl. 36.

[66] Justice K S Puttaswamy v. Union of India, (2017) 10 SCC 1.

[67] Information Technology Act 2000, s 2(o)- Definition of Data.

[68] Id, s 69B, cl. 8.

[69] Clearview AI Settles ACLU Illinois Lawsuit Confirming Continuity of Business Supporting Public Safety, Clearview AI, New York, May 12, 2022, Access Here: https://www.clearview.ai/clearview-ai-settles-aclu-illinois-lawsuit-confirming-continuity-of-business-supporting-publics.
May also refer to: Information Privacy Act. (Source: P.A. 95-994, eff. 10-3-08.) (740 ILCS 14/1), Illinois General Assembly.

[70] In Big Win, Settlement Ensures Clearview AI Complies With Groundbreaking Illinois Biometric Privacy Law, ACLU, Chicago, May 9, 2022, Access At: https://www.aclu.org/press-releases/big-win-settlement-ensures-clearview-ai-complies-with-groundbreaking-illinois

[71] ICO fines facial recognition database company Clearview AI Inc more than £7.5m and orders UK data to be deleted, ICO, May 23, 2022, Access At: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/05/ico-fines-facial-recognition-database-company-clearview-ai-inc/.

[72] Facial recognition: the Privacy Guarantor fines Clearview for 20 million euros. The use of biometric data and the monitoring of Italians is prohibited, GDPD, Press Release, March 09, 2022, Access Translated Version At: https://www-garanteprivacy-it.translate.goog/home/docweb/-/docweb-display/docweb/9751323?_x_tr_sl=it&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc

[73] Facial recognition: the CNIL gives Clearview AI formal notice to cease the reuse of photographs accessible on the internet, CNIL, January 06, 2022, Access Translated Version At: https://www-cercle–montesquieu-fr.translate.goog/newsletter/newsletter/303/article/1070?_x_tr_sl=fr&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc.

[74] Important Cyber Law Case Studies, Cyber Laws & Information Security Advisors, Access At: https://www.cyberralegalservices.com/detail-casestudies.php.

[75] Justice K S Puttaswamy v. Union of India, (2017) 10 SCC 1.

[76] Read More At: Cyril Amarchand Mangaldas, “Right To Privacy: Surveillance In The Post-Puttaswamy Era”, BloombergQuint (blog), December 11, 2019, available at https://www.bloombergquint.com/law-and- policy/right-to-privacy-surveillance-in-the-post-puttaswamy-era.

[77] People’s Union for Civil Liberties v. Union of India, (1997) 1 SCC 301.

[78] Vinit Kumar v. Central Bureau of Investigation, (2019), ALLMR (CRI), 5227.

[79] WM Morrison Supermarkets PLC v. Various Claimants …. (Also Refer to: According to Lord Nicholls’ ruling in Majowrski v. Guy’s and St. Thomas NHS Trust……, an employee must do the wrong while acting in the course of his job for there to be vicarious responsibility.)

[80] OLX BV and Ors. v. Padawan Ltd., Delhi HC order 15 December 2016; http://delhihighcourt.nic.in/dhcqrydisp_o.asp?pn=245500&yr=2016.

[81] OLX BV and Ors v. Padavan Ltd., Delhi HC order dated 31 March 2016; http://delhihighcourt.nic.in/dhcqrydisp_o.asp?pn=71402&yr=2016

[82] Manohar Lal Singh v. Union of India & Ors. Writ Petition (Criminal) No. 314 of 2021 (SUPREME COURT)

[83] Other Similar Challenging Petitions:  Amit Sahni v. Union of India and others, W.P. (Civil) No. 2 of 2019. Mahua Moitra v. Union of India and another, W.P. (Civil) No. 13 of 2019. Shreya Singhal v. Union of India and others, W.P. (Civil) No. 34 of 2019. Internet Freedom Foundation v. Union of India and others, W.P. (Civil) No. 44 of 2019.

[84] Karthick Theodre v. The Registrar General, Madras High Court, Chennai W.P.(MD) No. 12015 of 2021 & WMP(MD). No. 9466 of 2021 (MADRAS HIGH COURT)

[85] Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Court of Justice of the European Union, Case C-311/18 (July 16, 2020).

[86] Federal Trade Commission v. Age of Learning, Inc., No. 2:20-cv-7996 (C.D. Cal Sept. 8, 2020, Access Here: https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3186-age-learning-inc-abcmouse

[87] FTC commissioner, Access Here: https://www.ftc.gov/system/files/documents/public_statements/1579927/172_3086_abcmouse_-_rchopra_statement.pdf

[88] Facebook- Sharing Data with Third Parties – November, 2018 Case: PS11112- Provision no. 27432 Translated Page: https://fdocumenti-com.translate.goog/document/ps11112-facebook-condivisione-dati-con-terzi-2020-02-10-facebook-un-social.html?_x_tr_sl=it&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc

[89] In Re: CNIL (National Commission on Informatics and Liberty, 2019, Access Here: https://www.cnil.fr/sites/default/files/atoms/files/cnil_cahiers_ip6.pdf

[90] Neethu Reghukumar, ‘Anonymise Data’: Kerala High Court Issues Strict Guidelines to State Over Sprinklr Row, NEWS 18, April 24, 2020, 1942 IST, Access Here: https://www.news18.com/news/india/anonymise-data-kerala-high-court-issues-strict-guidelines-to-state-over-sprinklr-row-2591541.html.
