“Right to Privacy” was declared a fundamental right in India in a landmark judgment by the Hon'ble Supreme Court of India on August 24, 2017, in the case of Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India And Ors. The judgment brought a change in the privacy regime in India, i.e. the need to protect the personal data and the privacy of the individuals through a proper codification of the law. Accordingly, a progressive step was adopted by the Central Government by appointing a data protection committee chaired by the retired judge of the Supreme Court, i.e. Justice Srikrishna, who released an extensive white paper on the protection of the data privacy and subsequently, in July 2018, the committee came up with the draft bill on Personal Data Protection Bill, 2018. Thereafter, with the stakeholders’ recommendation and some modifications, the bill was laid before the lower house of the parliament in the year 2019 and is pending before the house currently.
Since 2021, the government has been active in protecting the data and privacy of individuals. The coordination between legislation and the executive has paved the way for privacy laws development. Therefore, with this background, the Indian government has brought significant changes such as liberalising the archaic geospatial data regime, introducing industry standards for privacy assurance, and introducing tighter security measures in the digital payments sector.
While on the other hand, the judiciary has been active enough to pronounce the judgments related to the issues of anonymity, the right to be forgotten, and state surveillance.
The proposed data protection law, along with the revised version, was presented by the Joint Parliamentary Committee in the parliament in 2021. The Data Protection Bill, 2021, is yet to be considered and will be passed by the parliament. The stakeholders are calling for a fresh consultation and bringing the new changes as compared to the earlier iterations of the proposed law, such as expanding the scope of the law to cover not only personal data but also non-personal data. The stakeholders are asking for the phased implementation of the enactments under the act.
The Department of Science and Technology has issued the guidelines regarding “Acquiring and producing geospatial data and geospatial data services including Maps”. Prior to such notification, there were several guidelines and notifications published from various ministries/ departments of the Government of India, inclusive of the Ministry of Defence, Survey of India, Ministry of Finance and Ministry of External Affairs regulating mapping data etc., which were mostly unclear and archaic in form. With the new regulation in place, the requirement of any approval, clearance, license, etc. on the collection, generation, preparation, dissemination, storage, publication, updating and digitisation of geospatial data and maps within the territory of India, is subject to a negative list of attributes for which there are restrictions has been dispensed with.
Further, regulation restricts foreign entities from creating and owning or hosting geospatial data finer than specific prescribed threshold values. The new notification bans the foreign entities from conducting the terrestrial mobile mapping surveys, street view surveys and surveys in Indian territorial waters.
The Reserve Bank of India (RBI) has laid down the guidelines regarding the regulation of the payment aggregator or payment gateways in order to create a license and regulate the payment intermediaries thereby facilitating and handling the payment between both the parties i.e. users and the merchants via electronic modes. With the strict guidelines in place, the RBI has put restrictions on the intermediaries and the merchants regarding the storing of card and card-related data. A circular was issued on behalf of the RBI regarding this on September 7, 2021, mandating that from January 1, 2022, (a) no entity other than card issuers or card networks is allowed to store card data, and (b) all such data previously-stored should be purged. As an exemption, the last 4 digits of the card number and the card issuer’s name could be stored for transaction tracking and reconciliation purposes.
The Bureau of Indian Standards has declared to the public the new standards regarding data privacy protection. As per the latest standards laid they seek to provide a privacy issue framework for all the institutions in order to establish, implement, maintain and continually improve their data privacy management system. Under the new law regime, the processors and data fiduciaries are required to implement the security safeguards and use any or all methods like de-identification, encryption, steps to protect personal data integrity and to prevent misuse, unauthorized access, modification, disclosure or destruction of personal data.
With such amendments, notifications, and rules in place, India may emerge as a country that is bent on protecting the data and the privacy of the individuals the priority. The year 2022 may become a landmark year in which the country may see its first comprehensive, general data protection law introduced. The bill can be tabled any sooner in the parliament's upcoming sessions. It may also happen that fresh consultations could happen, which would lead to significant changes/modifications in the draft bill. It would be noteworthy to watch how the government would propose the bill and protect and balance the national interest and security.