When China watches you: Why India needs a personal data protection law

The data reportedly accessed by the Chinese company is largely available in the public domain and a personal data protection law would've safeguarded it

The brouhaha over a Chinese tech company reportedly monitoring personal data of some Indian politicians and policy makers highlights the need for dedicated laws to protect personal data of the country's citizen. The data reportedly accessed by the Chinese company is largely available in public domain, and not considered as sensitive personal data. However, cyber law experts point out most of the personal data freely available in the public domain are leaked online without the consent of the concerned individual. That is where the presence of personal data protection law could help make individuals more aware of their data privacy rights, and make any breach a punishable offence, they add.

The Personal Data Protection Bill, 2019 is under review by a Joint Parliamentary Committee. It was introduced in Lok Sabha in December 2019.

Currently, the Information Technology Act, 2000, read along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, contain specific provisions governing protection of personal data in India.

Experts contend that as the personal data, collated and harnessed by the tech company is freely available in public domain, it is unlikely to come under the ambit of the Information Technology Act. Moreover, as the information does not appear to be ‘secret official data’, the Official Secrets Act, 1923 – the law that covers espionage related issues – may not apply in this case.

They point out that the case reflects the gaping hole in our law - as it stands. “Profiling of data principals is an activity meant to be strictly regulated by a dedicated data protection law which lays down restrictions on profiling, and makes profiling (without the necessary consent, and without safeguards) not just a civil wrong, but a punishable offense,” says Bharat Chugh, former judge, and Supreme Court advocate.

Udbhav Tiwari, public policy advisor at Mozilla, too feels that the recent events have provided further evidence of the dire need for a strong data protection law in India. “It is the only effective way to hold entities which leak personal information in the public domain (without the consent of impacted individuals) accountable for their actions,” he says. The government should focus on enacting the draft Data Protection Bill at the earliest, experts add.

However, that is just the first step towards protecting personal data of individuals from prying eyes from across the border. Experts point out that Section 2(A)(c) of the proposed bill tries to answer this concern by making the proposed data protection law extra territorial. “It will also regulate processing of personal data/profiling anywhere in the world if it concerns profiling of data principals within the territory of India,” says Chugh.

However, enforcement of such a provision is a different matter altogether. One way forward, experts note is to put in place necessary Mutual Legal Assistance Treaties/Conventions/Arrangements obligating other countries to co-operate and bring offenders to the book. That, of course, is easier said than done with respect to countries such as China, they add.