Technology, Media & Telecommunications Law: Legal Milestones in 2019 and a Look Ahead

THE YEAR THAT WAS

The year 2019 saw many changes in terms of regulatory and legislative measures by the Government as well as judgments by the Supreme Court. The introduction of the Personal Data Protection Bill, 2019 before Parliament was a watershed moment in the history of privacy rights in India. Further, as a direct result of the Supreme Court’s ruling on Aadhaar, the Government introduced changes to the legislative scheme surrounding Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act) to put in place more robust mechanisms for identity verification. Additionally, the Government rolled out regulatory initiatives relating to e-commerce, regulation of information technology intermediaries, and consumer protection.

The year 2019 also saw the introduction of a foreign direct investment (FDI) cap of 26% for circulation of news and current affairs through digital media. While it is not yet clear how this will affect news aggregators and intermediaries, it nevertheless is an important development in the regulation of online news media by the Government.

Government bodies also undertook consultation processes in various fields such as artificial intelligence, non-personal data, provision of cloud services, and other service providers (OSP) whose potential impact remains to be seen. The involvement of stakeholders in formulating recommendations on these subjects is a step forward in policymaking in the technology and telecommunication sector in India.

MAJOR DEVELOPMENTS IN 2019

• Technology and Data Protection
  • Personal Data Protection Bill 2019

    The existing legislative framework in India to address issues of privacy of citizens’ data comprises of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. It covers some basic tenets for the collection, storage and processing of information about certain identified categories of ‘sensitive personal data or information’ of natural persons such as financial information and health data.

    However, after the Supreme Court recognised the privacy of individuals as a fundamental right under the Constitution of India and highlighted the need for privacy legislation in 2017, the Government set up a committee of experts (Committee) to look into the contours of such a law. The Committee came up with a draft Personal Data Protection Bill (2018 Bill) after expansive consultations in 2018. The 2018 Bill introduced the concepts of ‘data fiduciaries’ and ‘data principals’, as opposed to the more commonly used terms ‘data controller’ and ‘data subject’. It envisages a fiduciary relationship between the data fiduciary and data principal wherein the data fiduciary must act in the best interest of the data principal. Any natural person whose personal data is collected was referred to as the ‘data principal’ and the entity that determines the purpose or means of processing this data was referred to as the ‘data fiduciary’.

    After the 2018 Bill, the Government conducted a series of consultations and a revised Bill (2019 Bill) was released in December 2019 and is currently placed before a joint parliamentary committee for examination and stakeholder consultation is underway. The 2019 Bill introduced several important changes to the 2018 Bill, as follows.

    Data Localisation

    The 2018 Bill required the storage of a serving copy (which can be interpreted as a live copy) of all personal data (PD) covered by the Bill, on a server or data centre located in India. It also mandated the processing of ‘critical personal data’ (CPD) only in India. Further, even data that did not fall within this category could only be transferred outside India subject to satisfaction of specific conditions. However, the 2019 Bill does not mandate localisation of PD that does not qualify as sensitive personal data (SPD) or CPD. Moreover, it provides that with the explicit consent of the data principal and the satisfaction of specific conditions, SPD may be transferred outside India for processing. However, such SPD will have to be stored in India as well.

Download PDF to read more