Jyotsna JayaramPartner
Rachana Rautray Senior Associate
Sindhu A.Associate
Key Developments
-
Revised proposal for personal data protection regulation in India
On 18 November 2022, the draft of the Digital Personal Data Protection Bill, 2022 (DPDP Bill) was released by the Ministry of Electronics and Information Technology (MeitY) - a simplified version in contrast with previous iterations.
The DPDP Bill, if implemented in its current form, will result in existing data protection practices in India undergoing a major overhaul, with far reaching consequences for both data principals and data fiduciaries.
Most importantly, the DPDP Bill: (i) does not categorise personal data based on sensitivity into sensitive personal data or critical personal data; (ii) alters the legal bases for non-consensual processing of personal data; (iii) provides for certain data principals’ rights and imposes (for the first time) duties on them; (iv) permits the cross-border transfer of personal data to notified countries subject to certain conditions; and (v) focuses on tempered penalties in place of the earlier trifecta of compensation, penalties and criminal liability.
(To read our detailed update on the draft DPDP Bill, click here.)
-
Privacy Jurisprudence
Privacy jurisprudence in India is evolving at a heightened pace with several courts ruling on the extent of privacy rights. In this context, it bears mentioning that the constitution bench of the Supreme Court has recently held that fundamental rights under Article 19 and 21 of the Constitution of India are enforceable even against persons other than the state or its instrumentalities. This is a significant development as individuals may now be able to enforce their right to privacy against private entities as well.
Given this background, few other major judicial pronouncements are discussed below.
-
Right to privacy of deceased persons cannot be inherited by legal heirs
On 14 October 2022, the Delhi High Court, in the case of Ruba Ahmed & Ors. v Hansal Mehta & Ors., denied ad-interim injunction to the plaintiffs on the grounds that the ‘right of privacy’ of an individual, specifically of the deceased, cannot be inherited by their legal heirs, since such right is an 'in personam' right, which extinguishes upon one’s death.
The plaintiffs, who lost their daughters in a terrorist attack in 2016, had filed a petition before the Delhi High Court in 2021 seeking an injunction against the release of a movie ‘Faraaz’ (based on the terror attack) since this movie disclosed personal details and exhibited images/caricatures of the plaintiffs and their daughters.
It will be interesting to see how this judgement ties in with the recent draft of the DPDP Bill (discussed above) which provides data principals the right to nominate any individual in the event of death or incapacity.
-
Right to be forgotten cannot exist in open court justice system
In the case of Vysakh K.G. v Union of India & Anr., the Kerala High Court on 22 December 2022 held that the claim for protection of personal information based on the right to privacy cannot exist in an open court justice system. However, the Court allowed the masking of personal information in matrimonial cases and cases where in-camera proceedings are held. The Court also opined that in the absence of adequate legislation on the grounds under which the right to be forgotten may be invoked, each case in this regard would need to be analysed on a case-to-case basis.
This case involved over nine petitions seeking removal of personal information from online sources on the grounds of infringement of the right to privacy, since the petitioners were either acquitted, or the orders were quashed, or they pertained to family matters, adoption, etc.
-
-
Intermediary rules amended to expand scope of obligations of intermediaries and introduce grievance appellate mechanism
With an intent to further regulate intermediaries and establish a robust process for users to exercise their rights against intermediaries, the central government amended the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Rules) in October 2022.
These amendments expand the scope of existing obligations and impose additional obligations on intermediaries. Certain key obligations introduced through the amendment include (i) making relevant policies and agreements of intermediaries available to users in their preferred language which may be English, or one of the 22 languages specified in the Eighth Schedule to the Constitution of India; and (ii) ensuring respect for the rights accorded to users under the Indian Constitution, including the fundamental rights guaranteed under Articles 14, 19 and 21. The amendments also empower the central government to establish Grievance Appellate Committees which are responsible for expeditiously resolving appeals.
(To read our detailed update on the latest amendment to the Intermediary Rules, click here.)
-
Encouraging private sector participation through release of National Geospatial Policy
In continuation of the deregulation reforms and various relaxations introduced under the ‘Guidelines for acquiring and producing Geospatial Data and Geospatial Data Services including Maps’ (Geospatial Data Guidelines 2021), the government on 28 December 2022, notified the National Geospatial Policy 2022. It aims to promote innovation in and harness the potential of the geospatial sector by providing a level playing field to private players. However, the regulatory position in relation to geospatial data has not undergone any major changes in comparison to the previously introduced Geospatial Data Guidelines 2021 on 15 February 2021. (Click here to read our detailed update on the 2021 guidelines.)
-
Government notifies e-KYC setu for Aadhaar authentication
In a likely response to violations of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act) by private entities providing Aadhaar verification services, the Ministry of Finance has notified the ‘e-KYC setu’ application. This application allows Aadhaar authentication to be done by permitted entities in accordance with standards of privacy and security under the Aadhaar Act (in a limited sectoral context under specific circumstances). Introduction of e-KYC setu should further help strengthen the security measures around the process of Aadhaar authentication.
In the next quarter, we anticipate several key developments in the data protection space, with the draft DPDP Bill being presented in the upcoming sessions of the Indian Parliament. Following several key amendments to Intermediary Rules, we also anticipate additional obligations being imposed on online gaming intermediaries which will need to be structured into their platform design.
