Legal teeth for data protection & privacy needed

Amandeep Singh Kapoor

Director, Central Detective Training Institute, Jaipur

IN 2017, the Jodhpur police deciphered the modus operandi of gangster Lawrence Bishnoi during the custodial interrogation obtained after a string of gruesome murders. The gang members were making the most of faceless communication (wherein the participants cannot see or hear each other), courtesy a legal ambiguity that led to a unilateral interpretation by the intermediary social media platforms regarding data privacy and Voice-over-Internet Protocol, and non-compliance with Department of Telecommunications (DoT) norms by Internet service providers (ISPs).

This somehow nudged us to submit suggestions as a part of the public consultation under way then on the draft Data Protection Bill, assuming that it would address the misgivings of intermediaries and alike. But similar suggestions by way of public consultation were being sought regarding the data protection regime by both the Ministry of Electronics and Information Technology (MeitY) and the Telecom Regulatory Authority of India (TRAI) at the same time.

Today, opinions are being sought again separately by MeitY as a part of the draft Digital Personal Data Protection Bill and public consultation on the draft Telecom Bill by TRAI. Over five years down the line, we stand again amidst consultations of different agencies and see gangsters still having a free run through faceless communication behind privacy shields. A similar problem is being encountered in the realm of fake news.

The previous Data Protection Bill was criticised for excessive exemptions, but, for once, can we shift the focus from the exemptions to security agencies to the expectations? Will the new Bill help end the tyranny of intermediaries and data processors, whether Big Tech or ISPs, when local law enforcement agency (LEA) units, such as the Jodhpur police or the Sangrur police, face the might of gangsters and terrorists, who are thriving on fintech-enabled laundered money?

In India, the IT Act is administered by MeitY. The TRAI administers legislation such as the Indian Telegraph Act, 1885. And the law enforcement agencies are significant execution agencies of statutes such as the IT Act and the Telegraph Act. The grey zones created by regulatory duplication (created partly by multiple sectoral regulators of data) are the ideal space where legal eagles of Big Tech find ways of subverting the seemingly well-crafted laws. When the voice sample of a member of Bishnoi's gang was sought, they brought in the best lawyers to defend privacy rights of the gangsters because no law existed. Only after a tough legal fight could we obtain the sample.

Contrast this with the aviation industry and observe the precision of the legal teeth it possesses. The Director General of Civil Aviation (DGCA), as the overarching regulator, administers both air security and ground handling through its security wing, the Bureau of Civil Aviation Security. The Reserve Bank of India, which could authoritatively call the bluff of foreign banks on data localisation, incidentally operates a common ombudsman for non-banking financial companies (NBFCs) and scheduled banks. This is the reason for the easy sharing of financial information compared to communication-related information.

Another worthy example of oversight regulation is the financial transaction reporting regime under FIU-IND (Financial Intelligence Unit-India), which is an auto-pilot mechanism. If the Prevention of Money Laundering Act led to the FIU-IND mechanism successfully and all banks (private and foreign), depositories and NBFCs under the SEBI Act are reporting the transactions after being deemed as reporting entities, the proposed regulator — the Data Protection Board — can also ensure reporting of 'suspicious data movements' from the social media platforms and intermediaries.

From the point of view of law enforcement agencies, notable plugging of gaps has taken place in the form of Virtual Private Network (VPN) localisation issued by CERT-In (Indian Computer Emergency Response Team), new Intermediary Rules, Criminal Identification Act 2022 and Interception Rules.

But content still is not being pulled down despite these new rules being in place. What is imminent or objectionable for us is not so for the intermediaries steeped in free speech or privacy absolutism.

Who then brings the State’s intent into the picture? This led to the creation of the Grievance Appellate Committee (GAC) after yet another amendment to the IT Intermediary Rules. A couple of months ago, IT Minister Rajeev Chandrasekhar warned that “the self-created community guidelines of the platforms, whether headquartered in the US or Europe, cannot contradict the constitutional rights of Indians.” The thrust to bringing OTT under regulations in the new Telecom Bill stems from such clarity.

We should gauge the import of the word ‘digital’ added to the present Data Protection Bill. In the digital realm, the magic is created by servers and phones. So, secure and robust data empowerment will happen if loopholes of both are plugged. Cyberspace and telecom platforms should have an overarching single regulatory body.

The board being mooted in this Bill should come off as a regulator which should have oversight over cross-sectoral data regulators. To begin with, the GAC can be merged with the Data Protection Board. In any case, Section 29 of the new Bill gives overriding status to its provisions over other laws in force, if any. This mechanism can be subsumed in the Digital Act whenever it is in place.

The time is ripe to assert the intent of the State in respect to data protection and privacy through the new Data Protection Bill and the Telecom Bill, both crucial pieces of legislation, in double-quick time.

Join Whatsapp Channel of The Tribune for latest updates.