The Law Tries to Catch Up with Tech
The Law Tries to Catch Up with Tech is a feature article published in Fortune India on 22 May 2018. Written by Arnika Thakur, the piece examines India’s data protection legislative vacuum in the wake of the Cambridge Analytica scandal and Mark Zuckerberg’s April 2018 Congressional testimony mentioning Indian elections. The article critiques the Information Technology Act 2000’s inadequate amendments, highlights the absence of breach notification requirements, and explores lessons from the EU’s General Data Protection Regulation scheduled for 25 May 2018 implementation, whilst the Justice B.N. Srikrishna Committee worked to draft India’s first comprehensive data protection bill.
Article Details
- Published in: Fortune India
- Date: 22 May 2018
- Author: Arnika Thakur
- Type: Feature Article
- Publication Link: Read Online
Full Text
It isn't the Wild West, but India's legal framework offers little protection in case of data theft, say experts.
At his testimony before the U.S. Congress, Facebook CEO Mark Zuckerberg spoke about the upcoming elections in India. "2018 is an incredibly important year for elections not just with the U.S. midterms, but around the world. There are important elections in India, in Brazil, in Mexico, in Pakistan, and in Hungary," he said. "We want to make sure we do everything we can to protect the integrity of those elections."
But is Zuckerberg's assurance enough? Can Facebook truly ensure that there is no meddling in India's general elections, when political consulting firm Cambridge Analytica is accused of harvesting the Facebook data of millions of people and targeting them with ads designed to influence the Brexit referendum and the U.S. presidential election?
Instead, shouldn't India proactively strengthen its data privacy laws?
India's existing regulation on data protection, the Information Technology (IT) Act, 2000, did not explicitly protect data in its original form, experts say. And even the subsequent amendments were a "retrofitting of the law", says Sunil Abraham, executive director of the Centre for Internet & Society, a Bengaluru-based research and advocacy firm.
One amendment, Section 43-A, makes a "body corporate" possessing, dealing with or handling any sensitive personal data or information liable to pay damages if it has been negligent in implementing and maintaining reasonable security practices, thereby causing "wrongful loss or wrongful gain" to any person. The other amendment, Section 72-A, provides a criminal remedy: imprisonment of up to three years, or a fine of up to Rs 5 lakh, or both, for disclosure of personal information in breach of a lawful contract.
But Abraham says that by specifying sensitive personal data, the law excludes the breach or misuse of data that are not biometrics or the like. "Whenever you produce regulations in this manner those regulations are rarely comprehensive, and, therefore, we are in this situation," he says. In other words, seemingly innocuous information such as a person's pop culture interests, political ideology, literary preferences or shopping history is not protected.
Under the current law, companies are also not responsible for notifying users if their data are breached. "The entire framework around notification, or how does a user know that their data has actually been affected by a breach; none of these provisions actually exist under Indian law," says Amlan Mohanty, senior associate, technology and policy, PLR Chambers, a law firm.
Sahir Hidayatullah, CEO of Smokescreen Technologies, a cybersecurity firm, says since Indians are not culturally attuned to the idea of privacy, a comprehensive law is important.
India understands that the existing data protection law is behind the times. Last year, the government constituted a committee of experts chaired by former Supreme Court Justice B.N. Srikrishna to study the matter, make specific suggestions, and suggest a draft Data Protection Bill. In February, speaking on the sidelines of an international conference, India's electronics and information technology minister Ravi Shankar Prasad said the committee will soon submit its report.
The lawmakers can perhaps take a cue from the European Union's General Data Protection Regulation (GDPR), which will come into effect this May. Among other things, GDPR gives individuals greater rights to access data on them, correct inaccuracies, erase personal data in certain cases, and to even transfer their data from one firm to another.
GDPR also clearly defines consent. "The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language," it says. The law gives users the right to withdraw their consent at any time. Currently, most Internet companies seek consent to multiple matters at once, usually when a new user registers for or downloads their service, and it is often difficult, if possible at all, to review those terms. GDPR will change that in the EU.
Supratim Chakraborty, associate partner at law firm Khaitan & Co, says a clear regulation on consent is requisite in India, where many are first-time Internet users or do not understand English or are even illiterate. "When you obtain consent, it has to be understood in a proper manner by the people, and secondly, the people who are receiving the data are also obligated to protect it in a particular manner. That is something that we should gun for in the new law," says Chakraborty.
Mohanty of PLR Chambers says GDPR also spells out the principles of applicability with clarity, stating that the law will apply even to a foreign entity if the breach affects an EU citizen. "The problem in India is ensuring that foreign companies operating in India are held accountable," he says. "One of the key issues that India has to deal with is ensuring that the law that India passes is going to be applicable to entities that function outside India."
Sivarama Krishnan, partner and leader, cybersecurity, at consultancy PwC India, says India also needs to address the question of who or which body will implement the data protection law. "In the Western world, there is usually a privacy commission or authority, and resources to enforce the regulation. In India, there is lack of enforcement capability in the government to implement the existing regulation," he says.
There is also the matter of the government's priorities. The union government's biometric identification programme, Aadhaar, does not have a spotless record on data protection: users' data have been breached on multiple occasions, or even published online, by third-party service providers, hackers, and even government websites.
But India has seen serious consequences of weak data protection: A judge's report on the 1993 Bombay riots found that voters' lists and business registers were used by perpetrators to identify victims and their businesses.
Today, there is a lot more data a criminal can get access to, from a government identification programme to your Facebook profile to your smartphone's GPS signal. No data breach is innocuous.
(The article was originally published in the May 2018 issue of the magazine.)
Context and Background
This article appeared three months after the Cambridge Analytica scandal broke in March 2018, when The Guardian and The New York Times published whistleblower Christopher Wylie’s revelations that the British consulting firm had harvested data from up to 87 million Facebook users without consent. Cambridge Analytica allegedly deployed this data for psychographic profiling to influence the 2016 Brexit referendum and U.S. presidential election through targeted advertising. Facebook CEO Mark Zuckerberg testified before the U.S. Congress on 10–11 April 2018, specifically mentioning India’s 2019 general elections alongside other major democratic exercises globally, pledging to protect electoral integrity.
India’s legislative framework proved woefully inadequate for addressing such data exploitation. The Information Technology Act 2000 contained no comprehensive or rights-based data protection framework. Sunil Abraham of the Centre for Internet and Society characterised subsequent amendments as “retrofitting”, acknowledging fundamental design flaws. Section 43-A, inserted through the 2008 amendment, imposed civil liability on “body corporates” for negligent security practices causing wrongful loss or gain, limited to “sensitive personal data” including passwords, financial information, biometrics, sexual orientation, medical records and physical/mental health conditions. Section 72-A criminalised personal information disclosure breaching lawful contracts, prescribing imprisonment up to three years or fines up to Rs 5 lakh.
Abraham identified critical exclusions—political ideology, cultural preferences, shopping histories and browsing patterns remained unprotected despite their exploitation in psychographic profiling operations like Cambridge Analytica’s. Amlan Mohanty of PLR Chambers highlighted the absence of breach notification obligations, meaning users had no guaranteed mechanism to learn their data had been compromised. Sahir Hidayatullah, CEO of cybersecurity firm Smokescreen Technologies, argued India’s weak privacy culture necessitated comprehensive legislative intervention.
On 31 July 2017, the Ministry of Electronics and Information Technology constituted a 10-member Committee of Experts chaired by retired Supreme Court Justice B.N. Srikrishna to study data protection issues and draft legislation. The committee’s establishment occurred during K.S. Puttaswamy v. Union of India, wherein the Supreme Court was deliberating whether privacy constituted a fundamental right under the Constitution. The Court’s 24 August 2017 unanimous ruling affirming privacy as a fundamental right under Article 21 intensified pressure on the Srikrishna Committee. In February 2018, IT Minister Ravi Shankar Prasad announced the committee would “soon” submit its report (ultimately delivered on 27 July 2018).
The European Union’s General Data Protection Regulation, approved on 4 May 2016, was scheduled for 25 May 2018 implementation—just three days after this article’s publication. GDPR established comprehensive individual rights including data access, rectification, erasure (“right to be forgotten”), portability between service providers, and consent withdrawal. Crucially, GDPR mandated consent requests be “clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language”—prohibiting the bundled consent mechanisms standard in software terms of service agreements.
Supratim Chakraborty of Khaitan & Co emphasised consent clarity’s importance for India’s digitally diverse population, including first-time internet users, non-English speakers and illiterate citizens. Mohanty highlighted GDPR’s extraterritorial application—foreign entities processing EU citizens’ data faced regulatory accountability regardless of physical location. India struggled with jurisdictional enforcement against foreign companies operating domestically. Sivarama Krishnan of PwC India noted Western democracies typically established dedicated privacy commissions with enforcement resources, whilst India lacked such institutional capacity.
Aadhaar’s data security record undermined government credibility. Multiple breaches through third-party service providers, hackers and government websites had exposed biometric and demographic data. The article invoked the 1993 Bombay riots, where Justice B.N. Srikrishna’s judicial inquiry (ironically, the same individual now chairing the data protection committee) found electoral rolls and business registers had been weaponised to identify Muslim victims and properties, resulting in over 900 deaths. This historical precedent demonstrated data exploitation’s potential for communal violence.
Contemporary data ecosystems vastly exceeded 1993’s informational environment. GPS location data, social media profiles, biometric databases and digital transaction histories created unprecedented surveillance and targeting capabilities. Cambridge Analytica’s operations demonstrated how ostensibly innocuous data—Facebook “likes” and personality quiz responses—could be algorithmically transformed into political persuasion tools.
In May 2018, Cambridge Analytica filed for Chapter 7 bankruptcy following the scandal. Facebook faced escalating regulatory scrutiny culminating in a July 2019 Federal Trade Commission fine of $5 billion—then the largest penalty ever imposed for privacy violations—and an October 2019 UK Information Commissioner’s Office fine of £500,000. The FTC settlement cited continued violations of a 2011 consent decree requiring express user consent for data sharing, including unauthorised sharing with friends’ apps, default-enabled facial recognition, and advertising use of phone numbers provided for security purposes.
The article’s publication timing—three days before GDPR’s implementation—positioned India’s legislative vacuum against Europe’s comprehensive regulatory framework. The contrast highlighted India’s lag in addressing data protection challenges despite facing similar threats, exacerbated by a digitally stratified population and weak enforcement institutions. The Srikrishna Committee’s forthcoming recommendations would determine whether India adopted robust rights-based protections or perpetuated the inadequate “retrofitting” approach Abraham criticised.
This page was created on 25 January 2026.