Data, Privacy: What’s on the Cards

The Data Lawyer and Aureus Law Partners wish you a very happy 2019 (and we sincerely hope that in the new year, no one infringes your privacy, steals your data or leaves you with a lack of choice!). 

In this post, we take stock of some imminent developments within the realm of data privacy in India, and their potential impact on individuals and businesses alike. Needless to say, what’s on the horizon is mostly tied to what transpired in the last year.

Aadhaar and Other Laws Amendment Bill

On December 17, 2018, the Cabinet approved certain amendments to the Prevention of Money Laundering Act, 2002 (the “PMLA”), the Telegraph Act, 1885, and the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 (the “Aadhaar Act”) that are intended to pave the way for use of Aadhaar details for obtaining new mobile numbers or opening bank accounts when customers opt for its use ‘voluntarily’. We had written about the possible outcomes of this here: https://thedata.lawyer/2018/12/18/what-the-proposed-pmla-amendments-might-mean/.

The Bill was introduced in Parliament this week. The Bill proposes a regime for allowing every client, beneficial owner, or person (such terminology depending on whether the necessary identification is in relation to telecom or PMLA requirements) who is sought to be identified, the voluntary choice of one of the following modes of identity verification:

  1. authentication under the Aadhaar Act, if the party doing the verification is a banking company (under the PMLA regime) or a person licensed to ‘establish, maintain, or work a telegraph’ (read: telcos and ISPs); or
  2. offline verification under the Aadhaar Act (whether the offline verification will use paper-based or paperless mechanisms is not currently known; it will be “through such offline modes as may be specified by regulations”, says the Bill); or
  3. use of passport issued under Section 4 of the Passports Act, 1967; or
  4. use of any other officially valid document (“OVD”) or modes of identification as may be notified by the Central Government.

Simply put, the Bill allows Aadhaar e-KYC, Aadhaar offline KYC and other forms of KYC through passport or other OVDs, depending on the individual’s choice. 

Note that there are several additional steps that need to occur before we see the result of these amendments: these include the issuance of specific regulations that would, presumably, set out the details of how each of these various forms of identity verification are to take place. Here are a few additional points about the changes proposed in the Bill that one needs to keep in mind:

  • While the proposed changes to the PMLA currently contemplate the use of Aadhaar eKYC only by banking companies, the Bill also states that the Central Government may permit other types of entities to use Aadhaar eKYC if they meet the standards of privacy and security set out under the Aadhaar Act. This leaves significant opportunity for regulatory widening of the permissibility of Aadhaar eKYC by – you guessed it – ‘fintech’ companies.
  • Several industry bodies and associations have made representations to regulators in the past months, urging the adoption of ‘paperless’ processes for non-Aadhaar-authentication-based (read: non-Aadhaar-eKYC) identification processes; whether these have been accepted, and if so, to what extent, would only be apparent once the updated regulations are published and made available.
  • The Bill states emphatically that no person may be denied services for not having an Aadhaar number. But it keeps a window open for mandatory authentication of an Aadhaar number holder for the provision of any ‘service’ if such authentication is required by a law made by Parliament. Possibly, the ‘service’ in question is one for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, as described in Section 7 of the Aadhaar Act.
  • Other noteworthy changes proposed by the Bill relate to granting of teeth to the UIDAI by allowing it to appoint officers and employees to discharge its functions, issue directions to any entity in the ‘Aadhaar ecosystem’, and also impose hefty fines ranging from one crore to additional penalties of up to ten lakh per day of an unremedied contravention. This is important, because one of the grounds on which the compulsory use of Aadhaar eKYC was challenged is that private players were allowed to gather demographic data without much oversight over their use, retention, or processing of such data. These changes may result in greater compliance by entities within the ‘Aadhaar ecosystem’; but note that the proposed changes in the Bill do not include specific provisions under which an Aadhaar number holder could file a complaint against an erring ‘Aadhaar ecosystem’ member: inquiries under the new Section 33A(l) of the Aadhaar Act may only be initiated upon a complaint made by the UIDAI.

Watch this space for timely updates on the Bill’s journey through Parliament. 

Review Petition against the Aadhaar Judgment

Even as the Government and the regulators showed sluggishness in reacting to the Supreme Court’s Aadhaar judgment (in the matter of Justice K.S. Puttaswamy (Retd.) v. Union of India & Others), we hear that a petitioner by the name of Imtiyaz Ali Palsaniya has made some quick moves to file a review petition against this judgment, contending that various grounds urged in applications filed in the matter had not been considered by the Hon’ble Court in its judgment. The petition purportedly sets out eight grounds for review of the judgment, of which the following is of interest to us:

“The absence in the judgment of any direction by the Hon’ble Court for deletion of Aadhaar data which already is in the possession of private companies, entities, schools, colleges, work places, banks, post offices, telecommunication service providers, etc. The petitioner contends that such a direction ought to have flowed as a consequence of the Supreme Court Bench’s reading down of Section 57 of the Aadhaar Act. While the contention appears logical, it remains to be seen whether it garners the apex court’s interest. If it does, it is hoped that the directions, if any are issued, are not impractical to comply with.”

The Information Technology Intermediaries Guidelines (Amendment) Rules

On December 24, 2018, the Ministry of Electronics & Information Technology (“MeitY”) issued a draft of “The Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018” inviting public comments on certain measures to regulate social media, which had Indian social media buzzing for several hours. 
Among others, the draft Rules state: 

“When required by lawful order, the intermediary shall, within 72 hours of communication, provide such information or assistance as asked for by any government agency or assistance concerning security of the State or cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto. Any such request can be made in writing or through electronic means stating clearly the purpose of seeking such information or any such assistance. The intermediary shall enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised.”

Since a previous home ministry notification authorising 10 intelligence and security agencies to intercept data on computers, mobile devices, and servers caused an uproar, the Government gave a longer reaction time to stakeholders on this one.

While the Government’s efforts to rein in the internet and social media – much in contrast to the fundamental premises on which these are designed – are nothing new, one wonders what would happen to intermediaries if they are ever called upon to hand over information or assistance of a nature that they are ill-equipped to even store, let alone hand over. Even a law-abiding intermediary would be hard-pressed to think of all the types of information that might fall under a description as vague as “information concerning cyber security…matters connected with or incidental thereto”. It is hoped that stakeholders take due notice of such draft rules and regulations and make known their difficulty in complying with them.

And in parting, let’s mention the Draft Personal Data Protection Bill, which generated much discussion and debate, but has not been presented before Parliament in the current session. With general elections around the corner, and a veritable sea of representations and suggestions having been made to MeitY in response to its invitation of comments from the public, the date of the Bill’s passing into law, as well as its final form, remain matters of speculation. 2019 promises to be an interesting year for privacy and data protection!

Here’s how you can reach the authors:
Bhavin Patel (bhavin.patel@aureuslaw.com)
Hemant Krishna (hemant.krishna@aureuslaw.com)