In India, 2021 was a blink-and-you'll-miss-it conveyor belt of privacy and data protection developments. There was no shortage of action on the legislative and executive sides as the clamor for a comprehensive data privacy law in India became louder than ever. The Indian government made significant reforms, including the liberalization of the outdated geospatial data policy, the introduction of industry standards for privacy assurance, and the tightening of security measures in the digital payments sector. On the legal front, decisions were made on matters such as anonymity, the right to be forgotten, and state monitoring. The current draft of the planned GDPR-inspired data protection law, which has been in the works for two years since the previous draft, takes the cake.

In this article, you’ll go through the roller-coaster ride of privacy and data protection law-related legal developments. So, are we ready?


Proposed Data Protection Law

On December 16, 2021, the Joint Parliamentary Committee presented its report on the proposed data protection law to Parliament, along with a revised version of the bill, the Data Protection Bill, 2021. The draft bill has yet to be tabled as a draft law for Parliament's examination and approval. Following the release of the draft bill, the industry has called for a new round of consultations, claiming that several of the clauses differ from the previous version, which was released two years ago.

The proposed bill, which has elements of the GDPR, has several important revisions from previous versions of the proposed law, such as broadening the law's scope to include not only personal data but also non-personal data. Stringent data breach reporting regulations (within 72 hours), hardware manufacturer regulations, and a certification framework for all digital and IoT devices to mitigate data breaches have also been created. The proposed measure also allows for a phased adoption, with the central government announcing different dates for certain clauses to take effect.


New regime for geospatial data and map services

On February 15, 2021, the Indian government's Department of Science and Technology published "Guidelines for acquiring and producing geospatial data and geospatial data services including Maps." Before the guidelines, numerous notifications and guidelines regulating mapping data had been issued by various government ministries/departments, including the Ministry of Defence, Survey of India, Ministry of Finance, and Ministry of External Affairs, the majority of which were either unclear or archaic, or both. Under the new guidelines, the collection, generation, preparation, dissemination, storage, publication, updating, and/or digitization of geospatial data and maps within the territory of India is no longer restricted, and no approval, clearance, license, or other requirement applies, subject to a negative list of attributes for which there are restrictions. Foreign businesses are also prohibited from developing, holding, or hosting geospatial data that is finer than certain prescribed threshold values under the new guidelines. They also cannot perform land mobile mapping surveys, street view surveys, or surveying in Indian territorial seas.


Banking regulator clamps down on card data storage

The Reserve Bank of India (RBI) issued "Guidelines on Regulation of Payment Aggregators and Payment Gateways" to license and regulate payment intermediaries that facilitate and handle payments between customers and merchants via electronic/online payment modes. Payment aggregators and merchants are prohibited from retaining card and card-related data under these guidelines. In March 2021, additional explanations were released, emphasizing the card data storage constraints. The RBI issued a circular on September 7, 2021, demanding that, beginning January 1, 2022, (a) no entity other than card issuers or card networks be allowed to hold card data, and (b) any previously held card data be purged. The last four digits of the card number and the name of the card issuer could be saved as an exception for transaction tracking and reconciliation purposes.

Tokenization has been proposed as a viable approach for complying with card storage constraints while maintaining online payment continuity. The RBI expanded the previous device-based tokenization framework to include all devices, as well as allowing card-on-file tokenization. On December 23, 2021, the RBI extended the deadline for compliance until June 30, 2022, based on several industry representations to the RBI.


Data privacy standards issued

In mid-2021, the Bureau of Indian Standards (BIS) made public its new data privacy assurance standard, IS 17428, which had previously been notified. The standard aims to provide companies with a privacy assurance framework for establishing, implementing, maintaining, and continuously improving their data privacy management systems. It is divided into two parts: a prescriptive part with rules that must be followed by anyone applying the standard, and a suggestive part with specific best practices to aid in the implementation of the prescriptive part's requirements.

It could be assessed whether organizations' implementation of IS 17428 deems them compliant with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which require them to maintain reasonable security practices and procedures for sensitive personal data or information. However, these rules and IS 17428 do not clearly state that conformity with the prescriptive section of IS 17428 is regarded as compliance with the duty to maintain such security practices and procedures. As a result, companies may be required to demonstrate that implementation of the prescriptive section of IS 17428 satisfies such a requirement.

Under the upcoming data protection law, data fiduciaries and processors will be required to implement security safeguards that include de-identification, encryption, and other measures to protect personal data integrity and prevent misuse, unauthorized access, modification, disclosure, or destruction of personal data. It should be assessed and defined whether an IS 17428 implementation can be shown to comply with these security obligations.


Large messaging apps are required to introduce traceability features

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, were notified by the Ministry of Electronics and Information Technology on February 25, 2021, replacing the Information Technology (Intermediaries Guidelines) Rules, 2011. The new intermediary rules impose specific due diligence duties on online 'intermediaries,' including the necessity to maintain information about all users obtained during registration for 180 days, even if the registration is canceled or withdrawn. The guidelines went even further, recognizing certain intermediaries as "major social media intermediaries" if the number of registered users exceeds a specific threshold (subsequently notified as 50,00,000 registered users).

One of the additional due diligence requirements that major social media intermediaries that provide messaging services must meet is the ability to identify the first originator of any information transmitted through such an intermediary if required to do so by a court or by a government order to intercept, monitor, or decrypt the information. According to the new intermediary guidelines, a major social media intermediary must only provide the identity of the communication's first originator, not the contents of any electronic message or any other information about the first originator or other users.


Antitrust concerns with WhatsApp’s privacy policy update

In January 2021, WhatsApp LLC, the company that runs the messaging network WhatsApp, changed its privacy policy and terms of service. Unlike prior WhatsApp updates that allowed users to 'opt in' to data sharing with Facebook, this privacy policy update compelled users to consent to data sharing with Facebook to continue using the service. The Competition Commission of India, India's antitrust authority, launched an inquiry into WhatsApp, Inc. and Facebook, Inc. on March 24, 2021, to investigate the potential impact of the WhatsApp update on competition in the Indian market.

The unilateral mandate that users approve the amendment to WhatsApp's privacy policy breaches their voluntary agreement, according to the report, and appears to be unjust and unreasonable to the users.

In separate cases before the Delhi High Court, Facebook, Inc. and WhatsApp, Inc. contested the Competition Commission of India's order to open an inquiry. The WhatsApp update, it was maintained, does not take away users' freedom of choice and is intended to increase clarity about WhatsApp's data-sharing procedures with Facebook. The Delhi High Court dismissed the appeals and affirmed Facebook, Inc.'s indictment, judging it to be an important component of the inquiry.


National strategy on blockchain recommends data localization

In December 2021, the Ministry of Electronics and Information Technology released its 'National Strategy on Blockchain', which aimed to provide insight into strategies and recommendations for developing a trusted digital platform using blockchain that can ease trusted service delivery to businesses and citizens. Surprisingly, the ministry has noted that several countries have imposed data localization limitations and proposes that data localization be permitted for blockchain-based systems in the country as a security/privacy safeguard. This criterion for localization might be met by "hosting the blockchain infrastructure, data, and smart contracts within the country," according to the report. While this is still a policy topic, it is unclear how data localization measures for decentralized technology would be applied.


The parliamentary standing committee recommends permanent blocking of VPNs

On March 15, 2021, the Parliamentary Standing Committee on Home Affairs presented the upper house of Parliament with its 233rd report on Atrocities and Crimes against Women and Children. Virtual Private Network (VPN) services, according to the report, are a "technical challenge" since they allow criminals to remain anonymous online and access the dark web to conduct crimes while avoiding security barriers. It was suggested that a coordination mechanism with international entities be devised to ensure that these VPNs are blocked.

Because VPNs are also used as security and privacy-enhancing tools by users to maintain anonymity on the internet, such a suggestion would have to be viewed through the lens of a person's right to remain anonymous, which is part of the fundamental right to privacy affirmed by the Supreme Court in K.S. Puttaswamy v. Union of India. There are currently no general legal limitations that specifically prohibit or govern individual usage of VPNs.