Wednesday, February 19, 2020

Tracking the Data Protection Regime in India


The article is authored by Abhishek Tripathy, a fourth-year law student at the Institute of Law, Nirma University. 

The Personal Data Protection Bill, 2019, as introduced in the Lok Sabha, has been referred to a Joint Parliamentary Committee of both Houses under the chairpersonship of Smt. Meenakshi Lekhi for further evaluation. It should be noted that this bill is not the same as the Draft Personal Data Protection Bill, 2018, which was made public by the Srikrishna Committee last year. The bill, which is most likely to be placed in the winter session, is expected to contain certain changes, especially with regard to the data localisation norms. The bill will pave the way for a new data protection regime in India.
Background

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, released on 18th April, 2011 under the power conferred by Section 87(2)(ob) read with Section 43A of the Information Technology Act, are the only existing law on data privacy in India. The SPDI Rules are currently the only law that ensures the safety and security of sensitive personal data or information. The IT Act defines sensitive personal data or information as such personal information as should be protected by the government in due consultation with professionals and experts. According to Section 43A of the Act, a body corporate is accountable for the possession of any sensitive personal data or information, and any wrongful use of the same makes it liable to pay damages to the person aggrieved.

The 2011 rules, which specifically deal with body corporates and persons, set out certain fundamental principles of data privacy. The rules define personal information as any information that directly or indirectly assists in the identification of an individual. A body corporate that uses any such information must therefore provide a clear and accessible statement of its policies, the type of information collected and the purpose of such collection. The information collected must be necessary and shall not be retained for longer than required. Consent is the cornerstone of privacy laws around the world, and the use, transfer or processing of personal data is impossible without prior permission. Obtaining consent is a prerequisite for the collection of information, and an option to opt out must be provided prior to the collection of information.

The SPDI Rules also grant providers of information a right to review, with an option to amend or correct any data that is inaccurate. Moreover, the data collected cannot be used in any manner other than for the purpose for which it was collected. Security of information is the sole responsibility of the body corporate, which acts as a data fiduciary in the entire process. Any grievance must be dealt with by an officer (appointed by the body corporate) within a month of its receipt. Consent can also be withdrawn by the provider if the withdrawal is sent in writing to the concerned corporate/person. Disclosure of SPDI to third parties is not prohibited if a similar level of data protection is provided and such disclosure is necessary for the performance of a contract between the three parties. A body corporate is deemed to comply with reasonable security practices and procedures if it has implemented security practices and standards such as the IS/ISO/IEC 27001 standard or approved codes of best practices for data protection. In the event of a breach, a body corporate may be required to demonstrate that the requisite practices were followed. The absence of effective enforcement machinery, therefore, raises concerns about the implementation of the SPDI Rules.

The SPDI Rules recognise financial information, health information, etc. as "sensitive personal data" and thus regulate its collection, use and disclosure.

The other primary legal instruments that address data protection in the financial sector include the Credit Information Companies (Regulation) Act, 2005 (CIC Act), the Credit Information Companies Regulation, 2006 (CIC Regulations) and circulars issued by the Reserve Bank of India (RBI). Under the CIC Act, credit information companies (CICs) are identified as collectors of information and have to adhere to privacy principles at the stage of collection and use of such credit information. The CIC Act mandates the maintenance of data secrecy along with adherence to a large number of recognised data protection principles. As per RBI regulations, information collected through KYC and any other information collected in that process must be kept secure and in the utmost confidentiality. Data protection norms for personal information collected under the Aadhaar Act are found in the Aadhaar (Data Security) Regulations, 2016 (Aadhaar Security Regulations). The Aadhaar Security Regulations mandate UIDAI to have a security policy encapsulating the various measures adopted to keep information secure, such as maintenance of confidentiality and control of access to the data collected.

The Data Protection Bill, 2019


The bill is expected to have major changes with regard to the data localisation norms. The draft e-commerce policy was received with considerable backlash, as it advocated that data of all kinds should be localised in India. The cost of maintenance, investment and trade were expected to be adversely affected by the government's stance on data localisation. The bill of 2019 addresses this concern by distinguishing between different kinds of data, namely "Sensitive Personal Data" and "Critical Data". Sensitive personal data can be processed with consent outside the country but cannot be stored there. Critical data, which is to be defined by the government (mostly on security and defence matters), will have to be mandatorily processed and stored in India, whereas general data can be processed and stored outside India. Entities will be given up to 2 years to make changes to their structure to adhere to the provisions of the Act. For the purpose of investigation, certain agencies will be exempted from the bill. The penalty for a gross violation can go up to 15 crore or 4% of global turnover, whichever is higher. Minor violations can attract a penalty of up to 5 crore or 2%, whichever is higher. The data protection bill will establish a much-needed rigid and full-fledged data protection framework in India.

Understanding 'Network Effect'

The article is authored by Abhishek Tripathy, a fourth-year law student at the Institute of Law, Nirma University. 

The network effect can be defined as the effect that one consumer's use of a good or service has on the total perceived value of that product or service for others. The number of users/consumers who use a product or service is directly proportional to the value of the network. Take the example of an online messenger: suppose X number of people join the messenger; it will then attract Y number of people who are not on the platform but want to reach those X people through the services provided by the messenger. The e-commerce scenario in India is mostly a two-sided market, in which there is a user network and a seller network, both connected through an intermediary. E-retailing platforms, food delivery applications, etc. act as intermediaries connecting the supplier to the consumer. In a two-sided market, an increase or decrease in the number of users on either side of the market affects the other side, i.e. the more users there are, the more sellers are attracted to the platform, and vice versa (the indirect network effect). This determines the value of the platforms and dominance in a certain sector, which results in the market tipping in favour of the one with the greater number of users. Thus, there is a need to keep a check on entities with an existing network effect to prevent anti-competitive practices such as predatory pricing, unfair trade practices, etc. In the case of MCX v. NSE, the concept of the network effect was extensively discussed, perhaps for the first time in Indian competition jurisprudence. The dissenting opinion in the case laid down certain characteristics of the network effect:

  1. The network effect creates an inverted-U demand curve, whose equilibria vary with network size.  
  2. The pace of market expansion is greater in industries with network effects than in non-network industries.  
  3. Strong network effects create natural oligopolies. Network industries are characterised by high inequalities of market shares and profits.  

It should be noted that there are two kinds of competition: one is competition "in the market", the other is competition "for the market". The network effect plays an important role in the latter, as network industries try to attract more users to gain a dominant position in the market. In making such determinations, it is important that competition regulators take the market structure into account before deciding on the relevant market. A chicken-and-egg problem, on the other hand, is one in which a participant on one side of the market is willing to participate in the platform activity only if he expects adequate participation from the other side. For example, consumers prefer credit cards that are accepted by more merchants; similarly, merchants prefer to join platforms that have a large number of consumers. However, there are several two-sided markets that only perform the job of matching buyers and suppliers. Until enough participants on both sides are attracted to the platform, market makers are required to resolve the temporary imbalance by standing between the two parties, i.e. they are willing to work out the existing problem to ensure the smooth functioning of the platform.

The rise of e-commerce has again raised the age-old debate over including structural aspects of the market within the ambit of competition supervision. The first major school of thought emerged at Harvard University when, in the 1930s, researchers conducted analyses of specific industries. In the middle of the 20th century, Harvard economists such as Edward Chamberlin, Edward Mason and Joe Bain argued that the structure of an industry must be examined in order to assess competitiveness in the economy.

The original insight of the Harvard School developed into a general theory linking market structures to market performance, known as the Structure-Conduct-Performance (SCP) paradigm, which states that performance is determined by firms' conduct, which is in turn determined by the market structure. According to the Harvard School approach, regulators have to apply a presumption of illegality irrespective of the nature of the transaction. It is irrelevant whether the transaction brings any benefit to consumers, as the assessment is made on the performance of the entity and the existing structure of the market. On the other hand, the proponents of the Chicago School consider consumer welfare the paramount parameter in addressing competition concerns. With the advent of the Chicago and Post-Chicago schools of thought, SCP slowly lost its importance. Now, as markets become more tangled and trickier, it is important that factors such as the network effect be treated as relevant in tackling these varied issues.