14 September 2017
The Supreme Court of India (‘the Supreme Court’) issued, on 6 September 2017, an order (‘the Order’) in response to Pallav Mongia v. Union of India and Ors WP (C) No. 347 of 2017 (‘the Petition’). The Petition, filed as public interest litigation under Article 32 of the Constitution, aims to challenges the accountability of a number of respondents including the Telecom Regulatory Authority of India, Facebook, Inc., Twitter, Inc., and Google, Inc., among others, with respect to the current data protection framework in India. In particular, it is submitted in the Petition that the current framework fails to adequately protect the rights of Indian citizens, especially with respect to data transfers.
Pallav Mongia, Advocate-on-Record at the Supreme Court of India, told DataGuidance, “The Petition requests that the Supreme Court strike down the present data protection regime and protect the fundamental rights of citizens […] A fundamental issue involved in the present matter is that the data collected by large tech companies is stored/processed outside the territorial jurisdiction of India. As most of these businesses are located outside India, and their Indian subsidiaries do not have control over the data collected, it poses a serious threat to the right to privacy of Indian citizens and also creates legal enforcement issues. This allows them to operate in India in a legal void with no accountability whatsoever towards local users and local laws.”
The issue has gained much impetus post the decision of the Supreme Court holding the right to privacy as a fundamental right under the Constitution of India
The Petition was conjoined with the ongoing Karmanya Singh Sareen v. Union of India and Ors SLP (C) No. 804 of 2017, commonly known as the WhatsApp case, wherein the data transfer practices of WhatsApp to Facebook are also under scrutiny by the Supreme Court. Furthermore, the Order has given the respondents four weeks to file affidavits on the claims made under the Petition, after which the matter will be listed for consideration of passing an interim order. The Supreme Court clarified that if the assertions made under the affidavits would not require any intervention it may decide not to pass an interim order.
Srishti Saxena, Assistant Legal Manager at the Goods and Services Tax Network, explained, “The Petition has to be seen against the backdrop of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (‘the Privacy Rules’), the clarification [as to the scope of the term ‘body corporate’] issued by the Government of India dated 24 August 2011 (‘August Clarification’) and the recent privacy judgment [issued by the Supreme Court]. These rules provide that any body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to them.”
The Petition requests, inter alia, that because the services provided by private respondents are essential to contemporary life, and the August Clarification nullifies the very intent of Section 43A of the Information Technology Act, 2000 as well as the Privacy Rules, the Supreme Court issue a writ declaring the Privacy Rules and August Clarification as unconstitutional, and, further, that a writ be issued to the Union of India for it to prohibit the transfer of data pertaining to Indian citizens outside of the country other than when it is adequately protected.
Mongia highlighted, “The issue has gained much impetus post the decision of the Supreme Court holding the right to privacy as a fundamental right under the Constitution of India. ‘Informational privacy’ is now recognised as a specific ingredient to the right to privacy.”
Hernán R. Dutschmann | Privacy Analyst