Even as the world grapples with the idea of State surveillance, the Financial Times recently carried an alarming article revealing the extent of private surveillance that we may unknowingly be subjected to. The article discloses that in the multi-million dollar consumer surveillance industry, your basic personal data such as gender, age and location is sold for as little as $0.0005. It discusses how this industry is so extensive that “resulting dossiers include thousands of details about individuals, including personal ailments, credit scores and even due dates for pregnant women. Companies feed the details into algorithms to determine how to predict and influence consumer behavior.” Companies regularly collect such information by scouring web searches and social networks, and also purchase it from service providers who are virtually sitting on a goldmine of data.
Think of the number of times you have been asked for your personal data by your service provider in the past. From opening a bank account to obtaining a sim card, applying for an insurance policy to a Shoppers’ Stop card, these are only some of the occasions where you have handed over personal information ranging from basic (name, gender, etc.) to sensitive (personal telephone number, email ID, credit card details, etc.). So, what happens to the data you share with your service provider? Is it obligated to keep it confidential? Does the law allow service providers to use consumer data for their own benefit? In the wake of an increasingly aggressive consumer surveillance industry fueled by data-rich service providers, this post summarizes the Indian regulatory framework for data protection in the burgeoning Indian service sector.
Data protection regime under IT Act
In the absence of an umbrella statute recognizing an across-the-board right to privacy in India, the Information Technology Act, 2000 (IT Act) contains perhaps the most comprehensive data protection provisions applicable to the Indian service sector.
The IT Act obligates service providers possessing sensitive personal data (such as passwords, financial information, medical records, etc.) of other persons to implement reasonable security practices, failing which they are liable to compensate those affected by such failure. It prohibits them from collecting personal information, except where such information is connected with and necessary for the service provider’s activity. Service providers are also obligated to disclose to consumers the purpose of collecting such information and its intended recipients. Consumers are entitled to choose not to provide the information sought, or to withdraw their consent to its use, and in such case service providers may refuse to provide only those services for which such information was necessary. Finally, the IT Act criminalizes unauthorized disclosure of personal information by any person (including telecom and internet service providers, search engines, online payment systems and market platforms), if such person obtained the information while providing services under the terms of a lawful contract. Thus, breach of the privacy protection provisions under the IT Act entails both civil and criminal proceedings against a service provider.
Despite the fairly extensive data protection framework put in place by the IT Act, market practice indicates that much of the above framework lacks strict implementation, inasmuch as the data protection regime is largely based on consent which consumers often do not have the option to withhold. As far as enforcement is concerned, whilst the IT Act provides an adjudication mechanism for breach of data protection provisions, there is no comprehensive database compiling orders passed by adjudicating officers, and as such their orders are publicly reported only few and far between. This has resulted in information gaps amongst the public in this sphere. Often, there is a general tendency to ignore minor offences of data leakage by a service provider, especially if such leakage does not involve financial data.
Sector-specific regulatory framework
Several service industries are additionally governed by data-protection guidelines issued by their regulators. For instance, in the insurance sector, IRDA (the insurance regulator) has prohibited service providers such as TPAs from trading in information. The IRDA has permitted insurers to purchase customer databases only from IRDA-licensed referral companies. Similarly, in the banking sector, RBI has repeatedly asserted the obligation of every bank to maintain the secrecy of its clients. The RBI also mandates that banks collect only relevant information from their customers and prohibits them from using it for cross-selling purposes. Likewise, in the telecom sector, TRAI has taken steps to promote the confidentiality of telecom customers and their communications. For instance, licenses issued to telecom service providers require them to maintain a mechanism for ensuring such confidentiality. Similarly, professional service sectors such as accountancy, medicine and legal services are governed by self-regulatory codes of conduct, and aggrieved customers can seek redress for privacy violations through the disciplinary bodies of such sectors.
A holistic analysis of data protection laws in India suggests that there is a far-reaching data protection legal framework applicable to service sectors. Strict enforcement, strong deterrents and greater customer awareness may, however, go a long way in creating a safer environment for your data with your service provider.
The Constitution of India does not expressly confer a fundamental right of privacy on its citizens. However, the Supreme Court has, on several occasions, held that the right to privacy is a part of the fundamental right to life conferred on every individual, and can be violated by none, not even the State, except in situations of public emergency.
Section 43A of the IT Act, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011.
Section 72A of the IT Act.
The Cyber Appellate Tribunal has a website which reports orders passed by the tribunal in appeals made against orders passed by the adjudicating officer under the IT Act.
For instance, under the IRDA (Third Party Administrators-Health Services) Regulations, 2001, third party administrators, which customarily undertake all data entry work, are prohibited from trading information.
IRDA (Sharing of Database for Distribution of Insurance Products) Regulations, 2010.
Master Circular on Customer Service in Banks and Master Circular on Credit Card Operations of Banks, issued by the RBI.