Naina Bora, a third-year B.B.A. LL.B. (Hons.) student, and Devika Bansal, a third-year B.A. LL.B. (Hons.) student, who both study at Gujarat National Law University, Gandhinagar, India, discuss the data privacy law concerns around the Mitron App in India...
In the “Privacy Judgement” of Justice K.S. Puttaswamy & Anr. v. Union of India, the Supreme Court has recognized the right to privacy as a fundamental right under Article 21 of the Constitution. Furthermore, it has also recognized “informational privacy” as a facet of that right that needs to be protected.
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
It can be observed that the section only mentions the term “body corporate,” which is limited to “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.” A bare reading of the section shows that individual app developers are not explicitly mentioned under this. The bill addresses the problem of holding an individual developer accountable under Section 2 of the bill, which states that “if passed, the bill would apply to ‘any Indian citizen or any person or body of persons incorporated or created under Indian law.’” Making matters worse, under the current IT Act, a penalty is to be levied only if there is a wrongful loss to such a user, thus failing to take any kind of pre-emptive measures.
Another shortcoming of the app was that users were denied their right to be forgotten. Once an account was made, there was no possible way to delete it from the app. The user could either log out of the app or uninstall it. The right addresses the power to have personal data erased in certain circumstances, for example, when the data subject withdraws consent. This right is recognized by various data protection laws, such as the one applicable in the European Union. Unfortunately, it is not applicable in India. There are precedents that have recognized this right with regard to the anonymity of victims in relation to sexual offenses against women. The Gujarat High Court has taken a different view: it dismissed a plea to restrain public exhibition of judgment on public resources. The bill, however, introduces an express right to be forgotten in accordance with which the data subjects may reserve their option in continuing the disclosure of their personal data.
While handling sensitive information such as access to the user’s phone camera, microphone, and location, apps need to have more transparency in their privacy policies. Further, according to security experts, if the source code was sold by the foreign-based company to another app developer, such an app developer would have been able to tap into the database of Mitron users.
The infamous Cambridge Analytica scandal serves as a reminder of how data can be misused without the permission of the users. The firm was instrumental in bringing Trump into power in the 2016 US elections. This was achieved by creating personality profiles based on the data collected without the Facebook users’ consent. This data breach went undetected for three years. Another example of such a scenario is when a researcher discovered data breaches twice in Just Dial in April 2019. It was revealed that personal information of its users was easily accessible, including those who had only called their number once or those who had left reviews. Data breaches can only be minimized with mandatory compliance with adequate IT laws.
Although privacy has been recognized as a fundamental right of every person, the legal system of India has failed to provide adequate protection to its citizens. As a consequence, it has become increasingly difficult for users to know how and what information is being stored, recorded, and shared. There is a need to ensure strict compliance with data protection laws to prevent further breaches. History serves as a reminder of how data can be misused easily. What firms fail to consider is that a data breach proves costly not only for the users but also for the firm in the form of lawsuits, falling stock prices, etc. There is a need for the government to hold the firms responsible for failing to maintain the data privacy of its users and clients. Under the current IT Act, a user shall only be compensated in case of wrongful use of such data that has been stored, recorded, and shared by the company. However, as observed in the Cambridge Analytica case, it might take years to detect such use. There is a need for transparency by such companies about how the data is being processed.
The removal of the Mitron app has nudged us into recognizing the need for the PDP Bill. However, the bill needs to be equipped to deal with upcoming challenges and problems. The bill, currently undergoing changes under the committee review, must be durable enough to meet future challenges such as artificial intelligence and robotic process automation.
The bill serves as radical legislation following the landmark “Privacy Judgement.” Thus, it shoulders the responsibility of providing a holistic bill, which will be able to deal with all the emerging evolutions in the world of data protection and privacy.
Naina Bora is a third-year B.B.A. LL.B. (Hons.) student at Gujarat National Law University, Gandhinagar, India.
Devika Bansal is a third-year B.A. LL.B. (Hons.) student at Gujarat National Law University, Gandhinagar, India.
Suggested citation: Naina Bora and Devika Bansal, India’s Data Privacy Laws and the Removal of the Mitron App, JURIST – Student Commentary, July 16, 2020, https://www.jurist.org/commentary/2020/07/bora-bansal-mitron-app/.
This article was prepared for publication by Tim Zubizarreta, JURIST’s Managing Editor. Please direct any questions or comments to him at email@example.com
Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.