The Country’s Highest Judicial Body Has Raised Concerns About Data Sharing With Cross Border Entities
Inc42 Daily Brief
Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy
The Supreme Court of India has reportedly issued notices to Google and Twitter, in reference to the public interest litigation petition filed against the Internet behemoths over data privacy concerns by Pallav Mongia, an Advocate-on-Record at the Supreme Court. The petition, according to sources, has raised concerns about the lack of control over data sharing with cross-border corporate entities, which could potentially be a violation of the Indian citizens’ right to privacy. Data privacy is increasingly becoming an area of concern in the country, with giants like Facebook, WhatsApp, and Monster India also being inspected for allegedly sharing user data with third-party entities.
The notice has been issued by a constitution bench of the Supreme Court formed by Chief Justice Dipak Misra and Justices AK Sikri, Amitava Roy, AM Khanwilkar, and M Shantanagoudar. As part of the notice, the country’s highest judicial body, Supreme Court, has asked Google and Twitter to share their legal views on the matter.
Commenting on the development, advocate and CriTaxCorp founder Kanishk Agarwal told Inc42, “In the wake of recent judgement by Hon’ble Supreme Court of India holding “Right to Privacy” as one of the Fundamental Rights, any entity is required to take a user’s informed consent prior to sharing or selling any personal information of that user, as he/she may not be aware, at the time of providing such personal information, that such information can be sold or be misused.”
The petitioner is being represented by senior advocate Mahesh Jethmalani, advocates Ravi Sharma, Abhinav Goyal, Pankaj Kumar Singh, and Gunjan Mangla. In his petition to the Supreme Court, Mongia has also challenged the constitutional validity of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Privacy Rules) as well as the clarification dated 24 August 2011 issued by the Ministry of Communications and Information Technology.
The petition read, “A bare reading of the clarification clearly shows that the privacy rules do not apply to body corporates outside India like Facebook, Twitter, and Google. The situation is alarming because the Indian arms of these body corporates have stated that they have no control over the content/data/information generated from India and pertaining to Indian users. The content, the website and the data/information generated on facebook.com, twitter.com and Google.com is controlled by Facebook Inc, Twitter Inc and Google Inc which are all body corporates outside India and are exempt from Privacy Rules 2011.”
Facebook Owned WhatsApp Also In Deep Trouble
In a related development, the five-member bench of the Supreme Court of India has reportedly ordered two other Internet giants, Facebook and Whatsapp, to file sworn declarations as to whether they have partaken in any kind of data sharing activities with third-party entities. This comes after two students approached the court over the changes made in WhatsApp’s privacy policy following its acquisition by Facebook.
The petitioners have alleged that WhatsApp shared all its user data with Facebook post the merger, thus violating their right to privacy.
When asked if it is the same as sharing data with third-party companies, Agarwal stated, “If users information, which was shared by users under privacy policy agreed with Whatsapp, was shared with Facebook post acquisition, but without obtaining approval of users with updated privacy policy stating that now data will be shared with Facebook, then such sharing of information is similar to sharing of information with any third-party as any modifications to privacy policy cannot have retrospective effect.”
Both WhatsApp and Facebook, however, have denied such allegations, stating that neither companies have shared any data with foreign entities. According to senior advocate Kapil Sibal, who is currently representing WhatsApp, the only information that the messenger app has shared with its holding company Facebook pertains to the user profile picture, device details, last access details, and phone numbers.
As stated by Sibal, these details have been shared for commercial purposes aimed at displaying relevant ads and offers on Facebook.
Interestingly, WhatsApp’s Legal Info page clearly states, “Nothing you share on WhatsApp, including your messages, photos, and account information, will be shared onto Facebook or any of our other family of apps for others to see, and nothing you post on those apps will be shared on WhatsApp for others to see. We still do not allow third-party banner ads on WhatsApp.”
WhatsApp currently collects user information through servers owned by third-party companies, sources have revealed. However, they remain completely encrypted, meaning that the information cannot be accessed anyone other than Facebook and Whatsapp. Its privacy policy further adds, “We’ve built privacy, end-to-end encryption, and other security features into WhatsApp. We don’t store your messages once they’ve been delivered. When they are end-to-end encrypted, we and third parties can’t read them.”
Both companies have promised to submit affidavits, in order to help the court decide whether the case requires immediate intervention. As per reports, further hearing of the WhatsApp and Facebook cases are scheduled for November 20. The Supreme Court has also ordered an additional hearing for the Google/Twitter case on the same day.
Is Monster India Selling User Data To Third Parties?
Apart from Google, Twitter, WhatsApp, and Facebook, another company that is being scrutinised for suspected data privacy violation is US-based job portal Monster.com. Recently, a trial court ordered a probe against Monster India on charges of selling data of Indian users to third-party entities. According to Naresh Kumar Laka, Chief Metropolitan Magistrate (East) at Karkardooma District Court, right to privacy dictates that online companies cannot share personal information of users with third-party entities without their “informed consent”.
To avail services by these companies, users are often required to accept a long list of terms and conditions as well as privacy policy before signing up. However, that does not mean companies are at liberty to sell or share data of users to a third-party, added CMM Laka.
CMM Laka stated, “At the time of entering personal information or data, job-seekers are not aware that the said data can be sold to any third person or that it can be misused. Accordingly, the said ostensible consent of the said applicant/individual cannot be said to be a free, voluntary or informed consent.”
Alleging that Monster India has been unlawfully selling user data to a third party company that has, in turn, duped thousands of job seekers, the court has instructed the police to conduct a thorough probe into the portal.
“It is common knowledge that when a person applies for a job on the internet, s/he feeds personal information which includes name, address, and mobile number. In my opinion, the said data being personal information cannot be transferred/shared/sold to some third person without the consent of the said person,” the court said.
Monster India, however, has dismissed all data privacy breach accusations, defending its decision to sell data to a third-party company as lawful. According to the spokesperson from Monster India, its contract with the company in question was based on the acceptance of agreement between the portal and the job seekers using the platform.
Right To Privacy Integral To Personal Liberty: Supreme Court Of India
“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”
That is the main takeaway from the historic judgment made by the Supreme Court of India (SCI) in relation to the recent Justice K.S. Puttaswamy (Retd.) Vs Union of India case. The country’s highest judicial forum overruled the eight-judge bench judgment in the MP Sharma case and six-judge bench judgment in Kharak Singh case, both of which had ruled that privacy is not a Fundamental Right.
The ruling is based on an array of petitions that challenge the mandatory use of Aadhaar. Petitioners say that enforcing the use of Aadhaar, which assigns a unique 12-digit ID to every citizen, is an infringement of privacy. They also stressed that the Aadhaar database was originally presented as a purely voluntary programme that offered to provide every Indian with an identity card. However, the current government has been moving in the direction to make biometric-based Aadhaar mandatory for availing various benefits under various social welfare schemes.
Post this judgment, a five-judge bench of the apex court has been entrusted with the task of testing the validity of Aadhaar from the aspect of privacy as a Fundamental Right.
Commenting on the development, Mishi Choudhary, President and Legal Director SFLC.in, a donor supported legal services organisation, hailed the decision and stated, “This is a milestone in a large history across the world on understanding of the right to privacy. The largest democracy in the world has now spoken on the question which we all face because 20th century constitutions, let alone earlier constitutions, did not tend to speak of right to privacy and they certainly didn’t speak of it in terms which allowed its application to the needs of human beings in the 21st century networked society. The Indian SC has taken an enormous step which is going to be looked upon by societies of law around the world with enormous importance.”
Is Data Sharing To Third Parties A Breach Of User Data Privacy?
“At present, Indian legal regime neither mandates data localisation by the foreign body corporates nor does it regulate how the information shared by Indian users is handled by such foreign body corporates, leaving Indian users vulnerable to privacy violations and giving them no control on how such data is to be used by such foreign body corporates,” clarified CriTaxCorp founder Kanishk Agarwal.
In the last few years, many companies have come under the fire for infringing data privacy. In July this year, Delhi-based eyewear platform Lenskart got into trouble on social media for sending unsolicited SMSes to users offering discounts and promotions. Some of these users pointed out that they were being bombarded with these SMSes despite being registered on the national ‘Do Not Call’ registry.
In June 2016, the United States government’s Federal Trade Commission fined mobile advertising company InMobi $950,000 in civil penalties on charges of deceptively tracking the locations of hundreds of millions of consumers, including children, without their knowledge or consent to serve them geo-targeted advertising. As per the complaint, InMobi was actually tracking consumers’ locations whether or not the apps using InMobi’s software asked for consumers’ permission to do so, and even when consumers had denied permission to access their location information.
A year prior to that, San Francisco and Gurugram based cross-device retargeting company SilverPush was accused of privacy breach in the US. According to sources, the violation took place through the company’s technology which enables users to connect their smartphones to television sets, as a way of tracking the effectiveness of an advertisement or the performance of a program.
Data sharing with cross-border companies is another major area of concern that the Indian government is currently looking into. The Ministry of Electronics and Information Technology has reportedly doubled down on its scrutiny of China-based smartphone makers allegedly involved in cross-border data leakage. The governing body has directed as many as 30 mobile phone manufacturers operating in the country, majority of them Chinese, to share the details of their security processes pertaining to user identity theft protection.
Among the companies that the governing body has sent notices to over identity theft protection concerns, are global players Apple and Samsung, as well as home-bred Micromax. The list also includes a number of Chinese smartphone makers such as Oppo, Vivo, Xiaomi, Lenovo and Gionee.
Agarwal said in a recent interaction with Inc42, “Recently in wake of apprehension of war with China, the Government of India asked mobile brands like Xiaomi and MI to ensure that the data of the Indian users be kept in servers which are physically accessible in India only and the said data should not be shared with any foreign entity, government or private. Xiaomi in its reply to the said show cause has agreed to place their data in India servers but have also stated that their data is shared on servers of Amazon Web Services and if they are ready to establish data center in India then Xiaomi has no issues whereas MI stated that no such notice has been received by them.”
Alibaba-owned UCWeb browser is another name in the list of Chinese companies suspected of stealing the data of Indian users. As part of an investigation, the University of Toronto uncovered “several major privacy and security vulnerabilities that would seriously expose users of UC Web to surveillance and other privacy violations.”
The browser, it has been alleged, retains control of the DNS of the user’s device even after the app has been uninstalled. According to the complaint, the application might be sending information about Indian users to China. If proven guilty of data privacy breach, the company could run the risk of getting banned in the country.
In Conclusion
We have all heard of the adage, “With great power comes great responsibility.” This is especially pertinent in today’s world, where a click of a button can very well change the course of someone’s life. Given that more than 2.5 quintillion bytes of data are consumed every day in the form of emails, videos, images, tweets, and content, the risk of privacy breaches has understandably increased at an alarming rate.
Agarwal added, “With the advancement in technology, development in government infrastructure is necessary for the benefit of its citizens. At the same time, it is of the utmost importance to ensure that any information collected by the government is protected and a strict process to protect any infringement of privacy of its citizens is implemented. Also, it is necessary to codify the process of sharing such information between government departments to check any abuse of power.”
While the Supreme Court is becoming increasingly vigilant when it comes to ensuring the citizen’s right to privacy, the government seems divided on the issue, especially after the onslaught against Aadhaar. With big players like WhatsApp, Facebook, Twitter, Google, and Monster also facing the heat, the country is hopefully moving towards a more efficient and proactive legal system that strikes down on all instances of data privacy infringement.
{{#name}}{{name}}{{/name}}{{^name}}-{{/name}}
{{#description}}{{description}}...{{/description}}{{^description}}-{{/description}}
Note: We at Inc42 take our ethics very seriously. More information about it can be found here.