On April 6, the Reserve Bank of India (RBI) issued a notification to the heads of all banks and corporates offering online payment interfaces. The notification pertained to storing all payment information in India for a period of six months. The purpose, as stated by the notification, was to enable better monitoring of payments to ensure that safety and security measures are adopted. However, in the absence of data protection legislation, it is laughable that the RBI wants to ensure the protection of customers' data.
On May 25, Cobrapost exposed Paytm for sharing user data with the PMO. Though Paytm has denied sharing user data with anyone other than government agencies, it neither refuted nor contradicted the allegations raised by Cobrapost. The issue here is that the current law regarding privacy is at best vague.
The Information Technology Act, 2000 has broad provisions regarding privacy. Section 72 imposes criminal liability upon authorised persons for sharing personal information with any third party. Section 43 provides a list of contraventions under the Act. Similarly, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 also provide for breaches of privacy. However, all of these laws make an exception to a person’s privacy to the extent that a government authority requests the data. The Rules themselves do not specifically state how the data ought to be protected – despite Rules often being drafted by persons with technical expertise. The right to privacy judgement of the Supreme Court has established privacy as a fundamental right; however, the specific boundaries of this right have not been outlined. Thus, national security is still a viable defence on the part of the government for breaching a citizen's privacy.
The 2011 Rules, however, do not specifically assign liability for a breach of privacy. At present, the most a consumer can hope for is to bring an action under the Contract Act of 1872, though the action in this instance would be more in the nature of a 'breach of contract' than a 'breach of privacy'. The Srikrishna Committee is expected to suggest a framework for a data protection law. However, the Shah Committee report on the same issue was already submitted in 2012. The Shah Committee's report was not implemented even though it had recommended that privacy be considered a fundamental right under Article 21. However, the Shah Committee report did mention that limitations can be placed on privacy under the headings of national security, public order, disclosure in public interest, prevention, detection, investigation, and prosecution of criminal offences and protection of the individual or of the rights and freedoms of others.
The aspect of national security is troubling because it has been used and misused in the past for justifying all actions taken by the government, whether proportionate or not. Unless a data privacy law includes specific limitations on requests for data under the heading of national security, it will be meaningless. The problem is that partisan politics often makes its way into executive actions; thus, government agencies can collect an individual's sensitive data citing national security for purely political purposes.