The Impact of India’s New Data Privacy Law on Social Media Companies and Their Data Collection Practices

INTRODUCTION

Data has become a valuable resource in this fast-paced digital era, driving innovation, economic growth, and societal change. However, there have been privacy concerns worldwide over the collection, processing and storage of personal data by digital platforms mainly social media companies. Governments are now enacting comprehensive data protection laws as a response to these concerns that will protect the privacy rights of individuals and ensure responsible handling practices.

India’s Personal Data Protection Bill (PDPB), 2019 is a notable legislative undertaking on these matters within its jurisdiction. The PDPB seeks to create a robust legal framework that harmonizes the protection of personal data with business interests and technological advancements with reference from General Data Protection Regulation (GDPR) adopted by European Union. It also outlines stringent requirements for consent, data localization, data processing and individual rights with the aim of revolutionizing how India manages personal information.

This blog post delves into the vast implications in respect to social media companies who operate in India henceforth under PDPB especially on their data collection practices as well as implications on users’ privacy and targeted advertisement.

Key Provisions of the PDPB

  1. Consent and Data Collection (Section 11): PDPB emphasizes that users must obtain consent before collecting and processing their personal data. These terms require that consent be specific, clear and unambiguous and that the user fully understands the data collected and the purpose of its processing. Social media platforms known for their extensive data collection need to review their approval procedures. This change is designed to give users more control over their personal data and ensure they are not at fault for how their data is used.
  2. Data Localization (Section 33): One of the most important and controversial features of the PDPB is its regional component. According to this law, businesses are required to keep copies of sensitive personal data in India and sensitive personal data must be processed only in India. This requirement is designed to protect national security, protect Indian citizens’ information from foreign surveillance, and ensure that information remains within the jurisdiction of Indian authorities. However, this action incurs significant costs for social media companies, which must invest in local data storage
  3. Data Processing Regulations (Sections 25-27): PDPB imposes strict rules regarding the processing of information. Social media companies must take security measures and comply with Data Protection Assessment (DPIA) to protect personal information. These measures are designed to identify and reduce risks to personal data and ensure that data processing is secure and transparent. The PDPB is also required to appoint Data Protection Officers (DPOs) who will be responsible for compliance with the law for companies processing large amounts of personal data.
  4. Rights of Data Principals (Sections 17-20): The PDPB offers six such rights to a data principal (see box below for an explanation of the terms). Each of these rights gives a user power to control their own personal information, and in keeping it out of the hands of those who might use it for purposes the user is not comfortable with. For example, the right to data portability allows a user to transfer their data from one service provider to another; this can be of particular importance in India, where users often do not have an alternative service provider throughout their life. But perhaps the most important right of them all for end-users is the right to be forgotten: this right allows a user to force the data holder to erase any personal data that is no longer required for the purposes it was collected in the first place.
  5. Establishment of Data Protection Authority (DPA) (Sections 41-54): One key element of the PDPB requires that there is a Data Protection Authority (DPA) established in each state to supervise compliance with the law, investigate grievances, and help to govern aspects of the new legal regime. The DPA represents the judicial branch necessary to safeguard data subjects from malicious, negligent or exploitative data collection and practices, as well as an official oversight body on which social media companies can pin accountability for safeguarding their data practices. The DPA will have the power to impose steep fines in cases where companies fail to comply with safeguarding regulations.

IMPLICATIONS FOR SOCIAL MEDIA COMPANIES

  • Enhanced Compliance Requirements

The PDPB’s stringent rules around user consent and data processing will require Indian social media companies to drastically alter their operations. Each platform will likely have to implement a thorough compliance framework consisting of elaborate consent regimes, secure data processing protocols and audit clauses to ensure continuous regulatory compliance. Implementing this exercise, which is bound to be expensive and time-consuming, is unlikely to be easy, especially for smaller platforms that lack the means to invest in scalable compliance infrastructure. At the same time, this is precisely what the law demands to ensure user privacy and the responsible handling of personal data.

  • Data Localization and Increased Costs

The data localization requirement will compel social media companies to establish local data storage infrastructure, which involves substantial financial investments. For global platforms, this means building or leasing data centers within India, which can be both logistically complex and expensive. Compliance with these requirements is essential to safeguard national security and ensure that personal data remains within the jurisdictional reach of Indian authorities. However, the increased costs associated with data localization may impact the profitability and operational efficiency of social media companies. Smaller platforms, in particular, may struggle to meet these requirements, potentially leading to market consolidation as larger companies with greater resources dominate the market.

Data Protection

IMPACT ON TARGETED ADVERTISING

The PDPB will have a huge impact on targeted advertising; which is one of the major sources of revenue for social media platforms. The availability of personal data for targeted advertising will be reduced due to stricter consent requirements and enhanced rights of users. Users, thus, have more control over their information by selecting whether or not to provide it and whom with they share such details. Consequently, advertisers will need to find other less invasive methods of reaching consumers and rely more on aggregate and anonymous data rather than individual profiles. In addition, this might reduce targeting precision but improve user privacy as well as protect against misuse of personal data.

User Privacy and Trust

From the user perspective, PDPB increases privacy and trust. The policy aims to empower users by giving people control over their personal data and making them more transparent about the processing of data. This type of authorization could support more privacy users as people become more aware of their rights and have more choices about the information they share. This can also increase trust between users and social media platforms, increasing customer trust and engagement. As users gain confidence in the security of their personal information, they may be more willing to use digital services, thereby stimulating growth and innovation in the business sector.

CASE LAW AND PRECEDENTS

The implementation of the PDPB will be affected by many important decisions in India and internationally. Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)[5],. This landmark decision laid the foundation for the PDPB, highlighting the need for strong data protection. The court stated that the right to privacy of private life is inherent in the right to life and personal freedom, and emphasized the necessity of the law to protect personal information.

GDPR sets important standards around the world and provides common sense for the use of PDPB. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014) [6] established the “right to be forgotten”, which allows individuals to request the removal of their personal data from search engines in certain cases. This document highlights the importance of user control over personal data and the need for legal procedures to enforce data protection rights. In addition, the heavy penalties imposed by the GDPR for non-compliance (such as the fines imposed on Google and British Airways) highlight the importance of maintaining processes in compliance with data protection laws.

FUTURE DIRECTIONS AND CHALLENGES

Despite its potential benefits, the PDPB poses several challenges, particularly in balancing data protection with innovation. Regulators must engage in continuous dialogue with industry stakeholders to ensure that the law evolves to protect privacy without stifling technological advancement. Collaborative efforts between the government, social media companies, and civil society will be crucial in shaping a balanced and effective data protection framework.

  • Regulatory Challenges

One of the main challenges in implementing the Personal Data Protection Bill (PDPB) will be to ensure consistent and effective enforcement. The Data Protection Authority (DPA) will play a crucial role in this aspect, but it will need sufficient resources and authority to effectively fulfil its mandate. It is essential to ensure that the DPA is independent and free from political influence to maintain public trust in the regulatory framework. Additionally, the DPA will need to establish clear guidelines and standards for compliance, providing social media companies with the necessary tools to adhere to the law.

  • Technological Innovation

Data protection and technology are very difficult to measure. The digital economy relies heavily on free information, and strict regulations can stifle innovation and hinder business growth. Regulators need to strike a balance between protecting user privacy and allowing the creation of new technologies and business models. This requires a detailed understanding of the digital environment and a willingness to change management processes as new challenges and opportunities arise.

  • Global Implications

PDPB’s influence is not limited to India; It will also have a huge impact around the world. As one of the world’s largest digital economies, India’s data protection system will influence global data management policies and standards. International companies operating in India should update their practices to comply with the PDPB, and the law can serve as a model for other countries looking to create their own data protection laws. This could lead to greater harmonization of international data protection standards, thereby improving global data security and privacy.

  • Economic Impact

The PDPB will have a significant economic impact, especially on social media companies that heavily rely on data-driven business models. Compliance and data localization requirements may increase costs, leading to higher prices for digital services and potentially affecting consumers. However, the improved privacy protections and increased user trust could also spur growth and innovation in the digital economy. By promoting a more secure and privacy-conscious digital environment, the PDPB could encourage greater user engagement and investment in new technologies.

User Education and Awareness

A critical component of the PDPB’s success will be user education and awareness. Users must be informed about their rights under the law and how to exercise them. Social media companies will need to invest in educational campaigns to ensure that users understand the importance of data privacy and the measures in place to protect their personal information. By empowering users with knowledge, the PDPB can foster a culture of privacy and security in the digital ecosystem.

CONCLUSION

India’s Personal Data Protection Bill represents a significant stride towards enhanced data protection and user privacy. While it imposes substantial challenges for social media companies, particularly in terms of compliance and targeted advertising, it also offers an opportunity to build a more transparent and trust-based digital ecosystem. The PDPB’s stringent requirements on consent, data localization, and data processing are designed to protect user privacy and ensure that personal data is handled responsibly. However, the success of the PDPB will depend on effective enforcement, continuous engagement with industry stakeholders, and user education.

As the PDPB comes into force, its real-world impact will become clearer, shaping the future of data privacy and digital interactions in India. The law’s influence will extend beyond India’s borders, contributing to the global discourse on data protection and privacy. By balancing the need for robust data protection with the imperative for technological innovation, the PDPB has the potential to create a secure and dynamic digital economy that benefits both users and businesses.

Author: Debasish Hazarika, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at  Khurana & Khurana, Advocates and IP Attorney.

REFERENCES

[1] Government of India, The Personal Data Protection Bill, 2019, No. 373, Act of Parliament, 2019.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, O.J. (L 119) 1 (EU),

[3] Deloitte, Implications of the Personal Data Protection Bill, 2019 for Businesses, https://www2.deloitte.com/in/en/pages/risk/articles/implications-of-the-personal-data-protection-bill.html (last visited May 31, 2024).

[4] India’s Data Localisation: How It Will Impact Companies, The Economic Times (Nov. 28, 2018), https://economictimes.indiatimes.com/tech/internet/indias-data-localisation-how-it-will-impact-companies/articleshow/66837091.cms.

[5] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1.

[6] Google Spain SL v. Agencia Española de Protección de Datos, Case C-131/12, ECLI:EU:C:2014:317 (May 13, 2014).

[7] Information Commissioner’s Office, British Airways Fine Under GDPR, https://ico.org.uk/action-weve-taken/enforcement/british-airways/ (last visited May 31, 2024).

[8] Commission Nationale de l’Informatique et des Libertés (CNIL), Google Fine Under GDPR, https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc (last visited May 31, 2024).

Leave a Reply

Categories

Archives

  • December 2024
  • November 2024
  • October 2024
  • September 2024
  • August 2024
  • July 2024
  • June 2024
  • May 2024
  • April 2024
  • March 2024
  • February 2024
  • January 2024
  • December 2023
  • November 2023
  • October 2023
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • May 2023
  • April 2023
  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • February 2011
  • January 2011
  • December 2010
  • September 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010