Last week, the Karnataka High Court protected individual privacy concerning mobile communications, reviving the conversation about data collection and protection. “Informational privacy also forms an integral part of the right to privacy,” said Justice M Nagaprasanna.
Sharing mobile data for court
Last week, the High Court of Karnataka decided on a case which started with a married couple in a dispute in Bengaluru family court in 2018. The husband claims that call and text message history data would prove that his wife had been in correspondence with another man. The family court had considered giving permission to the mobile communications company to share the accused third party’s call history and data, but The High Court stopped it.[1]
The High Court deemed that companies should never divulge information intentionally, and courts should not compel them to do so. This demonstrates the government’s commitment to data protection.
Puttaswamy and And v. Union of India and Ors
This landmark case, which occurred shortly after Facebook’s acquiring of WhatsApp in 2014, established that privacy is a fundamental right guaranteed in the constitution. The case was brought by 91-year old retired High Court Judge Puttaswamy against the Union of India (the Government of India) [2] and a panel of nine judges unanimously agreed privacy is implied in the right to personal liberty. The judges decided that the right to privacy was implied in Article 21 of the Indian constitution and set the tone for other privacy laws to follow. “Data collection and processing efforts in India must evaluate and anticipate the impact of Puttaswamy on Indian data law.” [3]
SPDI rules
Most companies in India are impacted by the IT Act and SPDI rules. The IT Act mandates that corporate entities which handle sensitive personal data are liable for their negligence if that data is lost. However, the IT Act does not define what ‘responsible data management’ looks like.
The SPDI rules set that framework for the minimum standards which constitute responsible data management. The SPDI rules stipulate:
- When a corporate body is collecting any sensitive personal data, there must be a consent letter clearly outlining their data collection policies.
- A corporate body must have a grievance officer whose name and contact details are published on their website to respond to complaints. [4]
- A corporate body should follow The International Standard on “Information Technology – Security Techniques – Information Security Management System – Requirements,” or any code of best practices duly approved by the central government. Of these requirements, the company:
- should establish policies which ensure operation is reasonably secure and evaluate and test their data security measures.
- should control access to personal data
- should use encryption solutions to protect confidentiality
- must establish Risk Assessment and Risk Treatment Methodology, Risk Treatment Plan, and Risk Assessment Report. [5]
In November, India’s Ministry of Electronics and Information Technology has brought forward the Digital Personal Data Protection Act, 2022. This act aims to protect the privacy of Indians and is open for comment until December 17th.
Movius is a global team, including an office in Bangalore. We recognize the impact this legislation will have on the lives of our employees there. MultiLine by Movius is built to meet and exceed any security and personal privacy concerns. [6]
To learn more about MultiLine, visit www.movius.ai
