Legal cases with fixed pricing, standardized processes, and firm timelines
Supreme Court Advocate-on-Record Pallav Mongia filed a petition in Supreme Court pointing out the absence of data localisation by companies like Facebook and Twitter in India. A Constitution Bench comprising of Chief Justice Dipak Misra and Justices AK Sikri, Amitava Roy, AM Khanwilkar and M Shantanagoudar heard the petition and issued a notice. The bench tagged it along with the petition relating to sharing of data by Whatsapp. Senior Advocate Mahesh Jethmalani along with advocates Ravi Sharma, Abhinav Goyal, Pankaj K Singh and Gunjan Mangla appeared for the petitioner. Pallav Mongia has assailed:
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules),
A Clarification dated 24.8.2011 issued by the Central government wherein it has clarified that the ‘body corporate’ as defined in Privacy Rules refer to body corporate in India.
The petitioner has further submitted that majority of Indian internet traffic flows through internet giants Google, Facebook etc., yet their Indian subsidiaries have no control over information/ data in relation to the websites twitter.com, facebook.com and google.co.in. He stated- “As per the data, the top four websites in terms of traffic in chronological order in India as are- (i) www.google.co.in; (ii) www.youtube.com; (iii) www.google.com; and (iv) www.facebook.com. Yet, the Indian subsidiaries of these US companies neither handle nor control the content/information/data in relation to twitter.com, facebook.com and google.co.in. The same is evident from statements made by these companies or affidavits filed by them before various courts that the collection and processing of data as entered by the subscribers /account holders are not in their control.” The petitioner has cited the fact that companies like Facebook and Twitter do not have data centres in India, and all the information/data collected by them are stored in servers outside India. This, the petitioner contends, is a big impediment in seeking an efficacious legal remedy. “Often, crucial, sensitive and personal information of the user is saved on the servers which are located outside India. As on date, 13 countries have passed some degrees of ‘data localization’ laws mandating that the data pertaining to their citizens be stored within the border of their countries or strictly regulating the storage of data outside their borders. The Indian legal framework is limited to Privacy Rules which does not restrict the movement of data across the border. The law does not put any condition nor does it require the consent of the user to take the information outside the jurisdiction of India. Indian companies like Twitter Communications India Pvt Ltd. and Facebook India Online Services Pvt. Ltd. have admitted before various courts in different proceedings that they do not have any control over the data/information as available on facebook.com and twitter.com as the same is situated outside India under the control of their foreign holding companies.…Thus, whenever these companies are added as defendants in proceedings or are summoned to produce evidence in courts of law, the rights of the plaintiffs/prosecutors are subject to goodwill and consent of the foreign holding internet companies. This creates a serious impediment in seeking legal redress or enforcement of the rights of the Indian citizens denying an efficacious remedy and an effective redressed mechanism.” He added that the clarification issued by the government in August 2011 relating to body corporates makes the data of Indian users vulnerable. He has, therefore, submitted that the impugned clarification is violative of the Constitution under Articles 14, 19(1)(a) and 21. “…due to the clarification dated 24.8.2011, there is no law/regulation to protect the data collected, transferred, stored or processed by these body corporates leaving the Indian citizens and their data vulnerable and subject to goodwill of these internet giants…… This renders the users of the social media platforms remediless and without any protection. These companies are not mandated by Indian law to protect the data of Indian citizens and therefore the clarification dated 24.8.2011 is arbitrary and in violation of Articles 14, 19(1)(a) and 21.” Another ground to challenge the Privacy Rules is the classification brought about by the Rules between data/information and ‘sensitive personal data or information’ of data. “the definition of ‘sensitive personal data’ or ‘information’ is not comprehensive and leaves out a lot of data mishandling of which can cause serious damage to the user and to that extent the Privacy Rules are in violation of Article 14. It is submitted that all data/information provided by a user must be protected as the same is capable of being abused and pose threat to the user.” The petitioner has also contended that cross-border transfer of data is strictly regulated by various countries in order to protect the interest of their citizens but the same is, however, absent in India. “…due to the clarification to the Privacy Rules, there is no regulation governing the cross-border transfer of data of Indian citizens to other third countries nor is there any regulation to the subsequent transfer of data to third parties by the body corporates situated outside India. Such deficiency in Indian legal regime is in complete contrast to the comprehensive regulations as prevailing in the European Union, the fundamental right of data protection and the right to privacy” Besides assailing the Privacy Rules and the Clarificatory press note issued by the Central government, Mongia has also prayed for a direction to be issued to the Central government to devise effective mechanism for serving foreign respondents like Facebook and Twitter through their Indian arms/subsidiaries so that the Indian litigants and authorities have affordable, effective and adequate protection of their rights. He has also sought for a prohibition of transfer of data outside India unless the data is adequately protected. The Court has issued the notice in the matter.