The recent interpretation of “control” by the High Court of Delhi in a litigation between Future Retail and Amazon has once again focused attention on the perennial question of what constitutes control. As described in more detail in the note, this question cannot be considered in abstract; it must be considered in the context of a specific legislation or policy and the objective it seeks to achieve. The relevant provisions of the FDI policy, which provide the context in this case, may not have been correctly appreciated.
The outbreak of COVID-19 and its development into a pandemic has led governments across the world to take extraordinary measures to protect their residents. The Central Government and various State Governments in India, along with public-health authorities, not-for-profit organizations and corporates, are collecting, tracking, and using information about individuals to slow down the spread of COVID-19; however, since a large proportion of such information could be categorized as ‘personal data’ or ‘sensitive personal data’ its use is subject to the data protection laws in India. It is, therefore, essential that a balance is struck between an individual’s right to privacy and public interest at large. Separately, as a result of the COVID-19 pandemic, corporates are also required to implement aberrant measures to safeguard their employees and extended workforce. In this regard, the collection of personal data by corporates will need to be undertaken in compliance with the requirements of data protection laws in India.
This note discusses the use of technology platforms by the Government of India to curtail the spread of COVID-19 and the obligations of corporates in India in relation to their employees or business, in each case, in the context of the legal framework for data protection in India.
The Personal Data Protection Bill, 2019 (“PDP Bill”), which was presented before the lower house of the Indian Parliament on December 11, 2019, seeks to provide for the protection of personal data of individuals and establish a Data Protection Authority. The PDP Bill has been referred to a joint select committee of both the houses of the Indian Parliament, which is expected to submit its report in early 2020. Accordingly, there may be changes to the PDP Bill based on the recommendations of the joint select committee. Once enacted, the PDP Bill will replace Section 43 of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and prevail over any other inconsistent laws in this regard (e.g., any sector-specific laws). This note provides an overview of the PDP Bill