Data is one of the most essential commodities in the current scenario in light of the rapidly increasing technological advancements in every sphere. India however does not presently have a dedicated legislation for the protection of data which naturally leads to several concerns regarding threatened vulnerabilities to not only individual citizens but also national security and interests. This present blog explores the current legislation on data protection, analyses the viability and merit of proposed legislations, and further examines the requirement of a stricter regime and regulatory framework for the collection and processing of data to avoid and tackle the potential risks associated with data handling in the energy sector and match the rapid pace of digitization and automation through illustrations of advancements in the energy sector.
Data is one of the most preeminent commodities in this world of digitization and automation. India has been witnessing a paradigm shift in the technological sector thus encouraging and propelling the storage, usage, and treatment of data within and outside the Indian territory. With the joint parliamentary committee tabling the report on thePersonal Data Protection Bill 2019, before the Parliament, it is only a matter of time that legislation regulating the data sector shall be brought to effect.
The quantum of data available in the webspace in the year 2020 was approximately 59 zettabytes and for 2021 was about74 zettabytes. The said numbers are just the tip of the iceberg, and the growth of data is expected to boom exponentially. This boom of data is fueled by a variety of factors such as increased cloud computing, improving technology, and various service sectors relying on and using more data to deliver better experiences and quality service to the consumers. With the increasing utilization of data for providing a better consumer experience, it is of utmost importance to deal with the data at hand safely and securely. It is also essential to bring in and develop data democratization, regulatory compliances, and better methods to treat the data securely and safely.
The energy sector is no exception in the utilization of data to enable fundamental transformation in consumer experiences, developed technology, and enhanced solutions. The increasing significance of data in the energy sector is a clear indicator of a shift to the adoption of improved technology leading to the requirement for a stricter and broader security paradigm. The most recent example of such technological development in the energy sector is theSmart Meter National Program by the Ministry of Power, Government of India. The nation is evidently adopting various technological advancements by implementing new and innovative systems, although, as these innovations involve a lot of data, the same makes the energy sector highly susceptible to threats and misuse leading to data breaches.
Environmental Clearances Under Concession Agreements
While data privacy laws are not encompassed in one act, they are intermittently present in a multitude of Acts. The paramount legislations covering Data privacy include:
- Information Technology Act, 2000
- The Information Technology Amendment Act 2008
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- Information Technology (Procedures and Safeguards for Blocking for Access of Information) Rules, 2009
- Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
The aforementioned legislations, however, broach the subject of data privacy from a limited purview and do not extensively cover the scope of data privacy. Some vital aspects of data privacy that are protected under the ambit of the current legislations include:
1. Section 43A of IT Act 2000: Punishment to body corporates for negligent/wrongful handling of data.
2. The IT Rules, 2011: Protection of sensitive data including passwords, biometric information, medical records.
3. Section 72A of IT Act 2000: Punishment for willful disclosure of data without prior consent extending up to imprisonment for two years.
4. Section 66C of IT amendment Act 2008: Punishment for identity theft.
5. Section 67 of IT Amendment Act 2008: Preservation of data by intermediaries
We can hypothesize from the aforementioned sections that while there are mechanisms in place to preserve leakage of sensitive information or illicit retention of personal data, there are no provisions in place for collection, processing, or protection of data regarding personal preferences, age groups, online activities, and other generic non-specific data.
TheSupreme Court Judgement of 2017 which upheld the importance of privacy of individuals as a fundamental right, calls for a closer examination of the personal data and its treatment. While undisputedly, data that can be used to defraud people is protected such as financial information and bank details, data that can be monetized such as data that would assist companies in targeting audiences or boosting sales is barely considered under the ambit of protection of the prevailing laws.
This unregulated or rather under-regulated data not particularly protected under the purview of any current legislation today is known as non-personal data and is essentially data that cannot directly reveal the identification of natural persons. While such data may seem harmless, there are concerns regarding the misuse of such data. To further study such concerns and the possibility of data regulation anExpert Committee chaired by Mr. Kris Gopalakrishnan was formed by the Ministry of Electronics and Information Technology.
This committeereported its findings in July 2020 which essentially highlighted the requirement of regulation of such non-personal data and the associated risks of the leakage of such data which involved harm to the principal person as the primary concern because no data can be completely anonymized. The Committee identified 3 main aspects of concerns namely:
- The risk of re-identification of personal through such data,
- The possibility of causing harm to an entire group of people,
- The potential for misuse of Data may jeopardize national interests and security.
Need for Data Privacy in the Energy Sector
One of the mostvulnerable sectors in light of the aforementioned concerns is the Energy and Infrastructure Sector. The energy sector is particularly susceptible tocyber security breaches and threats. The cyber threats imminent in the energy and infrastructure sector include data theft and billing fraud. The quantum of generation of non-personal data in the energy sector is extremely high, such non-personal data also known as big data which refers to the volume variety and velocity of the data is in dire need of regulation and protection.
An illustration of the susceptibility of the Energy sector to cyber threats and privacy concerns can be displayed by the recent development in the energy sector which has further strengthened the concerns of data privacy and misuse of data. The Ministry of Power has recently made public its intention and endeavor of ensuring the installation of smart meters replacing of 25 Crore conventional Meters through the “Smart Meter National Programme”.
Smart meters are electronic devices that record real-time production and consumption of electricity and communicate that information to the utility operator for monitoring and billing. Smart meters allow consumers to adapt their consumption – in time and volume – to real-time energy prices, thereby helping them to manage their usage more effectively and, conceivably, save money. The deployment of smart meters is expected to improve customer service, with more accurate billing, easier and quicker switching between payment methods.
While conventional meters also captured such data, the linkage of the Smart meters to the internet automatically means the ability to utilize and treatment of large quantities of such data simultaneously. If treated correctly such data can assistDISCOMs in strategic planning of power purchase, distribution infrastructure, improving DISCOM finances and even offering value-added services to the end-user.
Smart meters can collect granular electricity consumption data of users and update the web-based database as often as every half an hour. The apprehended threat of such data is that upon analysis of the same, it may reveal personal user data such as patterns of occupation of households, usage of appliances and their ownership, entertainment preferences, and even daily routines. A study of an individual’s smart meter data may even reveal thetimeframe during which the said house it unoccupied which could lead to increased chances of theft. Some other crimes that can be caused due to data from smart meters include stalking and illicit surveillance.
At present nearly2.1 million smart meters have already been installed at roughly 9.1 million more have been deployed. This is a crucial stage wherein there is a dire need for the introduction of proper guidelines and frameworks to ensure the protection of such data by DISCOMs.
While the smart meter data and electricity consumption does come under the ambit of the IT Rules 2011, there is little to no public information regarding thecompliance by DISCOMs with such Rules or the enforcement of such rules. The Central Electricity Authority which advises the Government on matters pertaining to electricity and energy has recommended detailed guidelines forAdvanced Metering Infrastructure (“AMI”) which has adopted mutatis mutandis for smart metering which unfortunately does not address data privacy at all. However, privacy obligations have been placed upon AMI service providers through the standard bidding documents that lay down guidelines and requirements for eligibility to provide smart metering services. The current governance pertaining to Smart Meters is limited and lacks the extensive approach required for the regulation of such highly sensitive data.
Another correlated gap in data security in the energy sector can be exhibited by the concept ofNet metering. Net metering is a service provided by energy companies that permits users who generate their own solar electricity to make use of such energy at all times through bidirectional energy meters which record the amount of electricity utilized and generated. Such information is used to provide the users with rebates based on the amount of energy produced. Such information also leads users vulnerable to various crimes due to the ability to the utilization of such data for interpretation of information such as occupancy patterns and appliance usage which can lead to the threat of theft, stalking, and bill fraud.
It is safe to say that net metering and smart meters barely scratch the surface of data vulnerabilities of the energy sector, with the Government vociferously promoting the generation of renewable energy and attempting to cause a shift in energy consumption patterns by making use of technological innovations and digitization. Implementation of the legislature which successfully identified and addressed the data security gap in the energy sector and lays down comprehensive guidelines for protection of data is the need of the hour.
The Personal Data Protection Bill 2019
There is an imperative requirement for the legislature to find a balance between monetization of data and prevention of misuse of such data. A sliver of hope for such privacy concerns is thePersonal Data Protection bill 2019 (“PDP”), introduced by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. This bill rightfully identifies the requirement of the protection of personal data and draws inspiration from some of the most vital areas of the General Data Protection Regulation which is the legislation for the protection of data in the European Union and addresses concerns that could potentially assist in the aversion of major crimes.
TheGeneral Data Protection Regulation (“GDPR”) was introduced in the European Union on 25th May 2018 and is one of the most comprehensive Data Protection Laws. These regulations put the onus on private companies to ensure that the Companies have a valid and lawful reason for collection and processing of such data, the Companies under the purview of the GDPR also require the specific consent of the consumers. The GDPR not only imposes obligations upon members inside the European Union but upon any individual or entity dealing with members inside the European union.
A close analysis of the PDP bill illustrates that this bill has managed to identify and address some of the mostessential data security gaps. The main aspects of this bill are as follows:
1. Obligations on Data Fiduciaries:
A Data Fiduciary is an entity that decides the means and purpose of processing data. The bill lays down specifications under which the data can be collected and stored. This specification includes requirements for :
- Specific Lawful purpose for processing of data
- Limitation of data collection to the extent of the purpose
- Deletion of data upon conclusion of processing
- Notification to the person whose data is collected
- Identification of age of user and obtainment of parental consent as may be required
2. Requirement of consent:
The bill lays out stringent provisions for the collection of explicit consent of the individual to whom the data belongs by all data collectors and requires the data processors to inform the user of the exact purpose for which such data is being collected.
3. Identification of Data:
The bills lay out grounds for which data can be processed and the purpose for the same.
4. The Bill addresses the concern of data leaving the territory of India:
Sensitive personal data would require the explicit consent of users for transfer to sources outside India, further such information would necessarily also be required to be stored in India.
5. Imposition of penalty for non-compliance:
Failure of the data fiduciary to fulfil its obligations for data protection may be punishable with a penalty that may extend to Rs.5 crores or 2% of its total worldwide turnover of the preceding financial year, whichever is higher. Further Processing data in violation of the provisions of the PDPB is punishable with a fine of Rs.15 crores or 4% of the annual turnover of the data fiduciary, whichever is higher.
6. Data Protection Authority:
The PDP makes provisions for a statutory body namely the Data Protection Authority for the regulation and implementation of the PDP. The Authority shall be tasked with ensuring compliance of Data fiduciaries and other data processors to the PDP and shall also have the authority and power to impose fines and penalties for contravention of the Act. The introduction of such an Authority would increase the accountability of all data fiduciaries.
The Personal Data Protection, if passed shall be thefirst dedicated legislation on the protection of personal data in India and shall serve to safeguard India from data leakage and theft to a great extent, it shall also help regulated non-personal data and big data. The Joint Committee on the Data Protection Bill has upon taking into account the need for accountability in the management of non-personal data has suggested that while the proposed data protection act may contain separate regulations for personal and non-personal data, the regulatory body for both should be the same i.e. the Data Protection Authority. The Committee has also approved the objectives of the bill and stated that it adequately addresses concerns of data privacy that have emerged of late. The Committee has further indicated that the Bill when enacted shall be implemented in various phases to afford time to the Data Fiduciaries and other relevant data managers to comply with the provisions of the Bill.
Impact of the Project Director Case
In light of the rapid pace of the Smart Meter National Programme, the Net metering services, other technological advancements in every sector and the pre-existing unregulated non-personal data available, one can only hope that the implementation of the PDP Bill is not too little too late by the time it is fully effected. It can accordingly be surmised that while the PDP Bill shall be exceedingly apt and effective in the protection of personal and non-personal data its scope in addressing the privacy concerns of the energy sector may be limited.
Accordingly, a dedicated piece of legislation in line with the Electricity Act shall be required to sufficiently address the advancements in the energy sector. This legislation should be developed by the Data protection authority in consultation with the Central Electric Authority and while the PDP Bill should be used as a framework for these guidelines, there should be specific sector-related particulars including:
1. The Purpose of the collection of data should be in line with the Electricity Act 2003
2. Dedicated accountability compliances for DISCOMs such as the implementation of data security plans
3. Data transfer and sharing protocols which lay down responsibilities of DISCOMs, AMISPs and third-party vendors
4. Rights for consumers laying down the level of access and control the consumers shall have upon their own data
5. Prescribed frequency in which data regarding energy consumption can be collected
6. Damage control protocols for inadvertently leaked data
Thus, we can conclude that while general data protection may be on the agenda of our lawmakers, the inherent requirement for specialized data protections laws for every individual sensitive sector has not yet been identified or at least addressed which can cause prejudice to the national security and safety of individuals as general data protection laws cannot extensively cover the specific requirements of every individual sector. However, this is just an assumption that can optimistically be proven wrong upon the implementation of the Personal Data Protection Bill.
About the Authors
Ms. Ankita Singh is a Partner at A&P Partners.
Ms. Simran R Grover is an Associate at A&P Partners.
Managing Editor: Naman Anand
Editors-in-Chief: Akanksha Goel & Jhalak Srivastav
Senior Editor: Gaurang Mandavkar
Associate Editor: Aribba Siddique
Junior Editor: Vedant Bisht
Preferred Method of Citation
Ankita Singh and Simran R Grover, “The Requirement of Sector-Specific Regulations in the Data Privacy Regime” (IJPIEL, 24 December 2021).